Built for UK hospitality. GDPR-first by design.
Foldout handles personal data as a processor for your venue. Core application and enquiry data is stored in the EU (Ireland), and we never sell it.
EU data hosting
Core application and enquiry data is stored in Supabase's Ireland region. Optional subprocessors are disclosed in our DPA.
GDPR-first controls
Designed to support lawful processing, data minimisation, retention controls and data-subject rights.
Encrypted everywhere
Encrypted at rest and in transit. TLS 1.3 in transit. AES-256 at rest.
No advertising trackers
Foldout widgets do not load advertising pixels or third-party behavioural tracking SDKs on venue websites.
Designed for GDPR from day one
UK GDPR and the Data Protection Act 2018 apply to data you collect through Foldout — enquiry form submissions, for example. We've built Foldout so your obligations are clear and your data is yours.
- You are the data controller for enquiry form data
- Foldout acts as processor — we process only on your instructions
- Data subject requests: we'll help you respond
- Retention periods configurable per form
- Audit log of key administrative changes
Data processing summary
Widget display data
Opening hours, menu content — public, no personal data
Enquiry form submissions
Name, email, message — processed per your configuration
Dashboard user data
Email, auth token — encrypted, stored in the EU (Ireland)
Analytics
Widget views — aggregate only, no individual tracking
How we protect your data
EU application region
Core application data is stored in Supabase's eu-west-1 Ireland region. Our DPA lists each subprocessor and processing location.
TLS 1.3 in transit
All communication between your website, our servers, and the Foldout dashboard is encrypted in transit using TLS 1.3.
AES-256 at rest
Data stored by Foldout — including enquiry form submissions and user credentials — is encrypted at rest using AES-256.
Isolated per venue
Each venue's data is isolated. An agency admin can see their own clients' data; venues cannot see each other's data.
No third-party trackers
Foldout's widget script does not load any third-party analytics, advertising or tracking SDKs on your website.
Regular security reviews
We conduct regular security reviews of our codebase and infrastructure. Vulnerabilities are patched and disclosed.
Stays up even when we don't
If the database is unreachable, widgets can serve their last-published configuration from a separate Storage snapshot.
Version history on everything
Every widget keeps a draft-to-publish history. Restore any previous version in a click — a bad edit is never permanent.
Audited, guarded operations
Key privileged mutations are recorded in the audit log, while install checks pin validated public IP addresses and re-check every redirect.
UK legal framework
Foldout operates under UK GDPR and the Data Protection Act 2018. Our privacy notice and Data Processing Agreement explain our roles, subprocessors and transfer safeguards.
Security questions?
If you have specific security or compliance questions — for a DPA, vendor assessment, or anything else — get in touch.