Privacy policy
Last updated: July 2026
This document is complete and maintained, but has not yet had external legal counsel review. It will be re-issued after review; material changes will be notified.
VenueDeck is an independent platform and is not affiliated with, endorsed by, or an official partner of EposNow. EposNow is a trademark of its respective owner.
Who we are (data controller)
VenueDeck is a product and trading name of JP Tech Group Ltd (registered as JPTECHGROUP LTD), a company registered in England and Wales (company number 11968503, registered office 28b Theydon Road, London, England, E5 9NA).
For the personal data described in this policy, JP Tech Group Ltd is the data controller. Contact us about privacy at [email protected], for anything else at [email protected], or by post at the registered office above.
What we collect, surface by surface
Customer-facing menus and ordering (the pages your guests use): no account is required and no tracking cookies are set. An anonymous device identifier is stored in your browser (localStorage) so your cart and order status survive a page refresh; it is random, is not linked to your identity, and stays on the venue scope you visited. When you place an order we process the order contents, the table or collection reference, and - if you pay online - the payment is handled by the venue's payment provider; we never see or store full card numbers.
The enquiry form on this website (book a demo / start free): we store the details you submit - business name, your name, email, business type, number of sites, how you plan to start, and your note - in our database so we can respond, and we send you a confirmation email.
Venue operator accounts (the admin console): account identity is handled by Auth0 (email, name, authentication events). Billing details for paid plans - card details and invoices - are handled by Stripe; we store the subscription state, not your card number.
Website analytics: we run a self-hosted Umami analytics instance. It is cookieless and collects aggregated usage data only - pages viewed, referrer, browser and device class, and country. It does not set cookies, does not identify you, does not track you across other sites, and its data never leaves infrastructure we control. This is why this site shows no cookie banner: there is nothing to consent to.
Purposes and lawful bases
- Responding to enquiries and providing demos - legitimate interests (pre-contract steps at your request).
- Providing the service to venues, including accounts, subscriptions and billing - performance of a contract.
- Processing guest orders on behalf of venues - performance of the venue's contract with its customer; for this data we act primarily as a processor for the venue.
- Transactional email (confirmations, billing notices, account emails) - performance of a contract and legitimate interests.
- Aggregated, cookieless analytics - legitimate interests (understanding how the site is used, without identifying anyone).
- Legal obligations - accounting and tax records.
How long we keep it
Enquiry (lead) data: up to 24 months from our last contact with you, unless you become a customer or ask us to delete it sooner. Order data: kept for the venue for as long as the venue subscribes, and per our accounting obligations after that. Account data: for the life of the account plus a short wind-down period during which exports remain available. Aggregated analytics contain no personal data and are kept indefinitely.
Who we share it with (processors and subprocessors)
We do not sell personal data, and analytics data is never shared with third parties. We use a small set of processors to run the service:
- Auth0 (Okta) - operator account authentication.
- Stripe - subscription billing and, where a venue chooses it, payment processing.
- uSend - our self-hosted email server for transactional email; mail data stays on infrastructure we control.
- Umami - our self-hosted, cookieless analytics; data stays on infrastructure we control.
- Hosting - our applications and databases run on servers we operate in UK/EU data centres.
- The venue's own payment provider (for example Dojo, PAX, Blink or Stripe) where the venue has configured one - the provider's own privacy policy applies to the payment itself.
Cookies and local storage
This marketing site sets no advertising or analytics cookies. The customer-facing menu stores a random device identifier and your cart in your browser's local storage strictly so ordering works; these never leave the ordering flow. The admin console sets the session storage its sign-in requires. None of this is used for cross-site tracking.
International transfers
Data is held in secure UK/EU infrastructure. Where a processor (such as Auth0 or Stripe) processes data outside the UK, transfers are protected by UK-approved safeguards such as the UK Addendum to the EU Standard Contractual Clauses or an adequacy decision.
Your rights
Under UK GDPR you can ask for access to, correction of, or deletion of your personal data; ask us to restrict or object to processing; and ask for a portable copy. Where we process guest order data as a processor for a venue, we will route your request to the venue and help them answer it. To exercise any right, email [email protected] - we respond within one month.
Children
Our services are aimed at businesses and their adult customers. We do not knowingly collect data from children under 13, and venue operators must be adults.
Changes, contact and complaints
If we materially change this policy we will update the date above and, for operators, notify you by email. Privacy questions: [email protected]. General: [email protected]. Press: [email protected]. Post: the registered office above.
If you are unhappy with how we handle your data you can complain to the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.