Built for UK hospitality. GDPR compliant by design.
Foldout handles personal data the right way, not as an afterthought. Your venue data and your customers' data stay in the UK and are never sold or shared.
UK data hosting
All data is stored in UK-based infrastructure. Your data never leaves the UK.
GDPR compliant
Designed for GDPR from the start — lawful basis, data minimisation, right to erasure.
Encrypted everywhere
Encrypted at rest and in transit. TLS 1.3 in transit. AES-256 at rest.
No tracking pixels
No analytics SDKs, no ad pixels, no third-party tracking on your widget traffic.
Designed for GDPR from day one
UK GDPR and the Data Protection Act 2018 apply to data you collect through Foldout — enquiry form submissions, for example. We've built Foldout so your obligations are clear and your data is yours.
- You are the data controller for enquiry form data
- Foldout acts as processor — we process only on your instructions
- Data subject requests: we'll help you respond
- Retention periods configurable per form
- Audit log of all data access
Data processing summary
Widget display data
Opening hours, menu content — public, no personal data
Enquiry form submissions
Name, email, message — processed per your configuration
Dashboard user data
Email, auth token — encrypted, UK-hosted
Analytics
Widget views — aggregate only, no individual tracking
How we protect your data
UK-based servers
All Foldout data is stored in UK-based data centres. We don't use regions outside the UK for any personal data processing.
TLS 1.3 in transit
All communication between your website, our servers, and the Foldout dashboard is encrypted in transit using TLS 1.3.
AES-256 at rest
Data stored by Foldout — including enquiry form submissions and user credentials — is encrypted at rest using AES-256.
Isolated per venue
Each venue's data is isolated. An agency admin can see their own clients' data; venues cannot see each other's data.
No third-party trackers
Foldout's widget script does not load any third-party analytics, advertising or tracking SDKs on your website.
Regular security reviews
We conduct regular security reviews of our codebase and infrastructure. Vulnerabilities are patched and disclosed.
Stays up even when we don't
If our database is ever unreachable, widgets serve the last-published configuration from a snapshot. Your visitors never see a broken widget.
Version history on everything
Every widget keeps a draft-to-publish history. Restore any previous version in a click — a bad edit is never permanent.
Audited, guarded access
Every privileged data access is recorded in a service-role audit ledger, and install checks fetch only the page you name — guarded against internal-network probing.
UK legal framework
Foldout operates under UK GDPR and the Data Protection Act 2018. We are registered with the ICO. Our full Data Processing Agreement is available on request.
Security questions?
If you have specific security or compliance questions — for a DPA, vendor assessment, or anything else — get in touch.