Privacy Policy

1. Who We Are

The DineChat service is operated by MARIOS GAITANIS & SONS MECHANICAL WORKS LIMITED, a private limited company incorporated in the Republic of Cyprus under registration number HE185185, with registered office at 3 Prodikou, Kato Polemidia 4154, Cyprus. This Policy applies to our websites (dinechat.io, app.dinechat.io, and sub-domains) and to our AI-powered messaging and reservation automation service.

2. Scope of this Policy

This Privacy Policy applies to the processing of personal data of the following categories of individuals:

• Visitors to the DineChat websites;
• Clients — representatives, owners, or Authorized Users of restaurants and other hospitality businesses that subscribe to the Service;
• End-Users — individuals who interact with a Client via messaging channels connected to the Service (for example, guests messaging a restaurant's WhatsApp Business number);
• Prospective Clients and other persons who correspond with us regarding the Service.

3. Our Role: Controller and Processor

3.1 Controller. When we process personal data about Visitors, Clients, and Prospective Clients — for example, to operate our websites, manage Client accounts, administer subscriptions, and communicate with our customers — we act as a data controller.

3.2 Processor. When we process End-User Data on behalf of our Clients — including message content exchanged between End-Users and the Client, phone numbers, names, and reservation details — we act as a data processor. The Client is the data controller. Our processing of End-User Data is governed by the Data Processing Agreement incorporated into our Terms and Conditions.

3.3 Dual Role. Where law requires both parties to be treated as independent or joint controllers for a specific processing activity, we acknowledge the allocation of responsibilities required by such law.

3.4 End-User Rights — Direct Controller. End-Users who wish to exercise data-protection rights in respect of data we process as a processor should in the first instance contact the Client with whom they have interacted (the restaurant). Where necessary we will assist the Client in responding, and we will forward requests received directly by us to the relevant Client without undue delay.

4. Personal Data We Process

4.1 Website Visitor Data

• IP address (collected in server logs for security and abuse-prevention purposes);
• Device and browser information (user-agent, language, screen information);
• Pages visited, referring URL, and timestamps;
• Cookies and similar technologies (see Section 13);
• Information you provide voluntarily through contact or demo-request forms.

4.2 Client Data

• Full name and email address (from Clerk authentication);
• Account credentials (passwords and authentication factors are held by Clerk; we do not access plaintext values);
• Personal WhatsApp number (provided by the Client for owner-notification purposes);
• Business details (restaurant name, address, cuisine type, operating hours, website URL);
• WABA credentials and identifiers (access token, phone number ID, business account ID);
• Reservation-provider credentials;
• Subscription and billing information (billing address, VAT ID, subscription status and history — payment card details are stored and processed by Stripe, not by us);
• Legal acceptance records (timestamps, versions, and IP address recorded at the time of acceptance of our Terms, DPA, Privacy Policy, and Subprocessor Disclosure).

4.3 End-User Data (processed on behalf of our Clients)

• WhatsApp phone number;
• Profile name as provided by Meta;
• Message content (text of messages sent to and received from the Client's WhatsApp number);
• Where enabled by the Client's subscription tier, the text transcription of voice messages;
• Reservation details (name, date, time, party size, and special requests, which may include limited health-related disclosures such as food allergies, dietary restrictions, or accessibility needs voluntarily shared by the End-User);
• Conversation metadata (timestamps, message IDs, language detected, escalation state, conversation state);
• Interaction history within the retention windows set out in Section 9.

4.4 Scraped Content

If a Client uses our website-scraping feature to populate its Knowledge Base, we process the content of a URL provided by the Client via a third-party crawler (Firecrawl). Under our Terms and Conditions, the Client warrants that it owns, or holds the necessary rights to crawl, each URL it submits; we do not independently verify those rights.

4.5 System and Security Data

For the operation, security, and auditability of the Service, we maintain system logs that may include restaurant identifiers, conversation identifiers, event types, truncated message previews (for debugging), IP addresses of webhook requests, and error diagnostic data.

4.6 Aggregated and De-identified Data

We generate aggregated, de-identified statistics (such as daily conversation counts, reservation funnel metrics, and language-distribution analytics) that do not identify any individual. Such data is not considered personal data for the purposes of this Policy.

5. How We Use Personal Data and Legal Bases

5.1 When we act as Controller (Visitors, Clients, Prospective Clients), we rely on the following legal bases under the GDPR and equivalent provisions under the UAE PDPL:

5.2 When we act as Processor (End-User Data), we process personal data only on the documented instructions of our Client. The legal basis for the processing, and the obligation to inform End-Users, rest with the Client as the data controller.

6. AI and Automated Processing

6.1 The Service uses artificial intelligence systems based on large language models to generate automated responses to End-User messages. Message content is transmitted to our AI subprocessor (OpenRouter) and routed to underlying model providers to produce a response.

6.2 No Training on Your Data. We do not use Client Data, End-User Data, or Outputs to train our own AI models, and we configure our AI subprocessor (OpenRouter) to only route requests to endpoints whose providers commit to not training on input data. OpenAI, Anthropic, Google, and other enterprise AI API providers reached via OpenRouter do not, in the ordinary course and on the tiers and routes we use, use API inputs to train their models.

6.3 Short-term Abuse-Monitoring Logs. Notwithstanding Section 6.2, some underlying AI providers may temporarily log input and output payloads for short periods (typically up to thirty (30) days) for the sole purpose of detecting and preventing abuse or as required by their legal obligations. Such logs are not used for model training and are deleted or anonymised at the expiry of the relevant provider's retention period.

6.4 Audio Transcription. Voice messages are transcribed by Groq, Inc. using the Whisper model family. We do not retain the original audio after transcription. Consistent with Section 6.3, the transcription subprocessor may temporarily retain input payloads for short periods for abuse-monitoring and security purposes.

6.5 Voice Data is Not Biometric Data. We process voice message audio exclusively for the purpose of converting speech to text (dictation) in order to parse reservation intent and answer End-User inquiries. Voice data is not processed, modeled, or used for the purpose of uniquely identifying a natural person, and is therefore not "biometric data" within the meaning of Article 9 GDPR or equivalent provisions of the UAE PDPL.

6.6 Human Oversight. Clients retain full access to all conversations via their dashboard, can take over any conversation in real time via their WhatsApp Business App, and can disable AI processing at any time.

6.7 AI Disclosure to End-Users. Clients are contractually required to ensure that End-Users are informed that they are interacting with an AI system. The Service's AI responses may include a brief statement indicating that the response is automated.

6.8 No Solely Automated Decisions with Legal Effect. The Service does not make decisions that produce legal effects or similarly significantly affect individuals on a solely automated basis within the meaning of Article 22 GDPR.

7. How We Share Personal Data

We do not sell, rent, or trade personal data. We share personal data only with the following categories of recipients:

7.1 Subprocessors and Service Providers. We engage third-party service providers to provide infrastructure, hosting, AI processing, messaging, authentication, billing, and related functions. These are grouped in our Subprocessor Disclosure into (a) Subprocessors of End-User Data (processors of data about End-Users, acting on behalf of our Clients) and (b) our own Service Providers (processing data about Clients and Visitors, acting on our behalf as Controller). The full list is maintained at app.dinechat.io/subprocessors.

7.2 Reservation Providers. Where a Client has connected a reservation provider (such as SevenRooms, Eat App, or ServMe), reservation details are transmitted to that provider via its official API at the Client's direction. The Client is the customer of the reservation provider; the Company acts as a technical conduit. The Company's responsibility in respect of such End-User Data ceases upon successful transmission to the reservation provider's API.

7.3 Legal and Compliance. We may disclose personal data to public authorities, courts, regulators, or law-enforcement agencies where required to comply with a valid legal obligation, court order, or binding regulatory request, or where necessary to establish, exercise, or defend legal claims. Before disclosing, we evaluate each request for validity and scope and disclose only the minimum information required.

7.4 Corporate Transactions. In the event of a merger, acquisition, corporate reorganisation, or sale of all or substantially all of our assets, personal data may be transferred as part of the transaction, subject to the recipient's commitment to honour this Privacy Policy (or to provide notice of a new privacy policy).

8. International Data Transfers

8.1 Some of our Subprocessors and Service Providers are located outside the European Economic Area ("EEA") and the United Arab Emirates, including in the United States. These jurisdictions may have data-protection standards that differ from those of the EEA or UAE.

8.2 Transfer Safeguards. Where personal data is transferred outside the EEA, we rely on the following legal mechanisms, in order of priority:

• (a) the EU–US Data Privacy Framework ("DPF") for transfers to recipients self-certified under the DPF;
• (b) an adequacy decision issued by the European Commission, where applicable;
• (c) the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), incorporated into our agreements with the relevant recipients, where no adequacy decision or valid DPF certification applies;
• (d) other legally valid transfer mechanisms permitted under the GDPR.

8.3 UAE Transfers. Where personal data collected in the UAE is transferred outside the UAE, we take steps consistent with the UAE PDPL, including (where applicable) entering into contractual clauses equivalent in protection to those required under UAE law.

8.4 Information on Safeguards. Copies of applicable transfer safeguards can be requested at privacy@dinechat.io.

9. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy:

Post-Termination Retention. Upon cancellation of the Client's subscription, we retain the Client's data for a grace period of thirty (30) days to allow for reactivation and data export. The 30-day post-termination deletion protocol overrides the operational retention periods above: all Client and End-User personal data is permanently deleted at the end of the grace period, with the exception of (a) billing and invoice records retained under the legal obligation above, (b) aggregated and de-identified analytics, and (c) records necessary for the establishment, exercise, or defence of legal claims. Subprocessors may take an additional period of up to ninety (90) days to remove data from immutable backup media, during which such data is put beyond active operational use.

10. Security

10.1 Technical and Organisational Measures. We implement technical and organisational measures designed to protect personal data commensurate with the risks of processing, including:

• Encryption in transit (TLS 1.2 or higher) for all communications with the Service and between the Service and its Subprocessors;
• Encryption at rest for data stored in our managed database (Supabase / PostgreSQL) and cloud storage;
• Access controls including role-based access, row-level security in the database tied to Clients' authenticated identity, and the principle of least privilege;
• Webhook signature verification using cryptographically strong, timing-safe comparison for messages received from Meta, Stripe, Clerk, and reservation providers;
• Rate limiting and anti-abuse measures on message-processing endpoints;
• Audit logging of security-relevant events to a dedicated system-log facility;
• Secrets management via environment variables and our hosting provider's secret store;
• Subprocessor due diligence, including review of each Subprocessor's security and privacy commitments prior to engagement;
• Backups of the managed database performed by our database subprocessor in accordance with its standard service terms.

10.2 Limitations. Notwithstanding the measures above, no information system or data transmission is entirely secure. We cannot guarantee that the Service will be free of unauthorised access or that personal data will never be disclosed in a manner inconsistent with this Policy.

10.3 Payment Card Data. We do not collect or store payment card information. Card data is collected and stored directly by Stripe, which is certified as PCI-DSS Level 1.

11. Your Rights

Subject to the conditions set out in applicable law, you have the following rights in respect of your personal data:

• Right of access — to obtain confirmation as to whether we process your personal data and, where that is the case, access to that data;
• Right to rectification — to have inaccurate personal data corrected and incomplete data completed;
• Right to erasure ("right to be forgotten") — to have personal data deleted in certain circumstances;
• Right to restriction of processing — to limit how we process your personal data in certain circumstances;
• Right to data portability — to receive personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller;
• Right to object — to object to processing based on legitimate interests or direct marketing;
• Right to withdraw consent — where processing is based on consent, to withdraw it at any time, without affecting the lawfulness of processing before the withdrawal;
• Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see Section 6.8);
• Right to lodge a complaint with a supervisory authority (see Section 12.4).

Equivalent rights apply under the UAE PDPL.

12. How to Exercise Your Rights

12.1 Contact Email. Requests may be submitted to privacy@dinechat.io. Please include (a) your name, (b) sufficient identifying information (for End-Users, the WhatsApp phone number used), and (c) a description of your request.

12.2 Verification. We may ask for additional information to verify your identity before acting on a request. This protects your data from unauthorised access.

12.3 Response Time. We will respond within the timeframes required by applicable law, which under the GDPR is generally one month (extendable by two further months for complex requests, with notice).

12.4 Complaints. You have the right to lodge a complaint with a data-protection authority, including in the country of your habitual residence, place of work, or place of the alleged infringement. In Cyprus, the authority is the Office of the Commissioner for Personal Data Protection (www.dataprotection.gov.cy). In the UAE, complaints may be addressed to the UAE Data Office.

12.5 End-User Requests Routed to Clients. As set out in Section 3.4, End-Users should initially address requests relating to End-User Data to the relevant Client (the restaurant). We will provide reasonable assistance to our Clients in responding.

13. Cookies and Similar Technologies

13.1 Our websites use cookies and similar technologies for essential functionality (session management, authentication, load balancing) and, where applicable, for analytics and measurement of site performance.

13.2 Categories of Cookies:

• Strictly necessary cookies, required for the Service to function (for example, authentication cookies set by Clerk; session cookies set by our hosting provider). These do not require consent under applicable law;
• Functional cookies that remember your preferences;
• Analytics cookies, where enabled, that help us understand aggregate usage of our websites. These are set only with your consent.

13.3 Managing Cookies. You can control cookies through your browser settings or via the cookie banner, where present. Refusing non-essential cookies does not affect your ability to use essential features of the Service.

14. Who May Use the Service

The Service is offered to businesses and to individuals acting in the course of a trade, business, craft, or profession. The Service is not offered to, and is not intended to be used by, individuals under the age of eighteen (18) contracting in a personal, non-business capacity. This Section does not limit the ability of a Client's End-Users (for example, an adult accompanied by their minor children at a restaurant, or a teenager making a table booking for their family) to interact with the Service as part of the Client's ordinary hospitality offering, which is a matter between the Client and its End-Users.

15. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by (a) email to Clients at the address associated with their Account, and/or (b) a prominent notice on our websites, at least thirty (30) days before the effective date where practicable. The most current version is always accessible at https://dinechat.io/privacy.

17. Contact & Governing Law

For any question, request, or concern regarding this Privacy Policy or our processing of your personal data, please contact us:

This Privacy Policy shall be interpreted in accordance with the laws of the Republic of Cyprus, without prejudice to the mandatory application of the GDPR, the UAE PDPL, and any other applicable data-protection law.