Privacy Policy

2. CATEGORIES OF PERSONAL DATA COLLECTED

2.1. The specific personal data we collect depends on the nature of Your relationship with Savorria and the manner in which You interact with our services. The categories are as follows.

2.2. Customer Data (Restaurant Operators)

When You register for an account and subscribe to the Service, we collect: full name; business name and registration details (where applicable); email address; telephone number; billing address; payment information (processed via third-party payment gateways; we do not store complete card numbers); login credentials; and any additional information You voluntarily provide during account setup or subsequent communications.

2.3. End User Data (Consumers Placing Orders)

When End Users place orders through a Customer's ordering page hosted on the Platform, we may process: name; delivery address or pickup details; email address; telephone number; order history and preferences; and payment details (handled by integrated payment processors). It is important to note that, in most cases, Customers act as data controllers with respect to their End Users personal data, and Savorria acts as a data processor on the Customer's behalf; the allocation of responsibilities is addressed further in Section 3.

2.4. Website Visitor Data

When You visit our marketing Website at https://savorria.com , we collect technical and usage data through cookies and similar technologies, as further described in our Cookie Policy. This may include: IP address; browser type and version; operating system; referring URL; pages viewed; time and date of visit; and interaction data.

2.5. Communication Data

Where You contact us via email, live chat (powered by Intercom), or other channels, we retain records of such correspondence, including the content of messages and metadata, for the purpose of responding to enquiries and improving service quality.

3. ROLES AND RESPONSIBILITIES: CONTROLLER VERSUS PROCESSOR

3.1. The GDPR distinguishes between data controllers (entities that determine the purposes and means of processing) and data processors (entities that process data on behalf of controllers). Savorria occupies both roles depending on the context.

3.2. Savorria as Data Controller

We act as data controller when processing: (a) personal data of Customers for the purpose of administering accounts, processing subscriptions, and communicating about the Service; (b) personal data of Website visitors collected through cookies and analytics; and (c) personal data of individuals who contact us directly.

3.3. Savorria as Data Processor

When Customers use the Platform to receive and manage orders from their End Users, Savorria processes End User personal data on behalf of the Customer. In this capacity, the Customer remains the data controller for their End Users information, and Savorria acts as a data processor subject to the Customer's documented instructions. Customers requiring a formal Data Processing Agreement (DPA) pursuant to Article 28 of the GDPR may request execution of such agreement by contacting us at the email address provided above.

3.4. Customers bear responsibility for ensuring that their own collection and use of End User data complies with applicable law, including obtaining any necessary consents and providing adequate privacy notices to their patrons.

4. LAWFUL BASES FOR PROCESSING

4.1. Under Article 6(1) of the GDPR, processing of personal data is lawful only where at least one of the specified legal bases applies. We rely on the following bases depending on the processing activity.

4.2. Performance of a Contract (Article 6(1)(b))

Processing Customer data is necessary for the performance of the subscription agreement, including account creation, service delivery, billing, and customer support.

4.3. Legitimate Interests (Article 6(1)(f))

Certain processing activities are undertaken on the basis of our legitimate interests, provided such interests are not overridden by Your fundamental rights and freedoms. These interests include: maintaining the security and integrity of our systems; preventing fraud and unauthorized access; improving and optimizing the Platform; conducting internal analytics; and communicating with Customers about service updates. We have conducted balancing assessments to confirm that these interests do not unduly infringe upon data subject rights.

4.4. Consent (Article 6(1)(a))

Where we deploy non-essential cookies for analytics or marketing purposes, we obtain Your prior consent through our cookie consent mechanism. Consent may be withdrawn at any time by adjusting Your cookie preferences or contacting us directly.

4.5. Compliance with Legal Obligations (Article 6(1)(c))

We may process personal data where necessary to comply with legal obligations to which we are subject, such as tax reporting, responding to lawful requests from public authorities, or retaining records as required by applicable law.

5. PURPOSES OF PROCESSING

5.1. Personal data is processed for the following purposes.

5.2. Service Provision and Account Management: to create and maintain Your account; to provide access to the Platform and its features; to process subscription payments; and to deliver customer support.

5.3. Order Facilitation: to enable the transmission of orders from End Users to Customers; to generate order confirmations and notifications; and to facilitate payment processing through integrated gateways.

5.4. Communication: to respond to enquiries; to provide service-related announcements; and, where consent has been obtained, to send promotional materials or newsletters.

5.5. Analytics and Improvement: to analyze usage patterns and improve the functionality, performance, and user experience of the Platform and Website; to conduct aggregate statistical analysis that does not identify individuals.

5.6. Security and Fraud Prevention: to detect and prevent unauthorized access, security incidents, and fraudulent activity; to enforce our Terms and Conditions.

5.7. Legal Compliance: to comply with applicable laws, regulations, and legal processes; to respond to requests from competent authorities.

6. DATA RETENTION

6.1. We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.

6.2. Customer Data: Account information and transaction records are retained for the duration of the subscription and for a period of five (5) years thereafter, in accordance with commercial and tax record-keeping obligations under Romanian law.

6.3. End User Data: Where we act as processor, retention periods are determined by the Customer (controller). Upon termination of a Customer's subscription, End User data associated with that Customer will be deleted within thirty (30) days, unless the Customer requests earlier deletion or legal obligations require continued retention.

6.4. Website Visitor Data: Cookie-based data is retained in accordance with the durations specified in the Cookie Policy. IP addresses collected for security logging purposes are retained for a maximum of twelve (12) months.

6.5. Communication Records: Correspondence and support tickets are retained for three (3) years following resolution, to enable continuity of service and for quality assurance.

7. DATA SHARING AND RECIPIENTS

7.1. We do not sell personal data to third parties. Disclosure of personal data is limited to the following categories of recipients.

7.2. Service Providers and Sub-processors: We engage third-party vendors to assist in delivering the Service, including: cloud hosting providers (for infrastructure and data storage); payment processors (to handle transactions securely); analytics providers (such as Google Analytics, subject to consent); and customer communication tools (Intercom for live chat and support). These providers are contractually bound to process data only on our instructions and to implement appropriate security measures.

7.3. Customers (in the Processor Context): Where we act as processor, End User data is processed on behalf of the Customer, who may access such data through the Platform dashboard.

7.4. Legal and Regulatory Authorities: We may disclose personal data where required by law, court order, or governmental request, or where disclosure is necessary to protect our rights, safety, or property, or those of others.

7.5. Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the successor entity, subject to the commitments made in this Policy.

8. INTERNATIONAL DATA TRANSFERS

8.1. Personal data may be transferred to, and processed in, countries outside the European Economic Area (EEA) where our service providers are located. Such transfers are undertaken only where appropriate safeguards are in place.

8.2. For transfers to countries that have not received an adequacy decision from the European Commission, we rely on the Standard Contractual Clauses (SCCs) adopted pursuant to Commission Implementing Decision (EU) 2021/914, or other lawful transfer mechanisms recognized under Chapter V of the GDPR.

8.3. Transfers to the United States may be conducted under the EU-U.S. Data Privacy Framework where the recipient has self-certified to the framework, or otherwise pursuant to SCCs with supplementary measures as necessary following transfer impact assessments.

8.4. You may obtain further information about the safeguards applied to international transfers by contacting us at the address provided in Section 1.

9. DATA SUBJECT RIGHTS

9.1. Under the GDPR, You have the following rights with respect to Your personal data. These rights are subject to certain conditions and exceptions prescribed by law.

9.2. Right of Access (Article 15): You have the right to obtain confirmation as to whether personal data concerning You is being processed, and if so, to access such data along with information about the purposes, categories, recipients, retention periods, and Your rights.

9.3. Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data and completion of incomplete data.

9.4. Right to Erasure (Article 17): Also known as the “right to be forgotten,” this entitles You to request deletion of Your personal data in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected, or where You withdraw consent and no other legal basis applies.

9.5. Right to Restriction of Processing (Article 18): You may request that processing be restricted in specified situations, for example where You contest the accuracy of the data or where You have objected to processing pending verification of legitimate grounds.

9.6. Right to Data Portability (Article 20): Where processing is based on consent or contract and carried out by automated means, You have the right to receive Your personal data in a structured, commonly used, machine-readable format and to transmit such data to another controller.

9.7. Right to Object (Article 21): You have the right to object to processing based on legitimate interests, including profiling. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override Your interests, rights, and freedoms.

9.8. Right to Withdraw Consent: Where processing is based on consent, You may withdraw consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.

9.9. Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. In Romania, the competent authority is the ANSPDCP, contactable at [email protected] or via their website at https://www.dataprotection.ro . You may also lodge a complaint with the supervisory authority in the Member State of Your habitual residence or place of work.

9.10. To exercise any of the above rights, please submit a written request to [email protected] . We will respond within one (1) month of receipt, subject to extension where requests are complex or numerous, in accordance with Article 12(3) of the GDPR.

10. SECURITY MEASURES

10.1. We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include: encryption of data in transit using TLS protocols; access controls limiting data access to authorized personnel; regular security assessments and vulnerability testing; incident response procedures; and employee training on data protection obligations.

10.2. Notwithstanding our efforts, no method of transmission over the Internet or electronic storage is entirely secure. While we strive to protect Your data, we cannot guarantee absolute security.

10.3. In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we will notify the ANSPDCP within seventy-two (72) hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals directly, in accordance with Article 34.

11. AUTOMATED DECISION-MAKING AND PROFILING

11.1. We do not currently engage in automated decision-making, including profiling, that produces legal effects or similarly significantly affects data subjects. Should this change in the future, we will update this Policy and provide appropriate safeguards, including the right to obtain human intervention, express Your point of view, and contest the decision.

12. CHILDREN'S PRIVACY

12.1. The Service is designed for use by businesses and is not directed at individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take prompt steps to delete such information.

13. THIRD-PARTY LINKS

13.1. The Website and Platform may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of such third parties, and we encourage You to review their privacy policies before providing any personal data.

14. CHANGES TO THIS POLICY

14.1. We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. The “Effective Date” at the top of this document indicates when the Policy was last revised.

14.2. Material changes will be communicated via email to registered Customers or through a prominent notice on the Website. Continued use of the Service following such notification constitutes acceptance of the updated Policy.

15. CONTACT INFORMATION

15.1. For questions, concerns, or requests relating to this Privacy Policy or our data protection practices, please contact:

SC Savorria Tech SRL
Email: [email protected]

15.2. You may also contact the Romanian supervisory authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Email: [email protected]
Website: https://www.dataprotection.ro

This Privacy Policy has been prepared in accordance with Regulation (EU) 2016/679 (GDPR), Romanian Law No. 190/2018, and applicable guidance from the European Data Protection Board and ANSPDCP.

Last reviewed: 14 January 2026.