Privacy Policy
Last updated: June 3, 2026
This Privacy Policy explains how RestaurantFlow LLC (“RestaurantFlow,” “we,” “us”) collects, uses, shares, and protects information in connection with the RestaurantFlow websites and applications (the “Service”). It applies to our account holders and visitors, and it describes how we handle information that restaurants put into the Service about their staff and guests.
1. Our two roles: controller and processor
RestaurantFlow is a business-to-business platform. Our privacy responsibilities depend on whose data is involved:
- Account data — we are the controller. When a restaurant signs up, and for the owners, managers, and administrators who create and manage an account, we decide how that information is used and are the data controller.
- Customer data — we are a processor. Information a restaurant enters about its employees, job applicants, and guests (the “Customer Data”) is controlled by that restaurant. We process it on the restaurant’s behalf and under its instructions, solely to provide the Service.
If you are an employee, applicant, or guest of a restaurant that uses RestaurantFlow and you want to access, correct, or delete your information, please contact that restaurant directly — they control their data. We will help them respond to your request.
2. Information we collect
Information you provide to us
- Account and profile: name, email address, phone number, password (stored only as a salted hash), job role, profile photo, and the organization, location, and team details you set up.
- Billing: subscription plan and billing contact. Card payments are handled by our payment processor (Stripe); we do not store full card numbers.
- Customer Data you enter: depending on the features you use, this can include staff records, schedules, time-clock punches, availability and time-off, wage/labor inputs, bonuses and performance notes, uploaded documents, training and compliance records, recipes and SOPs, applicant details, and guest information such as reservations and complaints.
- Communications: messages you send through in-app chat, support requests, and feedback.
- AI features: the prompts and context you submit to AI features such as the AI Coach, so we can generate a response.
Information we collect automatically
- Usage and device data: log data, IP address, browser and device type, pages viewed, and actions taken, used to operate, secure, and improve the Service.
- Cookies and similar technologies: see “Cookies” below.
3. How we use information
- Provide, maintain, and secure the Service and your account.
- Process subscriptions, payments, and trials.
- Send transactional messages (e.g. invitations, notifications, schedule alerts) by email and, where enabled, SMS or voice.
- Provide support and respond to your requests.
- Monitor performance, debug, prevent fraud and abuse, and protect the rights and safety of users and the public.
- Improve and develop features. We do not use the content of your Customer Data to train generative-AI models.
- Comply with legal obligations and enforce our agreements.
4. Cookies and tracking
We use a small number of cookies and similar technologies. Strictly necessary cookies keep you signed in and protect against cross-site request forgery; these are required for the Service to work. We also use limited analytics and error-monitoring to understand reliability and usage. We do not use third-party advertising cookies or sell information gathered through cookies. You can control cookies through your browser, though blocking necessary cookies will break sign-in.
5. Service providers and subprocessors
We share information with vendors who process it on our behalf to run the Service, under contracts that require appropriate confidentiality and security. Our current subprocessors are:
| Provider | Purpose | Privacy |
|---|---|---|
| Stripe | Subscription billing and payment processing. | Policy |
| Supabase | Authentication, primary database, and uploaded-file storage hosting. | Policy |
| Vercel | Application hosting and content delivery. | Policy |
| Twilio | Outbound SMS and voice notifications. | Policy |
| Resend | Transactional and notification email delivery. | Policy |
| Sentry | Application error and performance monitoring. | Policy |
| Anthropic | Powering AI features such as the AI Coach. | Policy |
We may also disclose information to comply with law, regulation, legal process, or enforceable governmental request; to enforce our terms; to detect or prevent fraud or security issues; or in connection with a merger, acquisition, or sale of assets (with notice as required by law).
6. We do not sell your personal information
We do not sell personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under applicable U.S. privacy laws.
7. Data retention
We retain account data for as long as your account is active and as needed to provide the Service, then for a limited period afterward to comply with legal, accounting, or reporting obligations. We process Customer Data for as long as the controlling restaurant maintains it in the Service. On account termination, we delete or return Customer Data within a commercially reasonable period, except where retention is required by law. Residual copies may persist in backups for a limited time before being overwritten.
8. Security
We use technical and organizational measures designed to protect information, including encryption in transit, tenant isolation through row-level security so one restaurant cannot access another’s data, access controls, and audit logging. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Please keep your password confidential and notify us promptly of any suspected unauthorized access.
9. International data transfers
We operate the Service in the United States, and our subprocessors may process information in the United States and other countries. Where required, transfers are made under appropriate safeguards such as Standard Contractual Clauses. By using the Service, you understand that information may be processed in countries whose data-protection laws differ from those in your jurisdiction.
10. Your privacy rights
Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal information, to restrict or object to certain processing, and to withdraw consent. These include rights under the EU/UK GDPR and U.S. state laws such as the California Consumer Privacy Act (as amended by the CPRA). We do not discriminate against you for exercising these rights.
To exercise rights over account data we control, email support@restaurantflow.app. We will verify your request before acting on it. To exercise rights over Customer Data, contact the restaurant that controls it, as described in Section 1.
11. Children’s privacy
The Service is intended for use by businesses and is not directed to children under 16. We do not knowingly collect personal information directly from children. Restaurants that employ minors and enter their information into the Service are responsible for providing any required notices and obtaining any required consents under applicable child-labor and privacy laws.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the Service after an update means you accept the revised policy.
13. Contact us
RestaurantFlow LLC
[Registered business address — to be added]
Email: support@restaurantflow.app