Privacy Policy

Last updated: June 2026

1. Overview

Suko ("we", "us", or "our") operates getsuko.com and provides AI-powered website and chat services for independent restaurants. This Privacy Policy explains how we collect, use, and protect information when you use our services.

By using Suko, you agree to the collection and use of information in accordance with this policy. If you are a restaurant owner using our platform, this policy applies to both your account data and the data of your guests that flows through our system.

Contact: hello@getsuko.com · getsuko.com

2. Data We Collect

We collect the following categories of data:

2.1 Restaurant Owner Data

  • Name and email address (for account creation and communication)
  • Billing information (processed by Stripe — we do not store card details)
  • Business name, address, and phone number

2.2 Restaurant Configuration Data

  • Menu items, descriptions, and prices
  • Opening hours and location information
  • FAQs and custom AI training content
  • Widget appearance preferences

2.3 Guest Reservation Data

  • Guest name, email address, and phone number
  • Reservation date, time, and party size
  • Special requests or notes

2.4 Chat Session Data

  • Messages exchanged between restaurant guests and the AI assistant
  • Timestamps and session identifiers
  • Device type and browser information (no personal identification)

2.5 Contact Form Submissions

  • Name, email, restaurant name, city, phone number, and message content
  • Submitted via our contact form at getsuko.com/contact

3. How We Use Your Data

We use the data we collect for the following purposes:

  • Service delivery — to power the AI chat assistant, manage reservations, and operate your restaurant website.
  • Account management — to create and maintain your Suko account, send onboarding communications, and provide support.
  • AI training — restaurant configuration data (menu, hours, FAQs) is used to train and personalise the AI assistant for your restaurant. This data is not used to train general AI models.
  • Billing — to process subscription payments and send invoices via Stripe.
  • Communication — to respond to contact form submissions, send service updates, and provide customer support.
  • Service improvement — aggregated, anonymised chat data may be used to improve our service quality. We do not use guest personal data for this purpose.

We do not sell your data or your guests' data to any third party, ever.

4. Data Retention

We retain different types of data for different periods:

  • Guest reservation data — automatically and permanently deleted 10 days after the reservation date. This is a core commitment of our service.
  • Chat session data — retained for 30 days to allow restaurant owners to review recent conversations, then permanently deleted.
  • Restaurant owner account data — retained for the duration of your subscription plus 90 days after cancellation, to allow for reactivation. After 90 days, your account data is permanently deleted upon request.
  • Contact form submissions — retained for up to 12 months for business communication purposes.
  • Billing records — retained for 7 years as required by financial regulations.

You may request early deletion of any data by emailing hello@getsuko.com. We will process all deletion requests within 30 days.

5. Third-Party Services

We use the following third-party services to operate Suko. Each has its own privacy policy and data processing terms:

  • Anthropic — powers our AI chat assistant (Claude). Guest messages are processed by Anthropic's API. Anthropic does not use API data to train their models. anthropic.com/privacy
  • Supabase — our database and backend infrastructure. All data is stored in the EU (Frankfurt, Germany) region. supabase.com/privacy
  • Stripe — payment processing. We never store or see your full card details. stripe.com/privacy
  • Resend — transactional email delivery (contact form confirmations, system notifications). resend.com/privacy
  • Vercel — website hosting and edge delivery. vercel.com/legal/privacy-policy

We only share the minimum data necessary with each third party to provide our service. We do not share restaurant owner or guest data with any advertising networks or data brokers.

6. Your Rights (GDPR)

If you are located in the European Union or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access — you can request a copy of all personal data we hold about you.
  • Right to rectification — you can ask us to correct inaccurate or incomplete data.
  • Right to erasure — you can request deletion of your personal data ("right to be forgotten").
  • Right to data portability — you can request your data in a machine-readable format (JSON or CSV).
  • Right to object — you can object to processing of your data for certain purposes.
  • Right to restrict processing — you can ask us to pause processing of your data in certain circumstances.

To exercise any of these rights, email us at hello@getsuko.com with the subject line "Data Request". We will respond within 30 days. We may ask you to verify your identity before processing the request.

For guest data specifically, restaurant owners bear responsibility as the data controller. Guests may contact hello@getsuko.com directly and we will coordinate with the relevant restaurant owner.

Our legal basis for processing restaurant owner data is contract performance (to deliver the service you signed up for). Our legal basis for processing guest reservation data is legitimate interest of the restaurant to manage bookings, with automatic deletion after 10 days.

7. Cookies

Suko uses a minimal set of cookies necessary to operate the service:

  • Authentication cookies — to keep restaurant owners logged in to their dashboard. These are session cookies and expire when you close your browser, or persistent cookies lasting up to 30 days if you choose "Remember me".
  • CSRF protection cookies — to protect against cross-site request forgery attacks.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies on our marketing website (getsuko.com). We do not use Google Analytics or Facebook Pixel.

The AI chat widget embedded on your restaurant's website may set a session cookie to maintain chat continuity during a guest's visit. This cookie contains no personal information and expires at the end of the browser session.

8. Security

We take reasonable technical and organisational measures to protect your data:

  • All data is transmitted over HTTPS with TLS encryption
  • Database access is restricted and authenticated
  • Reservation data is automatically purged after 10 days
  • We do not store payment card details (handled entirely by Stripe)
  • Access to production systems is limited to authorised personnel only

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify you within 72 hours as required by GDPR.

9. Children's Privacy

Suko is a business service intended for restaurant owners and their adult guests. We do not knowingly collect personal information from children under the age of 16. If you believe a child has provided us with personal information, please contact us at hello@getsuko.com and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify active restaurant owners by email at least 14 days before the changes take effect.

Continued use of Suko after changes take effect constitutes acceptance of the updated policy.

11. Contact Us

For any questions, requests, or concerns about this Privacy Policy or how we handle your data, please contact us:

  • Email: hello@getsuko.com
  • Website: getsuko.com/contact
  • Response time: We aim to respond within 2 business days.

For GDPR-related requests, use the subject line "Data Request" and we will respond within 30 days as required by law.