Privacy Policy
Last updated: 2026-05-12
1. Who we are (Data Controller)
Restaurant Buddy (the “Service”) is operated by Funnel Profits, a Swedish sole proprietorship (enskild firma) registered as SE920914113501 with its principal place of business at Rosstigen 5, 141 30, Huddinge, Sweden. In this policy “we”, “us”, and “our” refer to Funnel Profits as the data controller for personal data processed via Restaurant Buddy.
You can reach our privacy team at privacy@restaurant-buddy.ai.
2. Scope
This policy applies to personal data we collect when you visit restaurant-buddy.ai, register an account, use the Service to run restaurant operations, or interact with our sales and support channels. It does not apply to third-party websites that may link to or from the Service.
3. Personal data we collect
We collect personal data in three ways:
3.1 Data you give us directly
- Account data — full name, email address, phone number, password (hashed at rest), profile photo, language, and time zone.
- Restaurant / business data — venue name, address, VAT or tax ID, opening hours, currency, and the operational data you enter into the platform (inventory items, suppliers, recipes, cash counts, time entries, schedules, customer tabs, AI chat transcripts, and uploaded invoices or receipt images).
- Team data — names, roles, and contact details for staff you invite as Owners, Managers, or Employees. You are the data controller for your staff data; we process it on your behalf as a data processor.
- Billing data — billing name, billing address, last 4 digits and card brand (we never see full card numbers; Stripe is our PCI DSS Level 1 payment processor).
- Support data — messages, screenshots, and call recordings you send to our support team.
3.2 Data we collect automatically
- Device and usage data — IP address, browser type and version, operating system, device identifiers, pages visited, features used, referring URL, timestamps, and crash diagnostics.
- Cookies and similar technologies — see Section 9.
- AI interaction data — prompts, generated responses, and feedback ratings, used to operate the AI assistant and improve safety and accuracy.
3.3 Data from third parties
- POS and integration partners — when you connect a point-of-sale, accounting, or scheduling system, we receive the data you authorize that integration to share (sales, transactions, employee records).
- Marketing partners — aggregated and de-identified attribution data.
4. How and why we use your data (legal bases under GDPR)
| Purpose | Legal basis |
|---|---|
| Provide the Service, including AI assistance, anomaly detection, inventory, cash close-out, scheduling, and tab management | Performance of the contract (GDPR Art. 6(1)(b)) |
| Process payments and prevent fraud | Performance of the contract; legal obligation (GDPR Art. 6(1)(b), (c)) |
| Keep accounting records under Swedish law (Bokföringslagen) | Legal obligation (GDPR Art. 6(1)(c)) |
| Send service updates, security alerts, and onboarding emails | Legitimate interests (GDPR Art. 6(1)(f)) |
| Send marketing newsletters and product launch announcements | Consent (GDPR Art. 6(1)(a)) — withdrawable any time |
| Improve product safety, debug crashes, and detect abuse | Legitimate interests (GDPR Art. 6(1)(f)) |
5. Sharing and disclosure
We do not sell personal data. We share personal data only with the categories of recipient listed below, each under contractual safeguards (Data Processing Agreements and, for transfers outside the EEA, Standard Contractual Clauses):
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database, storage | EU (Frankfurt / Stockholm) |
| Vercel | Application hosting and edge runtime | Global (SCCs) |
| Stripe | Payment processing (PCI DSS Level 1) | EU / USA (SCCs) |
| Anthropic | Claude AI assistant and image analysis | USA (SCCs; zero-retention API tier) |
| Resend | Transactional email delivery | EU / USA (SCCs) |
| Upstash | Rate-limiting and caching | EU / USA (SCCs) |
| Sentry | Crash reporting and error monitoring | EU / USA (SCCs) |
| GoHighLevel | CRM and marketing automation (consent-based) | USA (SCCs) |
We may also disclose personal data when required by law, court order, or to protect the rights, property, or safety of Restaurant Buddy, our customers, or others. In the event of a merger, acquisition, or asset sale we will notify you before personal data is transferred and becomes subject to a different privacy policy.
6. International data transfers
Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where appropriate, supplementary technical and organisational measures including encryption in transit and at rest. You can request a copy of the SCCs in force with any of our subprocessors by emailing privacy@restaurant-buddy.ai.
7. Data retention
- Account data — for the lifetime of your account plus 30 days after deletion.
- Operational restaurant data (inventory, time entries, tabs, cash reports, etc.) — for the lifetime of your account plus 30 days after deletion, after which the data is purged unless you have exported it.
- Accounting and tax records — 7 years, as required by Swedish tax law (Bokföringslagen).
- AI chat transcripts — 12 months by default; you can purge chat history from the in-app settings at any time.
- Crash and server logs — 90 days, anonymised after 30 days.
- Marketing contact data — until you withdraw consent.
8. Security
We use industry-standard measures to protect your data, including TLS 1.2+ in transit, AES-256 at rest, row-level security policies in our database, hashed passwords (bcrypt via Supabase), least-privilege role-based access controls, mandatory MFA for staff access, and continuous monitoring with Sentry. We perform regular vulnerability scans and dependency audits. No system is 100% secure — see Section 11 for incident response.
9. Cookies
We use a small set of cookies and similar storage technologies:
- Strictly necessary — session and authentication cookies (e.g.
sb-access-token,rb_admin,x-request-id). These cannot be turned off without breaking the Service. - Functional — preferences such as theme, language, and dashboard layout.
- Analytics — aggregated, privacy-preserving usage metrics. Only enabled with consent in jurisdictions that require it.
You can clear cookies through your browser settings or via the cookie banner controls where shown.
10. Your rights
10.1 Rights under the EU / UK GDPR
- The right to access your personal data.
- The right to rectification of inaccurate or incomplete data.
- The right to erasure (“right to be forgotten”).
- The right to restrict processing.
- The right to data portability in a structured, machine-readable format.
- The right to object to processing based on legitimate interests or direct marketing.
- The right to withdraw consent at any time, where consent is the legal basis.
- The right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY, www.imy.se).
10.2 Rights under the California Consumer Privacy Act (CCPA / CPRA)
- The right to know what personal information we collect and how we use it.
- The right to delete personal information we collect from you.
- The right to correct inaccurate personal information.
- The right to opt out of the “sale” or “sharing” of personal information — we do not sell or share personal data in the CCPA sense.
- The right to limit the use of sensitive personal information.
- The right not to be discriminated against for exercising any of these rights.
To exercise any right, email privacy@restaurant-buddy.ai. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice).
11. Data breaches
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Swedish Authority for Privacy Protection (IMY) within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33, and we will notify affected users without undue delay where the risk is high (GDPR Art. 34).
12. Children
The Service is intended for use by businesses and adults aged 18 or older. We do not knowingly collect personal data from children under the age of 16. If you believe a child has provided us with personal data, contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email or via the Service. Continued use of the Service after changes take effect constitutes acceptance.
14. Contact
For any privacy question or to exercise your rights, contact:
Funnel Profits (SE920914113501)
Rosstigen 5, 141 30, Huddinge, Sweden
privacy@restaurant-buddy.ai