Privacy Policy

1. Introduction

booteek AI Limited ("Company", "we", "us", "our") operates the booteek platform ("Service"). This Privacy Policy explains how we collect, use, process, and protect your personal data when you use our Service.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Legal Basis for Processing

We process personal data under the following legal bases:

• Contract Performance: To provide our Service and fulfill our contractual obligations
• Legitimate Interests: To improve our Service, prevent fraud, and ensure security
• Legal Obligation: To comply with applicable laws and regulations
• Consent: Where explicitly provided for specific processing activities

3. Data We Collect

3.1 Information You Provide Directly

• Account Information: Name, email address, phone number, business name
• Business Profile Data: Restaurant type, location, staff information (non-personal aggregated data only)
• Payment Information: Processed by Stripe (we do not store full payment card details)
• Communication Data: Support messages, feedback, and correspondence

3.2 Information Collected Automatically

• Usage Data: Pages visited, features used, time spent, click patterns
• Device Information: IP address, browser type, operating system, device identifiers
• Performance Data: Service performance metrics, error logs (anonymized)

3.3 Third-Party Platform Data

With your active use of the booteek Chrome Extension on platforms where you manage your venue, we collect the following publicly available review data so that you can aggregate, analyse, and respond to reviews from all your platforms in one place:

• Public reviews: Review text, star rating, relative publish date, and publicly-displayed reviewer name as shown on the platform (Google Business Profile, Google Maps, TripAdvisor, OpenTable, TheFork, Facebook, Instagram, SevenRooms, DesignMyNight). We only ingest reviews for venues you have linked in the extension.
• Owner responses: Your own published responses to reviews, so that the AI can learn your voice.
• Venue metadata: Business name, address, category, aggregate rating and review count, opening hours, photos, menu — sourced from Google Places API, Serper Maps, and SerpAPI.
• Google Business Profile data (optional): If you connect your GBP via OAuth, we access business information, listings, and review data with your explicit authorization.
• Analytics data: Website and extension usage statistics (anonymized where possible).

3.5 AI Knowledge Base (RAG System)

Our platform operates an AI knowledge base using Retrieval-Augmented Generation (RAG) technology, which enables our AI tools — including breo, the Review Response Generator, and the donde-onde-where.com venue discovery platform — to generate contextually relevant outputs.

The AI knowledge base stores anonymised and/or pseudonymised text passages derived from: (a) publicly available hospitality job postings from UK and EU job boards; (b) publicly available venue, city intelligence, and hospitality market data; and (c) review content processed in connection with our Clients' businesses, anonymised as described in Section 3.4 above.

Text passages are converted into vector embeddings using OpenAI's text embedding service (see Section 3.3.1). Embeddings are stored in our database and used to retrieve relevant context when generating AI outputs. Raw review text is discarded post-embedding — embeddings do not contain human-readable source text.

4. How We Use Your Data

4.1 Service Provision

• Provide and maintain the booteek platform
• Process your requests and transactions
• Generate AI-powered insights and recommendations
• Integrate with your Google Business Profile and other authorized platforms

4.2 Service Improvement

• Analyze usage patterns to improve features
• Develop new functionalities and services
• Conduct research and analytics (using anonymized data)
• Generate vector embeddings of review content to power semantic search and AI response generation (review text is transmitted to OpenAI's API for this purpose — see Section 3.3.1)
• Analyse aggregated, anonymised usage patterns to improve platform features (we do not use individual customer data or review content to train external AI models)

5. Chrome Extension Data Processing

The booteek Chrome Extension is installed on your own device and is designed to help you manage reviews across multiple platforms. Different categories of data are handled differently, and this section is authoritative for what the extension does and does not do.

5.1 Data stored on your device only

The following data never leaves your computer and is stored in Chrome's local extension storage:

• Your UI preferences (selected platforms, theme, dismissed notices)
• Your linked venue details after you confirm them (Place ID, business name, address, type, rating, review count)
• A list of review IDs the extension has already sent to our server, used only to avoid sending duplicates
• Response usage counter (how many AI responses you've used this month)

5.2 Data sent to booteek.ai servers

The following data is transmitted over HTTPS to our servers and stored in our database (hosted by Neon PostgreSQL in the EU) for the purposes described below:

• Venue search queries: When you search for your venue during onboarding, your query string and the resulting venue list are sent to our search endpoint. Country is inferred from your IP via Cloudflare's CF-IPCountry header to scope results to your country.
• Public reviews you view: When you visit a Google Maps page for your own linked venue, the extension reads the publicly-displayed review cards (reviewer name, rating, text, date, any published owner response) and sends them to our ingestion endpoint. We only ingest reviews for venues you have explicitly linked — we do not scrape other businesses you happen to browse.
• AI response generation requests: The text of a review you want to respond to, your venue ID, and any optional reviewer name or tone preferences you specify.
• Anonymous error telemetry: Generic error types and HTTP status codes (no personal data) if the extension encounters a bug.

5.3 What the extension does NOT do

• We do not track which websites you visit outside of the platforms explicitly listed in the extension's permissions.
• We do not read or transmit the content of any page other than review cards on your own linked venue's review platforms.
• We do not access your browser history, cookies, passwords, or any data from other extensions.
• We do not collect microphone, camera, or location data unless you actively opt in to voice recording for a specific feature.
• We do not sell, rent, or share any data with advertising networks or third-party marketers.

5.4 Chrome Extension permissions explained

• storage: Store your preferences and linked venue on your device.
• sidePanel: Display the booteek interface in Chrome's side panel.
• tabs: Open new tabs when you click links inside the extension.
• alarms: Periodically refresh your AI usage counter.
• offscreen: Required by Chrome for optional voice recording features.
• Host permissions for business.google.com, google.com/maps, tripadvisor.com, opentable.com, thefork.com, designmynight.com, sevenrooms.com, facebook.com, and instagram.com: these are the review platforms the extension injects into when you visit them. The extension only activates on pages that match these hostnames.

6. Sub-processors

To operate the Service, we share certain data with trusted third-party processors. Each processor is bound by contractual data protection obligations (GDPR Article 28) and only processes data on our instructions for the specific purposes listed below.

This list is kept current. We will update this Privacy Policy and notify affected users if we add or materially change a sub-processor that handles your personal data.

7. Data Security

7.1 Technical Measures

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access with multi-factor authentication
• Infrastructure Security: Industry-standard cloud security practices
• Regular Updates: Security patches and system updates

7.2 Organizational Measures

• Staff Training: Regular data protection and security training
• Access Limitation: Access to personal data limited to authorized personnel only
• Incident Response: Documented procedures for security incident response
• Vendor Management: Due diligence on all data processors

8. Your Data Protection Rights

Under GDPR, you have the following rights:

9. Data Retention

10. International Data Transfers

Certain sub-processors are located outside the UK/EEA. Transfers are protected by the following mechanisms:

• Standard Contractual Clauses (SCCs): Used for transfers to US-based processors including OpenAI (vector embedding generation), Serper, SerpAPI, and Stripe. EU-approved SCCs provide a contractual guarantee of adequate data protection.
• Adequacy decisions: Where transfers are to countries with an adequacy finding, no additional mechanism is required.
• Certification schemes: Where relevant, providers hold recognized data protection certifications (e.g. ISO 27001) as a supplementary safeguard.

OpenAI specifically: Review text passages are transmitted to OpenAI's API (hosted in the US) for vector embedding generation. This transfer is covered by OpenAI's API Data Processing Agreement and EU SCCs. OpenAI's API product does not use customer-submitted data for model training.

11. Cookies and Tracking

We use cookies and similar technologies for:

• Essential: Required for Service functionality
• Performance: Analytics to improve user experience
• Functional: Remember your preferences and settings
• Marketing: Deliver relevant advertisements (with consent)

12. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have violated data protection laws:

13. Contact Information

For privacy-related questions or to exercise your rights:

We will respond to all privacy inquiries within one month.

14. donde-onde-where.com Supplementary Notice

donde-onde-where.com (DOW) is an AI-powered venue discovery platform operated by booteek AI Limited. This notice supplements the main Privacy Policy for visitors to that site.

• Venue data: DOW ranks hospitality venues based on publicly available review data (aggregate ratings, review counts) sourced from Google via SerpAPI. Aggregate scores and ranking positions are displayed publicly.
• Anonymised review excerpts: DOW zone pages may display short, curated excerpts derived from public Google reviews. These excerpts are selected and anonymised by automated AI processing — no reviewer names, profile links, or identifying information are displayed alongside them.
• Reviewer identities: Individual reviewer identities are never displayed on DOW. Reviewer names are stored as initials internally and are not surfaced publicly.
• Visitor analytics: DOW collects standard anonymised website analytics (page views, session duration, device type, approximate country). No personal profiling is conducted on DOW visitors.
• Venue operators: Venue operators whose venues appear on DOW may contact privacy@booteek.ai to update business information, correct inaccuracies, or request removal from the platform.

DOW is a proof-of-concept platform demonstrating AI visibility optimization. It does not offer subscription services and does not collect payment data from venue discovery users.