This Privacy Policy explains how Sully Booking Ltd (“Sully”, “we”, “us”, “our”) collects and uses personal information. It applies to our website sullybooking.com and the Sully Booking software (together, the “Service”).
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who is the Data Controller?
For Sully account holders (restaurant operators): Sully Booking Ltd is the data controller of the account information you provide to us (e.g. name, email, venue details, billing details).
For restaurant guests whose bookings are processed through the Service: the restaurant you are booking with is the data controller. Sully acts as a data processor on their behalf, handling guest data only under their instructions and for the purpose of providing the Service.
2. Information We Collect
2.1 From Sully account holders
- Account details: name, email, phone, password (stored as a salted hash).
- Business details: venue name, address, opening hours, table configuration.
- Billing details: handled by Stripe. We store the last 4 digits of your card, expiry and a reference ID — we never store your full card number.
- Usage data: pages visited, features used, IP address, browser, device type.
- Support communications: emails, messages and call notes when you contact us.
2.2 From restaurant guests
- Booking details: name, email, phone, party size, date/time, dietary notes.
- Deposit information: processed by Stripe, settled directly to the restaurant.
- Messaging history: emails exchanged between guest and restaurant via Sully.
3. How We Use Your Information
We use personal data to:
- provide, operate and improve the Service;
- process bookings, deposits and guest communication on restaurants’ behalf;
- take payment for subscriptions and send invoices;
- communicate with you about product updates, security notices and support;
- detect, prevent and respond to fraud, abuse and security incidents;
- comply with our legal obligations.
We only send marketing emails where we have your consent or a legitimate interest, and you can unsubscribe at any time via the link in each email.
4. Legal Bases
We rely on the following lawful bases under UK GDPR:
- Contract: to deliver the Service you have subscribed to.
- Legitimate interests: to improve the Service, prevent fraud and run our business.
- Consent: for non-essential cookies and marketing emails.
- Legal obligation: to comply with tax, accounting and regulatory requirements.
5. Sharing & Sub-processors
We never sell personal data. We share it only with trusted service providers who help us run the Service:
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Subscription payments & booking deposits | UK / EU / US |
| Cloudflare | DNS, CDN, bot protection | Global |
| AWS / Abacus.AI | Application hosting & file storage | EU / US |
| Email delivery provider | Transactional emails (booking confirmations, password reset, etc.) | EU |
Where data is transferred outside the UK/EEA, we rely on appropriate safeguards such as Standard Contractual Clauses.
6. Cookies
We use essential cookies to keep you signed in and analytical cookies to understand how our site is used. See our Cookie Policy for a full list and for instructions on how to manage your preferences.
7. Data Retention
- Account data: for as long as your account is active, then up to 12 months.
- Billing records: 7 years, as required by UK tax law.
- Guest bookings: retained on the restaurant’s behalf for as long as their account is active. On restaurant account termination, guest data is anonymised or deleted within 30 days.
- Support communications: up to 3 years.
8. Your Rights
Under UK GDPR you have the right to:
- access a copy of the personal data we hold about you;
- correct inaccurate data;
- request deletion of your data (the “right to be forgotten”);
- restrict or object to certain processing;
- port your data to another service;
- withdraw consent at any time, without affecting earlier lawful processing.
To exercise any right, email [email protected]. Guests who wish to exercise rights over booking data should contact the restaurant directly; we will assist where needed. You can also complain to the UK’s Information Commissioner’s Office (ICO).
9. Security
We apply industry-standard security measures: encrypted connections (HTTPS), encrypted data at rest, salted password hashes, least-privilege access controls, and regular backups. No system is 100% secure, so we cannot guarantee absolute security, but we work hard to protect your data and will notify you of any notifiable breach in line with UK GDPR timelines.
10. Children
The Service is intended for businesses and adults. We do not knowingly collect personal data from anyone under 16.
11. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be notified to registered account holders by email. The “last updated” date at the top of the page always reflects the latest revision.
12. Contact
Questions about privacy or data protection? Email [email protected] or write to Sully Booking Ltd, Leeds, United Kingdom.