Privacy Policy

1. Introduction

booteek AI Limited ("Company", "we", "us", "our") operates the booteek platform ("Service"). This Privacy Policy explains how we collect, use, process, and protect your personal data when you use our Service.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Legal Basis for Processing

We process personal data under the following legal bases:

• Contract Performance: To provide our Service and fulfill our contractual obligations
• Legitimate Interests: To improve our Service, prevent fraud, and ensure security
• Legal Obligation: To comply with applicable laws and regulations
• Consent: Where explicitly provided for specific processing activities

3. Data We Collect

3.1 Information You Provide Directly

• Account Information: Name, email address, phone number, business name
• Business Profile Data: Restaurant type, location, staff information (non-personal aggregated data only)
• Payment Information: Processed by Stripe (we do not store full payment card details)
• Communication Data: Support messages, feedback, and correspondence

3.2 Information Collected Automatically

• Usage Data: Pages visited, features used, time spent, click patterns
• Device Information: IP address, browser type, operating system, device identifiers
• Performance Data: Service performance metrics, error logs (anonymized)

3.3 Third-Party Platform Data

With your active use of the booteek Chrome Extension on platforms where you manage your venue, we collect the following publicly available review data so that you can aggregate, analyse, and respond to reviews from all your platforms in one place:

• Public reviews: Review text, star rating, relative publish date, and publicly-displayed reviewer name as shown on the platform (Google Business Profile, Google Maps, TripAdvisor, OpenTable, TheFork, Facebook, Instagram, SevenRooms, DesignMyNight). We only ingest reviews for venues you have linked in the extension.
• Owner responses: Your own published responses to reviews, so that the AI can learn your voice.
• Venue metadata: Business name, address, category, aggregate rating and review count, opening hours, photos, menu — sourced from Google Places API, Serper Maps, and SerpAPI.
• Google Business Profile data (optional): If you connect your GBP via OAuth, we access business information, listings, and review data with your explicit authorization.
• Analytics data: Website and extension usage statistics (anonymized where possible).

4. How We Use Your Data

4.1 Service Provision

• Provide and maintain the booteek platform
• Process your requests and transactions
• Generate AI-powered insights and recommendations
• Integrate with your Google Business Profile and other authorized platforms

4.2 Service Improvement

• Analyze usage patterns to improve features
• Develop new functionalities and services
• Conduct research and analytics (using anonymized data)
• Train and improve our AI models (using non-personal data only)

5. Chrome Extension Data Processing

The booteek Chrome Extension is installed on your own device and is designed to help you manage reviews across multiple platforms. Different categories of data are handled differently, and this section is authoritative for what the extension does and does not do.

5.1 Data stored on your device only

The following data never leaves your computer and is stored in Chrome's local extension storage:

• Your UI preferences (selected platforms, theme, dismissed notices)
• Your linked venue details after you confirm them (Place ID, business name, address, type, rating, review count)
• A list of review IDs the extension has already sent to our server, used only to avoid sending duplicates
• Response usage counter (how many AI responses you've used this month)

5.2 Data sent to booteek.ai servers

The following data is transmitted over HTTPS to our servers and stored in our database (hosted by Neon PostgreSQL in the EU) for the purposes described below:

• Venue search queries: When you search for your venue during onboarding, your query string and the resulting venue list are sent to our search endpoint. Country is inferred from your IP via Cloudflare's CF-IPCountry header to scope results to your country.
• Public reviews you view: When you visit a Google Maps page for your own linked venue, the extension reads the publicly-displayed review cards (reviewer name, rating, text, date, any published owner response) and sends them to our ingestion endpoint. We only ingest reviews for venues you have explicitly linked — we do not scrape other businesses you happen to browse.
• AI response generation requests: The text of a review you want to respond to, your venue ID, and any optional reviewer name or tone preferences you specify.
• Anonymous error telemetry: Generic error types and HTTP status codes (no personal data) if the extension encounters a bug.

5.3 What the extension does NOT do

• We do not track which websites you visit outside of the platforms explicitly listed in the extension's permissions.
• We do not read or transmit the content of any page other than review cards on your own linked venue's review platforms.
• We do not access your browser history, cookies, passwords, or any data from other extensions.
• We do not collect microphone, camera, or location data unless you actively opt in to voice recording for a specific feature.
• We do not sell, rent, or share any data with advertising networks or third-party marketers.

5.4 Chrome Extension permissions explained

• storage: Store your preferences and linked venue on your device.
• sidePanel: Display the booteek interface in Chrome's side panel.
• tabs: Open new tabs when you click links inside the extension.
• alarms: Periodically refresh your AI usage counter.
• offscreen: Required by Chrome for optional voice recording features.
• Host permissions for business.google.com, google.com/maps, tripadvisor.com, opentable.com, thefork.com, designmynight.com, sevenrooms.com, facebook.com, and instagram.com: these are the review platforms the extension injects into when you visit them. The extension only activates on pages that match these hostnames.

6. Sub-processors

To operate the Service, we share certain data with trusted third-party processors. Each processor is bound by contractual data protection obligations (GDPR Article 28) and only processes data on our instructions for the specific purposes listed below.

This list is kept current. We will update this Privacy Policy and notify affected users if we add or materially change a sub-processor that handles your personal data.

7. Data Security

7.1 Technical Measures

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access with multi-factor authentication
• Infrastructure Security: Industry-standard cloud security practices
• Regular Updates: Security patches and system updates

7.2 Organizational Measures

• Staff Training: Regular data protection and security training
• Access Limitation: Access to personal data limited to authorized personnel only
• Incident Response: Documented procedures for security incident response
• Vendor Management: Due diligence on all data processors

8. Your Data Protection Rights

Under GDPR, you have the following rights:

9. Data Retention

10. International Data Transfers

When transferring data outside the UK/EEA, we ensure adequate protection through:

• Adequacy Decisions: Transfers to countries with adequate protection findings
• Standard Contractual Clauses: EU-approved contract terms for data protection
• Certification Schemes: Providers with recognized data protection certifications

11. Cookies and Tracking

We use cookies and similar technologies for:

• Essential: Required for Service functionality
• Performance: Analytics to improve user experience
• Functional: Remember your preferences and settings
• Marketing: Deliver relevant advertisements (with consent)

12. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have violated data protection laws:

13. Contact Information

For privacy-related questions or to exercise your rights:

We will respond to all privacy inquiries within one month.