MesaLibre Privacy Statement

1. Data controller

MesaLibre operates in connection with Altivision S.L. For the processing described in this statement, Altivision S.L. acts as controller unless a more specific role is stated for a particular workflow or contract.

You can contact us using the company details shown in the Legal Notice. If we appoint a specific privacy or data-protection contact for a given service or jurisdiction, we will make that contact information available alongside the relevant workflow or notice.

2. Data we may collect

Depending on the way you interact with MesaLibre, we may process contact and identity details such as your name, work email, phone number, restaurant or group name, billing contact details, support correspondence, and records of onboarding or account activity.

We may also process service and technical data such as workflow references, subscription and invoice records, payment-status information, authentication events, audit logs, usage metadata, device or browser signals, IP-address level security logs, and preference settings where those are necessary to operate the website or product securely.

3. Why we use personal data

We use personal data to respond to contact requests, create and administer onboarding records, open secure checkout, provision and support customer accounts, send operational and billing communications, secure the service, troubleshoot incidents, keep auditable records, comply with legal obligations, and improve the service responsibly.

Where legally required, we rely on an appropriate legal basis such as taking steps requested before entering into a contract, performing a contract, complying with legal obligations, protecting the security and integrity of the service, or pursuing legitimate interests that do not override fundamental rights and freedoms.

4. Sources of personal data

Most personal data is provided directly by you or by your organization during contact, onboarding, billing, support, or account-management interactions.

We may also receive data from payment providers, technical service providers, lawful integration partners, authorized colleagues inside the same customer organization, or public records where this is necessary to complete onboarding, prevent fraud, or maintain business records.

5. Sharing and recipients

We share personal data only where necessary for the operation of MesaLibre, including with hosting and infrastructure providers, payment processors, communication providers, support tooling, professional advisers, and other processors or sub-processors acting under appropriate instructions and safeguards.

We may also disclose information where required by law, regulation, court order, or a legitimate request from a competent authority, or where necessary to protect the rights, security, or integrity of MesaLibre, our customers, or third parties.

6. International transfers

Some service providers may process data outside your country. Where personal data is transferred internationally, we aim to use an appropriate transfer mechanism and reasonable safeguards, such as contractual protections or reliance on an adequacy framework where available.

7. Retention

We keep personal data only for as long as necessary for the purposes described in this statement, including the duration of onboarding, the active subscription or support relationship, and any additional retention period needed for tax, accounting, audit, fraud-prevention, dispute-management, or legal-compliance requirements.

Retention periods therefore vary by dataset. For example, billing and audit materials may need to be held longer than a marketing enquiry, while security logs may be retained according to operational and legal necessity.

8. Security

We use technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These measures may include access controls, tenant isolation, auditability, secure provider integrations, and operational monitoring.

No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security. If we become aware of a confirmed incident that legally requires notice, we will respond in accordance with applicable law and our incident procedures.

9. Your rights

Subject to applicable law, people may have rights to request access, rectification, erasure, restriction, objection, portability, or withdrawal of consent where consent is the legal basis. They may also have the right to lodge a complaint with a supervisory authority.

We may need to verify identity before acting on a request and may refuse or limit a request where the law allows us to do so, for example to protect the rights of others, preserve audit records, or comply with legal obligations.

10. Cookies, browser storage, and related technologies

Our Cookie Statement explains how cookies and similar browser technologies may be used on the website and related surfaces. Where optional technologies are introduced in the future, we will aim to present any legally required choice mechanism separately from this privacy statement.

11. Changes to this statement

We may update this Privacy Statement from time to time to reflect operational, legal, or product changes. The current version will always be posted on this website with an updated effective date.

12. Contact

For privacy questions or rights requests, please contact us using the company details shown below. To help us respond efficiently, include enough context to identify the relevant workflow, restaurant, or account where possible.