Privacy Policy

1. Who we are

GuestBrain.ai is operated by Benelux Foods Ltd, registered in Bulgaria, with offices at Ulitsa Ivan Radoev 1A, 1700 Sofia, Bulgaria. We provide AI-powered messaging automation services for restaurants and hospitality businesses.

For privacy questions, contact us at: privacy@getguestbrain.net or via WhatsApp at +359 877 088 933.

2. What data we collect

2.1 Account data (restaurant owners)

• Email address and password (hashed)
• Business name, address, phone number, website
• Business hours, menu information, delivery details
• Facebook Page access tokens (encrypted)
• Billing information (processed by Stripe — we never store card numbers)

2.2 Guest data (your customers who message you)

• Sender ID from Facebook/Instagram/WhatsApp (a numeric identifier, not a name)
• Message content and timestamps
• Channel used (Messenger, Instagram, WhatsApp, Viber)
• First and last contact date

2.3 Usage data

• Number of messages processed
• AI response logs for quality improvement
• Dashboard usage analytics

3. How we use your data

• To provide the service — processing messages, generating AI replies, storing conversation history
• To improve the AI — analysing message patterns to improve response quality
• To send you notifications — new signup alerts, system updates, billing reminders
• To comply with legal obligations — tax records, regulatory requirements

We never sell your data or your guests' data to third parties. We never use your data for advertising.

4. Data sharing

We share data only with the following service providers, strictly for operating the service:

• Supabase — database hosting (EU servers)
• Cloudflare — infrastructure and CDN
• Meta (Facebook) — Messenger, Instagram and WhatsApp API integration
• Stripe — payment processing
• Vapi / Twilio — voice call processing

All providers are GDPR-compliant and operate under Data Processing Agreements.

5. Data retention

• Active accounts — data retained for the duration of the subscription
• Cancelled accounts — data deleted within 30 days of cancellation
• Message logs — retained for 12 months, then automatically deleted
• Billing records — retained for 7 years as required by Bulgarian tax law

6. Your rights under GDPR

As a data subject, you have the right to:

• Access — request a copy of all data we hold about you
• Rectification — correct inaccurate data
• Erasure — request deletion of your data ("right to be forgotten")
• Portability — receive your data in a machine-readable format
• Objection — object to processing of your data
• Restriction — request we limit processing of your data

To exercise any of these rights, contact us at privacy@getguestbrain.net. We respond within 30 days.

7. Cookies

Our website uses minimal cookies:

• Essential cookies — for login sessions and security (cannot be disabled)
• Analytics cookies — anonymous usage statistics via Google Analytics (can be disabled)

We do not use advertising or tracking cookies.

8. Security

We protect your data using industry-standard security measures including:

• All data encrypted in transit (HTTPS/TLS)
• Database encryption at rest
• Access tokens stored encrypted
• Regular security audits
• Two-factor authentication available for all accounts

9. Children's privacy

GuestBrain.ai is a business tool and is not intended for use by anyone under 18. We do not knowingly collect data from minors.

10. Changes to this policy

We may update this policy from time to time. We will notify you of significant changes via email. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Complaints

If you have concerns about how we handle your data, you can contact the Bulgarian Commission for Personal Data Protection (CPDP) at www.cpdp.bg or the relevant supervisory authority in your EU member state.