Data Processing Addendum
Last updated: 18 June 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Webcandy FZ ("Foodix", "Processor") and the Venue ("Controller") and applies where Foodix processes personal data relating to the Venue's diners and staff on the Venue's behalf. Where this DPA conflicts with the Terms, this DPA prevails for data-protection matters.
1. Roles & scope
For diner personal data processed through the Venue's menus, ordering, payments, reservations and loyalty, the Venue is the controller and Foodix is the processor. Foodix is an independent controller for service-operation, security and aggregated analytics, and for its own business-user and website-visitor data, as described in the Privacy Policy. This DPA applies to "Applicable Data Protection Law", including the UAE PDPL (Federal Decree-Law No. 45 of 2021), EU/UK GDPR, and other laws where relevant.
2. Processing details
- Subject-matter & duration: provision of the Foodix Service for the term of the Terms.
- Nature & purpose: hosting, displaying menus, processing orders/payments/reservations, running loyalty, support, security and analytics.
- Data subjects: the Venue's diners, guests and staff.
- Categories of data: identifiers and contact details, order/reservation details, dietary/allergy preferences, loyalty activity, device/usage data; no full card numbers are processed by Foodix.
3. Foodix's obligations
- Process personal data only on the Venue's documented instructions (including the Terms and use of the Service), unless required by law.
- Ensure persons authorised to process data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Section 5).
- Assist the Venue, taking into account the nature of processing, with data-subject requests, security, breach notification and impact assessments.
- Make available information needed to demonstrate compliance.
4. Sub-processors
The Venue provides general authorisation for Foodix to engage sub-processors to provide the Service. A current list is maintained on our Sub-processors page. We impose data-protection obligations on each sub-processor no less protective than this DPA and remain responsible for their performance. We will give notice of intended changes and allow the Venue a reasonable period to object on reasonable data-protection grounds.
5. Security
Foodix maintains measures appropriate to the risk, including encryption in transit and at rest, access controls and least-privilege, network protections, logging and monitoring, backups, and regular review, and requires sub-processors to do the same.
6. Data-subject requests
Foodix will, where the Venue cannot do so itself through the dashboard, provide reasonable assistance to help the Venue respond to requests from data subjects to exercise their rights, and will promptly forward any such request it receives directly.
7. Personal-data breach
Foodix will notify the Venue without undue delay after becoming aware of a personal-data breach affecting the Venue's data, with information reasonably available to assist the Venue in meeting its own notification obligations.
8. International transfers
Where personal data is transferred across borders, Foodix uses an appropriate transfer mechanism required by Applicable Data Protection Law, such as the EU Standard Contractual Clauses and the UK Addendum, which are incorporated by reference where they apply.
9. Audits
Foodix will make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Venue or an auditor it mandates, on reasonable prior notice, subject to confidentiality and not more than once per year unless required by a supervisory authority.
10. Return & deletion
On termination of the Service, Foodix will, at the Venue's choice, delete or return the Venue's personal data and delete existing copies, except where retention is required by law. A reasonable retrieval window applies as described in the Terms.
11. Liability & contact
Each party's liability under this DPA is subject to the limitations of liability in the Terms. To request a countersigned copy of this DPA or to raise a data-protection matter, contact letstalk@foodix.io.