Privacy notice
Privacy Policy
Last updated: 2026-04-27
This notice is provided pursuant to Articles 13–14 of Regulation (EU) 2016/679 (GDPR) and applicable Italian privacy law. We have written it to be readable; the legally-binding Italian version takes precedence in case of any divergence.
1. Data controller
The data controller is Italy On Demand S.r.l., with registered office at Via Ponte Vetero 11, 20121 Milan (MI), Italy, VAT no. IT13796560962. Italy On Demand operates the marketing site at italyondemand.eu and the related SaaS application for restaurants.
Contact: contact@italyondemand.partners
2. Types of data collected
We process personal data only in the categories strictly necessary to deliver the service:
- Identification + contact data: name, email, role.
- Restaurant data: business name, address, VAT number, opening hours, menu, table layout.
- Order data: items ordered, table number, optional guest name and phone provided at order time.
- Technical data: browser/device info, IP address (hashed at server entry), pages viewed via cookieless analytics (self-hosted Plausible).
- Marketing data: email and (optional) restaurant info if you sign up to the waitlist or marketing newsletter.
We do not knowingly process special-category data (health, religion, political opinions, etc.) and we do not collect data from minors.
3. Purposes and legal basis
- Service delivery (Art. 6.1.b GDPR): to operate ordering, reservations, billing, and POS integration for restaurants and their guests.
- Legal obligations (Art. 6.1.c): tax records, accounting, fiscal receipt issuance (RT) per Italian Decree 5 August 2019.
- Legitimate interest (Art. 6.1.f): fraud prevention, technical security, anonymous analytics, dispute defence.
- Consent (Art. 6.1.a): marketing communications and (where applicable) third-party advertising pixels — always optional and revocable.
4. Storage and retention
All personal data is stored within the European Union. Primary infrastructure is Hetzner (Falkenstein, Germany and Helsinki, Finland); transactional email goes through Resend EU. We do not transfer personal data outside the EU.
Retention periods:
- Operational order data: 24 months from the date of the order, then automatically purged or pseudonymised.
- Tax-relevant records: 10 years (Italian Civil Code Art. 2220).
- Marketing waitlist email: until you withdraw consent or unsubscribe.
- Audit logs: 12 months.
- Account data: for the duration of the contract plus 6 months after termination.
5. Your rights
Under Articles 15–22 of the GDPR you have the right to:
- Access your personal data and obtain a copy.
- Have inaccurate data corrected.
- Have data erased ("right to be forgotten") where conditions are met.
- Restrict or object to processing.
- Data portability — receive a structured, commonly used, machine-readable export.
- Withdraw consent at any time, without affecting prior lawful processing.
- Lodge a complaint with the Italian Data Protection Authority (Garante Privacy) at gpdp.it.
To exercise any right, write to contact@italyondemand.partners. We respond within 30 days as required by Art. 12 GDPR.
6. Cookies
The marketing site uses no third-party cookies. Audience analytics are provided by self-hosted Plausible — cookieless and compliant with EU ePrivacy guidance, so no cookie banner is required.
The application (after sign-up) uses essential cookies only: a session cookie for authentication and a CSRF protection token. Both are first-party, secure, httpOnly, and exempt from prior consent under Recital 30 GDPR / Art. 5(3) ePrivacy.
If/when we activate third-party advertising tags (Meta, Google Ads, LinkedIn, TikTok), we will deploy a granular consent banner; until then no such tags fire.
7. Contact
For any matter related to this notice, including exercising your rights or raising a concern, write to contact@italyondemand.partners.
We will publish the appointment of a Data Protection Officer (DPO) at the same address before the public launch of the SaaS application.