Privacy Policy
Effective: 2026-05-25 · Version 2.0
1. Who we are
DineFlow.AI Ltd (“DineFlow”, “we”, “us”, “our”) provides software that helps restaurants take reservations and guest enquiries across voice, web chat, and SMS. This Privacy Policy explains how we handle personal data when you (an operator) use the Service, and how your guests’ personal data is processed on your documented instructions.
For the purposes of EU/UK General Data Protection Regulation (“GDPR”) and the UAE Personal Data Protection Law (“PDPL”), the legal entity responsible for the processing described in this Policy is DineFlow.AI Ltd. Postal contact and an EU / UK representative (where appointed) are listed in Section 16.
2. Our role
Controller — for the personal data we collect directly from operators (account email, billing details, login activity, support tickets, marketing engagement). We decide why and how this data is processed.
Processor — for the personal data of your guests that flows through the Service (call audio, transcripts, reservation contact details, chat messages, SMS-conversation history). You are the Controller of that data; we process it only on your documented instructions, in accordance with our Data Processing Addendum (which forms part of the Terms of Service when you use the Service).
Business / Service Provider — for California residents, we are a “Service Provider” under the CCPA / CPRA with respect to guest personal information processed on behalf of operators, and a “Business” with respect to operator personal information.
3. What we collect
From operators
- Account identity — name, work email, phone, restaurant name, address, role.
- Billing — card last-4 and brand (full card number is held by Stripe; we never see it), billing address, tax ID, invoice history.
- Usage — pages viewed, actions taken in the dashboard, settings, audit-log entries.
- Device + technical — IP address, user-agent, browser type, OS, screen size, language, time zone.
- Communications — support tickets, in-app messages, sales calls and notes you choose to share with us.
- Marketing engagement (if opted in) — newsletter opens, demo signups.
From guests of restaurants using DineFlow
- Reservation contact — name, phone (E.164), email (optional), party size, date, time, special requests.
- Voice call audio (where recording is enabled) and machine-generated transcripts.
- Voice characteristics. Audio of a person’s voice may constitute biometric data in some jurisdictions, including under the Illinois Biometric Information Privacy Act (BIPA) and GDPR Article 9 (special category). DineFlow does not perform voiceprint identification; voice is used solely for speech-to-text and natural-language response.
- Chat-message content from the website widget.
- SMS message content — confirmations sent to the guest and replies received (e.g., CANCEL, STOP).
- Approximate location — derived from IP address at time of widget chat or call origination; we do not collect precise GPS data.
- Device + technical metadata for the widget session.
4. Why we process it (purpose and lawful basis)
For operator personal data (we are Controller):
- To provide the Service and bill you — contract (GDPR Art. 6(1)(b)).
- To prevent fraud, abuse, and security incidents — legitimate interest (Art. 6(1)(f)).
- To improve the Service through de-identified, aggregated analytics — legitimate interest.
- To send service announcements — legitimate interest.
- To send marketing communications — consent (Art. 6(1)(a)), withdrawable at any time from Account → Privacy or by clicking unsubscribe.
- To comply with legal obligations including tax, accounting, and lawful-process requests — legal obligation (Art. 6(1)(c)).
For guest personal data (we are Processor on the operator’s instructions, so the lawful basis flows from the operator):
- To answer the guest’s call or chat and complete their booking on your behalf.
- To deliver SMS confirmation and process reply keywords (CANCEL, STOP, opt-out).
- To provide reporting and audit trails inside your dashboard.
- To detect abuse of the widget or call line (e.g., automated spam).
5. AI processing of personal data
Voice and chat conversations are processed by large language model providers and voice providers (see the live Sub-processor List). We send only the minimum data needed for the current conversation turn plus short-term context. Our agreements with these providers prohibit the use of your or your guests’ data to train their general models.
Automated decision-making (GDPR Art. 22). The Service can confirm reservations automatically when you operate the AI in Live mode. Such automation:
- is necessary for entering into or performing a contract between the guest and the restaurant;
- does not produce legal effects or similarly significant effects on the guest;
- is supervised by you (the operator), who can switch the AI to Shadow mode at any time to introduce human review before commit;
- can be challenged by a guest at any time by contacting the restaurant directly or emailing general@dineflow.ai, in which case a human reviews the decision.
6. Recording and SMS
Where you enable call recording, calls handled by the AI may be recorded and transcribed. We expect operators to comply with all applicable consent laws, including two-party-consent recording laws in the US (California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, Washington) and similar laws in the UK, EU, and UAE. The AI is configured to play an audible disclosure on call connect informing the caller that the call may be recorded; you may customize this disclosure in Settings.
SMS confirmations are transactional, not marketing. They are sent only to the phone number the guest provided when making the booking. Replies of STOP, END, QUIT, UNSUBSCRIBE, OPT-OUT (or equivalent) are honored permanently. Replies of CANCEL trigger an immediate booking cancellation and a confirmation reply, after which no further messages are sent for that booking.
7. Retention
| Category | Retention |
|---|---|
| Operator account | Life of the account + 30 days, then deleted (subject to legal hold) |
| Call recordings | 30 days by default, extendable per subscription tier (max 12 months) |
| Call transcripts | 12 months unless extended by you under Settings → Privacy |
| Chat-widget messages | 12 months unless extended by you |
| SMS conversation history | 24 months (operational + dispute evidence) |
| Reservation records | 24 months (chargeback evidence + returning-guest recognition) |
| Billing records | 7 years (tax / accounting law) |
| Security and audit logs | 12 months |
| Backups | Rolling 30-day snapshot; deletes propagate within 35 days |
When retention expires, data is deleted or irreversibly anonymized. Sub-processors are bound by equivalent retention obligations under their respective contracts.
8. Where data is stored and cross-border transfers
Primary infrastructure is hosted by Render (US), Supabase (US and EU), Cloudflare (global edge), and Vercel (global edge). For EU / UK operators we route requests to EU edge and store reservation data in EU-resident Postgres where the option is available.
Cross-border transfers from the EU/UK are protected by the European Commission Standard Contractual Clauses (SCCs, 2021 version) and the UK International Data Transfer Addendum (IDTA), and from the UAE by binding contractual safeguards in line with PDPL Article 23. Copies are available on request.
9. Security
We maintain technical and organizational safeguards including:
- TLS 1.2+ in transit.
- Argon2id password hashing.
- Short-lived JWT access tokens, refresh-token rotation, HttpOnly+Secure+SameSite cookies, CSRF double-submit.
- MFA (TOTP + backup codes) available; encouraged for owners.
- Application-layer tenant isolation enforced on every query.
- Cloudflare WAF and per-endpoint rate limits.
- PII scrubber in logs and error reports.
- Daily encrypted database backups with point-in-time recovery; restore drills before production launch.
- Vendor dependency vulnerability scans on every build.
Breach notification. No system is impregnable. In the event of a personal-data breach likely to result in risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware, and we will notify affected operators without undue delay so they can in turn notify their affected guests as required by applicable law.
10. Your rights
Depending on where you live, you have the right to:
- Access your personal data and obtain a copy.
- Correct inaccurate personal data.
- Delete personal data (subject to legal-hold and retention exceptions).
- Restrict or object to certain processing.
- Port your personal data in a machine-readable format.
- Withdraw consent at any time, where processing is based on consent.
- Not be subject to automated decisions with legal or similarly significant effects (see Section 5).
- Complain to a supervisory authority (ICO in the UK, your national DPA in the EU, the UAE Data Office, the California Attorney General).
Operators can self-serve most rights from Account → Privacy. Guests of restaurants should contact the restaurant directly, or email general@dineflow.ai and we will route the request to the relevant restaurant (Controller) and verify identity before action. We aim to respond within 30 days; we may extend by an additional 60 days for complex requests with notice.
11. California rights (CCPA / CPRA)
If you are a California resident:
- You have the right to know what categories of personal information we have collected about you, the sources, business purposes, and categories of recipients.
- You have the right to request deletion, subject to exceptions.
- You have the right to correct inaccurate information.
- You have the right to opt out of the sale or sharing of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising. If this ever changes, we will provide a “Do Not Sell or Share My Personal Information” link here.
- You have the right to limit the use and disclosure of sensitive personal information. We do not use sensitive personal information for any purpose beyond providing the Service.
- You have the right to non-discrimination for exercising any of these rights.
Authorized agents may submit requests on your behalf with verified written authority. Send requests to general@dineflow.ai.
12. Other US state rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and similar states have rights substantially equivalent to those described in Sections 10–11. To exercise them, contact general@dineflow.ai. Nevada residents may opt out of the sale of personal information by emailing the same address with subject “Nevada Opt Out”.
Illinois (BIPA). If you reside in Illinois and your voice is captured by a call to a DineFlow customer, the restaurant (Controller) is responsible for obtaining your written informed consent and for maintaining a retention schedule before processing. DineFlow does not perform voice-print identification.
13. Cookies and tracking
The dashboard sets strictly-necessary cookies for authentication and short-lived session preferences (theme, locale, recent location). We do not use third-party advertising cookies. We use anonymous product analytics to improve the Service. Operators can opt out from Account → Privacy. For full details see our Cookie Policy.
14. Children
The Service is not directed to children. We do not knowingly collect personal information from children under 16 (under 13 in the United States in line with COPPA). If you believe a child has provided us data, email general@dineflow.ai and we will delete it.
15. Changes to this Policy
Material changes will be notified at least 30 days before they take effect, via email and an in-product banner. Non-material changes (clarifications, contact updates) take effect immediately. The “Effective” date at the top reflects the latest version. Earlier versions are archived and available on request.
16. Contact and representatives
For privacy, data-protection, and legal questions, including data-subject access, correction, deletion, portability, objection, and complaints:
DineFlow.AI Ltd
Email: general@dineflow.ai
EU Representative (GDPR Art. 27). DineFlow does not currently process personal data of EU residents at the threshold that requires the formal appointment of an EU representative under GDPR Article 27. If a regulator requires it, or the scale of our processing changes such that one is required, we will appoint a representative and publish their contact details here.
UK Representative. We take the same position under UK GDPR; a representative will be appointed and their contact details published here when the threshold criteria are met.
UAE Office. Inquiries from UAE residents may be sent to the same email; we will route them to the relevant local point of contact.
DineFlow.AI Ltd. Effective 2026-05-25 · v2.0. Read with the Terms of Service, Data Processing Addendum, Acceptable Use Policy, Cookie Policy, and Sub-processor List.