Privacy Policy
Last updated: March 18, 2026
1. Data Controller
The data controller is Gustlo (sole proprietorship), registered in Budapest, Hungary. Contact: [email protected]
2. Data We Collect
Account data: Email address, name (optional), password (hashed). Legal basis: Contract performance (GDPR Article 6(1)(b)).
Restaurant data: Business name, address, phone, hours, photos, reviews — sourced from Google Places API. This is publicly available information, not personal data.
Analytics: We use Plausible Analytics, which does not use cookies or collect personal data. IP addresses are not stored.
Payment data: Processed by Lemon Squeezy LLC (Merchant of Record). We do not store credit card information.
3. Purpose of Processing
• Providing website generation and hosting service (Article 6(1)(b))
• Analytics for service improvement — Plausible, no personal data (Article 6(1)(f))
• Marketing communications — only with explicit consent (Article 6(1)(a))
• Legal compliance and fraud prevention (Article 6(1)(c))
4. Data Recipients
• Supabase (database, EU — Frankfurt) — user accounts and website data storage
• Google Cloud (Storage, CDN, USA) — public website hosting
• Cloudflare (CDN, R2 storage) — EU-US Data Privacy Framework
• Lemon Squeezy (payments, USA) — EU-US Data Privacy Framework
• Anthropic (AI content generation, USA) — EU-US Data Privacy Framework
• Plausible Analytics (EU) — anonymous usage statistics
5. International Data Transfers
USA-based services (Google Cloud, Cloudflare, Lemon Squeezy, Anthropic) process data under the EU-US Data Privacy Framework, which provides adequate protection under GDPR.
6. Data Retention
• Account data: until account deletion + 30 days grace period
• Website data: while the venue exists or until deletion request
• Billing records: 5 years (Hungarian tax law)
• Analytics: up to 26 months (aggregated, no personal data)
• Consent records: retained for compliance purposes
7. Your Rights
Under GDPR, you have the right to:
• Access (Article 15) — account settings > Export data
• Rectification (Article 16) — edit profile and website content
• Erasure (Article 17) — delete account in settings
• Restriction (Article 18) — [email protected]
• Data portability (Article 20) — export data in JSON format
• Objection (Article 21) — unsubscribe from marketing messages
8. Data Security
Encryption: HTTPS for all data transfers, bcrypt password hashing. Access control: role-based permissions. Regular security backups and monitoring.
9. Cookies
Details: gustlo.com/cookies
10. Contact
Data Protection Officer: [email protected]
Hungarian Data Protection Authority (NAIH): naih.hu, 1055 Budapest, Falk Miksa utca 9-11.