Privacy Policy

Last updated May 20, 2026

This Privacy Policy explains how Restaurant Velocity handles your information, including the data we access through Google Business Profile and Meta. We have written it in plain language and kept it accurate to what the product actually does.

01 Who we are and what this covers

Restaurant Velocity is a software product that helps independent restaurants manage their online presence. It connects to your Google Business Profile and your Meta accounts (Facebook Pages and Instagram), then drafts review replies, posts, photo captions, and comment replies for you to approve.

Restaurant Velocity is operated by Restaurant Velocity, LLC, a limited liability company formed in Delaware, USA (the words "we", "us", and "Restaurant Velocity" mean that company). This policy explains what data we collect when you use the product, why we collect it, who we share it with, how long we keep it, and the choices you have.

It applies to the Restaurant Velocity web application and the accounts you connect to it. If you do not agree with this policy, please do not use the product.

02 Information we collect

We collect the following categories of information.

Account information

When you sign up we collect your name, email address, and a password. Passwords are never stored in plain text; authentication is handled by our infrastructure provider, which stores only a salted hash. We also store the name and basic details of the restaurant you are managing.

Business content you connect

When you connect Google or Meta, we receive business content from those accounts so the product can work. This is described in detail in sections 3 and 4 below.

Content you create in the product

This includes your brand voice settings, menu and upsell catalog, banned phrases, automation preferences, and any edits you make to drafted content before approving it.

Payment information

Subscription billing is handled entirely by Stripe. Your card number is entered directly into Stripe and never reaches our servers. We store only a Stripe customer reference and a subscription reference so we can show your plan status. Card details, billing address, and invoice history live with Stripe and are governed by Stripe's privacy policy.

Usage and diagnostic information

We keep an audit log of important actions taken in your account (for example, a reply being approved or a connection being removed) so you and we can see what happened and when. Our hosting and database providers keep standard infrastructure logs for security and reliability.

03 Google user data and how we use it

When you connect your Google account, you grant Restaurant Velocity access through Google OAuth. We request these scopes:

  • business.manage: the Google Business Profile management scope. It lets us read and, with your approval, write your business listings, reviews and replies, Posts, photos, attributes, hours, and performance insights.
  • openid, email, profile: used only to identify which Google account you connected and to show you its email address in the app. We do not build an advertising profile from this.

With these scopes we read your Google Business Profile locations, reviews, Posts, photos, and insights so the product can show them to you and draft content. When you approve a draft, we write it back to your Business Profile on your behalf. We never publish to Google without your explicit approval of that specific item.

Restaurant Velocity's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, we do not sell it, and we do not allow humans to read it except as needed for security, to comply with the law, or with your explicit permission for support.

You can disconnect Google at any time from the connections screen in the app. Disconnecting revokes our access and deletes the Google-derived data we hold (see section 8).

04 Meta (Facebook and Instagram) data and how we use it

When you connect Meta, you grant access through Facebook Login. Restaurant Velocity requests only the permissions it actively uses:

  • business_management and pages_show_list: used to list the Facebook Pages you manage so you can choose which one to connect.
  • pages_read_engagement and pages_read_user_content: used to read your Page posts and the comments visitors leave on them, so we can show them in your inbox and draft replies.
  • pages_manage_engagement: used to publish a comment reply to your Facebook Page after you approve it.
  • pages_manage_metadata: used to receive real-time notifications when a new comment arrives on your Page.
  • instagram_basic and instagram_manage_comments: used to read your Instagram profile basics and comments, and to publish a comment reply after you approve it.

We use this access to populate your comment inbox and to draft replies in your voice. As with Google, nothing is published to Facebook or Instagram until you approve that specific reply. We do not read private messages, we do not access your personal Facebook profile or friends, and we do not use Meta data for advertising or sell it to anyone.

You can disconnect Meta at any time from the connections screen. Disconnecting revokes our access and deletes the Meta-derived data we hold.

05 How we use your information

We use the information described above to:

  • Provide, operate, and maintain the product.
  • Draft review replies, posts, captions, and comment replies for you to review and approve.
  • Show you your reviews, comments, posts, photos, and performance insights in one place.
  • Publish content you have approved back to Google, Facebook, or Instagram.
  • Process your subscription, send billing notices, and provide customer support.
  • Send you transactional emails about your account (for example, a trial reminder or a connection that needs attention). We do not send marketing email without your consent.
  • Keep the product secure, detect abuse, debug problems, and meet legal obligations.

We do not sell your personal information, and we do not use the content of your connected accounts to train any general-purpose AI model.

06 Automated content drafting

The core of the product is automated drafting. To turn your reviews, comments, and prompts into drafted replies and posts, we send the relevant text to AI service providers that generate the draft. Your brand voice settings (which you control) shape the output.

These providers process the text only to return a result to us. Under our agreements with them, they do not use the content we send to train their models. The drafts they return are stored in your account and are never published until you approve them.

You are always in control. Every drafted reply and post waits for your approval, and you can edit or reject any of them. If you enable an automatic publishing mode, that is your explicit choice and you can turn it off at any time.

07 How we share information

We do not sell your data and we do not share it for anyone else's advertising. We share data only with service providers ("subprocessors") that help us run the product, and only as needed for them to perform their function. Each is bound by a contract that limits how it may use the data.

  • Supabase: database, file storage, and authentication. Hosts your account data in the United States.
  • Vercel: application hosting and content delivery.
  • Stripe: subscription billing and payment processing. Stripe is the controller of your card and billing data.
  • Resend: delivery of transactional email.
  • Anthropic, Google, OpenAI: AI providers that generate drafted content and run quality checks. They do not train on the content we send.
  • Voyage AI: generates mathematical embeddings used to avoid duplicate drafts. Does not train on our content.
  • Upstash: rate limiting to protect the service from abuse.

We may also disclose information if required by law, to enforce our Terms of Service, to protect the rights and safety of our users or the public, or in connection with a merger or acquisition (in which case we will notify you and this policy will continue to apply to your data).

08 Data retention

How long we keep your data depends on the type:

  • Account and product data (your profile, brand voice, drafts, settings, audit history) is kept for as long as your account exists, so the product keeps working for you.
  • Google and Meta data is kept while the connection is active. When you disconnect a provider, the data derived from that provider is deleted.
  • If your subscription lapses, your data is retained so you can resume later without losing your history. It is not automatically erased. To erase it, delete your account (see section 9).
  • Backups. Our database provider keeps short-term encrypted backups (a rolling window of about seven days) for disaster recovery. Deleted data ages out of backups within that window.

09 Deleting your data

Account deletion is immediate and permanent. When you confirm it, we begin erasing your data right away and the removal finishes within roughly 30 seconds. It cannot be undone.

You can delete your account yourself: sign in, go to Settings, scroll to the Danger zone, and choose Delete my account. You will be asked to type your email to confirm.

Deletion removes your tenant record, brand voice, drafts, posts, harvested photos, ranking history, audit logs, and the encrypted connection tokens we held. Your login is removed so the email address is freed for future sign-up. Content you already published to Google, Facebook, or Instagram stays on those platforms, because it lives on your own channels and is yours to manage there.

If you cannot sign in, email privacy@restaurantvelocity.com from the address on your account and we will process the deletion for you. Full instructions are on our Data Deletion page.

10 How we protect your data

We take reasonable and appropriate measures to protect your information:

  • All traffic to the product is encrypted in transit with HTTPS.
  • The access tokens for your Google and Meta connections are encrypted with AES-256-GCM before they are stored. They are never written to our database in plain text.
  • Access to production systems is limited to the people who need it, and the database enforces tenant isolation so one customer's data is not visible to another.
  • We design the product to request the minimum access it needs and to keep human review of your content to a minimum.

No system is perfectly secure, but if we ever become aware of a breach affecting your data we will notify you and the relevant authorities as required by law. To report a vulnerability, email security@restaurantvelocity.com.

11 Your privacy rights

Depending on where you live, you may have rights over your personal data, including the right to access it, correct it, delete it, export it, or object to certain processing. These include rights under the EU/UK GDPR and the California Consumer Privacy Act (CCPA).

You can exercise the most common rights directly in the product: edit your profile and settings at any time, export your audit history as a CSV file, and delete your account from Settings. For any other request, email privacy@restaurantvelocity.com and we will respond within the time required by law (within 30 days for GDPR requests).

We will not discriminate against you for exercising a privacy right. Restaurant Velocity does not sell or share personal information for cross-context behavioral advertising, so there is no "sale" for you to opt out of.

12 Cookies

The product uses a small number of strictly necessary cookies to keep you signed in. Without them the app cannot work, so they are not subject to a consent banner.

We do not load Google Analytics, advertising pixels, or third-party tracking scripts inside the product, and our transactional emails do not contain open-tracking pixels.

13 International data transfers

Restaurant Velocity is operated from the United States and your data is stored on servers in the United States. If you use the product from outside the United States, you understand that your information will be transferred to and processed there. Where required, our subprocessor agreements include standard contractual clauses or equivalent safeguards for international transfers.

14 Children's privacy

Restaurant Velocity is a business tool intended for restaurant owners and their staff. It is not directed to children, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us information, contact privacy@restaurantvelocity.com and we will delete it.

15 Changes to this policy

We may update this policy as the product evolves or the law changes. When we make a material change we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Continuing to use the product after a change means you accept the updated policy.

16 Contact us

If you have any question about this policy or about how we handle your data, please get in touch:

Restaurant Velocity, LLC is the data controller for the information described in this policy.

Questions about this policy?

Email us and a person will reply. Privacy and data requests go to privacy@restaurantvelocity.com. Legal and contract questions go to legal@restaurantvelocity.com.