Privacy Policy

1. Data Controller

ReservAI ("we", "us", "our") is the data controller responsible for your personal data. We operate the website at www.reservai.eu and the ReservAI Android application.

Contact: privacy@reservai.eu

Location: Romania, European Union

2. Data We Collect

Account Information

• Full name
• Email address
• Password (stored as a bcrypt hash — we never store plain text passwords)
• Phone number (required at registration, used as the contact number when the AI calls to make your reservation)

Reservation Data

• Restaurant name, address, and phone number
• Reservation date, time, and party size
• Guest name provided for the booking
• Special requests or dietary requirements
• Reservation status and outcome

Call Data

• Full transcripts of AI phone conversations with restaurants
• Call duration and timestamps
• Call status (completed, failed, no answer, etc.)

Note: We do not record or store audio from phone calls. Only text transcripts of the AI-generated conversation are retained.

Chat & Interaction Data

• Messages exchanged with our AI chat assistant
• Voice input transcriptions (processed in your browser via the Web Speech API — audio is not sent to our servers)
• Feedback and bug reports you submit, including an optional screenshot of the app at the time of the report

Location Data

• Approximate or precise GPS coordinates from your device — only when you explicitly grant location permission
• Location is used solely to find restaurants near you and is not stored on our servers
• Location permission is entirely optional — you can use the service without it by typing your city or neighbourhood in the chat

Payment Data

Payments are processed by Google Play Billing (Android app) and Lemon Squeezy (web). We do not collect, store, or have access to your credit card numbers, bank account details, or other payment credentials. We only store your subscription status, token balance, and a purchase history record (product ID, date, tokens granted).

3. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing your account data, reservation details, and making calls to restaurants is necessary to provide the service you requested.
• Consent (Art. 6(1)(a)): You explicitly confirm each reservation before our AI places a call. Voice input via microphone and device location access each require your explicit browser or device permission, which you can withdraw at any time.
• Legitimate interest (Art. 6(1)(f)): Improving our AI assistant, preventing abuse (rate limiting), and ensuring service security.

4. How We Use Your Data

• Making reservations: Your name, phone number, and reservation details are shared with restaurants during AI phone calls to book your table.
• Email notifications: We send confirmation emails about reservation outcomes, a welcome email at registration, and password reset emails when requested.
• Service improvement: Chat interactions and feedback help us improve the AI assistant quality and user experience.
• Account management: Managing your profile, token balance, and subscription.
• Security: Rate limiting, input validation, and abuse prevention to protect all users.

5. AI & Voice Technology Disclosure

ReservAI uses artificial intelligence in the following ways:

• AI Chat Assistant: Your messages are processed by Anthropic's Claude AI to understand your reservation requests and guide you through the booking process.
• AI Phone Calls: When you confirm a reservation, our AI places a real phone call to the restaurant. The AI always identifies itself as an AI assistant at the beginning of each call. Restaurants are never misled about speaking with AI.
• AI Voice Synthesis: Phone call speech is generated using ElevenLabs text-to-speech technology. This produces synthetic audio that is clearly identified as AI-generated.
• Browser Voice Input: The microphone feature in chat uses your browser's built-in Web Speech API. Audio is processed locally by your browser — it is not sent to or stored on our servers.

Your data is not used to train AI models. Your conversations and reservation data are used only to provide and improve the ReservAI service.

5b. Automated Decision-Making (Art. 22 GDPR)

ReservAI uses AI to assist with reservation requests. We want to be transparent about how automated processing works in our service:

• No fully automated decisions with legal effect: No reservation is placed without your explicit confirmation. You review and approve every booking before the AI places a call to the restaurant. You are always in control of the final decision.
• AI-assisted processing: Our AI chat assistant interprets your natural language requests to extract reservation details (restaurant, date, time, party size). This is a convenience feature — you can correct any detail before confirming.
• Call outcome processing: The AI interprets the restaurant's verbal response (confirmed, rejected, alternative offered) to update your reservation status. Ambiguous outcomes are flagged for human review.
• Token deductions: Token balances are adjusted automatically based on confirmed reservation activity. You can contact us at privacy@reservai.eu to dispute any automated token deduction.

Under Art. 22 GDPR, you have the right to request human review of any automated processing that significantly affects you. Contact privacy@reservai.eu to exercise this right.

5c. Special Category Data (Art. 9 GDPR)

ReservAI does not intentionally collect special category data as defined under Art. 9 GDPR (health data, religious beliefs, racial or ethnic origin, etc.).

However, the "special requests" field in reservations is a free-text field where you may voluntarily include information such as dietary requirements, food allergies, or accessibility needs. This information may indirectly reveal health conditions or religious beliefs.

• This data is used solely to communicate your requirements to the restaurant during the booking call.
• It is not analysed, profiled, or shared for any purpose other than completing your reservation.
• By submitting a special request that includes sensitive information, you provide explicit consent (Art. 9(2)(a)) for us to process and communicate that information to the restaurant on your behalf.
• You can omit sensitive details from special requests at any time — they are entirely optional.

6. Third-Party Services & Data Sharing

We share data with the following service providers, solely to operate ReservAI. We do not sell your data or share it for advertising purposes.

7. International Data Transfers

Some of our service providers are located in the United States. When your data is transferred outside the European Economic Area (EEA), it is protected by the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs), or other approved transfer mechanisms as required by GDPR (Chapter V). Each provider listed above maintains appropriate safeguards for international transfers.

8. Data Security

We implement the following security measures:

• All connections encrypted via HTTPS/TLS
• Passwords hashed with bcrypt (never stored in plain text)
• Password reset tokens SHA-256 hashed in database, expire after 1 hour
• JWT session tokens with HttpOnly, Secure, and SameSite cookie attributes
• API rate limiting to prevent brute force and abuse
• Content Security Policy, HSTS, and other security headers
• Webhook signature verification for telephony callbacks
• Input validation and sanitization on all endpoints

9. Data Retention

• Account data: Retained for as long as your account is active. Deleted upon account deletion request.
• Reservation history & transcripts: Retained for 12 months after the reservation date, then automatically deleted.
• Chat conversations: Retained for as long as your account is active to provide booking continuity.
• Password reset tokens: Expire and are invalidated after 1 hour.
• Payment records: Retained as required by Romanian fiscal regulations.

10. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

• Right of access — obtain a copy of the personal data we hold about you
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure — request deletion of your data ("right to be forgotten")
• Right to restrict processing — limit how we use your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interest
• Right to withdraw consent — withdraw consent at any time where processing is consent-based

To exercise any of these rights, email us at privacy@reservai.eu. We will respond within 30 days.

You also have the right to lodge a complaint with the Romanian data protection authority: ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal) at www.dataprotection.ro

11. Children's Privacy

ReservAI is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal data, please contact us at privacy@reservai.eu and we will promptly delete it.

12. Cookies & Local Storage

ReservAI uses only essential cookies required to operate the service:

• Session cookie — Authenticates your login session (HttpOnly, Secure, expires after 24 hours or 7 days with "Keep me signed in")

We do not use analytics cookies, advertising cookies, or third-party tracking cookies. We do not use browser fingerprinting.

13. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights, we will notify the ANSPDCP within 72 hours as required by GDPR Article 33. If the breach is likely to result in a high risk to you, we will also notify you directly via email without undue delay.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. If we make significant changes that affect how your data is processed, we will notify you via email. Continued use of the service after changes constitutes acceptance of the updated policy.

15. Contact

For any questions about this Privacy Policy, your personal data, or to exercise your rights, contact us:

• Email: privacy@reservai.eu
• Website: www.reservai.eu