Trust & security

Built for UK hospitality. GDPR-first by design.

Foldout handles personal data as a processor for your venue. Core application and enquiry data is stored in the EU (Ireland), and we never sell it.

EU data hosting

Core application and enquiry data is stored in Supabase's Ireland region. Optional subprocessors are disclosed in our DPA.

GDPR-first controls

Designed to support lawful processing, data minimisation, retention controls and data-subject rights.

Encrypted everywhere

Encrypted at rest and in transit. TLS 1.3 in transit. AES-256 at rest.

No advertising trackers

Foldout widgets do not load advertising pixels or third-party behavioural tracking SDKs on venue websites.

GDPR

Designed for GDPR from day one

UK GDPR and the Data Protection Act 2018 apply to data you collect through Foldout — enquiry form submissions, for example. We've built Foldout so your obligations are clear and your data is yours.

  • You are the data controller for enquiry form data
  • Foldout acts as processor — we process only on your instructions
  • Data subject requests: we'll help you respond
  • Retention periods configurable per form
  • Audit log of key administrative changes

Data processing summary

Widget display data

Opening hours, menu content — public, no personal data

Enquiry form submissions

Name, email, message — processed per your configuration

Dashboard user data

Email, auth token — encrypted, stored in the EU (Ireland)

Analytics

Widget views — aggregate only, no individual tracking

Infrastructure

How we protect your data

EU application region

Core application data is stored in Supabase's eu-west-1 Ireland region. Our DPA lists each subprocessor and processing location.

TLS 1.3 in transit

All communication between your website, our servers, and the Foldout dashboard is encrypted in transit using TLS 1.3.

AES-256 at rest

Data stored by Foldout — including enquiry form submissions and user credentials — is encrypted at rest using AES-256.

Isolated per venue

Each venue's data is isolated. An agency admin can see their own clients' data; venues cannot see each other's data.

No third-party trackers

Foldout's widget script does not load any third-party analytics, advertising or tracking SDKs on your website.

Regular security reviews

We conduct regular security reviews of our codebase and infrastructure. Vulnerabilities are patched and disclosed.

Stays up even when we don't

If the database is unreachable, widgets can serve their last-published configuration from a separate Storage snapshot.

Version history on everything

Every widget keeps a draft-to-publish history. Restore any previous version in a click — a bad edit is never permanent.

Audited, guarded operations

Key privileged mutations are recorded in the audit log, while install checks pin validated public IP addresses and re-check every redirect.

Compliance

UK legal framework

Foldout operates under UK GDPR and the Data Protection Act 2018. Our privacy notice and Data Processing Agreement explain our roles, subprocessors and transfer safeguards.

UK GDPRData Protection Act 2018Privacy notice publishedDPA published

Security questions?

If you have specific security or compliance questions — for a DPA, vendor assessment, or anything else — get in touch.

We use privacy-friendly analytics to improve this site — no ads, no data selling. How we handle data