Privacy Policy

Last updated: April 4, 2026

1. Data Controller

The controller of personal data collected through resst.io, app.resst.io, and menu.resst.io is:

CC CODE Damian Kamiński
ul. Lilli Wenedy 15/30, 30-833 Kraków, Poland
VAT EU: PL6792950185
REGON: 381006639
Email: support@resst.io
Website: https://resst.io

The Controller takes special care to protect personal data and ensures that data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and applicable Polish law, including the Act of 10 May 2018 on the Protection of Personal Data (Dz.U. 2018, item 1000, as amended).

2. Data We Collect

Website visitors (resst.io): We automatically collect technical data such as IP address, browser type, operating system, pages visited, referral source, and visit duration. This data is collected through self-hosted analytics (Plausible Analytics) and, with your consent, advertising pixels (Meta Pixel, Google Ads).

Public Menu visitors (menu.resst.io): When restaurant guests view a Public Menu, we collect minimal technical data (IP address, browser type) necessary for delivering the service. With your consent, advertising cookies may be set for conversion measurement purposes. No account registration is required.

Registered users (app.resst.io): When you create an account, we collect your email address, first and last name, restaurant name, and language preferences. As part of providing the service, we also process menu content, categories, menu items, photos, and translations entered by the user.

Payment data: Payments are processed by our external payment provider Creem (creem.io). We do not store credit card numbers or sensitive financial information on our servers. We receive from Creem: transaction identifiers, subscription status, and billing amounts for accounting purposes.

Providing personal data is voluntary but may be necessary to use certain features of the Service (account registration, subscribing to a plan, contacting us).

3. Processing Purposes and Legal Bases

Personal data is processed for the following purposes:

  • Performance of a contract (Art. 6(1)(b) GDPR) - account registration, providing the menu management service, processing subscriptions and payments.
  • Legal obligations (Art. 6(1)(c) GDPR) - maintaining tax and accounting records, issuing invoices, complying with data retention requirements.
  • Legitimate interests (Art. 6(1)(f) GDPR) - website traffic analysis using privacy-friendly analytics (Plausible), ensuring service security, establishing or defending legal claims, marketing our own services via email to existing users.
  • Consent (Art. 6(1)(a) GDPR) - use of advertising cookies and pixels (Meta Pixel, Google Ads) for conversion tracking and remarketing, sending marketing communications via email to non-users. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Data Recipients (Sub-processors)

Personal data may be shared with the following categories of recipients, who act as sub-processors or independent controllers as indicated:

  • Creem (creem.io) - payment and subscription processing (sub-processor)
  • Amazon Web Services (AWS) - application hosting, file storage (S3), email delivery (SES) (sub-processor, EU region: eu-central-1)
  • Hetzner - database and application server hosting (sub-processor, EU region: Falkenstein/Nuremberg, Germany)
  • Cloudflare - website hosting (Cloudflare Pages), DNS, and CDN for resst.io (sub-processor)
  • Plausible Analytics - privacy-friendly traffic analytics, self-hosted on our infrastructure (no personal data leaves our servers, no cookies used) (no data sharing)
  • Meta (Facebook) - advertising measurement (Meta Pixel), only with user consent (independent controller)
  • Google - advertising measurement (Google Ads, Google Tag), only with user consent (independent controller)
  • DeepL - automatic translation of menu item names (only menu text is transmitted, no personal data) (sub-processor)
  • Anthropic - automatic translation of menu item descriptions using Claude (only menu text is transmitted, no personal data) (sub-processor)
  • Government authorities as required by applicable law

5. International Data Transfers

As a general rule, personal data is stored and processed within the European Economic Area (EEA). However, some of our service providers (Meta, Google, Anthropic, AWS, Cloudflare) may process data on servers located in the United States. In such cases, data transfers are carried out based on:

  • European Commission adequacy decisions, including the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795)
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • Other appropriate safeguards as provided for under Chapter V of the GDPR

You may request information about the specific safeguards applied to transfers of your data by contacting us at support@resst.io.

6. Data Retention

  • User account data - retained for the duration of account activity. After account deletion, data is anonymized within 30 days and content (menus, categories, items) is permanently removed.
  • Billing and tax data - retained for 5 years from the end of the tax year in which the transaction took place, in accordance with Polish accounting regulations (Ordynacja podatkowa, Art. 86 § 1).
  • Advertising cookies - Meta Pixel cookies (_fbp): up to 90 days; Google Ads cookies (_gcl_aw, _gcl_au): up to 90 days. Retention periods are set by Meta and Google respectively.
  • Analytics data (Plausible) - aggregated and anonymized; no personal data is stored. Plausible Analytics is self-hosted and does not use cookies.
  • Contact and complaint data - retained for the period necessary to handle the inquiry or complaint, no longer than 12 months, unless retention is required for establishing or defending legal claims.

7. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right of access (Art. 15) - you may obtain information about processed data and receive a copy of your personal data.
  • Right to rectification (Art. 16) - you may request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17, "right to be forgotten") - you may request deletion of your data when it is no longer necessary for processing purposes.
  • Right to restriction of processing (Art. 18) - you may request restriction of processing in certain circumstances.
  • Right to data portability (Art. 20) - you may receive your data in a structured, commonly used, and machine-readable format (JSON/CSV) and transfer it to another controller.
  • Right to object (Art. 21) - you may object to processing based on the controller's legitimate interest, including profiling and direct marketing. Where you object to processing for direct marketing purposes, your data will no longer be processed for such purposes.
  • Right to withdraw consent (Art. 7(3)) - at any time, without affecting the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint - you may file a complaint with the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland (uodo.gov.pl), or with your local supervisory authority if you reside in another EU/EEA Member State.

To exercise your rights, please contact us at support@resst.io. We will respond to your request without undue delay, and in any event within one month of receipt of the request. If the complexity or number of requests warrants it, this period may be extended by a further two months, of which you will be informed within the initial one-month period together with the reasons for the delay.

The exercise of these rights is free of charge, unless the requests are manifestly unfounded or excessive, in which case the Controller may charge a reasonable fee or refuse to act on the request, in accordance with Art. 12(5) GDPR.

8. Automated Decision-Making and Profiling

The Service does not subject Users to automated decision-making, including profiling, that produces legal effects or similarly significantly affects them within the meaning of Article 22 of the GDPR.

However, if you have consented to advertising cookies, third-party services (Meta, Google) may use your data for profiling purposes in order to display personalized advertisements. This profiling is carried out by Meta and Google as independent controllers under their own privacy policies. You may opt out of such profiling at any time by withdrawing your cookie consent or adjusting your ad preferences directly with Meta and Google.

9. Cookies

resst.io and its subdomains use cookies for the following purposes:

  • Essential cookies - ensuring proper functioning of the website and application (login session, language preferences, CSRF protection). Legal basis: legitimate interest (Art. 6(1)(f) GDPR). These cookies are necessary and cannot be disabled.
    Retention: session duration or up to 30 days.
  • Analytics - Plausible Analytics (privacy-friendly, does not use cookies, does not collect personal data, self-hosted). Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
  • Advertising cookies - set only after you give explicit consent via the cookie consent banner:
    • Meta Pixel: _fbp (retention: 90 days), _fbc (retention: 90 days) - used to measure advertising campaign effectiveness and remarketing.
    • Google Ads: _gcl_aw (retention: 90 days), _gcl_au (retention: 90 days) - used to measure advertising campaign effectiveness and remarketing.
    Legal basis: user consent (Art. 6(1)(a) GDPR, Art. 5(3) ePrivacy Directive 2002/58/EC).

Advertising cookies are shared across resst.io subdomains (resst.io, app.resst.io, menu.resst.io) to ensure consistent conversion measurement.

You can manage your cookie preferences at any time through the cookie consent banner (available via the "Cookie Settings" link in the footer) or through your browser settings. Disabling essential cookies may limit the functionality of the Service. Withdrawing consent does not affect cookies already stored - you may delete existing cookies through your browser settings.

10. Security Measures

We implement appropriate technical and organizational measures to protect personal data, in accordance with Article 32 of the GDPR, including:

  • Data transmission encryption (TLS 1.2+ / HTTPS)
  • Password hashing using the BCrypt algorithm
  • Regular encrypted database backups
  • Restricted data access based on the principle of least privilege
  • System access monitoring and security logging
  • User sessions bound to IP address and browser identifier
  • Regular security reviews and updates of dependencies

In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of individuals, we will notify the affected Users without undue delay, in accordance with Article 34 of the GDPR, and report the breach to the supervisory authority within 72 hours in accordance with Article 33 of the GDPR.

11. Automatic Translations and Personal Data

resst.io uses external APIs for automatic translation of menu content (DeepL for names, Anthropic Claude for descriptions). The content sent to these services consists solely of menu item names and descriptions - it does not contain any user personal data. Translations are stored on our servers and are not shared with third parties.

In accordance with Regulation (EU) 2024/1689 (AI Act), we inform you that these translations are generated by artificial intelligence systems. Users retain full control over all translations and may edit or replace them at any time.

12. Changes to This Privacy Policy

The Controller reserves the right to amend this Privacy Policy to reflect changes in applicable law, our processing activities, or security practices. Material changes will be communicated via email (to the address provided during registration) with at least 14 days' advance notice. The current version of this Privacy Policy is always available at resst.io/privacy.

13. Contact

For matters related to personal data protection, please contact us:

CC CODE Damian Kamiński
ul. Lilli Wenedy 15/30, 30-833 Kraków, Poland
Email: support@resst.io

We aim to respond to all data protection inquiries within 48 hours on business days.