Privacy Policy

1. Our Philosophy

Simple Reso was built with a fundamentally different approach to data. We believe restaurants should own their customer relationships completely. We are a tool for restaurants, not a marketplace that profits from your customers.

This means we collect only what we need to provide the service, we never use restaurant customer data for our own purposes, and we give restaurants full control and ownership of their data at all times.

2. What We Collect

From Restaurant Owners (You)

• Account information: email address, restaurant name, contact details
• Payment information: processed securely by Stripe (we don't store card numbers)
• Restaurant settings: hours, capacity, booking rules, confirmation messages

From Your Customers (Diners)

• Reservation details: name, email, phone (if provided), party size, date/time
• Special requests or notes submitted with the reservation

Important: Customer data is collected on behalf of your restaurant and belongs to you. We process it solely to deliver reservations and provide the Service.

3. What We Never Do With Customer Data

4. How We Use Data

We use the data we collect to:

• Provide reservation functionality (confirmations, reminders, modifications)
• Display reservations and customer history in your dashboard
• Generate analytics about your restaurant's performance (visible only to you)
• Send transactional emails (booking confirmations, reminders) on your behalf
• Process your subscription payments
• Improve the Service and fix bugs

5. Data Security

We implement industry-standard security measures to protect your data:

• All data transmitted over HTTPS/TLS encryption
• Database encryption at rest
• Regular security audits and monitoring
• Secure password hashing
• Row-level security to isolate restaurant data

6. Your Rights

As a restaurant owner, you have full control over your data:

• Access: View all your data anytime through the dashboard
• Export: Request a complete export of all your data
• Delete: Request deletion of your account and all associated data
• Portability: Take your customer data with you if you leave

7. Third-Party Services

We use a limited number of trusted third-party services:

• Stripe: Payment processing (PCI compliant)
• Supabase: Database and authentication
• Resend: Transactional email delivery
• Vercel: Application hosting

These services are contractually bound to protect your data and use it only for the purposes we specify.

8. Cookies

We use essential cookies only to keep you logged in and maintain your session. We do not use tracking cookies, advertising cookies, or third-party analytics that track users across websites.

9. Roles & Responsibilities

For diner (customer) data collected through the Service, the restaurant is the data controller and Simple Reso is the data processor. This means the restaurant decides what data is collected and why, and we process it only on the restaurant's behalf and according to these terms.

• Restaurants are responsible for obtaining any necessary consent from their diners, posting their own privacy notice where required, and responding to diner privacy requests.
• Simple Reso is responsible for safeguarding the data, processing it only to deliver the Service, and assisting restaurants with privacy requests when needed.

For your own account data (restaurant owner information), Simple Reso acts as the data controller.

10. Data Retention

We retain data only as long as it is needed to provide the Service or as required by law:

• Reservation & customer data: kept for as long as your account is active so you retain full booking and guest history.
• After account closure: customer data is deleted from our active systems within 30 days of your request, except where we must retain limited records to comply with legal or tax obligations.
• Billing records: retained as required by applicable financial and tax regulations.

11. Regional Privacy Rights

European Union / UK (GDPR)

If you or your diners are in the EU or UK, applicable individuals have the right to access, correct, delete, restrict, or object to the processing of personal data, and the right to data portability. Our legal bases for processing include performance of a contract, legitimate interests in operating the Service, and consent where required. Diner requests should be directed to the restaurant as data controller; we will assist as processor.

California (CCPA/CPRA)

California residents have the right to know what personal information is collected, to request deletion, to correct inaccurate information, and to opt out of the sale or sharing of personal information. We do not sell or share personal information, and we do not discriminate against anyone for exercising their privacy rights.

12. International Data Transfers

Our infrastructure and trusted sub-processors may store and process data in the United States and other countries. Where data is transferred across borders, we rely on appropriate safeguards such as standard contractual clauses to ensure your data remains protected to the standards described in this policy.

13. Children's Privacy

The Service is intended for use by restaurants and their adult representatives. It is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

14. Data Breach Notification

In the unlikely event of a data breach affecting your data, we will notify affected restaurants without undue delay and in accordance with applicable law, describing the nature of the incident, the data involved, and the steps we are taking in response.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email. Our commitment to never marketing to your customers or selling their data is fundamental to our business and will not change.

16. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us.