Privacy Policy
Last updated: 28 May 2026 — version 1.0
This privacy policy explains how WebOustaou collects, uses, shares and protects personal data when you visit this website and, where applicable, when you use the WebOustaou administration service (the SaaS).
Controller and contact
The controller for personal data processed through this website is Alexy Roman, individual publisher of WebOustaou. Full publisher details are in our Legal Notice.
For any question about your data, or to exercise your rights:
Email: contact@weboustaou.fr
Our role: controller and processor
For data relating to website visitors, prospects, WebOustaou account holders, security, analytics and support, WebOustaou acts as controller.
For end-customer data that a restaurant manages through WebOustaou in the future (for example orders, delivery addresses, phone numbers or call transcripts), the restaurant is the controller and WebOustaou acts as processor on its instructions, under a data processing agreement.
Principles and legal bases
We process personal data in line with the GDPR principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
Depending on the processing, our legal basis is:
- Your consent (e.g. analytics cookies)
- Performance of a contract (e.g. providing the WebOustaou account)
- Compliance with a legal obligation (e.g. accounting, storing consent records)
- Our legitimate interests (e.g. site security, anti-spam, answering enquiries)
Processing activities
| Processing | Data | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Website visit | IP address, technical logs, browser/device metadata | Security, delivery and diagnostics of the site | Legitimate interest | Short technical log period (up to 12 months) |
| Cookie consent | Consent choices and expiry | Store and prove your cookie preferences | Legal obligation / legitimate interest | 12 months, then renewal prompt |
| Analytics | Page views, device data, identifiers (Google Analytics / GTM) | Audience measurement | Consent | Up to 14 months (per analytics configuration) |
| Contact form | Name, email, company/restaurant, message, anti-spam signals | Reply to your enquiry, pre-contractual steps | Legitimate interest / pre-contractual steps | 3 years after the last contact |
| Account (SaaS) | Email, authentication metadata, login/security logs | Account access and security | Contract / legitimate interest | Account lifetime + legal/security retention |
| Profile | Display name, avatar | Personalise the admin workspace | Contract | Account lifetime; deleted on account deletion |
| Tenant content | Restaurant names, menu, hours, closures, messages | Provide the SaaS | Contract | Contract lifetime + deletion/backup window |
Future processing (billing, online ordering, customer accounts, AI phone agent) will be added to this table and to our records of processing before it goes live.
WebOustaou account holders
Accounts are created by invitation only; there is no public sign-up. When you sign in with email/password or with Google, we process your email address and authentication metadata to give you access and to secure your account.
If you sign in with Google, Google provides us with your email address, name and profile picture for authentication purposes. Email/password sign-in remains available as an alternative.
Recipients and subprocessors
We do not sell your personal data. We share it only with service providers that process data on our instructions to operate the website and the service (hosting, database, authentication, email, analytics, anti-spam), under contracts that include data protection obligations.
The current providers are listed and kept up to date here:
International transfers
Our database, authentication and storage are hosted in the European Union (Supabase, Paris region). Some providers (e.g. Vercel, Google) may process data outside the EU, in particular in the United States. In that case, transfers are framed by appropriate safeguards such as the European Commission's Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
Data retention
We keep personal data only for as long as necessary for the purposes described above, then delete or anonymise it, subject to applicable legal retention periods (for example accounting obligations). Indicative periods are shown in the processing table.
Security
We apply technical and organisational measures appropriate to the risk, including:
- Encryption in transit (HTTPS) and at rest at our infrastructure providers
- Row Level Security and tenant isolation in the database
- Strict separation of administrative (service-role) credentials, kept server-side only
- Access limited to what is necessary, with authentication on the admin area
- Anti-spam protection on public forms (Cloudflare Turnstile)
Your rights
Under the GDPR you have the following rights over your personal data:
Right of access
Obtain confirmation that we process your data and receive a copy of it.
Right to rectification
Have inaccurate or incomplete data corrected.
Right to erasure
Have your data deleted in the cases provided by law (e.g. no longer necessary, withdrawal of consent).
Right to restriction
Ask us to limit the processing of your data in certain cases.
Right to portability
Receive data you provided in a structured, commonly used, machine-readable format.
Right to object
Object to processing based on legitimate interests or to direct marketing.
Withdraw consent
Withdraw your consent at any time, without affecting processing already carried out.
To exercise your rights, contact us at the address below with enough information to identify you. We reply within one month.
Email: contact@weboustaou.fr
You also have the right to lodge a complaint with a supervisory authority. In France: CNIL (Commission Nationale de l'Informatique et des Libertés), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — www.cnil.fr.
Hosting
The website is hosted by Vercel Inc. (United States). The database, authentication and file storage are provided by Supabase in the European Union (Paris region). See our subprocessors list for details.
Changes to this policy
We may update this policy as the service evolves. The version and “last updated” date at the top of the page reflect the current version.