Legal
How 8te handles the personal data of diners and restaurant partners. Plain-English. No dark patterns.
Last updated 2026-04-19
[8te Limited (Company Number TBC)] (“8te”, “we”, “our”) is the data controller for the personal data described in this policy.
You can reach us at privacy@8teit.com. Postal mail goes to:
[8te Limited]We're registered with the UK Information Commissioner's Office (ICO) under registration number [ICO REGISTRATION NUMBER TBC].
Exactly what we need to personalise dish recommendations for diners and give feedback back to restaurants. Nothing else.
Mobile phone number
Used solely to sign you in. We don't market to you or sell this number.
Flavour preferences
The answers to the three onboarding cards and how they update as you rate dishes — a 16-number taste profile and optional AI embedding of dishes you liked.
Dietary and allergen preferences
Only what you set in your profile. Applied as a safety filter before any match score is calculated.
Dish ratings
One 👍 or 👎 per dish, per diner. Feeds both your future recommendations and the restaurant's dashboard.
Scan sessions
A timestamp and restaurant id every time your phone loads a menu via QR. Helps restaurants see how many diners scanned today.
Consent records
When you opted in, what version of this policy you consented to, the user-agent string, and a one-way hashed fingerprint of your IP address. Kept for the audit trail UK GDPR requires.
Email address
Used to send you a magic link to sign in.
Restaurant profile
Name, address, opening details, uploaded menu PDFs, and the dishes you configure.
We do not collect: your name, your email (for diners), your photo, your location, your browsing history, your card details, or anything else that isn't listed above.
For diners, the lawful basis is your consent.
You give that consent at the start of onboarding, before we store any preference data. You can withdraw it at any time by deleting your account on your profile page.
For restaurant owners, the lawful basis is the contract you enter into with us when you sign up to use the dashboard.
We also rely on legitimate interests for a narrow set of aggregate, anonymised analytics that help us run the service (for example, knowing the total number of scans per restaurant per day). These never re-identify you.
Data is shared only with the service providers we rely on to run 8te. Each is a processor bound by a data processing agreement. Some of these are third-party AI infrastructure providers that power the recommendation engine; we name them individually below.
Supabase (Amazon Web Services, EU region)
Our database and authentication provider. Holds every row described above.
Vercel
Hosts this website.
Twilio
Sends the SMS with your one-time sign-in code. Sees your phone number.
Resend
Sends magic-link emails to restaurant owners.
Anthropic (Claude API)
Extracts structured data from restaurant menu PDFs when an owner uploads one. Anthropic receives only the uploaded menu PDF — never diner phone numbers, ratings, or taste profiles.
OpenAI
Generates dish embeddings so our semantic matcher can reason about flavour similarity. OpenAI receives only dish names and descriptions — never anything that identifies a diner.
Restaurants see aggregate rating data only — numbers of upvotes, downvotes, and scan counts per dish. They never see your phone number, your name, your individual vote, or anything that could identify you.
We do not sell personal data. We do not share it with advertisers. We do not share it with third parties who aren't listed above.
Your personal data is stored in the European Union. Our primary database (Supabase) is hosted in the London (eu-west-2) or Frankfurt (eu-central-1) region. We chose EU hosting specifically to keep UK diner data within the UK/EU legal framework.
Where a processor operates partly outside the UK/EU (for example, Twilio's SMS infrastructure), appropriate safeguards are in place — Standard Contractual Clauses or the UK International Data Transfer Agreement.
We keep your personal data for as long as your 8te account exists, or until your account has been inactive for three years, whichever comes sooner.
If you delete your account, we erase your profile, your dietary settings, your ratings, and your consent records. Historic scan sessions are anonymised — the user id is stripped so the restaurant's count of past scans remains accurate, but nothing in the record points back to you.
Under UK GDPR you have the right to:
Access
Ask us for a copy of every piece of personal data we hold about you.
Portability
Download a machine-readable copy of your data at any time from your profile page.
Rectification
Correct anything that's wrong. You can edit most of this yourself from your profile.
Erasure
Delete your account entirely. One click from your profile page.
Withdraw consent
At any time, with no penalty. Deletion withdraws consent.
Object
Tell us to stop processing your data for a specific purpose. Email us.
Complain
To us first at privacy@8teit.com, but you also have the right to complain to the Information Commissioner's Office at ico.org.uk.
We'll respond to any rights request within one calendar month, as required by UK GDPR.
Diners can delete their 8te account directly from their profile page. For restaurant owners, deletion isn't self-service because your account is tied to business data — the menu you manage and the per-dish feedback diners leave — that affects other people. Instead, email privacy@8teit.com from the address linked to your restaurant. We'll confirm with you what happens to the restaurant's menu, dishes, and rating history, and complete the deletion within one calendar month.
We use one cookie: the session cookie that Supabase sets when you sign in. It's strictly necessary to keep you logged in — without it the site cannot function. No banner is required for strictly necessary cookies under PECR.
We do not use analytics cookies, advertising cookies, social-media cookies, or any other kind of tracking cookie on 8te.
8te is not directed at children under 13. We don't knowingly collect personal data from anyone under 13. If you think a child has given us their information, email privacy@8teit.com and we'll delete it.
If we make a material change, we'll email signed-in restaurant owners and update the Last updated date at the top of this page. Your continued use of 8te after a change means you accept the updated policy — if you don't, you can delete your account at any time.
For any question about this policy or about your data, email privacy@8teit.com. Please put “privacy” in the subject line so it routes correctly.