Legal

Data Processing Agreement

Last updated 13 July 2026

DRAFT — pending legal review. A working summary of our processor commitments and sub-processors, prepared by the Foldout team and not yet reviewed by a solicitor. A signable DPA is available on request.

Roles

When Foldout stores and routes the personal data your website visitors submit through enquiry forms, the venue (our customer) is the controller and Foldout is the processor. We process that data only to provide the service and only on the controller’s documented instructions.

Scope & duration

Subject matter: operation of the Foldout service. Data subjects: the venue’s enquirers/customers. Data types: contact details and enquiry content (e.g. name, email/phone, party size, message). Duration: for the term of the account, subject to the retention window (default 24 months).

Security

Data is encrypted in transit and at rest; access is controlled by row-level security and application-layer authorization; the service role is server-only. Enquiry data is deleted on the retention schedule and on request.

Sub-processors

Sub-processorPurposeLocation
SupabaseDatabase, authentication & file storage (incl. enquiry submissions)EU — Ireland (eu-west-1)
VercelApplication hosting & serverless compute; widget embed deliveryEU/global edge
Cloudflare (Turnstile)Spam / bot protection on enquiry formsGlobal
AgentMailTransactional & operational email (invitations, enquiry routing, alerts)United States
Google (Business Profile API)Publishing hours to Google listings — only if a venue enables Google syncGlobal
Google (Gemini API)AI menu/content parsing — only if a venue enables AI featuresGlobal

Independent payment controller

Where paid checkout is enabled, Lemon Squeezy acts as merchant of record and an independent controller for buyer, payment, tax and invoicing data. It is not appointed as a sub-processor for venue enquiry data. Foldout receives only the transaction and subscription data needed to provide and administer the selected plan.

International transfers

Core application data (including enquiry submissions) is stored in the EU (Ireland). Where a sub-processor processes data outside the UK/EU, that transfer relies on appropriate safeguards (e.g. UK IDTA / EU SCCs).

Breach notification & assistance

We notify affected controllers without undue delay after becoming aware of a personal-data breach, and assist with data-subject requests, DPIAs and regulator engagement as required by Article 28 GDPR.

Deletion

On termination we delete or return controller personal data, save where retention is required by law.

Related: Privacy Policy · Terms of Service · Security

We use privacy-friendly analytics to improve this site — no ads, no data selling. How we handle data