Privacy Policy
Effective Date: April 7, 2026
Reddito ("Reddito," "we," "us," or "our") operates the Reddito platform — an AI-powered reputation management, marketing, and revenue attribution service built exclusively for independent restaurants. We are committed to protecting the privacy of both our restaurant customers ("Restaurant Accounts") and the guests whose data flows through the platform ("Guests"). This Privacy Policy explains what data we collect, how we use it, with whom we share it, and the rights available to you.
By creating an account or using our services, you agree to the practices described in this Privacy Policy.
1. Information We Collect
1.1 Restaurant Account Data
When a restaurant owner, operator, or staff member creates or uses a Reddito account, we collect:
- Name, email address, and password (or Google OAuth credentials)
- Business name, address, phone number, and website
- Billing information processed through our payment provider (Stripe) — we do not store raw card numbers
- Platform settings, brand voice configurations, and campaign content you create
- Usage logs, feature interactions, and session data
1.2 Guest Data (Collected via QR Code Flow)
When a restaurant deploys Reddito's QR code review flow, we collect information submitted by Guests at the point of experience:
- First name, last name, and email address
- Traffic source / visit attribution (e.g., how they heard about the restaurant)
- Return visit attribution (for returning guests identified by email match)
- Star rating and review content submitted
- Marketing opt-in status (pre-checked checkbox; Guests may unsubscribe at any time)
- Timestamp and location identifier of the QR interaction
Guest data is collected on behalf of, and processed for the benefit of, the restaurant that deployed the QR code. Restaurants are the data controllers for Guest data; Reddito acts as a data processor on their behalf.
1.3 Automatically Collected Data
We automatically collect certain technical data when you use the platform:
- IP address, browser type, and operating system
- Pages visited, features used, and time spent on the platform
- Referring URLs and device identifiers
- Error logs and performance data
2. How We Use Your Information
We use the information we collect for the following purposes:
- Delivering and improving the Reddito platform and its features
- Processing AI-generated content (review responses, marketing campaigns, insights) using third-party AI models — see Section 4
- Attribution analysis: connecting guest interactions, review patterns, and campaign activity to measurable revenue outcomes
- Sending transactional emails (account setup, weekly Monday Morning Reports, billing receipts, milestone summaries)
- Sending marketing communications to Guests who have opted in, on behalf of the restaurant
- Processing billing and managing subscriptions
- Enforcing our Terms of Service and applicable legal obligations
- Detecting fraud, abuse, or security threats
3. Lawful Bases for Processing
For Restaurant Account data, we process personal information on the following bases:
- Performance of a contract: to deliver the services you subscribed to
- Legitimate interests: platform security, fraud prevention, and service improvement
- Legal obligation: compliance with applicable law
For Guest data collected through the QR flow, processing is based on:
- Consent: Guests provide their information voluntarily and opt in to marketing communications
- Legitimate interests of the restaurant: collecting feedback and attributing guest visits
4. Artificial Intelligence Processing
Reddito uses third-party AI services, including Anthropic's Claude API, to generate review responses, marketing campaign copy, and analytical insights. When content you create or review data submitted to the platform is processed by AI:
- Text inputs (reviews, campaign prompts, menu feedback) may be transmitted to Anthropic's API for processing
- We do not send personally identifiable Guest information (names, emails) to AI models
- AI-generated outputs are returned to you for review and approval before publication
- Anthropic processes data in accordance with its own privacy policy and enterprise data handling commitments
You retain full control over AI-generated content and should not publish outputs without human review.
5. How We Share Your Information
We do not sell personal information. We share data only as described below:
5.1 Service Providers
We share data with vendors who help us operate the platform:
- Stripe: payment processing and billing management
- Anthropic: AI content generation (review text, campaign copy, insights)
- Supabase: database hosting and storage
- Google: authentication (Google OAuth) and business review data (Google Business Profile API)
- Email delivery providers for transactional and marketing emails
5.2 Restaurant Operators
Guest data collected through a restaurant's QR code is accessible to that restaurant via the Reddito dashboard. Restaurants are responsible for using Guest data in accordance with their own posted privacy disclosures and applicable law.
5.3 Legal Requirements
We may disclose information when required by law, court order, or to protect the rights, property, or safety of Reddito, our users, or the public.
5.4 Business Transfers
If Reddito is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will provide notice before your data is subject to a materially different privacy policy.
6. Data Retention
We retain personal data for as long as necessary to deliver our services and fulfill the purposes described in this policy:
- Restaurant Account data: retained for the life of the account plus 90 days following account closure
- Guest data: retained for the duration of the restaurant's active subscription plus 90 days
- Billing records: retained for 7 years to meet tax and accounting obligations
- Server logs: retained for 90 days
You may request deletion of your data at any time (see Section 8).
7. Data Security
We implement industry-standard safeguards to protect personal data, including:
- Encrypted data transmission over HTTPS/TLS
- Access controls limiting data access to authorized personnel and systems
- Regular security reviews of our infrastructure
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at privacy@getreddito.com.
8. Your Privacy Rights
8.1 All Users
- Access: request a copy of the personal data we hold about you
- Correction: request correction of inaccurate or incomplete data
- Deletion: request that we delete your personal data, subject to legal retention obligations
- Opt-out of marketing: unsubscribe from marketing emails at any time via the unsubscribe link or by contacting us
8.2 California Residents (CCPA / CPRA)
California residents have the right to know what personal information we collect, use, disclose, and sell; to delete personal information we hold; to correct inaccurate personal information; to opt out of the sale or sharing of personal information (we do not sell personal information); to limit use of sensitive personal information; and to non-discrimination for exercising their rights. Submit requests to privacy@getreddito.com. We will respond within 45 days.
8.3 Virginia Residents (VCDPA)
Virginia residents have the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of profiling used to make decisions that produce legal or similarly significant effects. Submit requests to privacy@getreddito.com.
8.4 Colorado, Connecticut & Texas Residents
Residents of Colorado, Connecticut, and Texas have rights of access, correction, deletion, portability, and opt-out of targeted advertising and profiling. Submit requests to privacy@getreddito.com.
8.5 Other State Residents
We honor privacy rights under all applicable state consumer privacy laws as they come into effect. Contact privacy@getreddito.com to submit any privacy request regardless of your state of residence.
9. Children's Privacy
Reddito is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, contact us at privacy@getreddito.com and we will delete it promptly.
10. Third-Party Links and Integrations
The platform may link to third-party services (e.g., Google Business Profile, social media platforms). We are not responsible for the privacy practices of those services. We encourage you to review their privacy policies before sharing information with them.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Restaurant Account holders by email at least 14 days before material changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
12. Contact Us
For privacy-related questions, requests, or complaints, contact us at: