Privacy Policy

Orderli B.V.
Turfmarkt 11, 8911 KS Leeuwarden, The Netherlands
Chamber of Commerce: 77435877
Email: [email protected]

Last updated: March 2026

This Privacy Policy explains how Orderli B.V. ("Orderli", "we", "us", or "our") processes personal data in connection with its QR ordering platform and related services, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection legislation.

1. Roles in Data Processing

Orderli operates in two distinct roles depending on the context of the data processing:

  • Data Processor – when processing personal data of restaurant guests on behalf of our client restaurants. In this role, the restaurant is the Data Controller and determines the purposes and means of processing.
  • Data Controller – when processing personal data relating to client restaurants, their employees, visitors to our marketing website (orderli.com), and our own internal operations.

2. When Orderli Acts as Data Processor

When a guest scans a QR code and places an order, Orderli processes personal data on behalf of the restaurant. The restaurant determines the purposes and means of this processing, and a Data Processing Agreement (DPA) governs the relationship between Orderli and the restaurant.

Categories of personal data processed

  • Name
  • Email address
  • Phone number
  • Table number and location identifier
  • Order details and payment status
  • IP address and device information (browser type, operating system)
  • Free-text order notes

Special category data

Orderli does not intentionally collect special category data (such as health data). If a guest voluntarily includes health-related information (for example, allergy details) in order notes, the restaurant remains responsible as Data Controller for this data. We recommend that restaurants inform guests not to include sensitive personal data in free-text fields unless necessary.

3. When Orderli Acts as Data Controller

Orderli processes personal data of client restaurants (including their employees and representatives), visitors to our marketing website (orderli.com), and other individuals who interact with us directly, for the following purposes:

  • Providing and maintaining our services
  • Billing and invoicing
  • Internal administration and business operations
  • Compliance with legal obligations, including VAT-related recordkeeping
  • Improving and developing our platform
  • Communicating with clients about their accounts and our services

Legal bases for processing (Article 6 GDPR)

  • Performance of a contract – processing necessary to deliver our services to client restaurants (Art. 6(1)(b)).
  • Legal obligation – processing required to comply with tax, accounting, and other regulatory requirements (Art. 6(1)(c)).
  • Legitimate interests – processing necessary for our legitimate business interests, such as fraud prevention, platform security, and service improvement, provided these interests are not overridden by the data subject’s rights and freedoms (Art. 6(1)(f)).
  • Consent – where applicable, for example when subscribing to our newsletter or opting into cookies (Art. 6(1)(a)). Consent may be withdrawn at any time.

Payments are processed by licensed Payment Service Providers. Orderli does not store credit card details.

4. Marketing

Orderli does not use identifiable guest personal data for its own marketing purposes. We may occasionally send service-related communications to our client restaurants.

If a restaurant collects marketing consent from its guests through the Orderli platform, the restaurant is solely responsible for ensuring compliance with applicable data protection laws, including obtaining valid consent where required.

5. SMS and Mobile Information

If a guest provides a mobile phone number and opts in to receive SMS notifications through the Orderli platform, that mobile number and the related messaging consent data are used solely for sending transactional order-related text messages and for operating, supporting, and securing the messaging service.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Text messaging originator opt-in data and consent will not be sold or shared with any third parties, except with service providers that support the delivery of the messaging service, such as SMS platform providers, acting on our behalf and under appropriate contractual safeguards.

6. Subprocessors and International Data Transfers

Orderli engages the following categories of subprocessors to deliver its services:

  • DigitalOcean – hosting and infrastructure (EU/US)
  • Backblaze – cloud storage and backups (EU/US)
  • Cloudflare – security, DDoS protection, and content delivery (global)
  • Sentry – error monitoring and diagnostics (US)
  • Mailchimp – transactional and service email delivery (US)
  • Spryng and MessageBird – SMS notification services (EU/NL)

Where personal data is transferred outside the European Economic Area (EEA), Orderli ensures that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the recipient’s participation in a recognised adequacy framework. Data Processing Agreements are in place with all subprocessors.

An up-to-date list of subprocessors is available upon request by contacting [email protected].

7. Cookies and Tracking Technologies

When Orderli acts as Data Processor (ordering platform)

When guests use the Orderli ordering platform on behalf of a restaurant, Orderli uses only first-party cookies that are strictly necessary for the platform to function, such as session management and order processing. Orderli does not place any third-party cookies in this context.

Client restaurants may choose to add their own third-party cookies or tracking technologies to the Orderli platform. In such cases, the restaurant is responsible as Data Controller for ensuring compliance with applicable cookie consent and data protection laws.

When Orderli acts as Data Controller (marketing website)

On our marketing website (orderli.com), we may use cookies and similar technologies for the following purposes:

  • Strictly necessary cookies – required for the website to function correctly.
  • Analytical cookies – to understand how our website is used, helping us improve our services.
  • Functional cookies – to remember preferences and enhance user experience.

Where cookies are not strictly necessary, we obtain consent before placing them. You can manage your cookie preferences through your browser settings or our cookie consent tool.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Specific retention periods depend on the type of data and the applicable legal requirements:

  • Guest order data (as Processor) – retained in accordance with the restaurant’s instructions and the applicable Data Processing Agreement.
  • Client account data – retained for the duration of the contractual relationship and up to 12 months after termination, unless longer retention is required by law.
  • Financial and tax records – retained for the statutory period required under Dutch law (generally 7 years).
  • Log and diagnostic data – retained for up to 12 months for security and troubleshooting purposes.

After the applicable retention period expires, personal data is securely deleted or anonymised. Individuals may contact [email protected] to enquire about data retention for their specific situation.

9. Security Measures

Orderli implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or destruction. These measures include:

  • HTTPS/TLS encryption for all data in transit
  • Encryption of sensitive data at rest
  • Role-based access controls with the principle of least privilege
  • Restricted internal access on a need-to-know basis
  • Regular security assessments and monitoring
  • Contractual security obligations with all subprocessors
  • Incident response procedures for data breach detection and notification

10. Data Breach Notification

In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, Orderli will notify the relevant supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR.

Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals directly, in accordance with Article 34 GDPR.

When acting as Data Processor, Orderli will inform the affected restaurant (Data Controller) without undue delay upon becoming aware of a data breach.

11. Children's Data

The Orderli platform is not specifically directed at children under the age of 16. However, the platform may be used by guests of all ages when placing orders at a restaurant. We do not knowingly collect personal data from children beyond what is necessary to process an order.

Parents or guardians who have concerns about data relating to a child may contact [email protected].

12. Automated Decision-Making

Orderli does not use automated decision-making or profiling that produces legal effects or similarly significantly affects individuals, as described in Article 22 GDPR.

13. Your Rights as a Data Subject

Under the GDPR, individuals have the following rights with respect to their personal data:

  • Right of access – to obtain confirmation of whether your data is being processed and to receive a copy.
  • Right to rectification – to have inaccurate or incomplete data corrected.
  • Right to erasure – to request deletion of your data where it is no longer necessary or where consent is withdrawn.
  • Right to restriction – to limit how your data is processed in certain circumstances.
  • Right to data portability – to receive your data in a structured, commonly used, and machine-readable format.
  • Right to object – to object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent – where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month, as required by the GDPR. In complex cases, this period may be extended by a further two months.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify our client restaurants and update the "Last updated" date at the top of this document.

We encourage you to review this Privacy Policy periodically.

15. Contact

If you have any questions about this Privacy Policy or about how we process your personal data, please contact us:

  • Orderli B.V.
  • Turfmarkt 11, 8911 KS Leeuwarden, The Netherlands
  • Email: [email protected]
  • Chamber of Commerce: 77435877

Download the PDF version

Orderli logo+31 85 303 07 23
English
VisaMastercardMaestroApple PayGoogle PayiDEALBancontactSEPAStripe

Info

IntegrationsPricingDemo

Orderli for

BarsHotelsFestivalsRestaurantsBowling alleysFoodcourtsAll-you-can-eatEveryone

Integrations

LightspeedunTillBorkTrivecVectronMplusKASSAIndex

Legal

Privacy PolicyTerms of Service

Company

About usSystem statusBlogContact
Copyright © 2026 Orderli B.V.
Made with 🎉 in Rotterdam & Delft