Blacklist

Data Processing Agreement

Last updated: February 11, 2026

This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service and governs the processing of personal data by Blacklist on behalf of the Restaurant.

1. Roles of the Parties

  • Restaurant (Controller): The restaurant determines the purposes and means of processing customer personal data by submitting flags to the platform.
  • Blacklist (Processor): Blacklist processes customer personal data on behalf of the Restaurant, strictly for the purposes described in this agreement.

Each restaurant that submits data to the platform acts as a data controller under Article 4(7) GDPR. Blacklist acts as a data processor under Article 4(8) GDPR with respect to that data.

2. Nature of Processing

Blacklist operates a shared reservation incident registry. Processing activities include:

  • Storage of flagged customer records submitted by restaurants.
  • Aggregation and display of flag counts to other verified restaurants.
  • Automatic deletion of records after the retention period.

3. Categories of Data

The following categories of personal data are processed:

  • Customer name
  • Customer email address
  • Customer phone number
  • Reservation date
  • Incident type (no-show, late cancellation, or incident)

4. Retention

Data is retained for the minimum period necessary:

  • Flagged customer data: Automatically deleted 12 months after submission.
  • Account deletion: All data submitted by a restaurant is permanently deleted when the restaurant deletes its account.

5. Security

Blacklist implements appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest.
  • Access controls and authentication for all platform users.
  • Regular security reviews and monitoring.
  • Data stored exclusively within the European Economic Area (EEA).

6. Restaurant Responsibilities

As a data controller, the Restaurant is responsible for:

  • Ensuring a lawful basis exists under GDPR before submitting any customer data to the platform.
  • Informing customers, where appropriate, that their data may be shared with a shared incident registry in the event of disruptive booking behavior.
  • Ensuring the accuracy of all data submitted to the platform.

7. Contact

For questions about this Data Processing Agreement: