Data Processing Addendum

1. Roles & scope

For diner personal data processed through the Venue's menus, ordering, payments, reservations and loyalty, the Venue is the controller and Foodix is the processor. Foodix is an independent controller for service-operation, security and aggregated analytics, and for its own business-user and website-visitor data, as described in the Privacy Policy. This DPA applies to "Applicable Data Protection Law", including the UAE PDPL (Federal Decree-Law No. 45 of 2021), EU/UK GDPR, and other laws where relevant.

2. Processing details

3. Foodix's obligations

4. Sub-processors

The Venue provides general authorisation for Foodix to engage sub-processors to provide the Service. A current list is maintained on our Sub-processors page. We impose data-protection obligations on each sub-processor no less protective than this DPA and remain responsible for their performance. We will give notice of intended changes and allow the Venue a reasonable period to object on reasonable data-protection grounds.

5. Security

Foodix maintains measures appropriate to the risk, including encryption in transit and at rest, access controls and least-privilege, network protections, logging and monitoring, backups, and regular review, and requires sub-processors to do the same.

6. Data-subject requests

Foodix will, where the Venue cannot do so itself through the dashboard, provide reasonable assistance to help the Venue respond to requests from data subjects to exercise their rights, and will promptly forward any such request it receives directly.

7. Personal-data breach

Foodix will notify the Venue without undue delay after becoming aware of a personal-data breach affecting the Venue's data, with information reasonably available to assist the Venue in meeting its own notification obligations.

8. International transfers

Where personal data is transferred across borders, Foodix uses an appropriate transfer mechanism required by Applicable Data Protection Law, such as the EU Standard Contractual Clauses and the UK Addendum, which are incorporated by reference where they apply.

9. Audits

Foodix will make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Venue or an auditor it mandates, on reasonable prior notice, subject to confidentiality and not more than once per year unless required by a supervisory authority.

10. Return & deletion

On termination of the Service, Foodix will, at the Venue's choice, delete or return the Venue's personal data and delete existing copies, except where retention is required by law. A reasonable retrieval window applies as described in the Terms.

11. Liability & contact

Each party's liability under this DPA is subject to the limitations of liability in the Terms. To request a countersigned copy of this DPA or to raise a data-protection matter, contact letstalk@foodix.io.