Privacy Policy

This Privacy Policy describes how Nicklas SARL, trading as The New Software Company ("Verjus", "we", "us"), collects, uses, and shares personal data when you use the Verjus platform (verjus.io) and related services.

Nicklas SARL — SIRET 91339724600012 — 31 Perspective de la Côte des Basques, 64200 Biarritz, France. Privacy contact: nicklasmenschel@gmail.com.

1. Data Controller & Processor

Verjus acts in two capacities depending on the data involved.

For restaurant owner account data (name, email, authentication credentials, billing information), Verjus is the data controller. For guest personal data (names, emails, phone numbers, booking history, preferences, notes) entered by restaurants or their guests through the platform, each restaurant is the data controller and Verjus is the data processor acting on the restaurant’s instructions.

2. Data We Collect

Guest data (managed by restaurants)

When a guest makes a reservation or is added by a restaurant, the following data may be stored:

• First name, last name
• Email address (hashed for privacy-preserving lookups)
• Phone number (hashed for privacy-preserving lookups)
• Booking history: dates, party sizes, statuses, special requests
• Guest profile: dietary restrictions, allergies, preferences, VIP status, internal notes
• Payment data: Stripe customer ID for deposits and no-show charges (card details are stored by Stripe, not by Verjus)
• Marketing preferences: email opt-in, SMS opt-in, unsubscribe records

Restaurant owner data

When a restaurant owner creates an account, we collect:

• Name, email address, phone number
• Authentication data (hashed password or Google OAuth token)
• Billing information: Mollie customer ID, payment method, subscription details

3. How We Use Your Data

We process personal data to: provide the reservation and restaurant management platform; send transactional communications (booking confirmations, reminders, follow-ups); process payments via Stripe (guest deposits) and Mollie (restaurant subscriptions); send marketing communications to guests who have opted in (with one-click unsubscribe via RFC 8058 compliant links); maintain guest marketing profiles for restaurants; generate analytics and reports; detect fraud and enforce security; comply with legal obligations. We do not sell personal data.

4. Third-Party Processors

We share personal data only with service providers who need it to deliver our platform. Each processor handles only the minimum data required for its function.

A complete list of sub-processors is available upon request.

5. Cookies

Verjus uses only essential cookies required for the platform to function. Specifically, we use a session cookie set by NextAuth.js for authentication. We do not use analytics cookies, advertising cookies, or tracking pixels. No cookie consent banner is displayed because we do not use non-essential cookies.

6. Data Retention

Restaurant owner data is retained for the duration of the account and deleted upon account closure or request. Guest data retention is configurable per restaurant, with a default of 365 days. Restaurants can configure anonymization of guest data after 730 days. Payment audit logs are retained as required for PCI-DSS compliance and legal accounting obligations. Email logs and webhook records are retained for operational debugging and compliance.

7. Data Security

We implement appropriate technical and organizational measures to protect personal data. These include: hashed storage of email addresses and phone numbers (HMAC-SHA256); encrypted sensitive fields (dietary restrictions, allergies); immutable payment audit logs with actor tracking; rate limiting on API endpoints and webhooks; HTTPS for all data in transit. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

8. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

To exercise any of these rights, contact us at nicklasmenschel@gmail.com

You also have the right to lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France.

9. International Data Transfers

Most data processing occurs within the European Union. Where data is transferred to the United States (Stripe, Sentry), transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission. We do not transfer data to countries without adequate data protection guarantees unless appropriate safeguards are in place.

10. Changes to This Policy

We may update this Privacy Policy. Changes will be posted on this page with an updated effective date. For material changes, we will notify registered users by email.