Legal

Privacy policy

TableSpark builds and hosts websites for restaurants. This policy explains what personal data we handle, why, who we share it with, how long we keep it, and the rights you have — whether you run a restaurant on TableSpark or you're a guest of one.

Last updated 2 July 2026 · Contact hello@tablespark.uk

Who we are

TableSpark operates tablespark.uk, a website builder and hosting platform for restaurants. Restaurant websites built with TableSpark are published at addresses like yourname.tablespark.uk or on the restaurant's own domain, but they run on our infrastructure.

That means we wear two hats, and this policy covers both:

  • For our customers (restaurant owners and their teams) we are the data controller: we decide how account data is used to provide the service.
  • For guests of those restaurants (people who book a table, send an enquiry or join a mailing list on a restaurant's site) we are a data processor: we store and handle that data strictly on the restaurant's behalf and instructions. The restaurant is the controller — contact them first about data you gave them; we'll help them honour any request.

For anything in this policy, you can reach us at hello@tablespark.uk.

What we collect from platform customers

Account data

When you create a TableSpark account we store your email address and, if you provide them, your name and an avatar. Sign-in is handled by our authentication provider (Supabase); passwords are stored only as secure hashes and are never visible to us.

Your restaurant's content

Everything you put into the builder — menus, photos, opening hours, your restaurant's public contact details — is stored so we can publish your site. It's your content; you can edit or delete it at any time, and deleting a site removes its content, leads and analytics with it.

Billing and plan information

We keep a record of which plan your account is on. We do not store card details — if and when online payment is taken, it is handled by a dedicated payment provider and card numbers never touch our servers.

Support

If you email us, we keep the correspondence so we can help you and refer back to it. We use it for nothing else.

Menu scan photos

If you use the AI menu scan, the photos you upload are sent to OpenAI to read the menu text and are processed transiently — we do not store the photos, and OpenAI does not use API data to train its models by default.

Legal basis: we process account, content and billing data because it's necessary to provide the service you signed up for (contract), and support correspondence on the same basis or our legitimate interest in running the service well.

What we process for restaurants' guests

Restaurant sites on TableSpark can take bookings, enquiries, gift-card requests, event RSVPs and newsletter signups. When you submit one of these forms, the details go straight into that restaurant's private inbox on TableSpark. Depending on the form, that can include:

  • your name, email address and phone number;
  • booking details — date, time, party size, seating preference, occasion and any notes you add;
  • allergy or dietary notes, if you choose to share them, so the restaurant can look after you. Please share only what the restaurant needs for your visit;
  • for gift cards, the recipient's name and your personal message;
  • for newsletters, just your email address.

Only the restaurant you contacted can see these details (plus TableSpark staff where needed to run and support the platform). We never sell guest data, never use it for advertising, and never contact guests ourselves.

First-party, cookieless analytics

Restaurant sites include a deliberately minimal, first-party visit counter so owners can see how their site is doing. It records the type of action (page view, tap-to-call, directions, booking click), the page path, a coarse traffic source (direct, search, social), device type (mobile or desktop) and a random identifier stored in your browser. It does not record your IP address, your precise location, or what you do on any other website, and it sets no cookies. Restaurants may show a notice letting you decline this measurement.

How long we keep things

  • Account data and site content: for as long as your account is open. Deleting your account, or a site, permanently removes the associated content, leads and analytics.
  • Guest leads (bookings, enquiries and similar): kept for the restaurant until the restaurant or the guest asks for deletion, or the restaurant's account or site is deleted. We are introducing automatic retention limits so old leads don't linger indefinitely.
  • Analytics events: kept as aggregate history for the restaurant's dashboard; a retention cap is being introduced as part of the same work.
  • Menu scan photos: not stored — processed and discarded.

Who we work with

We use a small number of service providers to run TableSpark. They process data only on our instructions:

ProviderWhat they doWhat they handle
CloudflareHosting and delivery of the platform and all restaurant sitesAll site traffic in transit; short-lived technical logs
SupabaseDatabase, authentication and media storageAccount data, site content, guest leads, analytics events
Google Fonts & FontshareDeliver the typefaces used on our pages and templatesYour IP address receives the font files (a standard web request; no cookies)
PexelsFree stock photography that restaurants can use on their sitesYour browser fetches chosen images from Pexels' image servers
OpenAIReads menu photos for the AI menu scan (customers only)Menu photos, transiently; nothing stored by us

Some restaurant sites also choose to embed third-party content — a Google map, a YouTube video, an external booking widget. Loading those hands a standard web request to that provider; we are moving all such embeds to click-to-load, so nothing loads until you choose it. See our cookie declaration.

Where a provider processes data outside the UK/EEA, transfers are covered by that provider's data-processing agreement and standard contractual clauses.

Your rights

Under UK and EU data-protection law you can ask for access to your data, correction, deletion, restriction, portability, and you can object to processing based on legitimate interest. You can also withdraw consent at any time where consent is the basis (for example a newsletter).

  • Guests: the restaurant you dealt with is the controller of your booking or enquiry — contacting them directly is usually fastest, and we give them the tools to delete your details. You can always email us at hello@tablespark.uk and we will pass the request on and make sure it's honoured.
  • Customers: email hello@tablespark.uk from your account address for a copy, correction or deletion of your account data.

You also have the right to complain to the Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority — though we'd appreciate the chance to sort things out first.

Unsubscribing and deletion, in practice

  • Newsletters: every mailing sent through TableSpark will carry a one-click unsubscribe link that works instantly, without a login. Until you unsubscribe, only the restaurant you signed up with can email you through us.
  • Booking and enquiry details: ask the restaurant, or us, and the records are deleted from the restaurant's inbox and our database. Deletion requests made through a restaurant site land in the owner's inbox with a one-click delete action.
  • Whole accounts: account deletion removes the profile, its sites, and everything beneath them.
The self-serve versions of these controls (tokened unsubscribe links and an on-site "your data" request form) are rolling out across all restaurant sites; in the meantime the same outcomes are available by email and are actioned promptly.

Changes to this policy

If we change this policy in a way that matters — new processors, new data, new purposes — we'll update this page, revise the date at the top, and for significant changes notify account holders by email. The current version always lives at tablespark.uk/privacy.html.