Privacy Policy

1. Scope

This Policy applies to the Service and to our marketing pages. It does not apply to third-party products you connect (such as your point-of-sale, payment, or accounting provider), which are governed by their own privacy policies. The Service is intended for businesses in the United States.

2. Information we collect

Information you provide

• Account information such as your name, email address, password, restaurant name, address, and time zone.
• Billing information. Paid plans are processed by Stripe. We receive limited billing details such as plan, status, and the last four digits and brand of your card. We do not store full card numbers; Stripe handles card data directly.
• Operational data you enter, including menu items, recipes, ingredient and vendor costs, schedules, and notes.
• Support communications you send us by email.

Information from systems you connect

• Point-of-sale and operational data pulled at your direction, such as sales totals, covers, line items, payments, and labor data.
• Guest information you choose to store or import, such as a guest name, email, visit history, and feedback, used to power features like the guest hub and review requests.

Information we collect automatically

• Usage and log data such as pages viewed, actions taken, device and browser type, and IP address, used to operate and secure the Service.
• Essential cookies used to keep you signed in and to keep the Service secure. See Section 11.

3. How we use information

• to provide, maintain, and improve the Service;
• to synchronize and present data from systems you connect;
• to generate operational insights, including the AI Advisor and the daily owner briefing;
• to process payments and manage your subscription;
• to send transactional messages (for example, trial and billing notices and the morning briefing) and to respond to support requests;
• to secure the Service, prevent abuse, and comply with law.

We do not sell your information, and we do not use Customer Data to train third-party AI models. AI features send only the data needed to generate a response to our model provider, which is contractually restricted from using it to train its models.

4. Legal bases (where applicable)

Where data protection law such as the GDPR applies, we process information as needed to perform our contract with you, in our legitimate interests in operating and securing the Service, to comply with legal obligations, and with your consent where required. You may withdraw consent at any time.

5. How we share information and our subprocessors

We share information with service providers who process it on our behalf under contract, only to operate the Service. Our core subprocessors are:

• Supabase: database, authentication, and file storage hosting.
• Vercel: application hosting and delivery.
• Stripe: payment processing and subscription billing.
• Resend: delivery of transactional and notification email.
• Anthropic: the AI model provider that powers the Advisor and briefing, restricted from training on the data we send.
• Providers you connect: such as your point-of-sale, with which we exchange data at your direction.

We may also disclose information if required by law, to protect rights and safety, or in connection with a merger, acquisition, or sale of assets, in which case we will require the recipient to honor this Policy.

6. Data about your guests and staff

When you store or import information about your guests and staff, you decide what to collect and why; you are the controller and we are your processor. We process that information only to provide the Service to you and on your instructions. You are responsible for providing any privacy notice and for obtaining any consent that the law requires before you share that information with us, including before sending marketing or review-request messages to your guests. If one of your guests asks us to stop emailing them, we honor a global opt-out across every restaurant using the Service.

7. Data retention

We keep Customer Data for as long as your account is active and as needed to provide the Service. After you cancel or we terminate the account, you may request a copy within 30 days, after which we may delete Customer Data in the ordinary course. We may retain limited records as needed to comply with legal, tax, accounting, or security obligations.

8. Your privacy rights

Depending on where you live, you may have the right to access, correct, delete, or receive a portable copy of your personal information, to object to or restrict certain processing, and to withdraw consent. To exercise these rights, email drew@dgbinnovations.com. We respond within 30 days and may need to verify your identity. If you are an end guest of a restaurant that uses the Service, please direct your request to that restaurant, which controls your information; we will assist them as their processor.

9. California privacy rights

If you are a California resident, the CCPA, as amended by the CPRA, gives you the right to know the categories and specific pieces of personal information we have collected, the right to delete it, the right to correct it, and the right not to be discriminated against for exercising these rights. We collect the categories described in Section 2 for the business purposes described in Section 3. We do not sell or share your personal information for cross-context behavioral advertising. To exercise your rights, email drew@dgbinnovations.com.

10. Email and communications

We send transactional messages needed to operate your account, such as authentication, trial, and billing notices. We also send the operational briefing and, at your direction, review-request emails to your guests. Every commercial message includes a one-click unsubscribe link and our mailing address, and we honor opt-outs across the Service. You cannot opt out of essential transactional messages while you maintain an account.

11. Cookies and tracking

We use only the cookies that are necessary to sign you in, keep your session secure, and remember basic preferences. We do not use third-party advertising cookies and we do not track you across other websites. Because our cookies are strictly necessary to provide the Service, they are set when you use it.

12. Security

We protect information with industry-standard measures, including encryption in transit, encryption of data at rest by our hosting providers, and database row-level security that isolates each organization so one customer cannot access the data of another. We support multi-factor authentication, follow least-privilege access internally, and log administrative actions. No method of transmission or storage is perfectly secure, but we work to protect your information and to notify you of a material breach as required by law.

13. International users

The Service is operated in the United States and intended for United States businesses. If you access it from outside the United States, you understand that your information will be processed in the United States, where data protection laws may differ from those in your location.

14. Children

The Service is for businesses and is not directed to children. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact us and we will delete it.

15. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you in the application or by email.

16. Contact us

For any privacy question or request, contact:

DGB Innovations LLC
[ Set CADENCE_MAILING_ADDRESS - required on commercial email ]
drew@dgbinnovations.com