Data Processing Agreement
Last updated 13 July 2026
Roles
When Foldout stores and routes the personal data your website visitors submit through enquiry forms, the venue (our customer) is the controller and Foldout is the processor. We process that data only to provide the service and only on the controller’s documented instructions.
Scope & duration
Subject matter: operation of the Foldout service. Data subjects: the venue’s enquirers/customers. Data types: contact details and enquiry content (e.g. name, email/phone, party size, message). Duration: for the term of the account, subject to the retention window (default 24 months).
Security
Data is encrypted in transit and at rest; access is controlled by row-level security and application-layer authorization; the service role is server-only. Enquiry data is deleted on the retention schedule and on request.
Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication & file storage (incl. enquiry submissions) | EU — Ireland (eu-west-1) |
| Vercel | Application hosting & serverless compute; widget embed delivery | EU/global edge |
| Cloudflare (Turnstile) | Spam / bot protection on enquiry forms | Global |
| AgentMail | Transactional & operational email (invitations, enquiry routing, alerts) | United States |
| Google (Business Profile API) | Publishing hours to Google listings — only if a venue enables Google sync | Global |
| Google (Gemini API) | AI menu/content parsing — only if a venue enables AI features | Global |
Independent payment controller
Where paid checkout is enabled, Lemon Squeezy acts as merchant of record and an independent controller for buyer, payment, tax and invoicing data. It is not appointed as a sub-processor for venue enquiry data. Foldout receives only the transaction and subscription data needed to provide and administer the selected plan.
International transfers
Core application data (including enquiry submissions) is stored in the EU (Ireland). Where a sub-processor processes data outside the UK/EU, that transfer relies on appropriate safeguards (e.g. UK IDTA / EU SCCs).
Breach notification & assistance
We notify affected controllers without undue delay after becoming aware of a personal-data breach, and assist with data-subject requests, DPIAs and regulator engagement as required by Article 28 GDPR.
Deletion
On termination we delete or return controller personal data, save where retention is required by law.
Related: Privacy Policy · Terms of Service · Security