Privacy Policy
Last updated: 29.05.2026
Controller for this notice: Pisteo, an auxiliary business name (aputoiminimi) of Easy Host Oy (Business ID, Y-tunnus, 3288005-7), registered office Helsinki, Finland, operating the Pisteo platform. The restaurant where you placed your order is a separate controller for its own customer relationship and any marketing it sends you. This notice covers what Pisteo itself does with your data.
Contact: [email protected]
1. Who we are and what Pisteo does
Pisteo is a phone-based ordering and payment service for restaurants. You scan a QR code at your table, browse the menu, place an order, and pay, all from your phone, with no app install and no account creation. The restaurant prepares your order and is your contractual counterparty for the food and drink. We provide the technology.
2. What data we collect about you
- Order data: the items you order, table number, time of order, special instructions you type.
- Payment data: payment is processed by Stripe. We do not see or store your full card number. We store a Stripe payment reference, amount, currency, payment method type (Apple Pay, MobilePay, card), and the last four digits of the card if applicable.
- Email address: only if you choose to receive an email receipt or opt in to marketing from the specific restaurant. Optional.
- Session cookie: a strictly necessary cookie that links your phone session to the table for the duration of your visit. Expires when you close the browser or after a short period of inactivity.
- Device and connection data: IP address and basic browser information, processed transiently for security and fraud prevention.
We do not run analytics or behaviour tracking on the diner-facing app. No advertising pixels, no third-party trackers on the diner side.
3. Why we process your data and on what legal basis
| Purpose | Legal basis |
|---|---|
| Taking your order and arranging payment to the restaurant | Art 6(1)(b) GDPR, performance of a contract |
| Sending you an email receipt if you ask for one | Art 6(1)(b) GDPR, performance of a contract |
| Preventing fraud, abuse, and securing the service | Art 6(1)(f) GDPR, legitimate interest |
| Sending you marketing from the specific restaurant you visited | Art 6(1)(a) GDPR, your consent, given to the restaurant via the Pisteo interface |
| Meeting accounting and tax obligations | Art 6(1)(c) GDPR, legal obligation |
For marketing, Pisteo acts as data processor on behalf of the restaurant. You can withdraw consent at any time using the unsubscribe link in any marketing email, or by contacting the restaurant directly.
4. How long we keep your data
- Order and payment records: kept for the period required by Finnish accounting law, currently six years from the end of the financial year (Kirjanpitolaki).
- Email used for a receipt only: deleted within 90 days unless tied to an order record we must keep.
- Marketing consent and email: kept until you withdraw consent or the restaurant deletes the list.
- Session cookie: session duration only.
- Security and fraud logs: up to 12 months.
5. Who we share your data with
- The restaurant where you ordered. They see your order, table, and, where applicable, your name on the order ticket.
- Stripe Payments Europe Limited (Ireland). Payment processing. Stripe is an independent controller for its own fraud and compliance work.
- Resend (email infrastructure). Used to deliver your receipt and any marketing email you opted into. Resend is based in the US. Transfers are protected by Standard Contractual Clauses.
- Cloudflare R2, Railway, Sentry. Hosting, storage, and error monitoring. They are processors acting on our instructions. See the sub-processor list in our Data Processing Agreement.
- Authorities where required by law.
We do not sell your data. We do not use it for advertising.
6. International transfers
Some sub-processors are based outside the EU/EEA, principally in the United States. Where we transfer personal data outside the EEA, we rely on the European Commission's Standard Contractual Clauses and, where relevant, additional safeguards.
7. Your rights
You have the following rights under the GDPR:
- Access (Art 15): ask what we hold about you.
- Rectification (Art 16): correct inaccurate data.
- Erasure (Art 17): ask us to delete data, subject to legal retention obligations.
- Restriction (Art 18): ask us to pause processing.
- Portability (Art 20): get your data in a portable format.
- Objection (Art 21): object to processing based on legitimate interest.
- Withdraw consent (Art 7(3)): at any time, with no effect on prior lawful processing.
- Not be subject to solely automated decisions (Art 22): we do not make such decisions about diners.
To exercise any right, email [email protected]. We respond within one month, free of charge in normal cases.
8. Complaints
You can complain to the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), Lintulahdenkuja 4, 00530 Helsinki, [email protected], www.tietosuoja.fi.
9. Cookies
We use a single strictly necessary session cookie to link your phone to the table you scanned. No analytics cookies, no marketing cookies, no third-party cookies on the diner app.
Under ePrivacy law and Finnish guidance, strictly necessary cookies do not require consent. We do not show a consent banner, because there is nothing to consent to. We do not use analytics, advertising, or third-party tracking on the diner app.
10. Changes
If we change this policy in a way that affects you, we will post the new version at this page and update the "Last updated" date.
Restaurant operators
If you operate a restaurant on Pisteo, your processing of diner personal data through the platform is governed by our Data Processing Agreement, which forms part of the Pisteo Service Terms.