Privacy Policy

We respect your privacy and are committed to protecting it. This privacy policy (“Policy”) explains what personal data we collect, how we use it, and the rights you have.

This Policy applies to the Elyra restaurant table-management platform, our AI booking channels (including phone agent, email agent, web widget, and other agents), and any related products or services that reference this Policy (collectively, the “Services”). It does not apply to services we do not control or to individuals we do not manage.

This Policy is a legally binding agreement between you (“User,” “you,” or “your”) and Elyra, Inc. (“Elyra,” “we,” “us,” or “our”), 1111B S Governors Ave # 53156, Dover, DE 19904, United States. If you accept this Policy on behalf of a business, you confirm you are authorized to do so.

Controller (when we decide purposes/means): We act as data controller for our own operations (e.g., your Elyra account, billing, platform security, product analytics, and our marketing).

Processor (on behalf of restaurants): When a restaurant uses Elyra to manage bookings, we typically act as data processor and the restaurant is the data controller for diner data collected via our dashboard, AI phone/email agents, widget, and integrations—unless we say otherwise in a data processing agreement (DPA).

Contact: info@elyrasystems.com (Subject: “Privacy”) | Postal: Elyra, Inc., 1111B S Governors Ave # 53156, Dover, DE 19904, United States.

You can use parts of the Services without identifying yourself. If you choose certain features or create an account, we may ask for personal data. We collect data you provide, data generated by your use of the Services, and data from third-party sources (e.g., restaurants, integrations, or publicly available records).

Examples of data we may process (as applicable):

• Account & profile: name, role, restaurant name, email, password, phone, country.
• Contact & communications: emails, messages, call metadata; with our AI phone/email agents we may process call audio, transcripts, and voicemail.
• Booking & venue data: party size, date/time, seating preferences, notes, special requests (which may include dietary restrictions/allergies you choose to share).
• Payment & transactions: billing details, payment method token, invoices. Card data is processed by Stripe; we do not store full card numbers or CVV.
• Device/usage data: IP address, device identifiers, app version, browser type, language, time zone, crash logs, performance and interaction events.
• Location data: approximate location derived from IP; precise device geolocation only with your consent.
• Publicly available business data: business address, phone, email, social profiles.

You may choose not to provide certain data, but some features may then be unavailable.

Special categories: If you voluntarily share health-related information (e.g., allergies), we process it only as necessary to provide the requested service (e.g., inform the restaurant) and in accordance with applicable law and your instructions/consent.

We process personal data only where a legal basis applies:

• Provide and operate the Services: create and manage accounts; enable bookings, confirmations, modifications, and cancellations; power AI agents to capture requests and route them to the restaurant per your/its rules; provide support.
• Communications: send administrative messages, service updates, security alerts, and—where required—marketing with your consent (you can opt out).
• Payments: process subscriptions, usage fees, deposits, no-show fees (via processors like Stripe).
• Safety, security, and fraud prevention: protect accounts and our platform; detect abuse or anomalous activity; prevent fake bookings or chargeback fraud.
• Analytics, service improvement, and training: analyze aggregated or pseudonymized usage data to improve reliability and features (including our AI agents and speech/email understanding). Where law requires consent for certain analytics/cookies, we will rely on consent.
• Compliance and enforcement: comply with law and respond to lawful requests; enforce terms; resolve disputes.
• Other purposes with your consent: we will ask before using data for a materially different purpose.

Automated decisions: Our AI agents assist with booking intake and routing. We do not make decisions with legal or similarly significant effects solely by automated means.

Within the App or via support, you can access, update, or delete certain profile and booking data. If you delete information, we may retain necessary records for legal, security, accounting, or contractual reasons and for the periods stated below.

We share data only as needed and subject to appropriate safeguards:

• Restaurants (controllers): Diner booking details and related communications are shared with the restaurant you are booking with, so they can seat and serve you and enforce their policies.
• Service providers (processors): cloud hosting, telecom/SMS, email delivery, call handling/transcription, analytics, error monitoring, customer support, and payment processing (e.g., Stripe). Providers may process data only under our instructions and must protect it appropriately.
• Integrations/partners (separate controllers or processors): POS, CRM, or channel partners you or the restaurant choose to connect. Their use of data follows their own privacy terms.
• Corporate transactions: if we undergo a merger, acquisition, or asset sale, data may transfer as part of the transaction.
• Legal and safety: to comply with law, respond to lawful requests, protect rights, safety, and security, and prevent fraud or abuse.

We do not sell your personal data.

Our Services are hosted in the United States. If we transfer data outside the country of collection (e.g., to service providers in other regions), we use lawful transfer mechanisms such as Standard Contractual Clauses and apply additional safeguards as appropriate.

We keep personal data only as long as necessary for the purposes described here:

• Account/contract data: for the term of your account/contract and a reasonable period thereafter for record-keeping, dispute resolution, and legal compliance.
• Bookings and communications: for operational needs and audit/security, then archived or anonymized where feasible.
• Payment records: as required by tax and financial laws.

When retention ends, we delete or anonymize data. Aggregated data that no longer identifies you may be retained for analytics.

Subject to conditions and exceptions in applicable law (including applicable U.S. state privacy laws and, where applicable, the GDPR), you may have the right to:

• Access your personal data;
• Rectify inaccurate data;
• Erase data (“right to be forgotten”);
• Restrict processing;
• Object to processing based on legitimate interests or to direct marketing;
• Portability of data you provided;
• Withdraw consent at any time (does not affect prior processing);
• Opt out of the sale or sharing of personal data (we do not sell personal data, but you may exercise this right if applicable law requires it);
• Lodge a complaint with a supervisory authority or your state attorney general, as applicable.

To exercise rights, contact info@elyrasystems.com. We may verify your identity before responding.

Our Services are not directed to children under 13, and we do not knowingly collect their data. If you believe a child under 13 has provided personal data, contact us and we will delete it.

We use cookies/SDKs and similar technologies to operate the Services, remember preferences, keep you signed in, measure performance, and, where permitted, support marketing/attribution. Where required, we will request your consent for non-essential cookies. You can manage cookies in your browser or device settings (functionality may be limited if you disable them).

To improve performance, security, and reliability, we automatically collect server logs (IP address, device and browser type, language, referring/exit pages, timestamps) and app diagnostics/crash data. We do not combine this with directly identifying data unless needed for security, support, or legal reasons.

If you opt in, we may send push notifications or SMS for confirmations, reminders, and updates. Device tokens/SMS routing data identify your device/number but not you by name. You can opt out in your device or account settings. We also email you about your account and bookings; you can unsubscribe from marketing at any time.

We use administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, use, alteration, or disclosure. No system is perfectly secure, and transmission over the Internet carries inherent risks. Please protect your account credentials and devices.

If we learn of a data breach affecting your personal data, we will investigate and, where required by law, notify you and/or the relevant authorities, including describing the categories of data concerned and protective steps you can take.

The Services may link to third-party sites or services we do not control. Their privacy practices are their own. Review their policies before sharing data with them.

We may update this Policy from time to time. We will post the new date at the top of this page and, when appropriate, provide additional notice. Changes take effect upon posting unless stated otherwise. We will not use your personal data for materially new purposes without your consent where required by law.

By accessing or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Services.

Questions, requests, or complaints about privacy:

We aim to respond promptly and within applicable legal timeframes.