Privacy Policy

Effective as of April 4, 2026

This Privacy Policy describes how DinePro ("DinePro," "we," "us," or "our") collects, uses, shares, and protects your personal information when you visit our website (dinepro.io), use our QR-code-based ordering platform, or interact with our services. It applies to restaurant operators, their staff, and guests (diners) who place orders through DinePro.

1. Personal Information We Collect

We collect personal information in the following categories, depending on how you interact with DinePro:

Information you provide directly

  • Account data. When a restaurant operator signs up for DinePro, we collect the restaurant name, contact name, email address, phone number, and login credentials (hashed PIN).
  • Staff data. Names, phone numbers, roles, and push notification device tokens for restaurant staff who use the DinePro staff app.
  • Guest check-in data. When guests check in via QR code or kiosk, we collect their name, phone number, and party size.
  • Order data. Menu items selected, quantities, modifiers, special instructions, and order totals.
  • Payment data. Transaction amounts, payment status, and tip amounts. We do not store payment card numbers — all card data is handled directly by Square.
  • Communications. Messages you send through our contact forms, support channels, or in-app chat with the AI assistant.

Information collected automatically

  • Device data. Browser type and version, operating system, screen resolution, and device type (mobile, tablet, desktop).
  • Usage data. Pages visited, features used, session duration, and interaction patterns within the ordering interface.
  • Network data. IP address, approximate location (city/region level, derived from IP), and referring URL.
  • Cookie data. Essential session cookies for maintaining your ordering session. See Section 9 (Cookies and Tracking) for details.

Information from third parties

  • Square POS. Order fulfillment status, payment confirmation, and refund data synced from the restaurant's Square account.
  • Twilio. SMS delivery status and inbound message content (e.g., STOP/HELP keyword responses).

2. How We Use Your Personal Information

We use the personal information we collect for the following purposes:

To provide and operate our services

  • Process and fulfill restaurant orders placed through the platform
  • Facilitate payments between guests and restaurants via Square
  • Send transactional SMS messages (e.g., ordering links, queue updates) with your consent
  • Deliver real-time notifications to restaurant staff about new orders and help requests
  • Maintain and restore your ordering session across page refreshes

To improve and develop our services

  • Analyze usage patterns to improve the ordering experience
  • Monitor AI assistant performance and response quality
  • Debug technical issues and ensure platform reliability
  • Develop new features based on aggregated, anonymized usage data

To communicate with you

  • Send service-related communications (order confirmations, account updates)
  • Respond to support requests and inquiries
  • Send marketing communications only with your explicit opt-in consent

To ensure safety and compliance

  • Prevent fraud, abuse, and unauthorized access to our systems
  • Comply with legal obligations and respond to lawful requests
  • Enforce our Terms of Service and Acceptable Use Policy

3. AI and Conversation Data

DinePro uses AI technology powered by the Anthropic Claude API to provide a conversational ordering experience for restaurant guests.

What data is sent to the AI

When a guest chats with DinePro to place an order, the conversation content — including menu selections, dietary preferences, order modifications, and general questions — is sent to Anthropic's API for processing. The restaurant's menu data and relevant context (table number, restaurant name) are also included to generate accurate responses.

How conversation data is handled

  • Purpose limitation. Conversation data is used solely to generate responses during the active ordering session. DinePro does not use conversation data to train AI models.
  • Zero-retention API. Anthropic processes this data under a zero-retention API agreement and does not store or use it for model training.
  • AI disclosure. The chat interface clearly identifies the assistant as an AI (not a human) in compliance with California SB 1001 and the EU AI Act.
  • Allergen safety. The AI assistant always defers food allergy and dietary restriction questions to restaurant staff and displays a persistent disclaimer in the chat interface.

Retention of conversation data

Order details derived from AI conversations are stored by DinePro for fulfillment purposes. Conversation message history is automatically deleted after 90 days. See Section 8 (Data Retention) for complete retention schedules.

4. POS Integration and Data Flow

DinePro integrates with Square POS to process orders and payments. Understanding this data flow is important to your privacy.

Data sent to Square

When an order is placed, the following data is transmitted to Square for processing:

  • Menu items, quantities, and modifiers
  • Transaction amounts (subtotal, tax, tips)
  • Order reference identifiers

Payment security

  • PCI DSS Level 1. Square is PCI DSS Level 1 certified — the highest level of payment security certification.
  • No card data access. DinePro does not have access to full payment card numbers at any point in the transaction flow. All card data is handled directly by Square's secure payment infrastructure.
  • Square's privacy policy. Square processes payment data under its own privacy policy, available at squareup.com/legal/privacy.

5. SMS Communications and Consent

DinePro sends SMS messages in connection with the restaurant check-in and ordering flow.

Types of SMS messages

  • Transactional SMS. With your consent at check-in, we send a one-time text message containing your ordering link when your table is ready. Message and data rates may apply.
  • Marketing SMS. Only sent with separate, explicit opt-in consent. You may receive promotions and updates from the specific restaurant you visited. You can opt out at any time by replying STOP.

Your SMS choices

  • STOP. Reply STOP to any DinePro SMS to immediately unsubscribe from all non-essential messages.
  • HELP. Reply HELP for support information and contact details.

We check opt-out status before sending any SMS. If you have opted out, we will not send marketing messages. Transactional messages essential to an active ordering session may still be sent where legally permitted.

6. How We Share Your Personal Information

We do not sell your personal information. We share data only with the following categories of recipients, and only as necessary to operate DinePro:

  • Payment processor (Square). Order details and transaction amounts for payment processing and kitchen fulfillment.
  • AI provider (Anthropic). Conversation content for generating AI ordering assistant responses, under a zero-retention agreement.
  • SMS provider (Twilio). Phone numbers and message content for delivering transactional and marketing SMS messages.
  • Cloud infrastructure (AWS). All platform data is hosted on AWS infrastructure, encrypted at rest and in transit.
  • Billing provider (Stripe). Restaurant operator billing information for subscription payment processing.
  • Push notifications (Expo). Device tokens and notification content for delivering alerts to the staff mobile app.
  • Analytics (Plausible). Privacy-focused, cookie-free website analytics on dinepro.io. No personal data is collected.

For a complete list of sub-processors with their purposes, data categories, and processing locations, see our Sub-Processor Disclosure page.

We may also disclose information if required by law, to protect our rights, or to prevent fraud or abuse of our services.

7. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit. All data transmitted between your device and DinePro servers is encrypted using TLS 1.2+.
  • Encryption at rest. Data stored in our databases is encrypted at rest using AES-256.
  • HttpOnly cookies. Session cookies are set with HttpOnly, Secure, and SameSite=Lax flags to prevent cross-site attacks.
  • Payment isolation. Payment processing is handled entirely by Square (PCI DSS Level 1 certified). DinePro never accesses full card numbers.
  • Access controls. Role-based access controls limit data access to authorized personnel only.

While we take reasonable precautions, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your data.

8. Data Retention

We retain your information only as long as necessary for the purposes described in this policy. Our retention periods are:

  • Account information. Retained for as long as the restaurant operator's account is active, or as needed to provide services.
  • Order history. Retained for up to 24 months for analytics, support, and financial reporting purposes.
  • Conversation messages. Automatically deleted after 90 days.
  • Waitlist entries. Automatically deleted after 30 days.
  • Inactive customer records. Customer records with no session activity are automatically purged after 24 months.

Requesting data deletion

You may request deletion of your personal data at any time by:

  • Using our self-service data deletion API (DELETE /api/v1/privacy/delete-my-data)
  • Contacting us at privacy@dinepro.io

We will process deletion requests within 30 days, subject to any legal obligations to retain certain records. Deletion cascades through all associated data: conversation messages, session records, waitlist entries, and customer records.

9. Cookies and Tracking

Essential cookies (ordering app)

The DinePro ordering interface uses only essential cookies, which maintain your session:

  • session_id. Identifies your active ordering session. HttpOnly, Secure, SameSite=Lax. Expires after 24 hours.
  • participant_id. Identifies you within a shared table session. Same security attributes. Expires after 24 hours.

These cookies are strictly necessary for the service to function and do not require consent.

Analytics cookies (marketing website)

Our marketing website (dinepro.io) uses Google Analytics, which sets non-essential tracking cookies. These cookies are only loaded after you explicitly accept cookies via our consent banner. If you reject cookies, no analytics tracking occurs.

We also use Plausible Analytics, a privacy-focused analytics tool that does not use cookies and does not collect personal data.

No advertising cookies

We do not use third-party advertising cookies or trackers, and we do not sell data to advertisers.

10. Your Rights Under the CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to know. You have the right to know what personal information we collect, use, and disclose about you.
  • Right to delete. You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to opt out. You have the right to opt out of the sale of your personal information. DinePro does not sell personal information.
  • Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA rights.

To exercise your CCPA rights, contact us at privacy@dinepro.io. We will verify your identity before processing your request and respond within 45 days.

11. Your Rights Under the GDPR (EEA/UK Residents)

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your personal data under the following lawful bases:

  • Contractual necessity. To provide the ordering service you requested (processing orders, maintaining sessions).
  • Legitimate interest. To improve our services, prevent fraud, and ensure platform security.
  • Consent. For optional marketing communications and non-essential analytics cookies.

Your data rights

Under the GDPR, you have the right to:

  • Access. Request a copy of your personal data.
  • Rectification. Correct inaccurate or incomplete personal data.
  • Erasure. Request deletion of your personal data ("right to be forgotten").
  • Restrict processing. Limit how we use your data in certain circumstances.
  • Data portability. Receive your data in a structured, machine-readable format.
  • Object. Object to processing based on legitimate interest.
  • Withdraw consent. Withdraw consent for marketing communications at any time.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. You may also contact our Data Protection Officer at privacy@dinepro.io.

12. International Data Transfers

DinePro is based in the United States. If you access our services from outside the US, your personal data will be transferred to and processed in the United States.

For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and we ensure our sub-processors maintain equivalent safeguards. See our Sub-Processor Disclosure page for processing locations.

13. Children's Privacy

DinePro is not directed to children under 13. We do not knowingly collect personal information from children under 13. When DinePro is used in kiosk mode, we display a notice that the service is intended for users 13 and older and that a parent or guardian should complete check-in for minors.

If you believe we have inadvertently collected information from a child under 13, please contact us at privacy@dinepro.io and we will promptly delete it.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on this page and updating the "Effective as of" date at the top.

Your continued use of DinePro after changes are posted constitutes acceptance of the updated policy. We encourage you to review this page periodically.

15. How to Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about our data practices, you can reach us at:

  • Email. privacy@dinepro.io
  • Data deletion requests. privacy@dinepro.io or use our self-service API
  • Website. dinepro.io/contact

Last updated: April 4, 2026