Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
CoverManager is a Spanish reservation and table management platform built by CoverManager SL in Seville. It powers booking widgets, hosted reservation pages, table management consoles and customer relationship features for restaurants across Spain and Europe. Diners interact with a JavaScript widget or a hosted page that captures name, email, phone, party size and special requests, then transmits them to CoverManager backend on EU AWS infrastructure. Operators must apply GDPR transparency, consent and retention rules.
CoverManager is a Spanish reservation, table management and CRM platform for restaurants, developed by CoverManager SL in Seville. It is one of the most widely deployed booking solutions in Spain and is increasingly used by restaurants, hotels and venues across Europe. Restaurants integrate a JavaScript booking widget on their website, link to a hosted reservation page or accept bookings through a CoverManager managed listing, and manage tables, waitlists and customer relationships through the back office.
The CoverManager widget sets a session cookie, a CSRF token cookie and a persistent reservation context cookie that link the diner browser to a server side reservation session. On the server side, CoverManager processes the reservation: name, email, phone, party size, date and time, special requests and optional prepayment metadata. The CRM module can store guest history, preferences (table location, allergies, special dates) and marketing consent records.
The session and reservation cookies fall under the Article 5(3) ePrivacy strictly necessary exemption. Optional marketing analytics, loyalty and behavioural cookies require consent. The processing of reservation details relies on contract performance under Article 6(1)(b) GDPR. CoverManager SL acts as a processor on behalf of the restaurant under Article 28 GDPR. Spanish operators must apply the LSSI for cookie consent and the LOPDGDD for additional GDPR rules.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Reservation, prepayment and guest communication rely on contract performance (Article 6(1)(b) GDPR). Marketing communications, loyalty programmes and behavioural personalisation rely on consent (Article 6(1)(a) GDPR). No show prevention, anti fraud and table reuse rules rely on legitimate interest (Article 6(1)(f) GDPR) with a balancing test. A data processing agreement under Article 28 GDPR between the restaurant (controller) and CoverManager SL (processor) is required.
CoverManager hosts the platform on AWS EU regions and primarily uses EU established sub processors. Transfers outside the EEA only occur if the restaurant enables optional modules such as WhatsApp Business API, SMS gateways with US providers, or payment service providers based in third countries. In those cases Standard Contractual Clauses or the EU US Data Privacy Framework apply and must be reflected in the privacy notice.
Sign the CoverManager DPA, list CoverManager SL in the privacy notice as a processor, document the EU AWS hosting and review the sub processor list whenever optional modules are activated. Integrate the CoverManager cookies in the CMP with strictly necessary cookies always on and optional marketing or loyalty cookies gated behind consent. Limit the diner data collected to what is strictly required for the reservation and retain it only for as long as needed for the booking and any follow up cycle.
Websites using CoverManager must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not generally required for a standard CoverManager deployment in a restaurant, because the personal data is limited to reservation details (name, contact, party size). A DPIA becomes relevant when the operator combines CoverManager with extensive CRM profiling, loyalty programmes that build long term customer profiles, or sensitive customer attributes (allergies, religion linked dietary preferences, accessibility needs).
Sample consent text
Our restaurant uses CoverManager, a Spanish reservation platform by CoverManager SL, to manage your booking. Strictly necessary cookies are used to keep your reservation session and to confirm your booking; these do not require your consent. With your permission we also activate optional analytics and loyalty cookies. Your reservation data is hosted on EU AWS infrastructure.
Third-party domains contacted
covermanager.comapp.covermanager.comwidget.covermanager.comapi.covermanager.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cm_session | third_party | Session | Session identifier set by CoverManager to bind the visitor to a server side reservation session. |
| cm_xsrf | third_party | Session | CSRF protection token used to authorise booking submissions. |
| cm_reservation | third_party | 7 days | Persistent reservation context cookie that retains the selection (date, party size, restaurant) while the diner completes the booking. |
| cm_locale | third_party | 12 months | Stores the language chosen by the diner for the reservation page. |
CoverManager uses cookies for user preferences — inform visitors with a consent banner.
Session, CSRF token and reservation context cookies for the strictly necessary booking flow. Optional analytics, loyalty and marketing modules can add their own cookies, which are non strictly necessary.
Not for strictly necessary cookies. Yes for optional analytics, loyalty and marketing cookies enabled by the restaurant.
Reservation, prepayment and guest communication rely on contract performance under Article 6(1)(b) GDPR. Marketing and loyalty rely on consent under Article 6(1)(a) GDPR. No show prevention relies on legitimate interest under Article 6(1)(f) GDPR.
Not in the standard configuration: data stays on AWS EU. Optional modules (WhatsApp, SMS US providers, US PSPs) can introduce transfers, in which case SCC or the EU US Data Privacy Framework apply.
Not generally for restaurant reservation. Recommended when combined with extensive CRM profiling, long term loyalty programmes, or sensitive guest attributes (allergies, religious dietary preferences, accessibility).
Sign the CoverManager DPA, list CoverManager SL as a processor, document the AWS EU hosting and review sub processors when activating optional modules. Block optional analytics or marketing cookies behind the CMP. Limit collected diner data to what is strictly required.
OpenTable, TheFork (Tripadvisor), Resy, SevenRooms, Bookatable. For European data residency, CoverManager (Spain) and TheFork (France/Italy under Tripadvisor) are well positioned.
List session and reservation cookies with names and durations. Mention CoverManager SL as a processor and the AWS EU hosting. Document any optional analytics, loyalty or marketing cookies separately, with purpose, duration and recipient.