Personal Data Protection
This Privacy Policy is intended to inform users, business customers, and any person interacting with EatNow’s services (“EatNow,” “we,” “us,” “our”) about how their personal data is collected, used, protected, and processed.
EatNow operates a booking and customer-relationship management platform for hospitality businesses (restaurants and hotels). EatNow’s services include, in particular:
EatNow is committed to complying with:
This Policy reflects EatNow’s commitment to a high level of transparency, compliance, and security aligned with SaaS industry standards and the needs of hospitality professionals.
This Policy applies to all users and business customers accessing EatNow’s services, including:
This Policy covers processing carried out:
This Policy covers:
Not covered:
For the purposes of this Policy, the following terms have the meanings set out below. These definitions clarify each party’s role and the nature of data processed when using EatNow’s services.
“Personal data” means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to a name, an identification number, location data, or to one or more factors specific to that person’s identity. This definition covers information relating to end users and to representatives of partner establishments.
“Processing” means any operation or set of operations performed on personal data, by any means, such as collection, recording, organization, structuring, storage, adaptation, consultation, use, disclosure, dissemination, interconnection, restriction, erasure, or destruction, whether or not by automated means.
“User” means any person making a reservation via EatNow, accessing EatNow interfaces, or interacting with the service through available channels, including the website, booking widget, email, or WhatsApp. A user may be an end customer or a person acting on behalf of a partner establishment.
“Partner establishment” means any professional using the EatNow platform to manage reservations, guest reception, and communications. This includes, without limitation, restaurants, hotels, guesthouses, restaurant groups, and other hospitality actors.
The “controller” is, as the case may be, the partner establishment or EatNow. For data relating to end customers in the context of reservations (identity, contact details, booking information, confirmation interactions), the partner establishment is the controller. EatNow may act as controller for certain data necessary for service operation, such as establishment account data, technical logs, billing, or security.
EatNow acts as a “processor” when, under the contractual mandate, it processes personal data on behalf of a partner establishment as part of the booking and management service.
“Sub-processors” are providers engaged by EatNow to perform technical operations related to data processing (hosting, databases, cloud infrastructure, sending transactional communications, log management, monitoring). EatNow ensures these providers offer appropriate safeguards.
“Transactional communications” are messages necessary for service execution (such as booking confirmations and modifications or arrival information), sent via email or WhatsApp Business API. They do not include marketing communications, which require appropriate consent.
“Card hold” refers to a temporary pre-authorization that may be applied to an end customer when a business wishes to secure a booking, including to limit the risk of no-shows. EatNow does not store, view, or directly process any card data; such data is processed exclusively by certified payment providers.
“Special categories of data” are those defined by applicable law, including data relating to health, religion, political opinions, ethnic origin, or biometric data. EatNow does not collect or process such data.
This section defines the roles of EatNow and partner establishments with respect to personal data processing, in accordance with Moroccan Law No. 09-08 and CNDP implementing decisions, and with the GDPR where applicable.
The partner establishment is the controller for end-customer data collected in the context of reservations (including identity, contact details, special requests, visit history, and booking date/time). It determines the purposes and means of processing, ensures compliance with applicable regulations, informs data subjects where required, and guarantees the lawfulness of data it provides to EatNow.
EatNow acts as processor for end-customer data, in accordance with the partner establishment’s documented instructions and the service contract. EatNow processes this data solely to provide the service, including reservation management, sending transactional communications, and operational support.
EatNow does not access reservation content relating to end customers unless such access is strictly necessary for proper service operation, for example in connection with a technical incident, a support request, or for security reasons. Any access, when it occurs, is limited, controlled, and performed exclusively for diagnostics, maintenance, or security, in accordance with CNDP and GDPR requirements.
EatNow is the controller for certain categories of data that do not form part of partner establishments’ customer files, including professional contact details of establishment representatives, information necessary for contract management, billing, abuse prevention, security maintenance, and browsing data from EatNow websites.
The partner establishment undertakes to provide EatNow with lawful instructions compliant with applicable regulations, to fulfill its own data protection obligations, and to inform end customers of its use of EatNow for reservation management where this information obligation lies with the establishment.
The allocation of responsibilities between EatNow and each partner establishment is set out in the service agreement and, where applicable, a Data Processing Agreement (DPA) compliant with CNDP requirements and, where necessary, the GDPR.
Unless expressly agreed otherwise, there is no joint controllership between EatNow and the partner establishment for reservation data: the establishment is the sole controller, and EatNow acts exclusively as processor.
In providing its services, EatNow collects only the data necessary for the purposes described in this Policy and in the contractual framework with partner establishments. The data processed depends on the user type (end customer, professional representative, website visitor, or user of EatNow interfaces).
For reservations made via channels provided by EatNow (online form, embedded widget, WhatsApp Business API, EatNow booking pages, digital entry points operated by EatNow, and any other channel supported by the platform), EatNow processes on behalf of the partner establishment: identity (first and last name), contact details (phone, email), booking details (date, time, party size, optional preferences), submitted comments, booking history, attendance status (confirmed, canceled, no-show), and interactions necessary to process the booking. EatNow does not collect special categories of data within the meaning of applicable law.
When a business requires a card hold or pre-authorization to secure a booking or prevent no-shows, EatNow never processes or views card data. Such data is processed exclusively by approved payment providers in compliance with applicable regulations. EatNow does not store or access this data.
For professionals using EatNow interfaces, the following data may be collected: identity (first and last name), professional contact details (email, phone), account identification information, billing data, information related to platform usage, and exchanges with EatNow support during onboarding or operational follow-up.
For service operation, security, and improvement, EatNow collects technical data such as session identifiers, browser type, device information, IP address, access logs, error logs, and timestamps. This data is used solely to ensure platform reliability, security, diagnostic capability, and performance. It is not used to track end customers for marketing or commercial profiling.
When support is requested, EatNow may process data and exchanges necessary to handle the request (message content, provided screenshots or files, technical elements useful for diagnosis), strictly to respond to the inquiry.
For visitors to the public site eat-now.io and related information areas, EatNow may collect browsing data (pages viewed, time spent, essential cookies, analytics data). This data is processed in accordance with valid consents and used only to optimize site performance and user experience.
EatNow processes personal data only for specified, legitimate, and explicit purposes, in compliance with Moroccan Law No. 09-08, CNDP decisions, and, where applicable, the GDPR. EatNow commits to never using end-customer data for purposes other than those necessary to provide the service.
Personal data of end customers is processed to:
Legal basis: performance of a contract between the establishment and the end customer; the establishment’s legitimate interest in organizing its activity.
Data is processed to allow partner establishments to manage their customer relationships, including visit tracking, no-show prevention, and non-commercial relationship building.
Legal basis: establishment’s legitimate interest; contract performance.
Where a card hold or pre-authorization is used to secure a booking, EatNow facilitates the technical transmission to the approved payment provider, without accessing card data.
Legal basis: contract performance; establishment’s legitimate interest in preventing no-shows.
EatNow provides communications strictly necessary to the service (confirmation, reminder, arrival instructions, technical notifications).
Legal basis: contract performance; legitimate interest.
Data is processed to provide support to partner establishments, diagnose incidents, and ensure proper service operation.
Legal basis: legitimate interest; contract performance.
Technical data may be used to ensure platform security, prevent misuse, protect systems, and maintain service continuity.
Legal basis: legal obligation; legitimate interest related to system security.
EatNow processes data on representatives of partner establishments for account management, billing, contractual administration, and professional communications.
Legal basis: contract performance; legal obligations.
EatNow may use aggregated or anonymized data for analysis, functional improvement, product performance, and user experience optimization. No identifiable end-customer information is used for profiling or promotional purposes without consent.
Legal basis: legitimate interest; no identifiable personal data in statistical analyses.
EatNow may process certain data to meet legal obligations, including those related to CNDP, GDPR where applicable, anti-fraud measures, and IT security.
Legal basis: legal obligation.
EatNow collects personal data lawfully, fairly, and transparently, directly from data subjects or via partner establishments when bookings are made through their channels. Data is collected only to the extent strictly necessary for the defined purposes.
Some data is collected directly from end customers when they use EatNow’s services, including when they make a booking via a channel provided by EatNow (widget, dedicated page, WhatsApp Business API, or any other supported channel), when they confirm or modify a booking, or when they provide specific information to organize their visit.
The partner establishment may enter or transmit data via its EatNow interface as part of reservation and customer-relationship management. This may include adding a booking made through another channel (e.g., walk-in, external phone, direct messages), updating existing information, or tracking visits. In this context, EatNow acts strictly as processor.
Certain technical data is collected automatically when using EatNow’s services, including connection information, device used, access logs, timestamps, and elements strictly necessary for security, continuity, and performance.
When assistance is requested, EatNow may collect information necessary to handle the request (messages, screenshots, technical logs), voluntarily provided by the user or generated for diagnostic purposes.
EatNow does not collect personal data by covert, opaque, or unfair means. EatNow does not purchase or obtain third-party contact files and does not use data from unauthorized sources.
EatNow retains personal data only for as long as necessary for the purposes for which it was collected, in compliance with Moroccan Law No. 09-08, CNDP requirements, and, where applicable, the GDPR. The periods below apply unless a longer legal obligation exists or a dispute requires temporary retention.
Data relating to end-customer bookings is retained for the time necessary to manage the booking and operational follow-up, then archived for up to 36 months after the last interaction. This duration enables establishments to manage guest reception and operational needs (e.g., repeated no-shows) without excessive retention.
EatNow does not retain any card data.
Guarantee data is processed exclusively by payment providers, in accordance with their regulatory obligations (including PCI-DSS). EatNow retains only the technical information needed to trace the operation (hold indicator, guarantee status) for up to 12 months, as evidence in the event of a no-show dispute.
Data on representatives of establishments is retained for the duration of the contract, then archived for 5 years from the end of the contractual relationship, in accordance with legal requirements for commercial, accounting, and evidentiary purposes.
Data exchanged for support (tickets, messages, attachments) is retained for 24 months for quality tracking and support history, then deleted or anonymized.
Technical logs, access logs, system traces, and data necessary for platform security are retained for up to 12 months, unless a security incident requires longer retention for investigation and prevention.
Browsing data is retained in accordance with expressed consents and, for audience-measurement cookies under GDPR regimes, for a maximum of 13 months as recommended by data protection authorities.
At the end of the above periods, data is either securely deleted or irreversibly anonymized for statistical and internal analysis purposes.
EatNow uses technical providers selected for their security, compliance, and reliability. These providers act solely for service needs and in accordance with EatNow’s instructions. All are subject to strict contractual commitments on confidentiality, protection, and data security in line with Law 09-08, CNDP decisions, and, where applicable, the GDPR.
Data is primarily hosted within the European Union. Some providers may be located outside the EU (notably in the United States) or operate international support centers. Where transfers outside the EU are necessary, they are governed by appropriate safeguards compliant with the GDPR (Standard Contractual Clauses, reinforced contractual commitments, technical and organizational measures) and in accordance with CNDP requirements for processing concerning users located in Morocco.
EatNow relies on the following providers for service operation:
EatNow never processes or stores card data. Such data is handled exclusively by approved payment providers in compliance with applicable security rules (including PCI-DSS).
Where data may be processed outside the European Union (e.g., technical support or distributed infrastructure), EatNow implements appropriate safeguards, including:
EatNow may update its list of processors for technical or operational reasons, while ensuring an equivalent level of protection. Partner establishments will be informed of any material change affecting data protection.
EatNow implements technical and organizational measures to ensure a level of security appropriate to the risks, in accordance with Law 09-08, CNDP decisions, the GDPR where applicable, and SaaS best practices. These measures protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure, unauthorized access, or any other unlawful processing.
EatNow notably applies:
EatNow implements, in particular:
Access to personal data is limited to authorized EatNow personnel who require it for technical reasons, maintenance, support, or service operation, and only according to documented instructions where end-customer data of the partner establishment is concerned.
EatNow regularly performs checks, technical verifications, and security improvements. External audits and additional testing may be carried out as needed based on service requirements and evolving risks.
In the event of a security incident that could affect personal data, EatNow will implement its internal incident-response procedure and notify the partner establishment as soon as possible, providing necessary information in accordance with applicable regulatory requirements.
Communications between users, partner establishments, and EatNow services are protected by appropriate security protocols, including TLS encryption for Internet exchanges.
Data is hosted by cloud providers recognized for reliability, regulatory compliance, and security. EatNow ensures that relevant processors implement adequate safeguards.
In accordance with Moroccan Law 09-08 on the protection of individuals with regard to the processing of personal data, CNDP decisions and authorizations, and the GDPR where applicable (users located in the EU), data subjects have rights concerning their personal data.
Any request to exercise these rights may be addressed to EatNow as described in this Policy. EatNow undertakes to respond within applicable legal timeframes and to assist partner establishments in meeting their own obligations toward end customers.
Data subjects may request confirmation that data concerning them is being processed and obtain access, as well as certain information about the processing, within the limits permitted by law.
Data subjects may request correction or updating of their data where it is inaccurate or incomplete.
Data subjects may request deletion of their data in the cases provided by law, in particular where the data is no longer necessary for the purposes of processing, or where consent—when used as the legal basis—has been withdrawn.
Data subjects may object, on legitimate grounds, to the processing of their data, or to the use of their data for commercial communications (where applicable).
In certain situations provided by law, data subjects may request temporary suspension of processing.
Where processing is based on consent or on contract performance and carried out by automated means, data subjects may request transmission of their data in a structured, commonly used, machine-readable format, where technically feasible.
Where users are subject to French or EU law, they may define directives regarding the fate of their personal data after death, in accordance with local legal requirements.
EatNow may request additional information to verify the requester’s identity in order to prevent unauthorized access.
Where EatNow acts as processor (for establishments’ end-customer data), rights requests must be addressed primarily to the partner establishment, which EatNow will assist as necessary.
Data subjects may exercise their rights regarding their personal data with EatNow under Law 09-08, CNDP decisions, and, where applicable, the GDPR. EatNow has internal procedures to handle such requests securely, traceably, and within legal deadlines.
For any question or request regarding personal data, data subjects may contact EatNow at:
(The email address is dedicated to handling personal data requests.)
EatNow will respond within a reasonable period and in accordance with applicable legal obligations.
If extended, EatNow will inform the data subject of the additional time and the reasons.
For data processed on behalf of a partner establishment (customer reservations, history, internal notes, etc.), EatNow acts as processor. In such cases, any request from an end customer will be forwarded to the relevant establishment, which remains solely responsible for handling data subject rights. EatNow will assist the establishment as needed.
To ensure data security and confidentiality, EatNow may request additional information to verify the requester’s identity before fulfilling a request.
Data subjects have the right to lodge a complaint with the competent data protection authority:
EatNow nonetheless encourages users to contact it first to attempt an amicable resolution.
In providing its services, EatNow acts both as controller and as processor, depending on the nature of the data processed and the purpose pursued.
EatNow acts as controller for data necessary for:
In this context, EatNow determines the purposes and means of processing.
EatNow acts as processor on behalf of the partner establishment where data concerns end customers and is processed for:
In this context, the partner establishment remains solely responsible for ensuring lawful collection and for informing end customers.
The partner establishment undertakes to:
EatNow processes end-customer data only on the partner establishment’s documented instructions and to the extent necessary to perform the service. Any request to use data for other purposes requires a specific agreement.
Each party remains responsible for its respective obligations. EatNow cannot be held liable for the partner establishment’s failure to meet its legal or contractual obligations, including customer information duties or the handling of rights requests.
When using the EatNow platform, cookies and similar technologies may be placed on the user’s device to ensure proper service operation, secure access, improve user experience, and perform audience measurement.
EatNow favors a proportionate and responsible use of these technologies, in compliance with applicable legal requirements, including Law 09-08, CNDP decisions, and, where relevant, the GDPR.
EatNow may use the following categories:
EatNow does not use cookies for third-party advertising purposes and does not resell data for external marketing.
Where required by law, a clear information mechanism and, where applicable, prior consent is implemented before placing non-essential cookies.
Users can manage their preferences or withdraw consent at any time, where applicable.
Cookie and similar technology lifespans are limited to what is strictly necessary and, where consent is required, do not exceed durations recommended by supervisory authorities (notably 13 months for audience-measurement cookies under GDPR regimes).
EatNow may use audience-measurement and product-analytics tools configured to limit data collection, respect user confidentiality, and transmit information only to authorized providers, to the extent necessary for service operation and improvement.
Users can configure their browser or device to restrict or block certain cookies. However, disabling essential cookies may affect service operation.
This Policy may be updated to reflect legal, regulatory, technical, or organizational developments affecting personal data processing by EatNow.
Any material change affecting users’ rights or obligations will be communicated appropriately, by any suitable means (e.g., in-service notice, direct communication to partner establishments, or a visible website update).
The applicable version is the one in force at the time of service use. Partner establishments are encouraged to review this Policy regularly to stay informed of updates.
Data subjects have the right to lodge a complaint with the competent data protection authority if they believe their rights have not been respected or that the processing of their personal data does not meet legal requirements.
For users and businesses located in Morocco, the competent authority is:
Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP)
Website: https://cndp.ma
EatNow declares its processing activities to the CNDP in accordance with Law 09-08 and applies the relevant authorizations and decisions regarding storage, hosting, and, where applicable, international data transfers.
For users located in the European Union, complaints may be submitted to the competent local data protection authority in the country of residence or where the relevant processing takes place.
For example, in France: Commission Nationale de l’Informatique et des Libertés (CNIL) – https://cnil.fr
Before approaching an authority, data subjects are encouraged to contact EatNow to seek an amicable solution:
EatNow undertakes to examine and handle any request or complaint as promptly as possible, in accordance with legal obligations.