What we know and what we don't.

1. Who we are

[Fork Time Pty Ltd, ABN XXX XXX XXX] (Australia) and [Fork Time, Inc., a Delaware corporation] (United States) (together "Fork Time", "we", "us") are the controllers of personal data described in Sections 2–4 of this Policy.

For data we process on behalf of restaurants — primarily reservation guest data and call audio — restaurants are the data controllers and Fork Time is the data processor. The Data Processing Addendum (DPA) governs that relationship.

Contact us at privacy@forktime.ai. EU/UK customers may contact our representative at [representative address — TBD].

2. What data we collect

From restaurant operators (account data — Fork Time as controller)

• Name, work email, work phone, restaurant name, restaurant URL, role.
• Billing details processed by Stripe (we don't store card numbers).
• Login activity, IP address, device, browser, and other technical metadata.
• Support tickets, emails, and conversations with our team.

From guests calling, chatting, or being booked (guest data — Fork Time as processor)

• Phone number (caller ID), and any name or party-size details given during the booking.
• Audio recording and transcript of the call.
• Booking metadata: date, time, party size, dietary notes, callback messages.
• Web-chat transcripts and ChatGPT-bridge messages.

From the website itself (visitor data — Fork Time as controller)

• Pages visited, referrer, broad geolocation (city level), device and browser.
• First-party analytics cookies for traffic measurement.
• If you fill the contact form: name, email, restaurant, message.

3. How we use this data

Account data is used to provide the Service, bill you, support you, communicate product changes, and prevent fraud or abuse.

Guest data is used only to deliver the booking, confirm the reservation by SMS/email, hand off to your reservation system, and (in aggregated form) to improve voice quality and AI accuracy. We don't sell guest data, we don't use it for advertising, and we don't train third-party models on identifiable guest content.

Visitor data is used to understand which marketing pages convert and to improve the site. We don't run third-party advertising trackers.

4. Legal bases (GDPR / UK GDPR)

If you are in the EU or UK, our legal bases are:

• Contract: account data is necessary to deliver the Service you signed up for.
• Legitimate interests: security logging, fraud prevention, product improvement, aggregated analytics — balanced against your rights and freedoms.
• Consent: non-essential cookies and any optional marketing emails. You can withdraw consent at any time.
• Legal obligation: tax, accounting, and law-enforcement requests.

For guest data we process on behalf of restaurants, the restaurant's lawful basis applies; ours is the processor relationship under the DPA.

5. Subprocessors & third parties

We use the following subprocessors to deliver the Service. The list is updated when material changes occur; we'll notify customers in advance of new categories of subprocessors.

• Twilio (US) — voice / SMS infrastructure for the AI phone line.
• ElevenLabs (US) — synthetic-voice generation for the AI host.
• OpenAI and/or Anthropic (US) — large language models for understanding caller intent and drafting responses. We use enterprise / no-training endpoints; provider does not train on our data.
• Stripe (US/IE) — payment processing for subscriptions.
• [AWS / GCP — region TBD] — application hosting and database storage. Primary regions: [ap-southeast-2 Sydney, us-west-2 Oregon].
• Cloudflare (US) — CDN, DDoS protection, edge caching.
• SendGrid or equivalent (US) — transactional email (booking confirmations, account emails).
• CloudWaitress and other reservation/POS systems you choose to connect — used only to deliver bookings into your existing tools.

We do not sell personal data and we don't share it with advertisers or data brokers.

6. International data transfers

Personal data may be transferred between Australia, the United States, and (depending on your hosting region) the EU. For EU/UK transfers we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented with our internal technical and organisational measures.

For Australian data, transfers comply with Australian Privacy Principle 8 (cross-border disclosure).

7. Retention

• Account data: kept for as long as your account is active, plus 7 years for tax/accounting after closure (or shorter where required by local law).
• Call audio: retained for 30 days by default, then automatically deleted. Customers on higher tiers may configure retention up to 12 months.
• Call transcripts & booking data: retained for 12 months by default; deleted on account closure within 90 days unless legal hold applies.
• Web analytics: raw logs for 30 days; aggregated metrics indefinitely.
• Marketing emails: until you unsubscribe.

8. Security

We protect personal data with industry-standard measures: TLS 1.2+ in transit, AES-256 at rest, role-based access control, audit logging, MFA on all internal accounts, principle-of-least-privilege subprocessor access. We're working toward SOC 2 Type II and will publish the report when ready.

No system is perfectly secure. If we detect a breach affecting your personal data, we'll notify you without undue delay and (where required) within 72 hours per GDPR.

9. Your rights

Subject to your jurisdiction, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your data ("right to be forgotten" under GDPR; "right to deletion" under CCPA/CPRA).
• Port your data to another provider in a structured, commonly used format.
• Restrict or object to certain processing.
• Opt out of any automated decision-making with legal effects (we don't currently do this — humans review escalations).
• Withdraw consent at any time without affecting prior lawful processing.
• Lodge a complaint with a supervisory authority — the Office of the Australian Information Commissioner (OAIC), the UK Information Commissioner's Office (ICO), an EU data protection authority, or the California Privacy Protection Agency (CPPA), as applicable.

To exercise any right, email privacy@forktime.ai. We'll respond within 30 days. We may need to verify your identity.

If your data is held by Fork Time on behalf of a restaurant (e.g. you're a guest who made a booking), please contact the restaurant first; we'll cooperate with their response.

10. CCPA / CPRA notice (California residents)

In the past 12 months, Fork Time has collected the categories of personal information described in Section 2 from the sources described there, for the purposes described in Section 3. We do not sell or share personal information for cross-context behavioural advertising.

You have the right to know, delete, correct, and limit the use of sensitive personal information. We do not discriminate against you for exercising these rights. To submit a request, email privacy@forktime.ai or call [+1-XXX-XXX-XXXX].

11. Cookies & similar technologies

We use a small number of cookies:

• Strictly necessary — session and CSRF cookies required to keep you logged in.
• Functional — remember your preferences (e.g. theme, language).
• Analytics — first-party measurement of which pages convert. No cross-site advertising.

You can clear cookies at any time via your browser settings. We don't currently set non-essential cookies that require explicit consent under the EU ePrivacy Directive — when we do, you'll see a banner.

12. Children's privacy

The Service is not intended for children under 16. We don't knowingly collect personal data from children. If a child's data has been collected (e.g. as a guest of a restaurant), parents/guardians may request deletion via privacy@forktime.ai.

13. AI & voice-specific notes

Calls answered by Fork Time are recorded and transcribed. Restaurants are responsible (under our Terms) for ensuring their call disclosures comply with local recording laws.

The synthetic voices used by the AI host are licensed from ElevenLabs and represent voice actors who consented to the cloning — they are not biometric data of your guests. Caller voice audio is processed for transcription and not used to identify or biometrically profile callers.

We don't share guest call recordings with the underlying LLM providers; we send only the transcript text needed to generate a response, via no-training enterprise endpoints.

14. Changes to this policy

We may update this Policy from time to time. Material changes will be announced by email and on the website at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

15. Contact

Privacy questions: privacy@forktime.ai. General support: support@forktime.ai.

Postal:

• Australia: [Fork Time Pty Ltd, address — Brisbane, QLD]
• United States: [Fork Time, Inc., address — Seattle, WA]

— The Fork Time team · Brisbane & Seattle