Last updated: July 1, 2026
GDPR Policy — Data Security
How we collect, store, protect, and delete personal data — technical and organisational measures and your rights under GDPR.
1. Data processing principles
GTC SELECT GRUP SRL processes personal data in strict compliance with the seven fundamental principles set out in Article 5 of the GDPR:
- Lawfulness, fairness and transparency — we process data only on a valid legal basis and inform data subjects clearly and accessibly.
- Purpose limitation — data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.
- Data minimisation — we collect only the data necessary for the declared purpose, avoiding excessive collection.
- Accuracy — we take reasonable steps to correct or erase inaccurate data without delay.
- Storage limitation — data is not retained longer than necessary; retention periods are defined in our Privacy Policy.
- Integrity and confidentiality — we implement appropriate technical and organisational security measures against unauthorised access, loss, or destruction.
- Accountability — we can demonstrate compliance with the above principles and maintain the corresponding documentation.
2. Technical and organisational security measures
2.1 Encryption and secure transmission
- All data in transit is protected by TLS 1.2 or higher; plain HTTP connections are automatically redirected to HTTPS.
- Data stored in Supabase (PostgreSQL database and Storage) is encrypted at rest using AES-256.
- User passwords are hashed using bcrypt managed by Supabase Auth; we never store passwords in plain text.
- Session cookies are HTTP-only and Secure, inaccessible from JavaScript.
2.2 Infrastructure and hosting
- The web application runs on Vercel (global edge network, per-request isolation).
- Database and file storage are hosted on Supabase in the AWS eu-central-1 (Frankfurt) region, within the European Union.
- Production networks are separated from development and staging environments.
- Database backups are performed automatically daily by Supabase and retained for 7 days.
2.3 Application security
- Row Level Security (RLS) is enabled on all tables containing restaurant data; each client can only access their own data.
- Secret keys (Anthropic API key, Stripe secret key, Supabase service role key) are stored exclusively as server-side environment variables and are never exposed to the browser.
- Dependencies are monitored automatically for known vulnerabilities (CVEs) through periodic audits.
- API endpoints that generate or access sensitive resources (PDF invoices, signed URLs) always verify ownership before responding.
2.4 Organisational measures
- Access to production systems is granted on a least-privilege basis.
- Team members with access to production data receive regular training on data protection and information security.
- Contracts with sub-processors include mandatory data protection clauses.
- Security incidents are managed according to the procedure described in section 7.
3. Access control
- Multi-factor authentication (MFA) — available and recommended for platform administrator accounts.
- Multi-tenant isolation — each restaurant operates in a logically isolated space; database-level RLS policies ensure no client can access another client's data, even with a valid but misdirected token.
- Supabase service key — used exclusively in server-side code (Server Actions, Route Handlers) for justified administrative operations (e.g. QR token generation, webhook processing). Never transmitted to the client.
- Super-admin panel — accessible only through accounts with the
super_adminrole, separate from restaurant accounts. - Sessions expire automatically according to Supabase Auth policy; periodic re-authentication is required.
4. Sub-processors
GTC SELECT GRUP SRL uses the following sub-processors to deliver its services. All have been assessed for GDPR compliance and have signed Data Processing Agreements (DPAs):
| Provider | Role | HQ | Transfer safeguard |
|---|---|---|---|
| Supabase Inc. | Database, auth, file storage | USA (data in EU) | DPA + SCCs; data stored in AWS eu-central-1 |
| Vercel Inc. | Web app hosting, edge functions | USA (EU edge) | DPA + SCCs |
| Stripe Inc. | Payment processing | USA | DPA + SCCs; PCI-DSS Level 1 certified |
| Resend Inc. | Transactional email | USA | DPA + SCCs |
| Anthropic PBC | AI models (upselling, chat) | USA | DPA + SCCs; data not used for model training |
| PostHog Inc. | Product analytics | USA (data in EU) | DPA + SCCs; eu.posthog.com instance |
| Functional Software (Sentry) | Error monitoring | USA | DPA + SCCs; anonymised/pseudonymised data |
The sub-processor list is reviewed periodically. Clients may request the current list at contact@tablette.ro. The addition of a major new sub-processor is communicated at least 14 days in advance by email.
5. International data transfers
Some services used by Tablette involve transferring personal data outside the European Economic Area (EEA), in particular to the United States of America.
These transfers are carried out exclusively on the basis of one of the transfer mechanisms approved under Article 46 GDPR:
- Standard Contractual Clauses (SCCs) — adopted by European Commission Implementing Decision (EU) 2021/914 — used with all US-based sub-processors.
- EU storage — for Supabase and PostHog, data is physically stored in EU regions (Frankfurt), eliminating an effective transfer.
We do not transfer personal data to countries without an adequate level of protection and without a valid transfer mechanism.
6. Retention & deletion policy
Personal data is not retained longer than necessary for the processing purpose or than legal obligations require.
| Data category | Retention period | Rationale |
|---|---|---|
| Active account data | Contract duration + 30 days | Post-termination data export window |
| Billing data and accounting documents | 10 years | Legal obligation (Romanian Accounting Law no. 82/1991) |
| Order history | 3 years | Legitimate interest (disputes, audit) |
| AI sessions (guest chat) | 90 days | Data minimisation; automatically deleted |
| Security and access logs | 12 months | Incident detection, security audit |
| Marketing data (with consent) | Until consent withdrawal | — |
| Database backup data | 7 days (daily backup) | Disaster recovery; automatic Supabase retention |
Upon expiry of retention periods, data is permanently deleted or irreversibly anonymised. Erasure requests (right to erasure) are processed within 30 calendar days, except where legal retention obligations apply.
7. Security breach management
GTC SELECT GRUP SRL maintains an internal Data Breach Response Plan covering:
7.1 Detection and assessment
Any suspected incident is immediately flagged to the technical team. A severity assessment (nature of data affected, number of data subjects, likelihood of harm) is completed within 24 hours.
7.2 Notification to the supervisory authority
Where a breach presents a risk to the rights and freedoms of data subjects, we notify ANSPDCP within 72 hours of becoming aware of it, pursuant to Art. 33 GDPR. The notification includes the nature of the breach, approximate categories and number of data subjects affected, measures taken and planned.
7.3 Notification to data subjects
Where a breach is likely to result in a high risk to data subjects' rights, we notify them directly without undue delay (Art. 34 GDPR), in clear and plain language, describing the nature of the breach and recommended protective measures.
7.4 Documentation
All security incidents are documented internally (regardless of whether external notification is required), including the facts, effects, and corrective measures taken, pursuant to Art. 33(5) GDPR.
8. Data Protection Impact Assessment (DPIA)
We carry out a DPIA whenever a planned processing activity is likely to result in a high risk to the rights and freedoms of natural persons, in particular when:
- we introduce a new feature involving large-scale automated processing;
- we engage a new sub-processor accessing special categories of data;
- we fundamentally change how guest data is stored or processed.
DPIAs are documented internally and reviewed periodically. If a DPIA identifies a residual high risk that cannot be mitigated, we consult ANSPDCP before commencing the processing.
9. Records of Processing Activities (ROPA)
Pursuant to Art. 30 GDPR, GTC SELECT GRUP SRL maintains a Record of Processing Activities (ROPA) documenting:
- the name and contact details of the controller;
- the purposes of processing for each activity;
- the categories of data subjects and personal data;
- the categories of recipients;
- transfers to third countries and associated safeguards;
- planned erasure time limits;
- a general description of technical and organisational security measures.
The ROPA is available on request by ANSPDCP and is updated whenever a significant change to processing activities occurs.
10. Data subject rights
Full details of your rights (access, rectification, erasure, restriction, portability, objection, withdrawal of consent) and how to exercise them are set out in our Privacy Policy.
Rights requests are submitted to contact@tablette.ro and resolved within 30 calendar days. In complex cases the deadline may be extended by a further 60 days, with prior notification to the requester.
We do not charge fees for exercising rights, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse, with a reasoned decision.
11. Contact & complaints
For any questions about this policy, the processing of your data, or to exercise your GDPR rights:
GTC SELECT GRUP SRL — Data ProtectionStr. Comarnic 59, Bucharest, Romania
Tax ID: 39138255
contact@tablette.ro
+40 751 954 687
If you are not satisfied with our response or believe your rights are being infringed, you may lodge a complaint with the competent supervisory authority:
Romanian Data Protection Authority (ANSPDCP)B-dul G-ral. Gheorghe Magheru 28–30, Sector 1, 010336 Bucharest
www.dataprotection.ro
anspdcp@dataprotection.ro
The Romanian version of this policy is the legally binding version. The English version is provided for informational purposes only.
© 2026 GTC SELECT GRUP SRL. All rights reserved.