Last updated: April 2026
OPERADORA PCG SL
Tax ID (CIF): B88615174
Address: C/ Bretón de los Herreros 46, 6º 15, 28003 Madrid, Spain
Privacy email: privacidad@kazole.com
General email: hola@kazole.com
We collect different data depending on your relationship with Kazolé:
| Data | Purpose | Legal basis |
|---|---|---|
| Name, email, phone | Create your account and communicate with you | Contract performance (Art. 6.1.b GDPR) |
| Restaurant data (name, address, hours, menu) | Generate and maintain your website | Contract performance |
| Billing data (Tax ID, billing address) | Issue invoices | Legal obligation (Art. 6.1.c) |
| Payment data | Process payments | Contract performance. Stripe processes payments; Kazolé does not store card data. |
| Restaurant photos | Publish on your website | Contract performance |
| CMS login data (email, password hash) | Secure authentication | Contract performance |
| Google account (OAuth, if you connect "My Google") | Manage reviews, hours and Google metrics | Consent (Art. 6.1.a). You can revoke at any time. |
| Data | Purpose | Legal basis |
|---|---|---|
| Name, phone, email | Manage your reservation and contact you if needed | Contract performance (the reservation) |
| Preferences, allergies, notes | Prepare for your visit | Contract performance |
| Visit history | Restaurant CRM to improve service | Legitimate interest of the restaurant (Art. 6.1.f) |
| Phone (WhatsApp) | Send reservation reminder | Contract performance (reservation confirmation) |
Important: When you make a reservation at a restaurant that uses Kazolé, the data controller for your data is the restaurant, not Kazolé. Kazolé acts as a data processor on behalf of the restaurant. To exercise your data rights regarding a reservation, contact the restaurant directly or write to us at privacidad@kazole.com and we will redirect you.
Kazolé uses privacy-friendly web analytics (Plausible/Umami) that do not use cookies and do not collect personal data. Only aggregated, anonymised data is recorded: pages visited, traffic source, country, device. No IP addresses are stored and no tracking cookies are installed.
Kazolé uses only essential technical cookies required for the service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| sb-access-token | Authentication session (Supabase) | Session |
| sb-refresh-token | Session renewal | As configured |
| staff-session | Team view session (/res) | 12 hours |
We do not use advertising, tracking, third-party analytics or social media cookies. Therefore, no cookie consent banner is required under ePrivacy regulations.
Your data is only shared with the service providers strictly necessary for delivering the service:
| Provider | Function | Data shared | Location |
|---|---|---|---|
| Supabase Inc. | Database and authentication | All service data | EU (Frankfurt) |
| Vercel Inc. | Website hosting | Public website content | EU/Global CDN |
| Stripe Inc. | Payments | Payment and billing data | EU/US (SCCs compliant) |
| Resend Inc. | Transactional emails | Recipient email + email content | EU/US |
| Meta Platforms (WhatsApp Cloud API) | Reservation reminders | Diner phone + message | EU/US |
| Anthropic PBC (Claude API) | AI text generation and review responses | Restaurant data (no diner PII) | US (stateless API) |
| Google (Business Profile API) | Profile, reviews and metrics management | Only with restaurant owner's OAuth | Global |
All providers with data outside the EU comply with Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent safeguards. Anthropic operates its API in stateless mode: data sent is not stored or used to train models.
Kazolé never sells, rents or shares your data with third parties for advertising or marketing purposes.
| Data | Retention period |
|---|---|
| Client account (active) | Duration of the contract |
| Data after Client cancellation | 90 days (possible reactivation). Then: anonymisation. |
| Billing data | 5 years (Spanish tax obligation) |
| Diner data (reservations) | Duration of the restaurant's contract. 90 days after cancellation: anonymisation. |
| WhatsApp reminders (log) | 90 days |
| Security logs | 3 months to 2 years depending on severity |
| Google data (cached reviews, metrics) | While the OAuth connection is active. Not deleted upon disconnection (public data). |
Under the GDPR (Art. 15-22), you have the right to:
To exercise any of these rights, write to privacidad@kazole.com stating your name, associated email and the right you wish to exercise. We will respond within a maximum of 30 days.
If you believe your data is not being handled properly, you can file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es, or with the data protection authority of your country of residence.
We apply technical and organisational measures to protect your data:
Kazolé is not directed at children under 16 and does not intentionally collect data from minors. Reservations are made by adults or with the authorisation of their legal guardians.
Our main database is located in the European Union (Supabase, eu-central-1, Frankfurt). Some providers may process data in the United States, always under the Standard Contractual Clauses (SCCs) of the European Commission or the EU-US Data Privacy Framework, as applicable.
We may update this Privacy Policy to reflect changes in our practices or applicable legislation. We will notify you by email of any substantial changes at least 30 days in advance.
For any privacy and data protection queries:
Email: privacidad@kazole.com
Postal address: Operadora PCG SL, C/ Bretón de los Herreros 46, 6º 15, 28003 Madrid, Spain