Privacy Policy

This Privacy Policy explains how ServeStack ("Company," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the ServeStack conversational ordering platform, our merchant dashboard, our websites, APIs, mobile applications, and any related services (the "Services"). This Policy applies to (i) Merchants and their personnel who use the dashboard and administrative tools, (ii) Customers who place orders through ServeStack-powered numbers, and (iii) visitors to our websites.

1. Our Role

When Customers interact with the Services to place orders, ServeStack acts as a controller (or "business") of the information needed to operate the ordering platform and as a service provider/processor for information handled on behalf of a Merchant for order fulfillment. When Merchants use the dashboard, we act as a controller for account, billing, and platform operations, and as a processor for order, menu, and customer data processed on the Merchant's behalf. Each Merchant is responsible for its own privacy practices with respect to its customers.

2. Information We Collect

2.1 Information Customers Provide

• Mobile phone number, collected when a Customer initiates a text message conversation;
• Order details, including items selected, quantities, modifications, and special instructions;
• Location information, including GPS coordinates shared during an ordering session to identify the nearest participating Merchant;
• Delivery or pickup address, when provided;
• Payment information, processed by our third-party payment processors; we do not store full card numbers;
• Optional profile information, such as name, dietary preferences, or saved addresses, if provided.

2.2 Information Merchants Provide

• Business information, such as legal entity name, locations, hours, tax identification, bank account and payout information;
• User and staff information, such as names, email addresses, phone numbers, roles, and access permissions;
• Menu, item, pricing, allergen, and other Merchant Content;
• Communications and support requests.

2.3 Information Collected Automatically

• Device and log information, such as IP address, browser type, operating system, referring URLs, and access timestamps;
• Usage information, such as pages viewed, features used, and actions taken in the dashboard;
• Message metadata, such as timestamps, delivery status, and carrier information;
• Cookies and similar technologies used to authenticate users, remember preferences, and analyze usage.

2.4 Information from Third Parties

We may receive information from third parties, including Twilio and other messaging providers (message delivery data), payment processors (transaction confirmation and risk signals), mapping and geocoding providers, point-of-sale and delivery integrations, identity verification providers, single sign-on providers, and fraud-prevention vendors.

3. How We Use Information

We use information to:

• Operate and provide the Services, including processing orders, routing them to the correct Merchant, and sending status updates;
• Authenticate users, manage access, and secure the Services;
• Process payments, payouts, refunds, chargebacks, and related accounting;
• Provide the merchant dashboard, including analytics, reporting, and staff and location management;
• Improve and train the conversational ordering experience, including our AI ordering agent, using de-identified or aggregated data where feasible;
• Communicate with you about the Services, including service announcements, security notices, and support;
• Detect, investigate, and prevent fraud, abuse, and violations of our Terms;
• Comply with legal obligations and respond to lawful requests;
• Establish, exercise, and defend legal claims.

We do not use Customer phone numbers or personal information for marketing or promotional messaging unless the Customer separately and explicitly opts in to such communications.

4. How We Share Information

We do not sell personal information. We share information only as described below:

4.1 With Merchants

When a Customer places an order, we share the Customer's order details and necessary contact information (such as phone number and pickup or delivery information) with the Merchant fulfilling the order. The Merchant's use of this information is governed by the Merchant's own privacy practices.

4.2 Within a Merchant Organization

Information in the dashboard is accessible to authorized users within the Merchant's organization based on their role and permissions. The Merchant's account Owner controls access and permissions.

4.3 Service Providers

We share information with vendors and service providers that help us operate the Services, including cloud hosting, payment processing, SMS and RCS delivery (including Twilio), mapping and geocoding, analytics, customer support, email delivery, e-signature, identity verification, and fraud prevention. These providers are contractually required to protect information and use it only for authorized purposes.

4.4 Legal and Safety

We may disclose information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of ServeStack, our users, or others.

4.5 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred to the successor entity, subject to this Policy or a substantially similar policy.

4.6 With Your Direction

We share information with additional third parties when directed by you, such as when you connect a third-party integration to the Services.

5. Location Data

When a Customer shares GPS location during an ordering session, we use it solely to identify the nearest participating Merchant and to route the order. We do not track Customer location continuously or outside of an active ordering conversation, and we do not share precise location with any party other than as needed to fulfill the order. Merchants may receive approximate or delivery-relevant location information as part of an order.

6. Cookies and Similar Technologies

Our websites and dashboard use cookies and similar technologies to authenticate users, remember preferences, measure performance, and analyze usage. You can control cookies through your browser settings. Disabling cookies may affect the functionality of the Services. Where required by law, we will request your consent for non-essential cookies.

7. Data Retention

We retain information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Representative retention periods include:

• Order records: retained for twenty-four (24) months for customer service, tax, and dispute resolution;
• Conversation logs: retained for twelve (12) months for quality assurance, AI improvement, and compliance;
• Merchant account records: retained for the duration of the subscription plus a reasonable period thereafter for legal and financial recordkeeping;
• Phone numbers and consent records: retained for the period required by applicable telecommunications law.

Customers may request deletion of their data at any time by emailing antonio_kodheli@icloud.com. Deletion requests are processed within thirty (30) days subject to legal retention requirements.

8. Security

We maintain administrative, technical, and physical safeguards designed to protect information, including encryption in transit, access controls, logging, and regular security reviews. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for safeguarding your account credentials and using strong authentication where available.

9. Your Rights and Choices

9.1 Messaging Opt-Out (Customers)

Customers may stop receiving text messages from ServeStack at any time by replying STOP to any message. Reply START to re-subscribe. Reply HELP for assistance.

9.2 Access, Correction, and Deletion

You may request access to, correction of, or deletion of your personal information by contacting antonio_kodheli@icloud.com. Merchants can update much of their information directly in the dashboard. Deletion requests will be processed within the timeframes required by applicable law, subject to legal retention obligations.

9.3 California Residents (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act, as amended by the CPRA, including the right to know what personal information we collect, the right to delete or correct personal information, the right to limit use of sensitive personal information, and the right to opt out of the sale or sharing of personal information. We do not sell personal information and we do not share it for cross-context behavioral advertising. To exercise your rights, contact antonio_kodheli@icloud.com.

9.4 Other U.S. State Rights

Residents of certain other U.S. states (for example, Virginia, Colorado, Connecticut, and Utah) may have similar rights. You may exercise these rights by contacting antonio_kodheli@icloud.com. We will respond within the timeframes required by applicable law.

9.5 Marketing Communications

Where we send marketing emails, you may opt out by following the unsubscribe instructions in those messages. We may still send you operational communications related to your account, orders, and the Services.

10. International Data Transfers

We operate primarily in the United States. If you access the Services from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States and other jurisdictions where we or our service providers operate. We take steps to ensure that transfers of personal information comply with applicable law.

11. Children's Privacy

The Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact antonio_kodheli@icloud.com so we can delete it.

12. Third-Party Links and Integrations

The Services may contain links to, or integrate with, third-party websites and services. This Policy does not apply to third-party services, and we encourage you to review their privacy practices before using them.

13. AI and Automated Processing

Our conversational ordering platform uses AI and machine learning to understand Customer messages and generate responses. We may use de-identified or aggregated conversation data to improve the accuracy and quality of our AI ordering agent. We do not use the content of Customer conversations to train third-party general-purpose AI models. We do not make automated decisions that produce legal or similarly significant effects about individuals without human involvement.

14. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will provide notice (for example, by email, by SMS to the phone number on record for Customers, or by posting a notice within the Services) before the changes take effect. The "Effective Date" at the top of this Policy indicates when it was last revised. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

15. Contact Us

ServeStack
Email: antonio_kodheli@icloud.com
Support: support@servestack.ai
Website: https://www.servestack.ai