Skip to content
RestData

restdata Privacy Policy

Updated and effective from 17 June 2026

This Privacy Policy describes what personal data is processed by restdata (hereinafter — the "Service") — a B2B service for loading supplier invoices for restaurants into the Syrve Cloud and iiko Server systems — as well as how and why we use it, on what legal basis, to whom we disclose it, how we store and protect it, and what rights you have. This Policy is an integral part of the Service's Terms of Use.

1. Who we are and our roles in data processing

The restdata Service is provided by «WAYG» SRL (Societate cu Răspundere Limitată), Republic of Moldova, IDNO 1020600022483, VAT code 0611359, registered address: Republica Moldova, mun. Chișinău, str. Alecu Russo 55/5, of. 48, MD-2044.

With respect to account data, Service sign-in data, and marketing website data, «WAYG» SRL acts as the controller (operator) of personal data and independently determines the purposes and means of its processing.

With respect to the content of uploaded invoices and the matching of items to the catalog (data about your suppliers, prices, line items, etc.), «WAYG» SRL acts as a processor and processes this data on behalf of and in the interests of the client — the restaurant or organization that is itself the controller of such data.

Personal data is processed in accordance with the legislation of the Republic of Moldova, in particular Law No. 133/2011 on the protection of personal data (from 23 August 2026 it is replaced by Law no. 195/2024). For users from the European Union, we additionally adhere to principles analogous to the requirements of the GDPR.

For privacy matters and the exercise of your rights, write to hello@restdata.app — this is the designated contact address for personal data protection matters.

2. What data we process

Account and profile data. When you register and sign in, we process your email address, name, and, where available, profile photo (avatar).

Data obtained through Google sign-in. If you use Google sign-in (Google OAuth), we receive your email address, name, profile photo, and a stable account identifier (OpenID, the "sub" field). Only the email and profile scopes are requested; these do not belong to sensitive (special) categories of data. For more details, see the "Google user data" section.

Organization and workspace data. Information about your restaurant or organization, workspace settings.

Uploaded invoices and extracted data. Invoice files (PDF or images PNG, JPG, HEIC) and the data extracted from them: supplier, line items, quantities, prices, dates, VAT (TVA).

Item-to-catalog matchings (mappings). The links between line items from invoices and products in your restaurant's catalog.

Technical and usage data. Basic Service operation logs, technical identifiers and information about actions in the Service, as well as data collected through cookies (see the section on cookies and analytics).

3. How we use the data

Providing and operating the Service. We use the data to create and maintain your account, identify you at sign-in, and ensure the operation of the Service.

Document processing. Uploaded documents are processed automatically to extract and structure the data they contain. The specific technical methods of processing may change as the Service evolves.

Matching with the catalog. The extracted line items are checked (validated) and matched with products in your restaurant's catalog.

Export to Syrve/iiko. At your direction, we transfer the prepared invoice data to your own Syrve Cloud or iiko Server account.

Support and communication. We use your contact data to respond to inquiries and provide support.

Security and stability. We use technical data and logs to ensure security, prevent abuse, and diagnose issues.

Marketing website analytics. On our marketing website, we use a third-party web analytics service to assess traffic and improve the site.

Automated processing is limited to data recognition and matching. We do not make decisions about you that produce legal or other significant consequences solely on the basis of automated processing without human involvement: the final verification of the correctness of processed invoices remains with you.

4. Legal bases for processing

We process personal data only when there is a legal basis. For each purpose, the corresponding basis applies under Art. 5 of Law of the Republic of Moldova No. 133/2011, and for users from the EU — under Art. 6 of the GDPR.

Performance of a contract (Art. 6(1)(b) GDPR). Creating and maintaining an account, identification at sign-in, recognizing and verifying invoices, matching with the catalog, and exporting data to Syrve Cloud or iiko Server — that is, everything necessary to provide the Service at your request.

Legitimate interest (Art. 6(1)(f) GDPR). Ensuring the security and stability of the Service, maintaining technical logs, preventing abuse, and diagnosing issues, as well as web analytics of the marketing website to assess traffic and improve the site. You have the right to object to such processing (see the "Your rights" section).

Compliance with legal obligations. The storage and provision of data in cases expressly provided for by applicable law (for example, accounting and tax law).

5. Google user data

When you sign in through Google, we receive from your Google account your email address, name, profile photo, and a stable account identifier (OpenID, the "sub" field). Only the email and profile scopes are requested; sensitive (special) scopes are not requested.

This data is used solely to create your account, authenticate you, and ensure the operation of your account in the Service.

The use and transfer of data obtained from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. In particular: (1) we use the Google data obtained only to provide and improve the sign-in feature; (2) we do not transfer this data except where necessary to provide the sign-in feature, required by law, or done with your consent; (3) we do not use this data for advertising purposes; (4) we do not allow humans to read this data, except where you have given consent to it, it is necessary for security purposes, it is required by law, or the data has been aggregated or anonymized beforehand.

The full text of the policy is available at: https://developers.google.com/terms/api-services-user-data-policy.

6. Subprocessors and data transfers

To operate the Service, we engage a limited number of trusted service providers (subprocessors) who process data on our behalf, in the following categories:

Hosting of the application, database, and uploaded files — on servers located in the EU.

A third-party user authentication service (sign-in to the Service).

A provider of automated document processing — for extracting and structuring invoice data; servers are located in the USA.

A third-party web analytics service — used only on the marketing website.

Your own Syrve Cloud and iiko Server systems — these are the destination systems into which we transfer invoice data at your direction; the management of data in these systems is under your control.

We do not sell personal data. We notify clients of changes to the list of subprocessors through the Service or by email.

7. International data transfers

Some of the providers we engage (in particular, the provider of automated document processing and the provider of Google sign-in) process data outside the Republic of Moldova, including in the USA.

With such cross-border transfers, we take appropriate measures to ensure a corresponding level of data protection in accordance with applicable law (Art. 32 of Law No. 133/2011; for users from the EU — Chapter V of the GDPR).

8. Data retention periods

Account and workspace data is retained for the duration of your account and is deleted or anonymized within 15 business days after its closure.

Uploaded invoice files and the data extracted from them are retained for the duration of the account and are deleted within 15 business days after its closure.

Technical data and logs (journals) are retained for a limited period necessary to ensure security and diagnostics.

Data may be retained in our backups for the duration of their regular rotation, after which it is deleted.

The stated periods do not apply to the extent that longer retention is required by law, primarily by the accounting and tax legislation of the Republic of Moldova — in this case, the relevant data is retained for the period established by law.

To request deletion, write to hello@restdata.app.

9. Security measures and breach notification

We apply reasonable technical and organizational measures to protect data, including encryption of data transmission, access control, and the delineation of rights.

Access to personal data is granted only to those employees and subprocessors who need it to perform their functions.

Despite the measures taken, no method of data transmission or storage is absolutely secure; we continuously work to improve the level of protection.

In the event of a personal data security breach, we notify the supervisory authority without undue delay and, where required by applicable law, the affected users.

10. Your rights

You have the right to access your personal data and obtain a copy of it.

You have the right to rectify inaccurate or incomplete data.

You have the right to erasure of your data in cases established by law.

You have the right to restriction of processing in cases provided for by law.

You have the right to object to processing based on our legitimate interest.

You have the right to portability (export) of the data you have provided.

You have the right to withdraw previously given consent to processing, which does not affect the lawfulness of processing before the withdrawal.

You have the right to lodge a complaint with the supervisory authority: in the Republic of Moldova — with the National Center for Personal Data Protection (CNPDCP); users from the EU have the right to contact the supervisory authority of their country.

To exercise any of these rights, write to us at hello@restdata.app. We respond to inquiries within one month in accordance with applicable law; this period may be extended for complex or numerous requests.

11. Cookies and analytics

restdata_lang — a cookie that stores your chosen interface language.

Authentication and session cookies — necessary for signing in to the Service and maintaining your session.

Analytics cookies — used by a third-party web analytics service only on the marketing website to analyze traffic; they are not used in the Service (application) itself.

You can manage cookies through your browser settings; however, disabling necessary cookies may affect the operation of the Service.

12. Children

The restdata Service is a B2B product and is intended for use by companies and their employees.

The Service is not directed at children, and we do not knowingly collect children's personal data. If you believe that a child's data has been transferred to us, notify hello@restdata.app, and we will take measures to delete it.

13. Changes to the Policy

We may periodically update this Privacy Policy to reflect changes in the Service or legislation.

The current version is always available in the Service with an indication of the date of the last update and entry into force. We will notify you of material changes in a reasonable manner — for example, through the Service interface or by email.

14. Contacts

For privacy matters, the exercise of rights, and support, write to hello@restdata.app.

The full details of the operator («WAYG» SRL) are provided in Section 1.