GDPR in full.
This page is the GDPR-specific addendum to the Privacy policy. It names the controller, spells out the legal basis for each processing activity, and outlines the Data Processing Agreement (DPA) we enter with every café operator automatically on sign-up.
1. Data controller
Coverso CC SL, a Spanish sociedad limitada registered in Figueres, Catalunya, acts as the data controller for operator data (your café, your billing) and as a data processor for end-customer data you collect through Comanda.
Representative for EU data protection: hola@comanda.menu. A named Data Protection Officer is not required under Art. 37 given our size, but the privacy address is monitored daily.
2. Legal basis for processing
- Operator data: Art. 6(1)(b) — performance of the contract (the subscription).
- End-customer phone numbers for takeaway: Art. 6(1)(b) — needed to deliver the ordered service (pickup alerts).
- Reviews: Art. 6(1)(a) — explicit consent, captured when the customer submits the form.
- Aggregate analytics for the operator: Art. 6(1)(f) — legitimate interest; strictly within the tenant.
- Security logs + fraud checks: Art. 6(1)(f) — legitimate interest in running a stable service.
3. Data Processing Agreement
Every café on Comanda is a data controller for its end-customers' data; Coverso is the processor. When you sign up you automatically enter a DPA with us covering:
- What we process and why (listed in the Privacy page).
- Subprocessors we use (Supabase, Vercel, Mollie, Twilio, SendGrid — all EU-hosted where possible).
- Breach notification: we notify you within 72 hours of becoming aware.
- Audit rights: you can request a SOC-style attestation from our subprocessors; we'll pass it along.
- Return/deletion on contract end: 60 days grace, then full deletion.
The full DPA text is available on request — email hola@comanda.menu and we'll send it as PDF. The substance matches the EU standard contractual clauses.
4. Subprocessors
Current list as of 2026-04-19:
- Supabase — Postgres + Auth + Storage. EU hosting (Frankfurt).
- Vercel — Frontend CDN + edge functions. EU edge regions preferred.
- Mollie — Card, iDEAL, Bizum payment processing. PCI-DSS L1.
- Twilio — OTP SMS delivery for takeaway sign-in. EU data residency option enabled.
- SendGrid — Transactional email. EU sub-account.
We add or remove subprocessors as needed. When we add one, operators are notified via the admin console + email 30 days ahead, and can object.
5. International transfers
All primary processing is in the EU. Where a subprocessor (e.g. Vercel's global edge) may briefly serve static assets from outside the EU, it does so under EU standard contractual clauses. No personal data leaves the EU for processing purposes.
6. Data-subject rights
End customers (the people eating at your café) have the right to:
- Access their data (Art. 15) — email hola@comanda.menu.
- Rectify incorrect data (Art. 16).
- Delete their data (Art. 17) — "right to be forgotten".
- Restrict processing (Art. 18).
- Portability — get a machine-readable JSON export (Art. 20).
- Object (Art. 21), including to any legitimate-interest processing.
- Not be subject to solely-automated decisions — Comanda does not make any (Art. 22).
Operators have the same rights for their own operator data. Requests are handled within 30 days of receipt.
7. Complaints
Spain's DPA is the AEPD (aepd.es). Complaints can also go to the supervisory authority in your country of residence if different from Spain.