Privacy Policy
Last updated: April 2026
This Privacy Policy describes how Blero processes personal data in connection with the provision of its intelligent reservation system for restaurants, in accordance with Article 13 of the General Data Protection Regulation (EU) 2016/679 (the "GDPR").
1. Data Controller
The Data Controller is Nexora Venture Studio Srl, with registered office at Piazza della Repubblica 19, 20124 Milano, VAT number IT00000000000. For any data protection matter you may contact privacy@blero.io.
2. About us
Blero is an intelligent reservation system for restaurants, provided as a B2B SaaS. The Service is intended for restaurant owners and operators ("Admins") who use the platform to manage reservations from their end customers ("Restaurant Customers").
With respect to Restaurant Customer data, the restaurant acts as Data Controller, while Blero acts as Data Processor (Art. 28 GDPR), processing data on behalf of and according to the instructions of the restaurant. With respect to Admin data, Blero acts as Data Controller.
3. Data collected — Restaurant owners (Admins)
When an Admin signs up and configures their account, Blero collects and processes:
| Category | Data |
|---|---|
| Account | Full name, email, password (stored only as a bcrypt hash, never in clear), business name, description, location |
| Restaurant | Name, address, URL slug, phone, timezone, country code, image, primary color, booking description |
| Configuration | Opening hours, booking requirements, notification settings, no-show prevention, edit rules, max covers, slot duration, review URL |
| Areas and tables | Areas, tables (capacity, shape, position, requirements), table combinations |
| Staff | First name, last name, label, access key (stored as SHA-256 hash), permissions, last access timestamp |
| Subscription | Plan, subscription status, Paddle Subscription ID, Paddle Customer ID, counters and limits, SMS credits |
| Security | Event log (login, signup, role changes, etc.), session JWT |
4. Data collected — Restaurant Customers
When a customer makes a booking through a restaurant's public page, Blero collects:
| Category | Data |
|---|---|
| Identifiers | First name, last name, phone number (country code + national number), email, preferred language |
| Preferences | Selected requirements (e.g. pets, accessibility, stroller), free-text notes |
| Booking | Date, time, number of guests, assigned table, area, status, source (web, manual, staff, walk-in) |
| Technical tokens | Cancellation and modification tokens (stored as SHA-256 hash), idempotency key (UUID) |
| Customer aggregate | Last SMS verification date, first/last booking date, booking counter, expiration date for automatic GDPR cleanup |
| Consent | Marketing consent flag (if enabled by the restaurant), timestamp of consent |
Blero does NOT collect from Restaurant Customers: payment data (card, IBAN — handled exclusively by Paddle), biometric data, health data, geolocation data, profiling or marketing cookies.
5. Data collected — Website visitors
When a user visits blero.io, navigation data (anonymized IP address, pages visited, events, device, browser) is collected via Google Analytics 4, subject to prior consent through the cookie banner. See the Cookie Policy for details.
6. Purposes and legal bases
| Subject | Processing | Legal basis |
|---|---|---|
| Admin | Account, email, password | Performance of contract — Art. 6(1)(b) GDPR |
| Admin | Restaurant configuration | Performance of contract — Art. 6(1)(b) |
| Admin | Event log and security | Legitimate interest — Art. 6(1)(f) |
| Admin | Billing (via Paddle) | Legal obligation — Art. 6(1)(c) |
| Restaurant Customer | Name, last name, email, phone | Legitimate interest of the restaurant — Art. 6(1)(f) |
| Restaurant Customer | SMS verification (OTP) | Legitimate interest — Art. 6(1)(f) |
| Restaurant Customer | Notes and preferences | Consent — Art. 6(1)(a) |
| Restaurant Customer | Marketing consent (promotional communications) | Consent — Art. 6(1)(a) |
| Website visitor | Analytics cookies | Consent — Art. 6(1)(a) |
7. SMS verification (OTP)
To reduce no-shows and prevent fraudulent bookings, Blero sends a 6-digit OTP code to the phone number provided by the Customer at the time of booking. The code has a limited validity (typically around 5 minutes, configurable per restaurant), allows up to 3 input attempts and up to 3 resends per booking. A daily limit per phone number is also enforced. Once verified, the code is marked as "used" and subsequently deleted. If verification fails or is not completed before expiration, the booking is not confirmed.
8. Automated communications
Blero automatically sends the following transactional emails:
- Booking confirmation — to the Customer, immediately after SMS verification. Necessary to deliver the Service.
- Reminder — to the Customer, N hours before the booked time (configurable per restaurant). Can be disabled at restaurant level.
- Cancellation notice — to the Customer, in case of cancellation.
- Modification notice — to the Customer, in case of booking changes.
- Review request — to the Customer, the day after a completed booking. Can be disabled per booking and per restaurant.
- Welcome email — to the Admin, after signup.
- Magic link / password reset — to the Admin, on request.
- Admin notifications — to the restaurant email, for new bookings, cancellations and changes. Can be disabled.
- Low credits alert — to the Admin, when the SMS credit balance falls below a threshold.
9. Automated processing
Automatic table assignment is performed by a deterministic algorithm that evaluates number of guests, selected requirements, table capacity, availability and combination rules. This is not profiling, nor an automated decision producing legal effects on the data subject within the meaning of Art. 22 GDPR: it is deterministic business logic that always returns the same output for the same input.
10. Sharing with third parties — Sub-processors
Blero relies on the following providers, appointed as Data Processors under Art. 28 GDPR by means of dedicated Data Processing Agreements (DPAs):
| Provider | Service | Location | Safeguards |
|---|---|---|---|
| Xano | Backend, PostgreSQL database | EU (Germany) | DPA, data in EU |
| Vercel | Frontend hosting | USA | DPA, Standard Contractual Clauses (SCC) |
| Paddle | Payments — Merchant of Record | UK / EU | DPA, Paddle Privacy Policy |
| SMSAPI | OTP SMS delivery | EU (Poland) | DPA, data in EU |
| Resend | Transactional email | USA | DPA, SCC |
| Google Analytics 4 | Website analytics | USA | DPA, SCC, IP anonymization |
Paddle acts as Merchant of Record: it processes payments, issues invoices, and handles VAT on behalf of Blero. Payment data (card numbers, financial billing information) NEVER transit through Blero servers and are processed exclusively by Paddle, in accordance with its privacy policy.
11. International data transfers
Some providers (Vercel, Resend, Google Analytics) are based in the United States. Transfers take place on the basis of the Standard Contractual Clauses (SCC) approved by the European Commission and adequate technical and organizational measures. Xano and SMSAPI operate within the European Union.
12. Data retention
| Data | Retention | Mechanism |
|---|---|---|
| Admin account | Until account deletion | On user request |
| Restaurant configuration | Until account deletion | Cascade delete with the account |
| Restaurant Customer record | Configurable by the restaurant (default 24 months from last booking) | Weekly GDPR cron job (gdpr_data_cleanup) that anonymizes bookings and deletes the customer record |
| Anonymized bookings | Until account deletion | PII removed by the GDPR cron, the record remains as aggregated data |
| SMS OTP codes | ~5 minutes | Automatic expiration |
| Bookings | Until account deletion | Cascade delete |
| Session JWT | 24 hours | Automatic expiration |
| Payment data | Never stored on Blero | Handled by Paddle |
| GA4 cookies | Up to 2 years | Managed by Google |
13. Data subject rights
The data subject may exercise at any time the rights provided by Articles 15–22 GDPR:
- Access to personal data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection to processing (Art. 21)
- Complaint to the supervisory authority (the Italian Data Protection Authority — www.garanteprivacy.it)
To exercise these rights, please send a request to privacy@blero.io. Restaurant Customers may contact the restaurant directly (Data Controller) or Blero, which will forward the request to the relevant restaurant.
14. Security
Blero adopts technical and organizational measures appropriate to protect personal data, including:
- bcrypt hashing for user passwords
- SHA-256 hashing with dedicated salt for API keys (
ak_...) and staff keys (sk_...) - Session JWT with 24-hour expiration
- Single session per staff key (single session enforcement)
- HTTPS/TLS on all communications
- Configurable rate limiting per endpoint, with specific limits for public booking
- Daily SMS sending limit per phone number
- Paddle webhook validation via URL secret
- Multi-tenant isolation: every query is filtered by
account_id, preventing access to data from other restaurants - CORS configuration and input sanitization
- Automatic anonymization of expired customer data (GDPR cron)
15. Blero's role in processing
Blero plays a dual role depending on the data subject:
- For Admins, Blero is Data Controller in relation to account, configuration, billing and security log data.
- For Restaurant Customers, Blero is Data Processor under Art. 28 GDPR. The restaurant remains Data Controller and defines the purposes of processing the data of its customers. Blero processes such data exclusively on behalf of and according to the instructions of the restaurant. The specific terms of processing are governed by the Data Processing Agreement (DPA) available at blero.io/en/dpa, which forms an integral part of the Terms of Service.
16. Changes to this Privacy Policy
Blero reserves the right to amend this Privacy Policy at any time. Any material changes will be communicated to Admins by email at least 30 days in advance and published on this page, with the date at the top updated accordingly.
17. Contact
For any matter regarding the processing of personal data, you may contact privacy@blero.io or send a written communication to Nexora Venture Studio Srl, Piazza della Repubblica 19, 20124 Milano.