Blacklist

Privacy Policy

Last updated: February 11, 2026

1. Data Controller

Blacklist ("we", "us", "our") operates the platform at blacklist.rest. We are the data controller responsible for your personal data under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales ("LOPDGDD").

  • Location: Barcelona, Spain
  • Contact: legal@blacklist.rest
  • Supervisory Authority: Agencia Española de Protección de Datos (AEPD), www.aepd.es

2. What Data We Collect

2.1 Restaurant Account Data (Data Subjects: Restaurant Operators)

When you register as a restaurant, we collect:

  • Restaurant name
  • NIF/VAT identification number (primary identifier)
  • Email address
  • Password (hashed, never stored in plain text)

2.2 Flagged Customer Data (Data Subjects: Flagged Individuals)

When a verified restaurant flags a customer, the following data may be submitted:

  • Customer name
  • Customer email address
  • Customer phone number
  • Flag category (e.g., no-show, late cancellation)
  • Date of the flag

This data is submitted by restaurants and pertains to third parties (flagged individuals). We do not collect data directly from flagged individuals. Restaurants are responsible for ensuring they have a legitimate basis to submit this data.

2.3 Usage and Technical Data

  • IP address and browser user agent (for security and rate limiting)
  • Search queries performed within the platform
  • Session identifiers
  • Timestamps of actions performed

3. Legal Basis for Processing

3.1 Restaurant Account Data

We process restaurant account data on the basis of contractual necessity (Article 6(1)(b) GDPR) to provide the service you registered for, and legitimate interest (Article 6(1)(f) GDPR) for fraud prevention and platform integrity.

3.2 Flagged Customer Data

The processing of flagged customer data is based on legitimate interest (Article 6(1)(f) GDPR). The legitimate interest is the protection of restaurants from financial harm caused by repeated no-shows, late cancellations, and similar disruptive booking behavior. We have conducted a Legitimate Interest Assessment (LIA) and concluded that:

  • The interest is legitimate, specific, and real (preventing financial losses from booking abuse).
  • The processing is necessary (there is no less intrusive way for restaurants to collectively identify repeat offenders).
  • The interest is balanced against the rights of data subjects, with safeguards including: data minimization, 12-month automatic expiry, aggregated-only visibility (no restaurant attribution), and the right to object and request erasure at any time.

3.3 Usage and Technical Data

Processed on the basis of legitimate interest (Article 6(1)(f) GDPR) for platform security, abuse prevention, and service improvement.

4. Data Controllership Model

Blacklist operates as the data controller for the shared database of flagged customer records. Each restaurant that submits a flag is a joint data controller (Article 26 GDPR) with respect to the data they submit. The essence of this arrangement is as follows:

  • Blacklist is responsible for the security, storage, retention, and deletion of all data on the platform.
  • Each restaurant is responsible for ensuring they have a legitimate basis to submit customer data and that the data they submit is accurate.
  • Blacklist handles all data subject rights requests (access, erasure, rectification, objection) on behalf of all joint controllers.
  • Data subjects may exercise their rights against any controller, including Blacklist directly.

5. How Data Is Shared

When a verified restaurant searches for a customer, they can see:

  • The total number of flags associated with that customer.
  • The categories of flags (e.g., no-show, late cancellation).
  • The date of the most recent flag.

Restaurants cannot see which specific restaurant submitted a flag. Individual restaurant identities behind flags are never disclosed. This aggregation is a deliberate privacy safeguard.

6. Data Retention

  • Flagged customer data: Automatically deleted 12 months after submission. No manual intervention is required.
  • Restaurant account data: Retained for the duration of the account. Upon account deletion, all account data and all flags submitted by that restaurant are permanently and irreversibly deleted.
  • Technical logs: Retained for a maximum of 90 days for security purposes, then permanently deleted.
  • Backup data: Purged within 30 days of deletion from the primary database.

7. Your Rights as a Data Subject

Under GDPR and LOPDGDD, you have the following rights. These apply to both restaurant operators and flagged individuals:

  • Right of Access (Article 15): You may request confirmation of whether your personal data is being processed and obtain a copy of that data.
  • Right to Rectification (Article 16): You may request correction of inaccurate data.
  • Right to Erasure (Article 17): You may request deletion of your personal data. For flagged customer data, erasure will remove all flags associated with your identifying information across the entire platform.
  • Right to Restriction (Article 18): You may request restriction of processing in certain circumstances.
  • Right to Data Portability (Article 20): You may request your data in a structured, machine-readable format.
  • Right to Object (Article 21): You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Right to Lodge a Complaint: You may file a complaint with the AEPD at www.aepd.es or any other EU supervisory authority.

To exercise any of these rights, contact us at legal@blacklist.rest. We will respond within 30 days. No fee is charged for the first request. We may require identity verification before processing your request.

8. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest.
  • Password hashing using industry-standard algorithms.
  • Rate limiting and brute-force protection on all endpoints.
  • Manual verification of every restaurant before granting access.
  • Session management with automatic expiry.
  • Security headers (HSTS, CSP, X-Frame-Options, etc.).
  • Regular security reviews.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:

  • Notify the AEPD within 72 hours of becoming aware of the breach, as required by Article 33 GDPR.
  • Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 GDPR.
  • Document all breaches, including facts, effects, and remedial actions taken.

10. International Data Transfers

Your data is stored on servers located within the European Economic Area (EEA). We do not transfer personal data outside the EEA. If this changes in the future, we will ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses) and update this policy accordingly.

11. Cookies and Tracking

We use only strictly necessary cookies for authentication and session management. We do not use analytics cookies, advertising cookies, or third-party tracking. No consent banner is required because we do not use non-essential cookies.

12. Third-Party Services

  • Cloudflare: DNS, CDN, and DDoS protection. Cloudflare processes IP addresses and request metadata. See Cloudflare Privacy Policy.
  • Cloudflare Turnstile: Bot protection (invisible CAPTCHA). Processes device and browser signals. No personal data is stored.
  • Resend: Transactional email delivery. Processes email addresses for delivery purposes only. See Resend Privacy Policy.
  • Stripe: Payment processing (when subscription billing is active). Processes payment card data, billing address, and email. Stripe is an independent data controller for payment data. See Stripe Privacy Policy.

We have Data Processing Agreements (DPAs) in place with all sub-processors that handle personal data on our behalf.

13. Children

Our service is intended for business use by restaurant operators. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have collected data from a minor, we will delete it immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered restaurants and posted on this page with an updated "Last updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.

15. Contact

For any questions about this Privacy Policy or your data, or to exercise your rights:

  • Email: legal@blacklist.rest
  • Supervisory Authority: Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, www.aepd.es