🔒 Privacy Policy

1. Introduction

SAVR ("we," "us," or "our") operates a restaurant loyalty management platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Restaurant Dashboard web application and related services ("Service").

This policy applies to restaurant owners, managers, and staff who use our dashboard. A separate privacy policy applies to end customers using the SAVR mobile application.

By using the Service, you consent to the data practices described in this policy. If you do not agree with this policy, please discontinue use of the Service immediately.

2. Information We Collect

2.1 Information You Provide

When you register and use the Service, we collect:

• Account Information: Restaurant name, address, contact email, phone number, and password
• Business Information: Restaurant profile details, operating hours, branding assets
• Deal Information: Promotional deals, descriptions, point requirements, expiration dates
• Business Verification: Google Maps Place ID, business location coordinates, contact person name, reason for joining SAVR, business ownership confirmation details
• Support Communications: Messages, feedback, and inquiries you send to our support team via email or in-app contact forms
• QR Code Data: Generated QR codes, scan statistics, and location assignments

2.2 Automatically Collected Information

When you use the Service, we automatically collect:

• Usage Data: Pages visited, features used, time spent on pages, click patterns
• Device Information: IP address, browser type and version, operating system, device identifiers
• Log Data: Access times, error logs, system activity
• Cookies and Similar Technologies: Session cookies, preference cookies, analytics cookies

2.3 Customer Data (You Are the Data Controller)

Through your use of the loyalty program features, we process data about your customers on your behalf, including:

• Customer transaction history (points earned and redeemed)
• Customer point balances and redemption records
• Deal redemption codes and validation timestamps
• Customer interaction patterns with your loyalty program

Important: You are the data controller for your customer data. You are responsible for: (1) obtaining proper consent from your customers before enrolling them, (2) providing them with your own privacy notice, (3) complying with all applicable privacy laws (GDPR, CCPA, etc.), and (4) responding to customer data requests. SAVR acts as a data processor under your instructions.

3. How We Use Your Information

We use the collected information for the following purposes:

• Service Delivery: To provide, maintain, and improve the Service functionality
• Account Management: To create and manage your account, authenticate access, and enable features
• Communication: To send service-related notifications, updates, security alerts, and support messages
• Analytics: To analyze usage patterns, improve user experience, and develop new features
• Security: To detect, prevent, and address technical issues, fraud, and security breaches
• Compliance: To comply with legal obligations and enforce our Terms of Service
• Marketing: With your consent, to send promotional materials about new features and services (you can opt out at any time)
• Customer Support: To respond to your requests, questions, and provide technical assistance

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

4.1 Service Providers (Third-Party Tools We Use)

We share information with the following third-party service providers who perform services on our behalf. All providers are contractually required to protect your data and use it only for the purposes we specify:

• Supabase (Database & Authentication): Stores your account data, deals, transactions, and customer loyalty data. Hosted on AWS infrastructure. Privacy policy: https://supabase.com/privacy
• Google Maps Platform: Provides business location verification and address autocomplete. Privacy policy: https://policies.google.com/privacy
• Resend (Email Delivery): Sends business verification emails, support notifications, and service-related communications. Privacy policy: https://resend.com/legal/privacy-policy

We do not use analytics tracking services (like Google Analytics) or advertising networks. We do not sell or share your data for marketing purposes.

4.2 Legal Requirements

We may disclose your information if required by law, court order, or governmental request, or to protect our rights, property, or safety.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

4.4 With Your Consent

We may share information for any other purpose with your explicit consent.

5. Data Security

We implement industry-standard security measures to protect your information:

• Encryption of data in transit using SSL/TLS protocols
• Encryption of sensitive data at rest
• Regular security assessments and vulnerability testing
• Access controls and authentication mechanisms
• Employee training on data protection and privacy practices
• Monitoring and logging of system access

However, no method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. When you terminate your account, we will delete or anonymize your information within 30 days, except where we are required to retain it for legal, accounting, or security purposes.

Specific retention periods:

• Account Data: Deleted within 30 days of account termination
• Transaction Records: Retained for 7 years for accounting and tax purposes
• Support Communications: Retained for 3 years
• Log Data: Retained for 12 months

7. Your Privacy Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information (subject to legal retention requirements)
• Data Portability: Request a copy of your data in a structured, machine-readable format
• Opt-Out: Opt out of marketing communications at any time
• Restriction: Request restriction of processing in certain circumstances
• Objection: Object to processing based on legitimate interests

To exercise these rights, please contact us at team@savreats.app. We will respond to your request within 30 days.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Essential Cookies: Required for authentication and basic functionality
• Preference Cookies: Remember your settings and preferences
• Analytics Cookies: Understand how you use the Service and improve performance
• Marketing Cookies: Deliver relevant advertisements (with your consent)

You can control cookies through your browser settings. Note that disabling essential cookies may affect Service functionality.

9. Third-Party Links and Services

The Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child without parental consent, we will take steps to delete that information.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. When we transfer data internationally, we implement appropriate safeguards such as standard contractual clauses approved by relevant authorities.

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information (subject to exceptions)
• Right to opt-out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your privacy rights

To exercise your California privacy rights, contact us at team@savreats.app.

13. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR), including the right to access, rectification, erasure, restriction of processing, data portability, and objection. You also have the right to lodge a complaint with your local data protection authority.

Our legal basis for processing your information includes: performance of a contract, legitimate interests, compliance with legal obligations, and your consent (which you may withdraw at any time).

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on the Service. The "Last Updated" date at the top of this policy indicates when it was last revised. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

15. Data Processing Agreement (For Customer Data)

When you use SAVR to process your customers' personal data, the following terms apply:

• Your Role: You are the Data Controller. You determine what customer data is collected and for what purposes.
• Our Role: We are the Data Processor. We process customer data only on your instructions and in accordance with this policy.
• Your Obligations: You must obtain valid consent from customers, provide them with a privacy notice, honor their data rights (access, deletion, etc.), and comply with all applicable laws.
• Our Obligations: We will implement appropriate security measures, only use customer data to provide the Service, assist you with data subject requests, and notify you of any data breaches.
• Sub-Processors: We use the sub-processors listed in Section 4.1. You authorize their use by using the Service.
• Data Deletion: Upon account termination or upon your request, we will delete all customer data within 90 days, except where legal retention is required.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: