Spotline

Privacy Policy

Last updated 22 May 2026. How Spotline handles personal data, including the SMS program for waitlist and reservations.

About this policy

This privacy policy explains how Workyloop OÜ (“Spotline”, “we”, “us”) handles personal data collected through the Spotline service — the website at www.spotline.so, the operator application at app.spotline.so, and the public waitlist join and reservation booking pages.

If you joined a restaurant’s waitlist or made a reservation and want to know how your phone number and SMS messages are handled, the SMS program section below covers it.

Who we are

Workyloop OÜ, Tartu mnt 67/1-13b, 10115 Tallinn, Estonia. Estonian registry code 16837036. We operate the Spotline service and are the controller of personal data described below.

Contact: info@workyloop.com

Carrier-compliance disclosures

SMS program

When you provide your mobile phone number on a Spotline-powered waitlist join form or reservation booking form for a participating restaurant, you are opting in to receive transactional SMS messages from Spotline on that restaurant’s behalf.

What you will receive

You will receive SMS only in connection with your waitlist or reservation activity at participating restaurants. Frequency varies based on your activity.

Example messages you may receive:

  • A waitlist join confirmation with a link to your live status page (e.g. “Hi {name}! You’re on the waitlist. Track your spot here: {link}”).

  • A call-ahead confirmation when the restaurant saves your spot (e.g. “Hi {name}! We saved your spot. We’ll text when your table is ready: {link}”).

  • A “table ready” notification (e.g. “Hi {name}, your table is ready! Please head to the host stand.”).

  • A no-show acknowledgement if you didn’t make it (e.g. “Sorry we missed you tonight, {name}. Hope to see you soon!”).

  • A reservation confirmation prompt when you book (e.g. “{restaurant}: Your reservation is pending. Confirm or cancel: {url}”).

Costs

Message and data rates may apply. Charges from your mobile carrier are independent of Spotline; we do not bill you for SMS.

Opting out

Reply STOP to any message to unsubscribe at any time. Reply HELP for assistance.

STOP opt-outs are honored across all Spotline-powered restaurants that share the same originating number. After you opt out, Spotline will not send you further SMS until you opt in again through a new waitlist join or reservation form.

How we share SMS data

We do not sell or share your mobile phone number or SMS opt-in data with third parties for their marketing purposes.

We share your phone number only with Twilio Inc. (our SMS gateway processor) for the purpose of delivering the transactional SMS described above, and with the restaurant whose waitlist or reservation form you used.

SMS contact

Questions about the SMS program, or want to be removed even though you haven’t replied STOP? Email info@workyloop.com.

What we collect

  • Operator account data — name, email, password hash, business name and address, login activity. Provided by restaurant operators when they create an account.

  • Guest data captured by operators — name, mobile phone number (E.164 format), party size, optional notes, and visit history within a single restaurant’s account. Provided by guests at the waitlist join or reservation booking form, or by operators on their behalf.

  • SMS message content and delivery metadata — outbound transactional messages sent by Spotline on the restaurant’s behalf, any inbound replies, and delivery status from the carrier.

  • Status-page tokens — short random identifiers (10–12 characters) that appear in the status-page URL sent to each guest. The token is the identifier; we do not include name, phone, or party size in the URL.

  • Payment data — card details for operator subscriptions are handled exclusively by our payment processor (Stripe). We see only the last four digits, card brand, and billing country.

  • Server logs — IP address, user-agent, request timestamps, and requested URLs, retained for up to 30 days for security and operational purposes.

Legal basis (GDPR Art. 6)

  • Operator account data — contract (Art. 6(1)(b)) and legitimate interest in operating the service.

  • Guest data and SMS — legitimate interest of the restaurant in seating guests, plus the guest’s consent given when providing their phone number to receive status updates.

  • Payment data — contract (Art. 6(1)(b)).

  • Server logs — legitimate interest in operating and securing the service.

How long we keep it

Operator account data is retained while the account is active and for 90 days after deletion (so accounts can be restored on request). Guest data is retained per the restaurant’s configured retention setting; the default is 24 months from last visit. SMS message metadata (delivery status, timestamps) is retained for 12 months. Server logs: up to 30 days.

Who we share data with

We do not sell personal data. We do not sell or share your mobile phone number or SMS opt-in data with third parties for their marketing purposes. We share data only with the following processors, strictly to operate the service:

  • Vercel Inc. (hosting) — United States, under EU Standard Contractual Clauses.

  • Twilio Inc. (SMS delivery) — United States, under EU Standard Contractual Clauses. Guest phone numbers and SMS message bodies are processed by Twilio on our behalf solely to deliver the transactional messages above.

  • Stripe, Inc. (payments) — United States, under EU Standard Contractual Clauses. Operator billing data only.

  • Email delivery provider — for transactional emails to operators. Provider details available on request.

  • The restaurant whose form you submitted — your name, phone number, party size, and visit history are visible to the operator account of that single restaurant. Not shared across restaurants.

Your rights

Under the GDPR, you have the right to access, rectify, erase, restrict processing of, or port your personal data, and to object to processing. To exercise these rights, contact info@workyloop.com.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee).

International transfers

Some processors listed above are based in the United States. Transfers are governed by the European Commission’s Standard Contractual Clauses. We do not transfer personal data to jurisdictions without an adequate level of protection unless protected by appropriate safeguards.

Children

Spotline is not directed at children under 16. Restaurants using Spotline must not knowingly collect personal data of children under 16 through Spotline join forms or reservation forms.

Changes to this policy

We may update this policy. The “Last updated” date at the top always reflects the current version. Material changes will be communicated to operators by email.

Questions about how we handle data, or the SMS program? Email info@workyloop.com.

Email info@workyloop.com