Privacy Policy

Last updated: 5 June 2026

1. Who we are

ChatATable is a WhatsApp booking service for restaurants, operated by Waives Analytics Ltd, based in Baldock, Hertfordshire, United Kingdom. We are the data controller for personal data processed through this website and dashboard. For diner data processed through a restaurant's WhatsApp number, the restaurant is the controller and ChatATable is the processor.

You can contact us at neil@chatatable.com.

2. What data we collect

From diners (people booking a table)

  • WhatsApp phone number (from the inbound message)
  • Name (as you provide it during the booking)
  • Booking details: date, time, party size, special requests
  • The content of WhatsApp messages you send to the restaurant

From restaurants

  • Business name and address
  • Owner name, phone number, and email
  • Opening hours, capacity, and operational settings
  • Dashboard login credentials (password stored as a bcrypt hash, never in plain text)

From this website

  • Basic analytics (page views, referrer, device type) — only with your consent
  • Marketing pixel data — only with your consent
  • A session cookie if you log in to the restaurant dashboard

3. How we use it

  • Taking, modifying, and cancelling restaurant bookings
  • Sending booking confirmations and day-before reminders via WhatsApp
  • Notifying restaurant owners about new bookings, cancellations, and issues
  • Operating the restaurant dashboard
  • Detecting and preventing abuse (rate limiting, blocking spam numbers)
  • Improving the service (analysing aggregated booking patterns)

4. Legal basis (UK GDPR)

  • Legitimate interest — for processing diner messages and bookings. You initiate contact by messaging the restaurant, and you have a clear expectation that we will respond and take your booking.
  • Contract — for providing the booking service and dashboard to restaurants.
  • Consent — for analytics cookies and marketing pixels on this website. You can change your choice at any time using the cookie banner.
  • Legal obligation — for keeping records required by tax or accounting law.

5. Who we share data with

We use a small number of trusted service providers to operate ChatATable:

  • Twilio— sends and receives WhatsApp messages on the restaurant's behalf. Twilio processes phone numbers and message content.
  • Meta (WhatsApp)— delivers messages to your WhatsApp account. Meta's own privacy policy applies to WhatsApp itself.
  • Anthropic / OpenRouter — provides the AI model that drafts booking replies. Message content is sent to the model to generate a response, then discarded by the provider; it is not used to train models.
  • Supabase — hosts our PostgreSQL database in the European Union.
  • Vercel — hosts the web application.
  • The restaurant you are booking with — receives your booking details so they can hold your table.

We do not sell personal data, and we do not share it for advertising purposes.

6. Where data is stored

Booking and message data is stored in the European Union (Supabase). Some processing happens in the United States via Twilio (message delivery) and Anthropic (AI responses). Where data leaves the UK or EU, we rely on Standard Contractual Clauses or the UK's equivalent transfer mechanisms.

7. How long we keep it

  • Booking records: 24 months after the booking date, then deleted
  • WhatsApp message history: 6 months from the last message in a conversation
  • Restaurant accounts: for as long as the restaurant uses the service, plus 12 months
  • Server logs (with phone numbers masked): 30 days

You can ask us to delete your data sooner — see "Your rights" below.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Have inaccurate data corrected
  • Have your data deleted ("right to be forgotten")
  • Restrict or object to how we use your data
  • Receive a copy of your data in a portable format
  • Withdraw consent for analytics and marketing cookies at any time
  • Complain to the Information Commissioner's Office (ico.org.uk)

To exercise any of these rights, email neil@chatatable.com from the email address or phone number tied to the data. We respond within 30 days.

9. Cookies

This site uses three categories of cookies:

  • Essential — required for the dashboard login session. Always on.
  • Analytics — Google Analytics, only with consent.
  • Marketing — Meta Pixel, only with consent.

You can change your cookie choices at any time via the banner that appears on first visit, or by clearing this site's cookies in your browser.

10. Security

We use industry-standard measures to protect personal data: TLS for data in transit, encryption at rest in our database, Row-Level Security on every database table, bcrypt password hashing, signed webhooks, rate limiting, and least-privilege access for service accounts. No system is perfectly secure, so we also keep retention periods short to limit the impact of any incident.

11. AI-generated replies

The first response you receive on WhatsApp tells you that you are messaging an AI booking assistant on behalf of the restaurant. The AI handles bookings, modifications, cancellations, and general queries. If your message is outside what the AI can handle, it passes the conversation to the restaurant team. Your messages are sent to our AI provider to generate a reply; they are not used to train the underlying model.

12. Children

ChatATable is intended for adults making restaurant bookings. We do not knowingly collect data from children under 13. If you believe a child has used the service to send a message, contact us and we will delete the data.

13. Changes to this policy

We may update this policy as the service evolves. The "last updated" date at the top reflects the most recent change. Material changes will be flagged on the homepage.

14. Contact

Questions, data requests, or complaints: neil@chatatable.com.