Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account information: Your email address, which is used for authentication and communications.
• Platform credentials: Authentication tokens for third-party restaurant booking platforms that you connect to the Services. These are obtained through our secure verification process and are used solely to interact with those platforms on your behalf.
• Payment information: Billing details you provide when subscribing to paid plans or adding a payment method. Payment card details are processed and stored by our payment processor (Stripe, Inc.) and are not stored on our servers.
• Reservation preferences: The restaurant selections, dates, times, party sizes, and other criteria you configure for your Monitors.

1.2 Information Collected Automatically

• Usage data: Information about your interactions with the Services, including Monitors created, bookings made, and feature usage.
• Device and browser information: Technical information such as your device type, browser type, operating system, and screen resolution, collected through analytics tools.
• Log data: Server logs that may include your IP address, access times, and pages viewed.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Services: Monitoring restaurant availability, making reservations on your behalf, and managing your account.
• Transactional communications: Sending you booking confirmations, Monitor status updates, credential expiry alerts, and other service-related notifications based on your notification preferences.
• Payment processing: Processing subscription payments and booking fees through our payment processor.
• Service improvement: Analysing usage patterns to improve the performance, reliability, and features of the Services.
• Security: Detecting and preventing fraud, abuse, and unauthorised access to the Services.
• Legal compliance: Complying with applicable laws, regulations, and legal processes.

3. Data Security

We take the security of your data seriously and implement industry-standard measures to protect it:

• Encryption at rest: Platform credentials are encrypted using AES-256-GCM encryption before being stored in our database.
• Encryption in transit: All communication between your device, our servers, and third-party platforms is encrypted via TLS (HTTPS).
• Session security: User sessions are secured with HTTP-only cookies that cannot be accessed by client-side scripts.
• Payment security: We do not store your full payment card details. All payment processing is handled by Stripe, Inc., which is PCI-DSS Level 1 compliant.
• Access controls: Access to user data is restricted to authorised personnel and systems on a need-to-know basis.

While we implement robust security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data.

4. Data Sharing

We do not sell, rent, or trade your personal information with third parties. We may share your information only in the following limited circumstances:

• Third-party booking platforms: Your platform credentials are transmitted to the respective booking platforms solely to make reservation requests on your behalf. This is the core function of the Services.
• Payment processor: We share necessary billing information with Stripe, Inc. to process your payments.
• Analytics provider: We use PostHog for product analytics. Data shared with analytics providers is anonymised or pseudonymised where possible.
• Email service provider: We use AWS Simple Email Service (SES) to send transactional emails. Your email address is shared with this provider solely for the purpose of delivering service communications.
• Legal requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business transfers: In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

5. Data Retention

We retain your data for as long as necessary to provide the Services and fulfil the purposes described in this policy:

• Account data: Retained for the lifetime of your account.
• Booking records: Retained for the lifetime of your account for your reference and our records.
• Activity logs (check logs, slot logs): Retained for 7 days, then automatically deleted.
• Audit logs: Retained for 90 days.
• Payment records: Retained as required by applicable tax and financial regulations.

When you delete your account, all personal data is permanently removed from our systems, except where we are required by law to retain certain records.

6. Your Rights

You have the following rights regarding your personal data:

• Access: You can request a copy of the personal data we hold about you.
• Correction: You can request that we correct any inaccurate personal data.
• Deletion: You can delete your account at any time from the Settings page, which will permanently remove all your personal data. You may also request deletion by contacting us.
• Data portability: Upon request, we will provide a copy of your data in a machine-readable format within 30 days of your request.
• Notification preferences: You can manage what communications you receive from the Settings page.
• Withdraw consent: Where we rely on your consent to process personal data, you can withdraw that consent at any time.

Additional Rights for UK and EEA Residents

If you are located in the United Kingdom or European Economic Area, you have additional rights under the UK GDPR and EU GDPR, including:

• Right to restriction: You can request that we restrict the processing of your personal data in certain circumstances.
• Right to object: You can object to the processing of your personal data where we rely on legitimate interests as the legal basis.
• Supervisory authority: You have the right to lodge a complaint with your local data protection authority (in the UK, this is the Information Commissioner's Office at ico.org.uk).

To exercise any of these rights, please contact us at support@resbooker.io. We will respond to your request within 30 days.

7. International Data Transfers

Our servers and service providers are located in the United States. If you access the Services from outside the United States, including from the United Kingdom or EEA, your personal data may be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your country.

By using the Services, you consent to the transfer of your data to the United States. We take appropriate safeguards to ensure that your personal data is treated securely and in accordance with this Privacy Policy and applicable data protection laws.

8. Legal Basis for Processing

If you are located in the United Kingdom or EEA, we process your personal data on the following legal bases:

• Performance of a contract: Processing necessary to provide the Services to you as described in our Terms of Service.
• Consent: Where you have given us explicit consent, such as for receiving certain communications.
• Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Services, preventing fraud, and ensuring security, provided these interests are not overridden by your rights.
• Legal obligation: Processing necessary to comply with applicable laws and regulations.

9. Cookies & Tracking Technologies

We use a minimal set of cookies and similar technologies:

• Session cookie: An HTTP-only cookie used for authentication. This is essential for the Services to function and cannot be disabled.
• Analytics: We use PostHog for product analytics to understand how users interact with the Services and to improve our product. You can opt out of analytics tracking through your browser settings or by using a Do Not Track header.

We do not use third-party advertising cookies or sell data to advertisers.

10. Children's Privacy

We do not knowingly collect or solicit personally identifiable information from children under 16 years of age. If you are under 16, please do not attempt to register for or otherwise use the Services or send us any personal information. If we learn that we have collected personal information from a child under 16, we will delete that information promptly. If you believe that a child under 16 may have provided us personal information, please contact us at support@resbooker.io.

11. Third-Party Services

The Services integrate with or link to third-party services, including restaurant booking platforms, payment processors, and analytics providers. These third parties have their own privacy policies, and we encourage you to review them. We are not responsible for the privacy practices of third-party services.

Our key third-party service providers include:

• Stripe, Inc. — payment processing (Privacy Policy)
• Amazon Web Services — email delivery and infrastructure
• PostHog — product analytics
• Supabase — database hosting
• Vercel — frontend hosting
• Railway — backend hosting

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. If we make material changes, we will notify you by placing a notice on our website, sending you an email, or by other reasonable means. Your continued use of the Services after any changes constitutes your acceptance of the revised policy.

We encourage you to review this policy periodically for the latest information on our privacy practices.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us at:

Arc Telos Labs Inc. (d/b/a ResBooker)
Email: support@resbooker.io

For UK and EEA residents, you also have the right to contact your local data protection authority if you have concerns about how we process your personal data.