Legal information
Privacy & Cookie Policy
Last updated: January 2025
1. Data controller
In accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD), we inform you that the data controller for your personal data is:
Name: SOI Restaurante & Bar
Address: Calle Baltasar Gracian, 12 -- 50005 Zaragoza, Spain
Contact email: reservas@soirestaurantezaragoza.com
2. Personal data we collect
We only collect data that you voluntarily provide when making an online reservation:
- Full name
- Email address
- Phone number
- Reservation date, time and number of guests
- Any notes or allergy information you voluntarily provide
We do not collect sensitive data (special categories under Art. 9 GDPR), unless you spontaneously mention such information in the notes field.
3. Purposes and legal basis for processing
Reservation management
Confirmation, modification or cancellation of your reservation, and sending related communications.
Legal basis: performance of a contract / pre-contractual measures (Art. 6(1)(b) GDPR).
Transactional communications
Sending confirmation emails and reservation status updates via the Resend service.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
We do not use your data for marketing, profiling or behavioural analysis purposes.
4. Data retention period
We retain reservation data for a maximum period of 2 years from the date of the reservation, unless a legal obligation requires a longer period or you exercise your right to erasure before then.
5. Recipients and international transfers
Your data may be accessed by the following data processors, with whom we maintain data processing agreements in accordance with Art. 28 GDPR:
- Supabase Inc. — -- Data storage on servers located in the EU.
- Resend Inc. — -- Transactional email delivery. Data transferred to the US under appropriate safeguards (SCCs).
We do not share your data with third parties for commercial purposes.
6. Your rights
You may exercise the following rights by sending an email to reservas@soirestaurantezaragoza.com with a copy of your ID document:
- Access: know what data we hold about you.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data.
- Objection and restriction: object to or restrict certain processing.
- Portability: receive your data in a structured format.
If you believe that data processing does not comply with the GDPR, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).
7. Cookie policy
This website uses only strictly necessary technical cookies. We do not use analytics, advertising or social media cookies.
| Name | Purpose | Duration |
|---|---|---|
| soi_admin_token | Authenticated session for the administration panel (accessible only to restaurant staff). | 8 hours |
The session cookie is technical and essential for the administration panel to function. It does not require consent under Art. 22.2 of the Spanish LSSI. Public website visitors do not receive any cookies.
8. Security measures
We apply appropriate technical and organisational measures to protect your data against unauthorised access, loss or alteration, including: encrypted transmission via HTTPS, HTTP-only cookies, role-based database authentication and passwords hashed with bcrypt.
9. Changes to this policy
We may update this policy to reflect regulatory changes or changes to our services. The date of the last update is shown at the top of this page. We recommend reviewing it periodically.