This privacy policy is provided by DineIT S.r.l., with registered office at Via Mortara Ravagese 62, 89134 (RC), VAT No. 03354010807, e-mail [email protected] (hereinafter, the “Company” or the “Controller”), in order to clearly explain how your personal data is processed when you use our App and our Services.
This privacy policy concerns exclusively the processing of personal data of the App's Users by the Company. When you communicate additional information directly to the Restaurant (e.g. allergies or dietary preferences) or when the Restaurant processes your data for its own purposes, the Restaurant acts as an autonomous controller: we therefore invite you to consult its own privacy policy.
1. Definitions
To avoid repetition, capitalised terms have the meaning attributed to them in the Terms of Service (the “TOS”), available in the App and on the website www.dineit.it. In the event of any inconsistency between the TOS and this Privacy Policy, this Privacy Policy shall prevail with regard to matters relating to the processing of personal data.
2. What data we process
When you access or use the Services, we collect data directly from you, automatically from your device and, in some cases, from technical partners (e.g. payment providers, analytics, advertising) as described below.
2.1. Data you provide us
We will collect the following categories of data directly from you:
- contact data: first name, last name, e-mail, phone number;
- authentication data: login credentials (e-mail and password) or, if you choose access via Google, Apple or Facebook, the account data you authorise us to share (e.g. identifier, name, e-mail, profile picture);
- user-generated content: likes, restaurant follows and additions to favourites (without reviews or textual ratings);
- purchase and billing data: data necessary for invoicing (e.g. address, VAT number/tax code if required);
- booking data: chosen restaurant, date/time, number of covers, any notes for the booking;
- customer support and communications: content of requests, any attachments, conversation logs (and, if applicable, call recordings with appropriate notice);
- user-generated content: reviews and/or ratings, likes, restaurant follows and additions to favourites.
2.2. Data processed in relation to payments
Payments are handled through third-party providers (e.g. Stripe, Apple Pay or equivalents) who may process payment data (e.g. card number, IBAN, authentication instruments) as autonomous controllers or, depending on the contractual arrangements, as processors. In any case, you may consult the relevant provider's privacy policy.
As a rule, we do not store full card data; we may receive transaction outcomes and metadata (e.g. “payment successful”, transaction ID, amount, currency, date).
In the event of disputes, refunds or chargebacks, the Company handles the request and may process and exchange with the payment provider the information necessary (e.g. transaction identifiers, amount, date, reason for the dispute, outcome), as well as retain documentation useful for legal protection and compliance.
2.3. Technical and usage data
We will automatically collect the following categories of data from your device:
- device and network data: IP address, device identifiers, operating system, app version, language, user agent;
- logs and usage data: logins, in-app events, pages/screens viewed, errors, response times;
- security data: suspicious events, anomalous access attempts, anti-fraud indicators.
If you grant the relevant permission on your device, we may process location data (generally in approximate or “foreground” form) to:
- show you nearby restaurants;
- improve the relevance of results;
- prevent fraudulent use (in limited cases and with a short retention period).
You can disable geolocation from your device and/or App settings at any time. We do not process location data in the background.
2.4. Special categories of data
The use of our App and our Services does not involve the processing of special categories of data (e.g. allergies or dietary preferences). The User must communicate such needs directly to the Restaurant, which will process such data as an autonomous controller.
3. Why we ask for this data
Some personal data is necessary to create your account and use the Services (such as first name, last name, e-mail, phone number, booking details and payment data). Without this data we cannot allow you to register or make bookings through the platform.
Location data is optional: it is only used to show you, for example, restaurants near your location.
Data used for marketing purposes, experience personalisation or any communication to third parties is optional. If you choose not to provide it, you will still be able to use all DineIT Services normally.
4. Why we process data
Below we explain the purposes for which we use your personal data and the legal basis on which we rely.
4.1. Provision of Services and management of the contractual relationship
We process your personal data to enable you to use our Services correctly and completely. In particular, we use it to create and manage your account, allow you to purchase and use Discount Packages, make and manage Bookings, apply credits or discounts, send you communications strictly related to the service and provide you with customer support when you need it.
This processing is necessary for the performance of the contract you enter into with us when you use the App and is therefore based on art. 6(1)(b) GDPR.
4.2. Legal and tax obligations
Some of your data is processed to fulfil the legal obligations to which we are subject. This includes, for example, accounting and invoicing activities, tax and administrative obligations, the management of any disputes and, where applicable, compliance with anti-money laundering and fraud prevention obligations related to payment services provided by our partners (PSPs).
In these cases, the processing is based on compliance with a legal obligation pursuant to art. 6(1)(c) GDPR.
4.3. Security, fraud prevention and platform abuse
We also use personal data to ensure the security of the Services and Users. This includes activities such as protecting your account, preventing unauthorised access, detecting anomalous or abusive use of the platform (for example, recurring no-show patterns or misuse of Discount Packages) and, more generally, safeguarding our systems and community.
Such processing is based on our legitimate interest in maintaining a safe and reliable service (art. 6(1)(f) GDPR), carefully balanced against your rights and fundamental freedoms, and, where necessary, on legal obligations.
4.4. Analytics and service improvement
To continuously improve the App and the User experience, we may use data in aggregate or individual form to carry out statistical analyses, monitor Service performance, identify technical errors (debugging), improve usability and evaluate the effectiveness of our initiatives.
These activities are based, depending on the case, on our legitimate interest for analyses essential to the operation of the service (art. 6(1)(f) GDPR) or on your consent, when we use non-essential tools or third-party technologies (e.g. cookies) for which the applicable legislation requires it.
4.5. Direct marketing by the Company
With your consent, we may use your contact data to send you newsletters, promotional communications, surveys and information about initiatives and offers related to our Discount Packages and Services.
The legal basis for this processing is consent (art. 6(1)(a) GDPR). In some cases, we may also send communications relating to services similar to those already purchased, on the basis of soft spam rules (art. 130 d.lgs. 196/2003), without prejudice to your right to object at any time in a simple and immediate manner.
4.6. Sharing data with third parties for their marketing (optional)
Only if you choose to give specific consent, we may share some of your data with third-party partners so that they can send you their own commercial communications.
This processing is based exclusively on consent (art. 6(1)(a) GDPR) and failure to provide it does not in any way affect the ability to use our Services. Given the sensitivity of this purpose, we are committed to always keeping it clear, limited and transparent.
4.7. Personalisation and recommendations (if applicable)
We may use certain information about your use of the Services to suggest restaurants, offers or content that we believe are most in line with your interests and preferences.
This personalisation and recommendation processing is based exclusively on the consent you have given (art. 6(1)(a) GDPR) and is carried out through the use of specific technologies, including cookies. Consent is optional and may be withdrawn at any time, without affecting the ability to use the Services.
4.8. Automated decisions
In some cases, we may use automated processes to support the management of the Services (for example, to detect anomalous use or prevent fraud). Where such processes produce significant effects on your position (such as account blocking or material restrictions), we will adopt appropriate safeguards to protect your rights, including the possibility of requesting human intervention, within the limits and in accordance with art. 22 GDPR.
5. How we process data
Personal data is processed using IT tools and, where necessary, manual means, in compliance with the principles of lawfulness, fairness, transparency and security set out in the GDPR and Italian legislation.
We adopt appropriate technical and organisational measures to protect data from unauthorised access, loss or unlawful use.
6. Who we share data with
We share data only when necessary and with appropriate safeguards.
6.1. Restaurants
To manage your Booking, we share the necessary data with the Restaurant (e.g. name, contact details, booking details, any notes).
The Company remains the controller for the management of the App and the Services. The Restaurant is an autonomous controller for the management of its own relationship with the User (reception, compliance, management of allergies and dietary preferences, any communications of its own).
6.2. Suppliers
In order to provide the Services and ensure their proper functioning, we use certain external suppliers who support us in carrying out technical and operational activities.
These parties process personal data on our behalf and only to the extent necessary to perform the services entrusted to them, in compliance with the instructions we provide and the security measures required by applicable legislation.
By way of example, these suppliers include:
- cloud and hosting;
- customer care and ticketing;
- sending communications via e-mail, SMS or push notifications;
- analytics and crash monitoring services (if active);
- IT and security providers;
- accountants and legal advisors.
Such suppliers act, where applicable, as data processors pursuant to art. 28 GDPR.
Main providers: Google (Firebase Analytics, Crashlytics), Meta Platforms (Facebook Login, SDK), Stripe (payments), Apple (Sign in with Apple). Please refer to their respective privacy policies.
6.3. Payment providers
As indicated above, payment providers may act as autonomous controllers or processors, depending on the structure of the service.
6.4. Corporate operations and legal obligations
We may share data in the event of mergers, acquisitions, business transfers or to respond to legitimate requests from authorities.
We do not disclose your data to indeterminate parties.
6.5. Transfers outside the EU
Some providers may process data in non-EEA countries on the basis of Standard Contractual Clauses (SCC) or the EU-US Data Privacy Framework.
7. How long we retain data
We retain data for the time necessary for the purposes indicated:
- account and service usage: until account closure/deletion, unless further retention is necessary (e.g. security, litigation);
- purchases and tax/accounting data: up to 10 years (or a different period provided by applicable law);
- customer support: for the time necessary to handle the request and for an appropriate period for protection;
- marketing: until withdrawal of consent or objection;
- security/anti-fraud: for the strictly necessary time, with defined and proportionate retention.
8. Your rights
We inform you that, as a data subject, you may exercise the rights provided for in articles 15 to 22 of the Regulation, by writing to the Company at the following address [email protected].
In particular, you may:
- request and obtain information regarding the existence of your data held by the Company and regarding the personal data processing carried out by the Company, as well as obtain access to such data;
- request and receive, in a structured, commonly used and machine-readable format, your data that is processed by automated means; you may also request the transfer of such data to another controller;
- request and obtain the modification and/or correction of your data if you believe it to be inaccurate or incomplete;
- request and obtain the erasure – and/or the restriction of processing – of your data where it concerns data or information that is not necessary – or no longer necessary – for the purposes set out above and in any case in the circumstances provided for by law;
- withdraw consent previously given in the cases set out in this privacy policy.
We remind you that you may lodge a complaint regarding the processing of your data with the competent supervisory authority (in Italy, the Garante per la protezione dei dati personali).
9. Information about minors
The Services are not intended for persons under the age of 16. If we become aware that we have collected data from a minor without the necessary requirements, we will delete it.
