Privacy Policy
1. Introduction
This Privacy Policy explains how Rubycode d.o.o. processes personal data in connection with the Reservista web application for hospitality reservation management. The Policy applies to visitors of reservista.app, users of Reservista (hospitality businesses), and the guests of those businesses whose data is entered into the system. By accessing Reservista you confirm that you have read this Policy.
2. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
- Rubycode d.o.o.
- Jukićeva 6, 10000 Zagreb, Republic of Croatia
- OIB (Croatian tax ID): 34979704560
- Data protection contact: info@reservista.app
- Phone: +385 99 351 3642
Given the scale of processing, Rubycode d.o.o. is not required to appoint a Data Protection Officer (DPO). All privacy questions are handled via the contact address above.
3. Our Dual Role: Controller and Processor
Reservista has two distinct roles under GDPR depending on whose data is being processed:
- Controller – For data concerning Reservista users (employees and managers of hospitality businesses) and visitors to reservista.app, we ourselves determine the purposes and means of processing.
- Processor – For data about guests that Reservista users enter into the system (names, contact details, special requests), the controller is the hospitality business itself. We process such data exclusively on their instructions, under a Data Processing Agreement (DPA), for the purpose of providing the Service.
A separate Data Processing Agreement (DPA) under Article 28 of GDPR is concluded with hospitality businesses on request and forms an integral part of our contractual relationship with them.
4. What Personal Data We Collect
We collect different categories of data depending on your relationship with Reservista:
User data (employees and managers of hospitality businesses)
- first and last name, email address, phone number;
- name of the hospitality business, OIB, address;
- username, password (stored only in cryptographically secure form);
- role within the team (e.g., manager, waiter);
- technical usage data (IP address, browser type, sign-in date and time) — for security and abuse detection.
Guest data (entered by hospitality businesses)
- first and last name, phone number, email address;
- reservation details: date, time, party size, table, special requests;
- history of reservations at the same venue, ratings and comments left by the guest through Reservista, if any;
- no-show, cancellation, and deposit data, if tracked by the venue.
Visitor data (reservista.app)
- data submitted via the contact form (name, email, restaurant name, message);
- minimal technical data needed for site operation (IP address, browser type).
Payment data
- billing data (company name, OIB, address) — stored by us due to legal obligations;
- payment instrument data (card number, CVC) is not stored by us — it is processed directly by our payment provider, who is PCI DSS certified.
5. Purposes of Processing and Legal Bases
We process personal data only for the purposes listed below, each with a corresponding legal basis under Article 6 of GDPR:
- Providing the Service (running the system, sending reservation confirmations and reminders, enabling sign-in) — legal basis: contract performance (Art. 6(1)(b) GDPR).
- Billing, invoicing, and tax obligations — legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR) under the Croatian VAT Act and Accounting Act.
- System security and abuse prevention (sign-in logs, suspicious activity detection) — legal basis: legitimate interest (Art. 6(1)(f) GDPR) in protecting our Service and Users.
- Communicating with the User about Account status, Service updates, and security notices — legal basis: contract performance (Art. 6(1)(b) GDPR).
- Marketing communications to Users (newsletter, feature announcements) — legal basis: consent (Art. 6(1)(a) GDPR) or legitimate interest (Art. 6(1)(f)); consent can be withdrawn at any time.
- Processing of guest data on behalf of a hospitality business (reservations, reminders, campaigns, feedback collection) — the legal basis is determined by the venue itself as the controller; we act as processor.
- Responding to inquiries sent via the contact form — legal basis: legitimate interest in responding to information requests.
6. Recipients and Subprocessors
We do not sell your personal data to third parties. To deliver the Service we rely on carefully selected subprocessors who process data on our behalf, under contracts containing standard data protection clauses. Current subprocessors are:
- DigitalOcean / Hatchbox — application and database hosting. Processing takes place in a data center in Frankfurt, Germany (EU).
- Resend (Resend Inc., USA) — sending of transactional emails (confirmations, reminders, feedback requests). Email content is processed in the Ireland region (EU). Transfers to the US headquarters are governed by EU-US Standard Contractual Clauses.
- Twilio (Twilio Inc., USA) — sending of SMS reminders for users who have enabled this feature. Transfers to the US are governed by EU-US Standard Contractual Clauses.
- Amazon Web Services (AWS) — storage of attached files (e.g., restaurant profile photos). Processing takes place in the Ireland region (EU).
Apart from the listed subprocessors, we may disclose your data to public authorities only when expressly required by law (e.g., court order, tax inspection).
7. International Data Transfers
Processing of personal data takes place primarily in data centers within the European Economic Area (EEA). Certain subprocessors (Resend, Twilio) are headquartered in the United States. For all such transfers we apply Standard Contractual Clauses approved by the European Commission, ensuring a level of protection equivalent to that within the EEA.
8. Data Retention
We keep personal data only as long as needed for the purpose for which it was collected, or as required by law:
- Active Account data and associated Content — for the duration of the contract.
- Content after contract termination — 30 days for export purposes, then permanently deleted.
- Invoicing and tax records — 11 years from issuance, in accordance with the Croatian VAT Act and General Tax Act.
- Security and log records — at most 90 days, except in case of incident investigation.
- Contact form correspondence — 24 months from the last correspondence.
- Guest data — kept according to the instructions of the hospitality business as controller. On a guest's request we forward the request to the venue and execute it on their behalf.
9. Data Security
We implement organizational and technical measures appropriate to the processing risk, including:
- encryption of data in transit (HTTPS / TLS);
- encryption of data at rest for database backups;
- passwords stored only in cryptographically secure form (bcrypt);
- access control on the principle of least privilege (role-based access);
- regular backups and recovery testing;
- monitoring of security updates and timely patching of vulnerabilities.
In case of a personal data breach that poses a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority (AZOP) within 72 hours, and if necessary the affected individuals, in accordance with Articles 33 and 34 of GDPR.
10. Your Rights Under GDPR
As a data subject you have the following rights under GDPR:
- Right of access – obtain confirmation whether we process your data and a copy of that data.
- Right to rectification – request correction of inaccurate or completion of incomplete data.
- Right to erasure ("right to be forgotten") – request deletion of data when it is no longer needed for the original purpose.
- Right to restriction of processing – request restriction of processing in certain circumstances.
- Right to data portability – receive your data in a structured, machine-readable format and transmit it to another controller.
- Right to object – object to processing based on legitimate interest, including direct marketing.
- Right to withdraw consent – withdraw a previously given consent at any time, without affecting the lawfulness of earlier processing.
- Right to lodge a complaint with the supervisory authority – file a complaint with the Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb, https://azop.hr.
11. How to Exercise Your Rights
To exercise any of the listed rights, please contact us at info@reservista.app. We will respond to your request without undue delay and at the latest within one month of receipt, with a possible two-month extension in justified cases. If you find that we have not acted in accordance with your rights, you have the right to file a complaint with the Croatian Personal Data Protection Agency (AZOP).
Note for guests of hospitality businesses: since the controller of your data is the hospitality business itself, requests regarding your reservations should primarily be addressed to them. We will promptly forward the request and execute it on the technical side.
12. Cookies
Reservista uses only essential cookies needed for the Service to function — for example for sign-in and language selection. We do not use advertising, profiling, or cross-site tracking cookies. Since the cookies are strictly necessary, no explicit consent is required under applicable law, but you may delete them at any time in your browser settings.
13. Automated Decision-Making
Reservista does not make decisions producing legal effects concerning you based solely on automated processing, including profiling, within the meaning of Article 22 of GDPR.
14. Children
Reservista is not intended for individuals under 16 years of age and we do not knowingly collect children's personal data. If we become aware that such data has been entered without appropriate consent, we delete it without delay.
15. Changes to This Privacy Policy
We may update this Policy from time to time for legal compliance, additional functionality, or new subprocessors. We will notify you of material changes via email or in-app notice. The current version is always available on this page, with a visible last-updated date at the top.
16. Contact
For all questions regarding privacy and personal data processing, please contact us at info@reservista.app or via our Contact page.