Privacy policy
TableSpark builds and hosts websites for restaurants. This policy explains what personal data we handle, why, who we share it with, how long we keep it, and the rights you have — whether you run a restaurant on TableSpark or you're a guest of one.
Who we are
TableSpark operates tablespark.uk, a website builder and hosting platform for restaurants. Restaurant websites built with TableSpark are published at addresses like yourname.tablespark.uk or on the restaurant's own domain, but they run on our infrastructure.
That means we wear two hats, and this policy covers both:
- For our customers (restaurant owners and their teams) we are the data controller: we decide how account data is used to provide the service.
- For guests of those restaurants (people who book a table, send an enquiry or join a mailing list on a restaurant's site) we are a data processor: we store and handle that data strictly on the restaurant's behalf and instructions. The restaurant is the controller — contact them first about data you gave them; we'll help them honour any request.
For anything in this policy, you can reach us at hello@tablespark.uk.
What we collect from platform customers
Account data
When you create a TableSpark account we store your email address and, if you provide them, your name and an avatar. Sign-in is handled by our authentication provider (Supabase); passwords are stored only as secure hashes and are never visible to us.
Your restaurant's content
Everything you put into the builder — menus, photos, opening hours, your restaurant's public contact details — is stored so we can publish your site. It's your content; you can edit or delete it at any time, and deleting a site removes its content, leads and analytics with it.
Billing and plan information
We keep a record of which plan your account is on. We do not store card details — if and when online payment is taken, it is handled by a dedicated payment provider and card numbers never touch our servers.
Support
If you email us, we keep the correspondence so we can help you and refer back to it. We use it for nothing else.
Menu scan photos
If you use the AI menu scan, the photos you upload are sent to OpenAI to read the menu text and are processed transiently — we do not store the photos, and OpenAI does not use API data to train its models by default.
Legal basis: we process account, content and billing data because it's necessary to provide the service you signed up for (contract), and support correspondence on the same basis or our legitimate interest in running the service well.
What we process for restaurants' guests
Restaurant sites on TableSpark can take bookings, enquiries, gift-card requests, event RSVPs and newsletter signups. When you submit one of these forms, the details go straight into that restaurant's private inbox on TableSpark. Depending on the form, that can include:
- your name, email address and phone number;
- booking details — date, time, party size, seating preference, occasion and any notes you add;
- allergy or dietary notes, if you choose to share them, so the restaurant can look after you. Please share only what the restaurant needs for your visit;
- for gift cards, the recipient's name and your personal message;
- for newsletters, just your email address.
Only the restaurant you contacted can see these details (plus TableSpark staff where needed to run and support the platform). We never sell guest data, never use it for advertising, and never contact guests ourselves.
First-party, cookieless analytics
Restaurant sites include a deliberately minimal, first-party visit counter so owners can see how their site is doing. It records the type of action (page view, tap-to-call, directions, booking click), the page path, a coarse traffic source (direct, search, social), device type (mobile or desktop) and a random identifier stored in your browser. It does not record your IP address, your precise location, or what you do on any other website, and it sets no cookies. Restaurants may show a notice letting you decline this measurement.
How long we keep things
- Account data and site content: for as long as your account is open. Deleting your account, or a site, permanently removes the associated content, leads and analytics.
- Guest leads (bookings, enquiries and similar): kept for the restaurant until the restaurant or the guest asks for deletion, or the restaurant's account or site is deleted. We are introducing automatic retention limits so old leads don't linger indefinitely.
- Analytics events: kept as aggregate history for the restaurant's dashboard; a retention cap is being introduced as part of the same work.
- Menu scan photos: not stored — processed and discarded.
Who we work with
We use a small number of service providers to run TableSpark. They process data only on our instructions:
| Provider | What they do | What they handle |
|---|---|---|
| Cloudflare | Hosting and delivery of the platform and all restaurant sites | All site traffic in transit; short-lived technical logs |
| Supabase | Database, authentication and media storage | Account data, site content, guest leads, analytics events |
| Google Fonts & Fontshare | Deliver the typefaces used on our pages and templates | Your IP address receives the font files (a standard web request; no cookies) |
| Pexels | Free stock photography that restaurants can use on their sites | Your browser fetches chosen images from Pexels' image servers |
| OpenAI | Reads menu photos for the AI menu scan (customers only) | Menu photos, transiently; nothing stored by us |
Some restaurant sites also choose to embed third-party content — a Google map, a YouTube video, an external booking widget. Loading those hands a standard web request to that provider; we are moving all such embeds to click-to-load, so nothing loads until you choose it. See our cookie declaration.
Where a provider processes data outside the UK/EEA, transfers are covered by that provider's data-processing agreement and standard contractual clauses.
Your rights
Under UK and EU data-protection law you can ask for access to your data, correction, deletion, restriction, portability, and you can object to processing based on legitimate interest. You can also withdraw consent at any time where consent is the basis (for example a newsletter).
- Guests: the restaurant you dealt with is the controller of your booking or enquiry — contacting them directly is usually fastest, and we give them the tools to delete your details. You can always email us at hello@tablespark.uk and we will pass the request on and make sure it's honoured.
- Customers: email hello@tablespark.uk from your account address for a copy, correction or deletion of your account data.
You also have the right to complain to the Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority — though we'd appreciate the chance to sort things out first.
Unsubscribing and deletion, in practice
- Newsletters: every mailing sent through TableSpark will carry a one-click unsubscribe link that works instantly, without a login. Until you unsubscribe, only the restaurant you signed up with can email you through us.
- Booking and enquiry details: ask the restaurant, or us, and the records are deleted from the restaurant's inbox and our database. Deletion requests made through a restaurant site land in the owner's inbox with a one-click delete action.
- Whole accounts: account deletion removes the profile, its sites, and everything beneath them.
Changes to this policy
If we change this policy in a way that matters — new processors, new data, new purposes — we'll update this page, revise the date at the top, and for significant changes notify account holders by email. The current version always lives at tablespark.uk/privacy.html.