Privacy Policy

This policy covers three groups of people:

• Restaurant operators — businesses that sign up for an oliiva account.
• Restaurant staff — employees added to a restaurant account by the operator.
• End-clients — individuals who subscribe to meal plans offered by a restaurant on oliiva.

Account data

Name, email address, and hashed password when you create an account or are invited to one. Restaurant operators also provide a restaurant name and URL slug.

Usage data

Pages visited, features used, timestamps of key actions (e.g. meal selection, payment). Collected to improve the product and diagnose issues.

Payment data

oliiva does not store card numbers. Payments are processed by Stripe (PCI DSS Level 1). We receive and store only a Stripe Customer ID, payment status, and invoice metadata.

Communication data

If you contact us by email or submit a demo request, we store your message and contact details to respond to you.

Technical data

IP address, browser type, and device type, collected automatically via server logs. Retained for 90 days for security and debugging purposes.

• Provide the service — run your restaurant account, process orders, send notifications.
• Billing — charge subscription fees, issue invoices, process refunds.
• Security — detect fraud, investigate incidents, enforce rate limits.
• Product improvement — understand how features are used; we aggregate and anonymise before analysis.
• Legal compliance — respond to lawful requests from authorities.

We do not sell your data. We do not use your data for advertising.

We share personal data only with the following sub-processors:

• Supabase — database hosting (Frankfurt, EU).
• Stripe — payment processing (US/EU, PCI DSS Level 1).
• Cloudflare — CDN, DDoS protection, WAF (US, EU adequacy).
• Wise — bank transfer settlement for operators who opt in.

All sub-processors are bound by data processing agreements. No data is shared with third parties for marketing.

• Account data: retained while the account is active, plus 30 days after deletion request.
• Invoice and payment records: 7 years (legal obligation).
• Server logs: 90 days.
• Demo request data: 2 years, or until you ask us to delete it.

If you are in the EU or UK, you have the right to:

• Access — receive a copy of the personal data we hold about you.
• Rectification — correct inaccurate data.
• Erasure — request deletion of your data ("right to be forgotten").
• Portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent.

To exercise these rights, email privacy@oliiva.com. We will respond within 30 days.

We use only functional cookies necessary to keep you logged in. We do not use advertising or tracking cookies. A session cookie is set on login and expires when you close your browser or after 24 hours of inactivity.

See our Security page for a full description of the technical and organisational measures we use to protect your data.

We may update this policy when we add new features or change our data practices. Material changes will be communicated by email to account owners at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.

Data controller: oliiva OÜ (Estonia)
Email: privacy@oliiva.com
For security issues: security@oliiva.com