OPENTABLE SECURITY CENTRE

Restaurants own their data, and guests own their data.

Guest data entered by a restaurant into its OpenTable system is owned by the restaurant, including any data collected when a guest makes a reservation over the phone or walks in.

Guests who come to OpenTable’s consumer-facing properties to make a reservation maintain ownership of their data. Since OpenTable is a consumer marketplace where millions of diners make reservations via OpenTable properties, we process a vast ecosystem of guests and guest-related information. We will securely share this information with restaurants to enhance your business – as long as the guest grants us permission to do so. Gaining and maintaining guests’ trust is critical for OpenTable to service our restaurant partners with guest demand, and ultimately keeps restaurants compliant with privacy laws as well.

As long as guests grant OpenTable permission to share their information, we securely share it. By agreeing to OpenTable’s Privacy Policy, the guest grants OpenTable certain rights to use their data – including the right to share their data with restaurants. Any restrictions on what OpenTable can share with restaurants is determined by what scope of data the guest agreed to in OpenTable’s Privacy Policy.

Guests who book through OpenTable may opt out of certain data-sharing activities through their account preferences. In cases where guests choose to opt-out, OpenTable is required by law to honour guest choice about how their information is used and shared. This is a requirement for OpenTable to stay compliant with privacy laws, as well as protect restaurants from risk.

OpenTable operates as a data processor, merely facilitating the reservation process and enabling guests to access restaurants for booking.

OpenTable’s use of a restaurant’s data is limited to the rights and permissions granted in the Client Agreement. That restaurant data is used for the limited purposes of promoting the restaurant on OpenTable properties, helping guests to make restaurant bookings, and enabling the restaurant reservation.

OpenTable also aggregates and anonymizes data to better service guests and restaurant partners.

All data received by the restaurant is handled in compliance with applicable data privacy laws and is processed and stored based on our robust, SOC 2 certified security programme.

At OpenTable, we prioritise the security of your payment card information. When you enter your card details to make a reservation or payment, your information is encrypted using secure protocols during transmission. OpenTable does not store your payment card information. Instead, we partner with trusted, PCI-compliant payment processors who handle and store your data securely. We require these processors to keep your information secure and confidential.

At OpenTable, we prioritise privacy and are transparent about how we handle guests’ personal information. As permitted by applicable law, we share guest data with trusted partners—such as restaurants, service providers, and advertising partners—to enhance the dining experience and improve our services. 

For more information, view the “How We Share Your Information” section of our Privacy Policy.

OpenTable’s SOC 2 Type II compliance, validated by an independent auditor, proves that we rigorously safeguard your data with robust, consistently effective controls. This means you can trust us to protect your information and ensure the reliability of our services, giving you peace of mind. 

OpenTable employs a comprehensive array of security measures and controls to safeguard restaurant accounts, which include:

• Multi-Factor Authentication (MFA): Restaurants have the option to enforce MFA for their staff accounts, enhancing security measures.
• Granular Access Controls: Role-based access controls are implemented to ensure that employees have access only to the information needed to carry out their responsibilities.
• Device Verification: To protect your most sensitive data and actions, our application enforces access controls that go beyond simple logins. Only devices that have been explicitly trusted by the user can access certain high-risk features.
• Network Security: OpenTable ensures that all data exchanged between its restaurant clients and data centres is protected through encryption using secure transport protocols. Additionally, data stored within OpenTable databases is also encrypted, safeguarding it from unauthorized access.
• Secure Data centres: All OpenTable data centres are compliant with industry-standard security certifications, including SOC 2 Type II, PCI DSS, and ISO standards and international data security regulations. Data centres enforce stringent physical security standards and environmental protections.

To report a concern, please contact our customer support team.

• We integrate artificial intelligence (“AI”), including generative AI, into our content, features, and Services (including OT4R).
• This may involve partnerships with third-party entities or the use of their large language models.
• We process your input and generate data to deliver and improve our Services, ensuring quality and troubleshooting, in accordance with our Terms and our Privacy Policy.
• We have strict protocols to limit third parties from training their AI on your personal or sensitive data.
• AI-generated content is provided “as-is” without guarantees of relevance, accuracy, or completeness, and we are not liable for its use.

• Powering your experience: We leverage both established ML and cutting-edge LLM AI to enhance our Services for internal operations and direct restaurant/diner interactions.
• Responsible AI: Our AI systems, classified as “limited risk” under the EU AI Act, are built with careful consideration for user safety.
• Privacy-centric design: We deliberately exclude direct PII like names, emails, and phone numbers from our AI models.
• Understanding your needs: While anonymised, insights into user behaviour and preferences help us personalise and improve your experience.
• Innovation with safeguards: We are committed to utilising the power of AI responsibly, prioritizing user privacy and adhering to regulatory standards.

OpenTable implements device verification to enhance data security. When a restaurant user logs in from an unfamiliar network, sensitive guest information, also known as Personally Identifiable Information (PII), such as email addresses or phone numbers, will be obscured. This measure helps protect PII from unauthorized access. Device verification is also required for critical guest-facing features like creating or editing Experiences, defining Booking Policies, and sending direct marketing communications among others, ensuring that only verified devices can manage these sensitive interactions.