Privacy Policy
Last updated: 04-09-2025
Version: 1.0
1. Introduction
This Privacy Policy describes how [COMPANY NAME] ("we," "our," or "us") collects, uses, and protects your personal information when you use our restaurant AI recommendation and analytics platform (the "Service"). We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Personal Information Protection and Electronic Documents Act (PIPEDA), and UK Data Protection Act 2018.
2. Information We Collect
2.1 Account and User Information
Account Data
- Name and email address (required for account creation and service communication)
- Password hash (encrypted and stored securely for account security)
- User role within teams (member, admin, etc.) to determine access levels
- Account creation and update timestamps for account management and security monitoring
- Consent records including explicit consent status, timestamp of consent, and privacy policy version agreed to
- Marketing consent preferences for optional communications
Authentication Data
- OAuth provider information if using social login (Google, etc.)
- Session tokens for maintaining secure login sessions
- Verification tokens for email verification and password reset processes
2.2 Team and Business Information
Team Management
- Team names, member roles, join dates, and invitation history
- Team invitation records including email, role, invited by, and status
- Team member relationships and role-based permission assignments
Billing and Subscription Data
- Stripe Customer ID, Subscription ID, Product ID for payment processing
- Plan names, subscription status, and billing history
- Payment processing handled securely through Stripe (we do not store credit card details)
- Token usage tracking for billing and plan limit enforcement
2.3 Restaurant and Menu Data
Restaurant Information
- Restaurant names, locations, opening hours, and business details
- Restaurant logos, branding colors, welcome messages, and visual customizations
- Chatbot settings including tone (friendly, professional, humorous, concise) and formality levels
- Website embed codes for integrating recommendation widgets into your restaurant website
Menu and Product Data
- Dish names, descriptions, prices, and currency information
- Menu categories, toppings, ingredients, and preparation details
- Allergen information and dietary flags (vegetarian, vegan, gluten-free, etc.)
- Spice levels, availability status, and seasonal menu variations
- Nutritional information including weight, calories, protein, carbs, and fat content
- Menu creation and update timestamps for version tracking
2.4 Usage Analytics and Performance Data
Session and Interaction Data
- Daily and hourly recommendation session counts and durations
- Recommendation frequency, success rates, and performance metrics
- Customer interaction patterns and engagement analytics
- Menu section popularity and view counts by date and time
Recommendation Data
- Dishes recommended, recommendation algorithms used, and success tracking
- Customer feedback on recommendations (positive/negative ratings)
- Conversion rates from recommendations to orders or engagement
- A/B testing data for recommendation optimization
Business Intelligence
- Monthly dish insights including total recommendations, views, and conversion rates
- Average daily recommendation patterns and peak performance periods
- Menu performance analytics and optimization suggestions
- Seasonal trends and customer preference analytics
2.5 Technical and Security Information
Security Monitoring
- Activity logs including user actions, timestamps, and IP addresses
- Login attempts, session management, and authentication events
- Website embed usage tracking and integration monitoring
- Security incident logs and threat detection data
System Performance
- Token usage per team and restaurant for billing and optimization
- API performance metrics and system health monitoring
- Service availability statistics and error logging
- Database performance and query optimization data
2.6 Legal and Compliance Data
GDPR and Privacy Compliance
- Detailed deletion request records including original user ID and email hash (SHA-256)
- Deletion completion timestamps and verification methods used
- Records of what data was deleted and what was retained with legal basis
- Processing records including who/what processed requests and completion status
- Data export and portability request history
3. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
Contract Performance
Account management, service delivery, billing, and subscription management
Legitimate Interests
Security monitoring, service improvement, analytics, fraud prevention, and business operations
Consent
Marketing communications, non-essential analytics, and optional features
Legal Obligations
Tax records, regulatory compliance, data retention requirements, and law enforcement requests
4. How We Use Your Information
4.1 Service Delivery and Core Functions
- Provide AI-powered restaurant recommendations based on customer preferences and data
- Generate comprehensive analytics and insights dashboards for business intelligence
- Manage user accounts, team access, and role-based permissions
- Process payments, manage subscriptions, and handle billing inquiries
- Maintain website embed functionality and integration capabilities
- Track token usage and enforce subscription limits
4.2 Service Improvement and Development
- Analyze usage patterns to improve recommendation algorithms and accuracy
- Monitor system performance, reliability, and user experience
- Develop new features based on user behavior data and feedback
- Conduct A/B testing for recommendation optimization
- Research market trends and customer preferences
- Optimize menu performance and business outcomes
4.3 Communication and Support
- Send service-related notifications, updates, and important announcements
- Provide customer support and technical assistance
- Send marketing communications and product updates (with explicit consent)
- Deliver educational content and best practices for restaurant optimization
- Communicate security updates and system maintenance schedules
4.4 Security, Compliance, and Legal Requirements
- Monitor for fraudulent, suspicious, or unauthorized activity
- Maintain comprehensive activity logs for security auditing
- Comply with legal and regulatory requirements including tax obligations
- Respond to law enforcement requests and legal proceedings
- Protect our rights, property, and the safety of users
- Conduct security assessments and vulnerability management
5. Data Sharing and Third Parties
5.1 Service Providers
Payment Processing
Stripe handles all payment processing and stores payment card information subject to Stripe's privacy policy and PCI DSS compliance
Cloud Infrastructure
AWS/Google Cloud provides hosting services with appropriate data processing agreements and security safeguards
AI Services
OpenAI or similar providers for recommendation generation, subject to their privacy policies and data processing terms
Email Communications
Third-party email services for transactional and marketing communications with proper data protection measures
5.2 Legal Requirements and Compliance
We may disclose information when required by:
- Law enforcement requests with proper legal authority
- Court orders, subpoenas, or other legal processes
- Regulatory investigations or compliance audits
- Protection of our legal rights, property, or safety
- Prevention of fraud or illegal activities
- Emergency situations involving immediate harm
5.3 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy.
5.4 Data We Do Not Share
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not share individual user data with competitors or use your data for unrelated commercial purposes.
6. Data Retention
Active Account Data
Retained while your account is active, plus 30 days after account deletion for recovery purposes
Analytics and Usage Data
Retained for up to 2 years for service improvement and business intelligence
Financial and Billing Records
Retained for 7 years for tax compliance and legal requirements
Security and Activity Logs
Retained for 1 year for security monitoring and incident response
Soft Deleted Data
Marked for deletion but retained for 30 days to allow for account recovery
Legal Hold Data
Retained longer when required by law, regulation, or legal proceedings
GDPR Deletion Records
Maintained permanently for compliance demonstration and audit purposes
7. Your Privacy Rights
Depending on your location, you have various rights regarding your personal data:
7.1 Universal Rights
Access
Request copies of your personal data and information about how we process it
Rectification/Correction
Correct inaccurate or incomplete data through your account settings or by contacting us
Erasure/Deletion
Request deletion of your personal data ("right to be forgotten") with secure deletion processing
Portability
Receive your data in structured, machine-readable formats for transfer to other services
7.2 Regional Rights (GDPR, CCPA, etc.)
Restriction
Limit how we process your data in certain circumstances
Objection
Object to processing based on legitimate interests or for direct marketing purposes
Opt-Out
Opt out of the sale of personal information (note: we do not sell personal data)
Non-Discrimination
Receive equal service regardless of your privacy choices
Automated Decision-Making
Object to purely automated decision-making that significantly affects you
7.3 How to Exercise Your Rights
Account Settings
Many rights can be exercised directly through your account dashboard
Email Requests
Contact us at [PRIVACY_EMAIL] with verification of identity
Data Export
Use built-in tools or request custom data exports
Deletion Requests
Formal GDPR deletion process with detailed tracking and verification
Marketing Opt-out
Use unsubscribe links or account preference settings
8. International Data Transfers
Your data may be processed in countries outside your jurisdiction. We ensure appropriate safeguards through:
Standard Contractual Clauses (SCCs)
For EU data transfers to countries without adequacy decisions
Adequacy Decisions
Where available, we rely on European Commission adequacy decisions
Binding Corporate Rules
For internal data transfers within our organization
Certification Programs
Participation in recognized data protection certification frameworks
Technical Safeguards
Encryption, access controls, and monitoring regardless of processing location
9. Data Security
We implement comprehensive security measures including:
Encryption
All data encrypted in transit using TLS and at rest using industry-standard encryption
Access Controls
Role-based access with multi-factor authentication and principle of least privilege
Security Monitoring
24/7 monitoring, intrusion detection, and automated threat response
Regular Audits
Security assessments, penetration testing, and vulnerability management
Staff Training
Regular privacy and security training for all personnel with data access
Incident Response
Detailed procedures for handling data breaches and security incidents
Backup Security
Encrypted backups with tested restoration procedures and access logging
10. Cookies and Tracking
10.1 Essential Cookies
We use necessary cookies for:
Authentication
Maintaining secure login sessions and user state
Security
Preventing CSRF attacks and maintaining security protections
Performance
Basic system functionality and load balancing
10.2 Analytics and Optional Cookies
Usage Analytics
Understanding how users interact with our service for improvement purposes
Preference Storage
Remembering your dashboard settings and customization choices
A/B Testing
Testing new features and optimizations (with consent where required)
We do not use third-party tracking cookies for advertising or cross-site tracking purposes.
11. Children's Privacy
Our service is designed for business use and is not intended for children under 13 (or 16 in the EU). We do not knowingly collect personal information from children. If we discover we have collected information from a child, we will delete it immediately. Parents or guardians who believe we have collected information from a child should contact us immediately.
12. Data Protection Officer and Contacts
Data Protection Officer
[DPO_EMAIL] - for GDPR compliance inquiries and data protection matters
Privacy Questions
[PRIVACY_EMAIL] - for general privacy questions and rights requests
Security Issues
[SECURITY_EMAIL] - for security concerns and incident reporting
General Support
[SUPPORT_EMAIL] - for service and technical support
13. Privacy Policy Updates
We may update this policy periodically to reflect changes in our practices, technology, legal requirements, or service features. We will notify you of material changes through:
- Email notifications to all registered users with details of changes
- In-app notifications when you log in to your account
- Version tracking in your account preferences showing which version you've reviewed
- Posted notice on our website with effective date and change summary
For significant changes, we may require renewed consent.
14. Regulatory Contacts
EU Supervisory Authorities
Contact your local Data Protection Authority or the lead authority in [EU_COUNTRY]
UK Information Commissioner's Office
ico.org.uk for UK residents
California Attorney General
oag.ca.gov for California residents
Privacy Commissioner of Canada
priv.gc.ca for Canadian residents
Other Jurisdictions
Contact your local privacy regulator or data protection authority
15. Special Provisions for Business Users
As our service is primarily used by business customers:
Business Contact Data
When you provide employee contact information, ensure you have appropriate consent or legal basis
Customer Data
You are responsible for any customer data you collect through our recommendations system
Data Processing Agreements
Available upon request for enterprise customers requiring formal DPA documentation
Cross-Border Data
Consider data residency requirements for your business and customers
Industry Compliance
Ensure your use of our service complies with restaurant industry regulations
16. Consent Declaration and Agreement
By creating an account and using our service, you acknowledge that you have:
- Read and understood this Privacy Policy in its entirety
- Understood how we collect, use, and protect your personal information
- Provided explicit consent for data processing as described herein
- Understood your rights and how to exercise them
- Agreed to the international transfer and processing of your data as described
Your consent is recorded in our system with timestamp and privacy policy version for compliance demonstration and audit purposes.
Contact Information
Business name: Voicu Octavian-Mihai PFA
CUI: 51944577
Email: octavianvoicu0@gmail.com
Address: Str. Cerealelor. Nr 13 Baneasa, Constanta
Privacy contact: octavianvoicu0@gmail.com