Language

🇬🇧

English

🇵🇱

Polski

🇱🇹

Lietuvių

🇩🇪

Deutsch

🇪🇸

Español

🇷🇺

Русский

Privacy Policy

Last updated: 21 April 2026

1. Who we are

The Dinn platform (available at dinn.app) is operated by:

  • Artsiom Khamiakou, sole proprietor registered in Poland

  • Address: ul. Straganiarska 20/22/35, 80-837 Gdańsk, Poland

  • NIP: 8982278013

  • General contact: info@dinn.app

  • Data protection contact: privacy@dinn.app

  • In this Privacy Policy, "Dinn", "we", "us" and "our" refer to the above entity. We have not appointed a Data Protection Officer — all privacy matters are handled via the address above.

2. Scope of this Policy

This Policy explains how we process personal data when:

  • a venue owner, their staff or an authorised representative registers or uses a Dinn account ("B2B Users");

  • a restaurant guest, hotel guest or other end-customer uses a venue's Dinn-powered digital menu, places an order, makes a payment or leaves a review ("Guests");

  • a visitor submits a demo or contact form on dinn.app.

3. Our role (controller vs processor)

  • For B2B Users, Dinn is the data controller.

  • For Guests, Dinn generally acts as data processor on behalf of the venue that operates the premises. The venue is the controller of guest data generated at its premises. The terms of that processing are governed by the Data Processing Agreement concluded with the venue.

  • For some limited processing — such as platform security, fraud prevention, abuse detection, and reviews directed at the platform as a whole — Dinn acts as data controller even with respect to Guest data.

4. What personal data we process

    4.1 B2B User accounts

  • Identity and contact: name, email address, phone number

  • Role in the venue, company association

  • Authentication data: Firebase user identifier, hashed confirmation and password-reset codes

  • Device / push data: Firebase Cloud Messaging (FCM) tokens, device identifier, platform, push-notification preferences

  • Operational metadata: account creation and update timestamps, login events

    4.2 Venue business data

  • Legal business name, VAT ID (NIP), business registration number, billing address, billing and invoice email addresses

  • Venue geolocation coordinates

  • Stripe Connect account identifier

  • Venue Wi-Fi credentials (stored encrypted)

  • Third-party analytics identifiers configured by the venue (Google Tag Manager, Google Analytics, Meta Pixel)

  • Where the venue is a natural person (sole trader), some of the above may constitute personal data.

    4.3 Guest data (processed on behalf of venues)

  • Session: UUID session identifier, IP address, company identifier, table and waiter identifiers, session start timestamp, associated order identifiers

  • Orders: items ordered, customer notes, payment intent reference, table number

  • Delivery orders (where the venue offers delivery): guest name, phone number, delivery address

  • Reviews: rating, comment, optional name, optional email address (used solely to notify the Guest of a venue reply)

  • Guest FCM tokens, where the Guest opts into push notifications

    4.4 Demo / lead form submissions

  • Name, email, phone, country, venue name, links, and free-text comments provided through the form on dinn.app.

5. Purposes and legal bases

  • Account management and Service delivery — Art. 6(1)(b) – performance of contract

  • Transactional emails (verification, invites, password reset) — Art. 6(1)(b) – performance of contract

  • Processing guest orders, payments, reviews on behalf of venues — Art. 6(1)(b) – contract with the venue; Dinn acts as processor

  • Storing guest IP addresses in session records — Art. 6(1)(f) – legitimate interest (fraud prevention, service integrity, troubleshooting)

  • Retaining accounting records for paid orders and invoices — Art. 6(1)(c) – legal obligation (Polish Accounting Act, VAT Act, General Tax Code)

  • Push notifications to B2B Users and Guests — Art. 6(1)(a) – consent

  • Optional Guest review-reply email notification — Art. 6(1)(a) – consent

  • Demo / lead form submissions — Art. 6(1)(a) – consent

  • Third-party analytics on venue public pages (GTM, GA, Meta Pixel) — Art. 6(1)(a) – consent, obtained by the venue as controller

  • Platform security, abuse and fraud prevention — Art. 6(1)(f) – legitimate interest

6. Recipients and sub-processors

We share personal data only with trusted service providers bound by written data-processing agreements. Our current sub-processors are:

  • Google / Firebase (Google Ireland Ltd.) — Authentication, push notifications — EU (Firebase region: eur3 / europe-west)

  • Amazon Web Services EMEA SARL — File storage (S3), session store (DynamoDB) — eu-central-1 (Frankfurt, Germany)

  • Stripe Payments Europe Ltd. — Payment processing, Connect onboarding / KYC — EU and United States

  • Mailgun Technologies Inc. (EU) — Transactional email delivery — EU (api.eu.mailgun.net)

  • Google Cloud EMEA Ltd. – Cloud Translate — Menu translation — EU

  • Hetzner Online GmbH (Redis) — Connection / cache storage — Falkenstein, Germany

  • MongoDB hosting provider — Main application database — EU

  • A current list of sub-processors is maintained and is provided to B2B Users on request. We do not sell personal data.

7. International transfers

Where personal data is transferred outside the European Economic Area (for example, to Stripe Payments Inc. in the United States for certain processing), transfers are carried out under Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914) together with any supplementary safeguards required under applicable case law.

8. Retention

  • B2B User accounts (active): For the duration of the contract

  • B2B User accounts (after termination): 6 years after contract end (Polish civil law claims period)

  • Firebase user records for B2B Users: Deleted when the B2B account is deleted

  • Guest orders with payment data: 5 years from the end of the calendar year of the transaction

  • Guest delivery details (name, phone, address): 90 days after fulfilment of the order

  • Guest sessions, including IP address: 90 days (enforced by DynamoDB TTL)

  • Guest reviews: 3 years, or until deletion is requested

  • Redis cache / connection state: 24 hours

  • Demo / lead form submissions: 12 months

  • FCM device tokens: Until the device unregisters or the account is deleted

  • S3 venue assets: Until the venue deletes them or the account ends

9. Your rights

Under GDPR you have the right to:

  • Access your personal data (Art. 15)

  • Rectify inaccurate or incomplete data (Art. 16)

  • Erase your data ("right to be forgotten") (Art. 17), subject to legal retention obligations

  • Restrict processing (Art. 18)

  • Object to processing based on legitimate interests (Art. 21)

  • Data portability in a structured, commonly-used, machine-readable format (Art. 20)

  • Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal (Art. 7(3))

  • Lodge a complaint with the Polish Data Protection Authority

  • To exercise any right, write to privacy@dinn.app. Guests should include the session identifier visible on their order confirmation. We respond within one month (extendable by two further months for complex requests, with notice).

  • The Polish supervisory authority is: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl

10. Security

We apply appropriate technical and organisational measures to protect personal data, including:

  • TLS encryption for data in transit

  • Hashed storage of authentication codes (SHA-256)

  • Access controls, role-based permissions and audit logging

  • Encryption of Wi-Fi credentials and similar sensitive operational data

  • Firebase-managed identity and password security

  • Regular backups and access review

  • Pseudonymisation of guest sessions (UUID identifiers)

  • No system is completely secure; we continuously improve our measures and will notify affected individuals and the supervisory authority of data breaches as required by Art. 33–34 GDPR.

11. Automated decision-making

We do not carry out automated individual decision-making (including profiling) that produces legal or similarly significant effects on data subjects.

12. Children

The B2B side of Dinn (venue accounts) is available only to persons aged 18 and over. The Guest side does not have a minimum age requirement, but we process only the minimum data required to place an order or leave a review; where a payment involves a payment card or similar instrument, the issuer's age requirements apply.

13. Cookies and tracking

We use only strictly necessary cookies and similar technologies on dinn.app to deliver the Service. Individual venues may enable their own analytics and marketing tags (Google Tag Manager, Google Analytics, Meta Pixel) on their public menu pages — where this is done, the venue is the controller and responsible for obtaining Guest consent. See our separate Cookie Policy for details.

14. Changes to this Policy

We may update this Privacy Policy from time to time. The current version is always available at dinn.app/privacy. Material changes affecting B2B Users will be communicated by email at least 14 days in advance.

15. Contact

  • Privacy matters and data subject requests: privacy@dinn.app

  • General inquiries: info@dinn.app

  • Postal address: Artsiom Khamiakou, ul. Straganiarska 20/22/35, 80-837 Gdańsk, Poland