Generate Your Data Protection Policy with AI

Hearthstone Kitchen & Bar operates in a data environment shaped by nightly reservations, allergen disclosure cards, contactless payment terminals, and CCTV footage covering every dining area and kitchen pass. This policy governs how Hearthstone collects, processes, stores, and protects personal data generated across those touchpoints, ensuring compliance with applicable data protection legislation.

Every individual who handles personal data on behalf of Hearthstone falls within scope. Front-of-house staff process customer bookings and card payments. Kitchen teams receive allergen disclosure forms identifying guests by name. Delivery drivers access customer addresses through route management apps. Marketing personnel maintain email subscriber lists and loyalty programme databases. All are bound by the standards set out here.

Hearthstone processes personal data relating to several categories of data subject. Dining customers provide reservation details, contact information, dietary requirements, and payment records. Delivery and takeaway customers share addresses, order histories, and phone numbers. Suppliers furnish contact persons, banking details, and trade references. Job applicants submit CVs, references, and right-to-work documentation. Current and former staff have payroll data, health records, disciplinary files, and CCTV footage captured on premises. All processing activities are carried out for legitimate operational purposes under the safeguards detailed in this policy.

Hearthstone Kitchen & Bar operates under the data protection legislation applicable in the jurisdiction where it is registered. Where the business serves customers across multiple jurisdictions through online ordering or franchise arrangements, it applies the most protective standard applicable to each data subject category. The organisation has identified the relevant supervisory authority and maintains registration or notification where required by law.

Hearthstone acts as data controller for all personal data it collects directly from customers, employees, and suppliers. Third-party processors, including the online reservation platform, payment gateway, delivery aggregator apps, and cloud-based point-of-sale system, operate under written data processing agreements specifying processing instructions, security measures, breach notification timelines, and data return or deletion on termination.

Accountability measures include a Record of Processing Activities documenting every category of personal data held, the lawful basis for processing, retention periods, and third-party recipients. Data Protection Impact Assessments are conducted before implementing new technologies such as facial recognition for VIP guest identification, table management AI, or customer sentiment analysis tools. Hearthstone provides mandatory data protection training to all staff during onboarding, with annual refresher sessions covering allergen data handling, CCTV footage access protocols, and secure disposal of paper reservation books.