Privacy policy

Effective June 8, 2026

This policy explains what Calode collects when you use our website (calode.com), our restaurant software, and any service that links to this policy ("Calode", "we"). It covers personal data we handle for two groups of people: restaurant operators who hold a Calode account, and guests of those restaurants whose data flows through Calode.

1. Data we collect

Account and contact data

Name, email, phone number, business name, business address, and login credentials.

Restaurant operating data

Menus, hours, photos, brand assets, payment-processor IDs, integrations you choose to enable, messages sent from the dashboard, and the configuration of your locations.

Guest data (controller: the restaurant; processor: Calode)

When a guest places an order or books a table at a restaurant on Calode, the restaurant collects the guest's name, contact details, order history, and any notes the guest provides. The restaurant is the data controller; Calode processes that data on the restaurant's behalf under our Data Processing Addendum.

Usage and technical data

IP address, device and browser type, pages visited, referrer, time stamps, error logs, and cookies strictly necessary to run the service. Where you have opted in, we also collect anonymous analytics.

2. How we use it

• Run your account and deliver the product you signed up for.
• Send transactional notifications (receipts, password resets, billing, order confirmations).
• Provide support and respond to your requests.
• Detect, investigate, and prevent fraud, abuse, and security incidents.
• Improve the product and measure how it is used in aggregate.
• Comply with legal obligations.

We do not sell your personal data. We do not use guest data to train AI models without the restaurant's explicit instruction.

3. Legal basis (EEA / UK)

We process personal data on one of the following grounds: performance of a contract (delivering the service), legitimate interests (running and securing the platform), legal obligation (tax, accounting, anti-fraud), or consent (optional analytics, marketing communications you sign up for).

4. Sharing and subprocessors

We share personal data only with vendors strictly required to run Calode, under written contracts that bind them to confidentiality and equivalent data-protection terms:

• Cloudflare R2 / Amazon Web Services — file and object storage.
• Stripe — payment processing for the restaurant's orders.
• Twilio — SMS delivery, only where the restaurant has connected its own Twilio account.
• Google (reCAPTCHA / Maps / Places) — bot protection and address lookup on the website.
• Cloudflare (Turnstile) — bot protection on web forms.
• Sentry — application error monitoring.
• Postmark / Amazon SES — transactional email delivery.

We do not sell personal data and we do not share it with third parties for their own marketing. We may disclose data when required by valid legal process; we push back on overbroad requests.

5. International transfers

Some subprocessors are based outside the EEA / UK. Transfers rely on the European Commission's Standard Contractual Clauses (and the UK addendum) or an adequacy decision, whichever applies.

6. Retention

We retain account data while your account is active and for up to 12 months after cancellation, so you can re-open the account and so we can satisfy legal obligations (typically tax and accounting records for 6–7 years). Restaurant guest data is retained per the restaurant's own retention settings; ask the restaurant for theirs.

7. Your rights

You can request the following at any time:

• Access — a copy of the personal data we hold about you.
• Correction — fix anything that is wrong.
• Deletion — erase your data (subject to legal retention obligations).
• Portability — receive your data in a machine-readable format.
• Restriction or objection — limit or object to certain processing.
• Withdraw consent — where processing is based on consent.

Send requests to privacy@calode.com. We respond within 30 days. If you are a guest of a restaurant on Calode, please contact that restaurant first; we will route the request appropriately.

You have the right to lodge a complaint with your data-protection authority. In the EU, find yours via edpb.europa.eu; in the UK, the ICO at ico.org.uk.

8. California (CCPA / CPRA)

California residents have additional rights: to know what we collect and why, to delete personal information, to correct inaccurate data, to limit use of sensitive personal information, and to opt out of "sale" or "sharing" of personal information. We do not sell personal information. To exercise a right, email privacy@calode.com.

9. Security

We use industry-standard safeguards including TLS in transit, encryption at rest for sensitive secrets, role-based access controls, audit logs, and least-privilege access for our team. No system is perfectly secure; if you suspect an issue, email security@calode.com.

10. Children

Calode is not intended for children under 16 and we do not knowingly collect their data.

11. Cookies

See our Cookies notice for the categories we use and how to control them.

12. Changes to this policy

We update this policy as the product changes. Material changes are announced at the dashboard sign-in and, where required, by email. The "effective" date above always reflects the current version.

Contact

Calode · privacy@calode.com
For general support, book a call or reply to any system email.