PRIVACY POLICY
Last updated: 15 June 2026
1. INTRODUCTION
We operate guest venues in Stockholm, Sweden and London, United Kingdom, and our website www.moyagi.com (the "Website"). The controller responsible for your personal data depends on which venue you interact with:
- Stockholm venue, the Website, membership, marketing and recruitment (EU): Moyagi Shiro AB, registration number 559206-5717, Brunkebergstorg 3, 111 51 Stockholm, Sweden.
- London venue (UK): Moyagi Okoku Ltd, company number 14717835, 5 Cavendish Place, London W1G 0QA, United Kingdom.
Together referred to as "Moyagi", "we", "our" or "us". Depending on where you visit us and where you are located, your personal data is protected by:
- the EU General Data Protection Regulation (2016/679) ("EU GDPR") and Swedish data protection legislation (Stockholm / Moyagi Shiro AB), and/or
- the UK GDPR and the Data Protection Act 2018 ("UK GDPR"), together with the Privacy and Electronic Communications Regulations ("PECR") for electronic marketing (London / Moyagi Okoku Ltd).
We understand that your privacy matters. This Notice explains when we are responsible for processing your personal data, how and why we do so, and what rights you have. You can contact us at any time using the details in section 11.
2. SCOPE
This Notice applies whenever we process personal data — any information that, directly or indirectly, can identify you as an individual (for example your name, email address, phone number, or a reservation number).
We do not seek to collect special categories of personal data (such as health, racial or ethnic origin, religious beliefs, etc.). However, when you make a reservation you may voluntarily disclose allergies or dietary preferences, which can reveal information about health. We process this only to respect your preferences and protect the health of our guests.
This Notice applies to you if you are a:
- Guest — when you make, or wish to make, a reservation at our venues.
- Member — when you join our membership/loyalty programme.
- Visitor — when you visit or interact with us through our Website, our booking and marketing tools, or our social channels.
- Corporate client — when you enquire about or book a corporate event.
- Job applicant — when you apply for a role with us.
3. WHAT PERSONAL DATA WE COLLECT AND HOW
We collect most personal data directly from you — for example when you make a reservation, subscribe to our newsletter or SMS list, contact us, enquire about a corporate event, or apply for a job.
We also collect data:
- Automatically, when you use the Website — technical and usage data via cookies and similar technologies (see section 6 and our Cookie Policy), such as IP address, device and browser type, and pages viewed.
- From third parties — for corporate clients, publicly available business information; for job applicants, references you authorise us to contact; and aggregated/measurement data from our advertising and analytics partners.
- Generated internally — such as reservation numbers, application numbers, and membership records.
Please share only the information we actually need. When noting another guest's allergy or assistance need, you do not need to give us their name — only what we must be aware of for the reservation.
4. WHY AND HOW WE USE YOUR PERSONAL DATA
4.1 Guests, members and visitors
| Purpose | Personal data | Legal basis | Retention |
|---|---|---|---|
| To enable and manage your reservation at our venues (handled through our booking platform, SevenRooms). | First and last name, email, phone number, reservation details and notes, dietary/allergy notes, date of birth, postcode, preferred language, reservation number. | Performance of a contract (our Terms & Conditions). | For the duration of our contract with you and in any case 12 months after your last visit. |
| To take and process payments and deposits (handled through our payment processor, Stripe). | Name, email, transaction amount and status, and partial card details/payment token. We do not store full card numbers — these are handled by Stripe as a PCI-DSS compliant processor. | Performance of a contract and compliance with legal (tax/accounting) obligations. | Transaction records retained 7 years per the Swedish Bookkeeping Act (Bokföringslag 1999:1078) / applicable UK requirements. |
| To respond to your enquiries (reservations, cancellations, general questions). | Name, email, content of your communication. | Legitimate interest (responding to you). | For as long as relevant to your enquiry. |
| To send you our email newsletter. | Email address. | Consent, collected when you subscribe. | Until you unsubscribe or withdraw consent. |
| To send you SMS and email marketing (e.g. via SevenRooms marketing). | Name, email, phone number, marketing preferences. | Consent (and, in the UK, in line with PECR). For corporate contacts, we may also rely on legitimate interest (B2B). | Until you unsubscribe or withdraw consent. |
| To run our membership / loyalty programme. | Name, email, phone, reservation history and notes, date of birth, address. | Consent (you opt in when you register). | For as long as you remain a member; withdraw at any time. |
| To measure guest satisfaction and collect reviews. | Name, email, your review. | Legitimate interest (improving our service). | Anonymised once your rating is received. |
| To advertise and measure the performance of our marketing (online advertising, remarketing, conversion measurement and website analytics) using the partners listed in section 7. | Online identifiers, cookie/pixel IDs, device data, on-site and conversion events, approximate location. | Consent for advertising/analytics cookies and similar technologies (see Cookie Policy). | Per each partner's retention; consent withdrawable at any time. |
| Corporate event billing and invoicing. | Name, email, company name, and any personal data on the invoice. | Legitimate interest (invoicing clients) and legal obligation. | Invoices retained 7 years; other data only as long as needed. |
4.2 Job applicants
| Purpose | Personal data | Legal basis | Retention |
|---|---|---|---|
| To evaluate and manage your application (handled through our recruitment platform, Teamtailor). | Name, email, phone, CV, interview notes where relevant, and references you authorise. | Legitimate interest (recruiting suitable employees). | As long as needed to evaluate; in any case 2 years to defend against claims under the Swedish Anti-Discrimination Act (Diskrimineringslagen 2008:567) / applicable UK equality law. Longer if a claim is raised. |
| To enter into an employment agreement. | Name, email, home address, personal identity number (personnummer) or equivalent, salary, benefits. | Performance of a contract. | As long as needed to fulfil the contract. |
4.3 General purposes
| Purpose | Legal basis | Retention |
|---|---|---|
| To comply with legal obligations (tax, accounting, food safety, etc.). | Legal obligation. | As required by the relevant law. |
| To establish, exercise or defend legal claims. | Legitimate interest. | Up to 10 years under the Swedish Act on Limitations (Preskriptionslag 1981:130) / applicable UK limitation periods. |
5. MARKETING AND YOUR CHOICES
You can opt in to email and SMS marketing when you book, subscribe, or join our membership. You can withdraw consent or unsubscribe at any time — use the unsubscribe link in any email, reply STOP to any SMS, or contact us at [email protected]. Withdrawing consent does not affect processing carried out before withdrawal.
6. COOKIES AND SIMILAR TECHNOLOGIES
When you visit our Website we use cookies and similar technologies. Strictly necessary cookies are always active; all other cookies (preferences, statistics and marketing) are set only with your consent, which we collect through our consent management platform (Cookiebot) using Google Consent Mode v2. For full details of the cookies we use, the third parties involved, and how to manage your choices, please read our Cookie Policy.
7. RECIPIENTS OF YOUR PERSONAL DATA
| Recipient | Purpose | Role |
|---|---|---|
| SevenRooms | Reservations, guest profiles, email/SMS marketing | Processor |
| Stripe | Payment processing | Processor (PCI-DSS) |
| Webflow | Website hosting | Processor |
| Google (Analytics / Ads / Tag Manager) | Website analytics, advertising, conversion measurement | Processor / independent controller |
| Meta, TikTok, LinkedIn | Advertising and measurement | Independent controllers / joint controllers for pixel data |
| Triple Whale | Marketing analytics and attribution | Processor |
| Cookiebot (Usercentrics) | Consent management | Processor |
| HubSpot | Corporate enquiry and meeting scheduling | Processor |
| Typeform | Corporate enquiry forms | Processor |
| Teamtailor | Recruitment | Processor |
| Courts, authorities, advisers | Where required by law or to defend legal claims | — |
| A successor owner | If our business changes ownership, on the terms of this Notice | — |
8. INTERNATIONAL TRANSFERS
Some of the recipients above are located outside the EEA/UK (for example in the United States). Where we transfer your personal data internationally, we rely on appropriate safeguards:
- transfers to countries with an EU/UK adequacy decision;
- the EU Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum (IDTA); and/or
- certification under the EU–US Data Privacy Framework (and UK extension) where the recipient is certified (e.g. Google, Meta, Stripe, HubSpot).
Where required, we apply additional technical and organisational measures to ensure an adequate level of protection.
9. YOUR RIGHTS
Under the GDPR (EU and UK) you have the rights to: access, rectification, erasure, objection, restriction, withdraw consent, and data portability. To exercise any right, contact us at [email protected]. We will verify your identity before acting and respond within the statutory deadline. These rights are subject to legal conditions and limitations.
If you have a complaint, please contact us first. You also have the right to lodge a complaint with a supervisory authority:
- Sweden / EU: Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm · [email protected] · +46 8 657 61 00 · www.imy.se
- United Kingdom: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF · [email protected] · 0303 123 1113 · www.ico.org.uk
10. CHANGES TO THIS NOTICE
If we change this Notice we will post the updated version on our Website and update the "last updated" date above. Significant changes will be notified by email where appropriate.
11. CONTACT INFORMATION
For any privacy matter, contact us at [email protected] for Stockholm and [email protected] for London. Our controller entities are:
- Moyagi Shiro AB (reg. no. 559206-5717) — Brunkebergstorg 3, 111 51 Stockholm, Sweden — controller for Stockholm, the Website, membership, marketing and recruitment.
- Moyagi Okoku Ltd (company no. 14717835) — 5 Cavendish Place, London W1G 0QA, United Kingdom — controller for the London venue.
