Risto Pilot Privacy Policy

INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA

1. Introduction and purpose of this notice

This Notice is provided pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”) and Legislative Decree No. 196/2003, as amended, and is addressed to end users, as data subjects (hereinafter the “Users” or, individually, the “User”), who use the services of the restaurant (hereinafter the “Customer”) through the “Risto Pilot” platform.

The Customer processes the User’s data as Data Controller for the purposes connected with the provision of its services. Webofficine Srls, owner of the “Risto Pilot” platform, processes data with different roles depending on the purposes: as Data Processor on behalf of the Customer, limited to the “core” services, and as an independent Data Controller exclusively for specific purposes of network marketing and network statistical analytics, as indicated in section 4.B.

There is no joint controllership pursuant to Article 26 GDPR: the Customer and Webofficine determine purposes and means independently for their respective processing activities.

The purpose of this Notice is to provide Users with a clear and transparent description of which personal data are collected, how they are processed, the purposes of the processing, the scope of data disclosure and the rights granted to data subjects.

2. Data Controllers, roles and contacts

2.A – Data Controller: the restaurant (Customer)
The Data Controller for the services provided by the restaurant to Users is the restaurant/Customer at which the User uses the services and provides their data (hereinafter the “Controller”). The Controller’s contact details and full identification data are made available by the business operator on the premises and/or on its official channels (e.g., website, digital menu, booking page).

Where a Data Protection Officer (DPO) has been appointed, their contact details will be provided upon the User’s request or made available by the Controller.

2.B – Independent Data Controller: Webofficine Srls (Risto Pilot)
For the purposes indicated in point 4.B, the independent Data Controller is Webofficine Srls (VAT No. 02613570973), with registered office at Viale Guglielmo Marconi 50/15, 59100 Prato (PO), Email: [email protected].

2.C – Role as Data Processor
Webofficine Srls also acts as Data Processor on behalf of the restaurant/Customer in relation to the core services (e.g., bookings, waiting list, loyalty card, transactional messages). This relationship is governed by a specific Data Processing Agreement (DPA) pursuant to Article 28 GDPR.

3. Types of data processed

The personal data processed may include:

  1. Common data: first name, last name, tax code (if required), contact details (e-mail, telephone), residence (if provided) and any other information suitable to identify or make a natural person identifiable.
  2. Special categories of data: any data relating to health (e.g., food allergies or intolerances). Such information is processed solely to the extent necessary to meet a User’s request to the restaurant and, where required, subject to explicit consent.
  3. Browsing data: information automatically collected by the IT systems and software that enable the operation of the Controller’s website or devices made available on the premises (tablet/smartphone), such as IP addresses, technical logs, access times, parameters relating to the operating system and IT environment.
  4. Cookies and similar technologies: for details, please refer to the Controller’s Cookie Policy.

Important clarification on special categories of data: any health-related data (e.g., allergies) remain with the restaurant and are used only for the provision of the service requested by the User. Such data are not transferred to Webofficine Srls for network marketing or network analytics purposes.

Where the User opts in to the purposes referred to in point 4.B, the restaurant communicates to Webofficine Srls only the necessary data: identification and contact data (first name, last name, e-mail, telephone) and non-excessive metadata (e.g., restaurant of first collection, city/area, average booking frequency). No special categories of data are shared for such purposes.

4. Purposes and legal basis for processing

The User’s personal data are processed for the following purposes.

4.A – Processing carried out by the restaurant (Controller)

  1. Management of bookings and services offered: including table reservations, waiting list, loyalty card, any free Wi-Fi, transactional messages and management of the User’s requests. Legal basis: performance of pre-contractual/contractual measures (Article 6(1)(b) GDPR).
  2. Legal, accounting and tax compliance: fulfilment of obligations provided for by law and by provisions of the authorities. Legal basis: legal obligation (Article 6(1)(c) GDPR).
  3. Administrative and security purposes: prevention and detection of unlawful/fraudulent activities, legal defence. Legal basis: legitimate interest (Article 6(1)(f) GDPR).
  4. Statistics: internal statistical analyses in anonymous/aggregated form to improve service quality. Legal basis: legitimate interest.
  5. Restaurant marketing: sending promotional communications/newsletters/surveys via automated or traditional channels. Legal basis: consent (Article 6(1)(a) GDPR).
  6. Restaurant profiling: analysis of preferences/habits for targeted communications. Legal basis: consent.

4.B – Processing carried out by Webofficine Srls (independent Controller)

Webofficine Srls processes data as an independent Data Controller only for the following purposes, where the relevant conditions are met.

  1. “Risto Pilot” network marketing: sending promotional communications relating to restaurants participating in the network other than the one where the User provided their data (e.g., offers, discounts, initiatives). Legal basis: consent (Article 6(1)(a) GDPR); for electronic channels, Article 130 of the Italian Privacy Code applies.
  2. “Light” profiling for personalisation: segmentation into clusters (e.g., geographic area, visit frequency, type of cuisine inferred from bookings) in order to send more relevant communications. Legal basis: consent.
  3. Network-wide analytics: aggregated or anonymised statistical processing to measure network performance and create benchmarks for participating Customers. Legal basis: legitimate interest (Article 6(1)(f) GDPR) with minimisation and anonymisation; where anonymisation is not technically possible, Webofficine relies on the User’s consent.

5. Processing methods, data disclosure and data sharing

The processing of personal data is carried out by manual, IT or telematic means, using logic strictly related to the purposes indicated and in a manner that ensures security and confidentiality.

6. Data retention period

Personal data are retained for the time necessary to achieve the purposes for which they are collected and processed, in compliance with the data minimisation principle. In particular:

7. Data subjects’ rights

The User may exercise at any time the rights provided for under Articles 15–22 GDPR, including access, rectification, erasure, restriction, portability, objection, withdrawal of consent and the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali).

8. Consequences of failure to provide data

Providing data for purposes related to the services (e.g., bookings, contractual and legal obligations) is necessary in order to use the Controller’s services. If such data are not provided, it may not be possible to provide the requested services.

Providing data for marketing and profiling purposes is optional and failure to provide consent does not affect the use of the main services.

9. Automated decision-making processes and profiling

Any profiling activity is limited to marketing purposes and service improvement. Where the User has given consent, preferences, habits and frequency of use of the services may be analysed in order to send more relevant communications. No automated decisions are taken that produce legal effects or otherwise significantly affect the User without human intervention.

10. Changes and updates to this Notice

This Notice may be subject to changes or updates, including following the introduction of new services or regulatory changes. In the event of material changes, the Controller will provide appropriate notice to Users. Users are invited to review this Notice periodically.

Last updated: 14/12/2025

11. How to contact the Controller

To exercise the rights indicated above or to obtain further information on the processing of personal data, the User may contact the Controller (restaurant/Customer) using the contact details that the Controller makes available. For the purposes referred to in point 4.B, the User may also contact Webofficine Srls using the contact details indicated in section 2.B.