Skip to content
stoveops
  • Solutions
  • Pricing
  • Blog
  • About
English
  • English
  • Français (CA)
  • Português (BR)
  • Español
Contact
  • Solutions
  • Pricing
  • Blog
  • About

Current policy

Privacy Policy

This Privacy Policy explains how StoveOps handles personal information when you visit our website, request access, use the StoveOps product, or appear as a restaurant guest in a workflow operated by one of our customers.

StoveOps is built for restaurants in Canada, the United States, Brazil, the European Union/EEA and Spanish-speaking markets, including Mexico. This policy is written to support privacy expectations under laws such as PIPEDA, Quebec Law 25, state privacy laws including the CCPA/CPRA where applicable, the LGPD, the EU/UK GDPR and Mexican private-sector data protection rules.

Where the GDPR applies, we process personal data on the Article 6 legal bases of contract performance, legitimate interests, consent or compliance with a legal obligation, as relevant to each activity. When personal data is transferred outside its region of origin (for example to the United States), we rely on recognized transfer safeguards such as the EU Standard Contractual Clauses (SCCs) and equivalent mechanisms.

Last updated: 2026-07-03

Who we are and when this applies

StoveOps provides restaurant operations software, including waitlist, guest messaging, digital menu/site tools, marketing workflows and analytics. This policy applies to stoveops.com, localized landing pages, early-access forms, product dashboards and related support communications.

When a restaurant uses StoveOps to manage guests, the restaurant is usually the business, controller or equivalent decision-maker for guest data. StoveOps acts as a service provider, processor, operator or encargado that processes that data on the restaurant’s instructions.

Personal information we collect

  • Website data: locale preference, cookie consent state, analytics choices, device/browser data, referral URL and interaction events when analytics is enabled.
  • Operator data: name, work email, phone number, restaurant name, role, country, state/province, billing details, account settings, plan and support history.
  • Restaurant content: locations, menus, hours, branding, public links, templates, campaign content and operational configuration.
  • Guest data submitted through the product: name, contact details, party size, waitlist or reservation status, visit history, preferences, allergies or notes that the restaurant chooses to store.
  • Messaging data: delivery channel, opt-in or opt-out signals, message status, timestamps and provider delivery logs for email, SMS, WhatsApp or browser notifications.
  • Payment data: subscription and add-on payment status processed by our payment provider; StoveOps does not store full card numbers.

How we use personal information

  • Provide, secure and improve StoveOps features.
  • Create accounts, authenticate users, support teams and manage billing.
  • Send transactional product messages, guest notifications and service updates.
  • Remember language, cookie and product preferences.
  • Measure aggregate product usage and reliability.
  • Detect abuse, enforce policies and comply with legal obligations.

Legal bases and consent

Depending on the country and context, we rely on contract performance, legitimate business interests, consent, compliance with legal obligations and, where needed, protection of vital interests or public safety. For Brazil, this maps to lawful bases under the LGPD. For Canada and Mexico, consent and transparency are central requirements. For U.S. state privacy laws, we provide applicable notice, access, deletion, correction and opt-out choices.

Restaurants are responsible for collecting and proving any guest consent required for their own use cases, especially when sending SMS, WhatsApp, email campaigns or promotional messages.

Messaging compliance

Operational messages, such as table-ready alerts or reservation confirmations, should be sent only where the restaurant has a lawful basis to contact the guest. Marketing messages require the restaurant to maintain appropriate consent, identification, unsubscribe and suppression records under laws such as CASL, TCPA, CAN-SPAM, LGPD and similar rules.

StoveOps provides opt-out and suppression tools where available, but customers must not upload purchased lists, message people without permission, or override unsubscribe requests.

Cookies and analytics

The website uses strictly necessary cookies for locale and consent choices. Analytics and marketing measurement are off by default and are enabled only after consent where required. We use Cloudflare Web Analytics, Cloudflare Zaraz and Google Analytics 4 to measure aggregate traffic, Core Web Vitals and conversion events such as lead form submissions; advertising pixels may be enabled under the marketing category when campaigns are configured. You can change choices through the consent banner or by clearing local browser storage.

Sharing and subprocessors

We share personal information only with service providers needed to run StoveOps, such as Cloudflare for hosting, edge security, Zaraz and Web Analytics, Google Analytics 4 for website measurement, email, SMS/WhatsApp delivery, payment processing, security, logging and customer support vendors. These providers may process information in Canada, the United States, Brazil, Mexico or other countries where they operate.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising as that term is used in California privacy law.

International transfers

StoveOps is a cross-border SaaS. Information may be transferred to and processed in countries other than where it was collected. We use contractual, technical and organizational safeguards appropriate to the data and applicable law.

Retention

We apply concrete retention periods by data type. Message recipient details (the personal data carried in guest messages) are redacted 30 days after the message activity. Login sessions expire after 30 days. Early-access leads are kept until you ask us to delete them or you unsubscribe. Guest data is retained for as long as the restaurant’s relationship with the guest is active, under the restaurant’s lawful instructions and account settings, with an opt-out always available.

Account and billing records are kept while the account is active and for a reasonable period needed for tax, audit, dispute and security purposes. Backup, security and delivery logs may persist for limited periods after deletion from the main application.

Security

We use administrative, technical and organizational safeguards designed for a restaurant SaaS environment, including access controls, encrypted transport, least-privilege permissions, audit logging and provider review. No internet service is risk-free, so restaurants must also protect their own devices, credentials and staff access.

Your privacy rights

Depending on where you live, you may request access, correction, deletion, portability, restriction, objection, consent withdrawal, opt-out of certain processing, or information about how your data is used. In Brazil, LGPD rights may be exercised with the controller and, where applicable, before the ANPD. In Mexico, ARCO rights include access, rectification, cancellation and opposition. In Canada, you may request access, correction and information about our privacy practices. In the United States, state privacy rights vary by state.

We respond to verified requests within the timelines set by applicable law: 30 days under the GDPR and the CCPA/CPRA, 15 days under the LGPD, and 20 days for ARCO requests in Mexico (each extendable where the law permits). If your data was submitted by a restaurant, we may need to route your request to that restaurant or verify with them before acting, because they control the relationship with you.

Children and sensitive data

StoveOps is not directed to children. Restaurants should not submit children’s data unless they have a lawful basis and appropriate guardian consent. Guest allergies, accessibility needs and similar notes should be entered only when relevant to service and disclosed to the guest in the restaurant’s own privacy notice.

Who is responsible and how to contact us

StoveOps is the party responsible for the personal data described here. Our Data Protection Officer / encarregado (LGPD), the person responsible for the protection of personal information (Quebec Law 25) and the data-protection responsible whose domicile is the StoveOps registered business address (Mexico, LFPDPPP) can all be reached through the single privacy channel contact@stoveops.com.

We may update this policy as the product, markets and laws evolve. The date above shows the current version.

Privacy contact: contact@stoveops.com

  • Terms
  • Acceptable Use
stoveops

Waitlist and reservation tools for busy restaurants.

contact@stoveops.com

StoveOps solutions

  • Solutions
  • Compare
  • Blog
  • Pricing
  • About
  • Contact

Legal

  • Privacy
  • Terms
  • Acceptable Use

Language

  • English
  • Français (CA)
  • Português (BR)
  • Español

© 2026 StoveOps. All rights reserved.