Privacy Policy

This privacy policy provides information about the processing of personal data by CODLAB (Francesco Cucinotta) when visiting this website and when using our products and services, in particular the platform Riservati.

1. Data Controller

Francesco Cucinotta
Bischof-von-Henle-Straße, 93051 Regensburg, Deutschland
E-Mail: info@codlab.de

The appointment of a Data Protection Officer is not legally required (§ 38 BDSG). For data protection inquiries, please contact the email address listed above.

2. Hosting and Access Data (Server Logs)

This website is hosted on a server provided by Ionos SE (Elgendorfer Str. 57, 56410 Montabaur, Germany). When accessing the pages, the server automatically processes technical access data in so-called server log files:

  • IP address of the requesting device
  • Date and time of the request
  • Referrer URL (previously visited page)
  • Browser type and operating system (user agent)
  • Requested page and amount of data transferred

This data is not merged with other data sources and is automatically deleted after 30 days.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and stable provision of the website).

3. Contact

When contacting us by email, we process the information you provide (name, email address, message content) exclusively to handle your inquiry.

When contacting us by email, we process the information provided exclusively to handle the inquiry (Art. 6(1)(b) GDPR). The data is deleted once the inquiry has been fully processed, subject to statutory retention obligations.

4. Riservati – Reservation Management Platform

Riservati is a SaaS platform for managing restaurant reservations. As part of the platform, we process the following personal data:

a) Restaurant operators (CODLAB customers)

The following data is collected during registration and use of Riservati:

  • Email address, phone number
  • Restaurant name, address, website
  • Opening hours, capacities, table configurations
  • Payment information (via Stripe, see section 12)

Providing this data is required to use the platform; without this data, the service cannot be provided.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

b) Guests / end customers of the restaurants

When making a reservation via Riservati (widget, app, or WhatsApp), the following data is collected:

  • Name, email address, phone number
  • Date, time, number of guests for the reservation
  • Special requests, allergies, and dietary preferences
  • Reservation status (confirmed, cancelled, showed up, no-show)

Providing your name and phone number is required to process the reservation. Without this information, the reservation cannot be accepted.

This data is processed on behalf of the respective restaurant. The restaurant is the data controller pursuant to Art. 4(7) GDPR; CODLAB acts as data processor pursuant to Art. 28 GDPR. A corresponding data processing agreement is part of the platform's terms of use.

Legal basis: Art. 6(1)(b) GDPR (performance of the reservation).

c) Customer history, profiling, and automated assessment

To improve the service and protect the restaurants, the following data is automatically calculated and stored per restaurant based on the reservation history:

  • Total number of reservations, completed reservations, cancellations, no-shows
  • Average group size, preferred times
  • Loyalty score (0–100): calculated from the reservation completion rate and visit frequency
  • Risk score (0–100): calculated from the rate of no-shows and cancellations
  • Customer segment (e.g., new customer, regular, VIP) based on the loyalty score

Automated individual decision-making (Art. 22 GDPR): The above assessments (loyalty score, risk score) serve as decision-making aids for restaurant staff. No reservations are rejected or accepted solely on the basis of automated processing that produces legal effects or similarly significantly affects the individual. The final decision on whether to accept or reject a reservation always lies with the restaurant staff.

Block list (Blacklist): Restaurants can add individual phone numbers to a block list. When a reservation request is made via the AI assistant, the phone number is checked against this list. In such cases, the AI assistant advises that the reservation should be made directly with the restaurant. The decision to add a number to the block list is made exclusively by the restaurant staff (not an automated decision).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the restaurant in customer relationship management and protection against repeated no-shows). You may object to profiling at any time (Art. 21 GDPR) and request a review of the automated assessment by a qualified person.

5. AI-powered Booking Assistant

Riservati offers an AI-powered chat assistant for reservations. The following data is processed:

  • Conversation history (entered messages and responses)
  • Booking data extracted from the conversation (name, date, time, number of guests, special requests)
  • Detected intent (booking, modification, cancellation)
  • Detected language of the conversation

How AI processing works (Art. 13(2)(f) GDPR): The AI assistant analyzes entered messages to detect reservation intentions and extract relevant booking data (date, time, number of guests, name). The assistant automatically checks availability based on the restaurant's opening hours and capacities. No automated credit checks or other automated decisions with legal effect are performed.

Processing is carried out via third-party AI services:

  • Anthropic PBC (Claude API) – Headquarters: San Francisco, USA
  • OpenAI Inc. (GPT API) – Headquarters: San Francisco, USA

Only the conversation history and restaurant configuration (opening hours, capacities) are transmitted to the AI services – no additional personal data. Both providers process API data in accordance with their data processing agreements and do not use the data for their own purposes or for training their AI models. Conversation logs are stored for quality assurance for a maximum of 12 months.

Legal basis: Art. 6(1)(b) GDPR (performance of the reservation) and Art. 6(1)(f) GDPR (legitimate interest in quality assurance).

6. SMS and Email Notifications

As part of reservation management, we send the following notifications on behalf of the restaurants:

  • Reservation confirmations (SMS and/or email)
  • Reminders before the reservation date
  • Cancellation confirmations

For this purpose, the guest's name, phone number, and/or email address are processed.

SMS/Email Marketing: Restaurants can send marketing messages (e.g., birthday greetings, promotions) to their guests via Riservati. This is done exclusively with the guest's prior explicit consent (Art. 6(1)(a) GDPR in conjunction with § 7(2)(3) UWG). Each marketing message contains information on how to withdraw consent. Consent can be withdrawn at any time with effect for the future.

Service providers:

  • SMSHosting.it (Beit srl) – SMS delivery (headquarters: Italy)
  • Ionos SE – Email delivery via SMTP (headquarters: Germany)

Legal basis: Art. 6(1)(b) GDPR (transactional confirmations) or Art. 6(1)(a) GDPR (marketing with consent).

7. Push Notifications

The Riservati apps use push notifications to inform restaurant operators and staff about new reservations and status changes. For this purpose, device tokens are processed via the Expo Push Notification Service (650 Industries Inc., USA).

Push notifications are only activated after explicit permission on the device. They can be deactivated at any time in the device settings. Device tokens are automatically deleted upon logging out of the app.

Legal basis: Art. 6(1)(a) GDPR (consent through activation on the device) and Art. 6(1)(b) GDPR (contract performance).

8. Riservati Staff App – Staff Management

The Riservati Staff App enables restaurants to manage their staff and track working hours. As the employer, the restaurant is the data controller for the processing of employee data; CODLAB acts as data processor.

a) Employee data

  • First name, last name, email address, phone number
  • Photo/avatar, PIN code (for identification on the device)
  • Role, employment status, start date
  • Scheduled working hours, vacation days

Personal data fields (name, email, phone number, PIN) are stored encrypted in the database (Fernet encryption, see section 14).

Legal basis: § 26(1) BDSG in conjunction with Art. 6(1)(b) GDPR (performance of the employment relationship). Providing this data is required for the establishment and performance of the employment relationship.

b) Time tracking and location data

When clocking in and out via the Staff App, the following data is collected:

  • Timestamp of clocking in and out
  • GPS coordinates (latitude/longitude) for location validation
  • Device information (platform, device name)
  • Calculated working time and any tardiness

GPS location tracking serves exclusively to verify that clocking in/out takes place at the agreed workplace. GPS data is only collected at the time of the clocking event – there is no continuous location tracking. The data is retained for a maximum of 24 months.

Legal basis for time tracking: § 26(1) BDSG in conjunction with Art. 6(1)(b) GDPR (performance of the employment relationship). Legal basis for GPS location tracking: § 26(1) BDSG in conjunction with Art. 6(1)(f) GDPR (legitimate interest of the employer in verifying correct time tracking) as well as Art. 6(1)(a) GDPR (consent through granting location permission on the device). Location permission can be revoked at any time in the device settings; clocking in/out is also possible without GPS permission.

9. Riservati Online Shop

Restaurants can operate an online shop for orders (pickup, delivery, dine-in) via Riservati. The following data is processed:

  • Customer name, phone number, email address
  • Delivery address (for delivery orders)
  • Order details (items, quantity, total amount)
  • Payment information (via Stripe Connect, see section 12)

Providing your name and contact details is required for order processing.

The respective restaurant is the data controller; CODLAB acts as data processor.

Legal basis: Art. 6(1)(b) GDPR (contract performance / purchase agreement).

10. WhatsApp Business Integration

Riservati can be connected to the WhatsApp Business API to enable reservations and communication via WhatsApp. The following data is processed:

  • Guest's phone number
  • Name (as stored in the WhatsApp profile)
  • Message history within the 24-hour session window
  • Media content (images, documents), as sent by the guest

Service provider: Meta Platforms Ireland Ltd. (4 Grand Canal Square, Dublin 2, Ireland). Meta processes the data as an independent data controller in accordance with its own terms of use for the WhatsApp Business Platform. Information on data processing by Meta: WhatsApp Business Data Processing Terms.

Legal basis: Art. 6(1)(b) GDPR (performance of the reservation at the guest's initiative).

Note: The use of WhatsApp is voluntary. Alternatively, reservations can be made via the widget or by phone.

11. Riservati Desktop App

The Riservati Desktop App for Windows and macOS communicates with the same servers and processes the same data as described in sections 4–10. Additionally, the app version is processed to provide automatic updates.

12. Payment Processing (Stripe)

For processing payments (subscriptions and shop orders), we use the payment service provider Stripe:

  • Stripe Payments Europe Ltd. (1 Grand Canal Street Lower, Dublin 2, Ireland) – for payment processing in Europe
  • Stripe Inc. (354 Oyster Point Blvd, South San Francisco, USA) – as parent company

During payment, the following data is transmitted directly to Stripe via the Stripe payment form (Stripe Elements) – complete payment data never reaches our servers:

  • Name, email address
  • Credit card or payment data
  • Billing address

We only store the last four digits of the card number, the card brand, and the expiration date for display in the customer account, as well as the Stripe Customer ID and Subscription ID for reference.

Stripe is PCI DSS Level 1 certified. Stripe acts as an independent data controller or data processor. Stripe's privacy policy: stripe.com/de/privacy

Legal basis: Art. 6(1)(b) GDPR (contract performance).

13. Cookies and Web Analytics

This website and the embedded widgets use cookies and comparable technologies (localStorage). The legal basis for accessing end devices is governed by § 25 TDDDG (Telecommunications Digital Services Data Protection Act).

a) Technically Necessary Cookies

These cookies are strictly necessary for the operation of the website and are set without consent (§ 25(2)(2) TDDDG).

Cookie | Purpose | Duration
codlab_cookie_consent | Storage of cookie consent | 365 days
sessionid | Session management (Django) | End of session
csrftoken | Protection against cross-site request forgery | End of session

b) Google Analytics 4

We use Google Analytics 4 (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland) for statistical analysis of website usage. Activation occurs exclusively after your explicit consent via our cookie banner (§ 25(1) TDDDG, Art. 6(1)(a) GDPR).

The following data is processed, among others: page views, time on page, device information, approximate location (country/region). The IP address is transmitted in anonymized form.

Google is certified under the EU-U.S. Data Privacy Framework. You can withdraw your consent at any time with effect for the future via the cookie banner.

c) Local Storage (Widget)

The booking widget uses the browser's local storage (localStorage) to temporarily cache the conversation history. This data is automatically deleted after 20 minutes and is not transmitted to third parties. This constitutes technically necessary storage (§ 25(2)(2) TDDDG).

14. Data Encryption and Technical Security

We implement comprehensive technical measures to protect personal data (Art. 32 GDPR):

  • Database encryption: Personal data fields (name, email, phone number, special requests, employee data, PIN codes) are stored encrypted using Fernet encryption (symmetric, based on AES-128-CBC with HMAC authentication).
  • Transport encryption: All connections between client and server use HTTPS/TLS. HTTP Strict Transport Security (HSTS) is enabled with a validity period of one year.
  • Authentication: JWT tokens (JSON Web Token) with limited validity and automatic rotation. Access token: 1 hour, refresh token: 30 days.
  • Mobile security: Credentials are stored in encrypted device storage (Expo SecureStore / iOS Keychain / Android Keystore).
  • API protection: Rate limiting against abuse, CORS policies, CSRF protection.

15. Data Processors and International Data Transfers

To provide our services, we use the following third-party providers:

Provider | Purpose | Headquarters | Transfer safeguard
Ionos SE | Hosting, email (SMTP) | Germany | EU – no third-country transfer
SMSHosting.it (Beit srl) | SMS delivery | Italy | EU – no third-country transfer
Stripe Payments Europe Ltd. | Payment processing | Ireland | EU / DPF-certified (Stripe Inc.)
Meta Platforms Ireland Ltd. | WhatsApp Business API | Ireland | EU / DPF-certified (Meta Inc.)
Google Ireland Ltd. | Reporting & Analytics | Ireland | EU / DPF-certified (Google LLC)
Anthropic PBC | AI assistant (Claude API) | USA | SCC + DPA
OpenAI Inc. | AI assistant (GPT API) | USA | DPF-certified + DPA
Expo / 650 Industries Inc. | Push notifications | USA | SCC + DPA

Data transfers to third countries: Where personal data is transferred to providers in the USA, this is done on the basis of the EU Commission's adequacy decision on the EU-U.S. Data Privacy Framework (DPF), provided the respective provider is DPF-certified. Additionally or alternatively, Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR and Data Processing Agreements (DPA) have been concluded with all US providers.

Data processing agreements pursuant to Art. 28 GDPR have been concluded with all processors, or corresponding data protection provisions are a binding part of the respective terms of use.

16. Retention Period

Personal data is stored only for as long as is necessary for the respective purposes or as required by statutory obligations.

Data category | Retention period
Restaurant account | Duration of the contractual relationship + statutory retention period (up to 10 years per HGB/AO)
Reservation data | 2 years after the reservation date
AI conversation logs | 12 months
Customer history | 
Employee data | Duration of the employment relationship + statutory retention period
Time tracking data / GPS | 24 months
Order data (shop) | Statutory retention period (up to 10 years per HGB/AO)
SMS/email delivery logs | 12 months
Payment data (Stripe references) | Statutory retention period (up to 10 years per HGB/AO)
Widget cache (localStorage) | 20 minutes (automatic)
Server log files | 30 days
Cookie consent | 365 days

After the retention period expires, data is deleted or anonymized, unless statutory retention obligations apply.

17. Your Rights

You have the following rights regarding your personal data:

  • Access to the data stored about you (Art. 15 GDPR)
  • Rectification of inaccurate or incomplete data (Art. 16 GDPR)
  • Erasure of your data, provided no retention obligation exists (Art. 17 GDPR)
  • Restriction of processing / objection (Art. 21 GDPR)
  • Data portability – receive your data in a structured, commonly used, and machine-readable format (Art. 20 GDPR)
  • Objection to processing based on legitimate interests, including profiling (Art. 21 GDPR). In case of objection, we will assess whether compelling legitimate grounds exist.
  • Withdrawal of consent with effect for the future (Art. 7(3) GDPR). The lawfulness of processing carried out prior to the withdrawal remains unaffected.
  • Automated decisions – If automated assessments (loyalty score, risk score) affect you, you may request a review by a qualified person, express your point of view, and contest the decision (Art. 22 GDPR).

To exercise your rights, please contact: info@codlab.de. We will process your request without delay, but no later than within one month (Art. 12(3) GDPR). Identity verification may be required.

Note for guests: As CODLAB acts as a data processor for guest data, please direct inquiries about your reservation data primarily to the respective restaurant. We are happy to assist with forwarding your request.

You also have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach (www.lda.bayern.de).

18. Data Protection Impact Assessment

For processing activities that are likely to result in a high risk to the rights and freedoms of natural persons (in particular AI-based data processing and profiling), a Data Protection Impact Assessment pursuant to Art. 35 GDPR has been carried out. The results are incorporated into the ongoing improvement of our technical and organizational measures.

19. Security

We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk. These include, among others, the measures listed in section 14, as well as access restrictions based on the principle of least privilege, regular security updates, and access logging.

In the event of a personal data breach, we will notify the competent supervisory authority pursuant to Art. 33 GDPR and – where there is likely a high risk – the affected individuals pursuant to Art. 34 GDPR.

20. Changes to this Privacy Policy

We reserve the right to update this privacy policy if the legal situation, our services, or the nature of data processing changes. In case of material changes, registered users will be informed by email. The current version is always available at this URL.

Last updated: February 2026 | Data controller: Francesco Cucinotta (hereinafter "CODLAB"). Contact: info@codlab.de