Privacy Policy for RestaurantAI
Last Updated: February 24, 2026
1. Data Controller
The data controller responsible for processing personal data under GDPR and German BDSG is:
RestaurantAI
Faruk Orman
24105 Kiel, Germany
Email: ofolabs@gmail.com
No Data Protection Officer is required as fewer than 20 persons engage in automated data processing.
2. Overview of Data Processing
Contractual necessity (Art. 6(1)(b)). We process:
- Account data (email, display name, phone number, profile photo URL) for account creation, authentication, and communication
- Payment data (Stripe customer ID, subscription plan, billing period — no card numbers, bank details, or billing addresses stored) for subscription billing and credit purchases
- Content data (restaurant info, menu items, uploaded images, AI-enhanced images, 3D models) for core service functionality
- AI processing data (AI job records including type, status, URLs, credits, timestamps) for managing AI requests, credit tracking, and error handling
Legitimate interest (Art. 6(1)(f)). We process:
- Social data (comments, likes via hashed visitor ID, feedback) for restaurant visitor engagement
- Technical data (IP address, browser user agent, request timestamps) for security, rate limiting, and abuse prevention
- Error data (error stack traces, request context — anonymized, no PII) for bug detection and service reliability
- Usage counters (aggregated counts only, no individual tracking) for dashboard statistics
For processing based on legitimate interest (Art. 6(1)(f)), a balancing test has confirmed that our interests do not override your fundamental rights. You may object at any time.
3. Detailed Processing Activities
3.1 Account Registration & Authentication
Email address and optional display name, phone number, and profile photo are collected. Google OAuth sign-in is supported. Firebase Authentication stores email, hashed password, OAuth tokens, and verification status. Last login timestamps update at most hourly for security monitoring.
3.2 Content Management
Restaurant information and menu items are stored in Cloud Firestore. Images go to Firebase Storage. All user text is validated and HTML-escaped to prevent cross-site scripting. Published content is publicly accessible via restaurant website URLs.
3.3 Payment Processing
Stripe processes payments exclusively. We never receive or store your credit card number, CVV, or full billing address. Only Stripe customer ID, subscription plan, billing period, and credit balance are stored locally.
3.4 AI-Powered Features
Uploaded images are sent to third-party AI providers only upon explicit user action. Data is not used for model training.
3.5 Social Features (Visitors)
Comments: Visitor name and text stored; require owner approval before publication; rejected comments deleted after 90 days.
Likes: Pseudonymous visitor identifier derived server-side via SHA-256 hashing of IP and user agent (truncated). Prevents duplicate likes without storing raw IP addresses. Random visitor ID and like state stored in browser localStorage.
Feedback: Visitor name, email, rating, and message stored; auto-expire after 180 days.
Social submissions protected by Cloudflare Turnstile (CAPTCHA) and rate limiting.
3.6 Security & Rate Limiting
Upstash Redis temporarily stores hashed IP addresses and request counts for rate limiting (e.g., 60 requests per minute). This data is ephemeral and is not used for tracking or profiling.
4. Third-Party Service Providers (Data Processors)
Data Processing Agreements (DPAs) are in place per Art. 28 GDPR:
Firebase Auth (Google LLC, USA) handles user authentication and identity, receiving email, password hash, OAuth tokens, and verification status.
Cloud Firestore (Google LLC, USA) serves as the application database, storing account, content, social data, AI records, and analytics.
Firebase Storage (Google LLC, USA) provides file storage for uploaded images, AI-enhanced images, 3D models, and profile photos.
Stripe (Stripe, Inc., USA) handles payment processing and billing, receiving payment method, billing address, and email — we store only the Stripe customer ID.
RunwayML (Runway AI, Inc., USA) provides AI image enhancement (Gen4 Image), receiving composited food images temporarily and not retaining them.
fal.ai (Fal AI, Inc., USA) provides background removal and 3D generation, receiving user-uploaded food images temporarily and not retaining them.
OpenAI (OpenAI, LLC, USA) provides menu text extraction (GPT-4o Vision), receiving user-uploaded menu photos as base64 without retaining them.
Netlify (Netlify, Inc., USA) provides hosting, CDN, edge functions, and optimization, receiving IP address, request metadata, and custom domain configuration.
Sentry (Functional Software, Inc., USA) provides error monitoring and performance tracking, receiving error stack traces and context with PII excluded and 10% sampling.
Upstash (Upstash, Inc., USA) provides distributed rate limiting via Redis, receiving hashed IP addresses and request counts ephemerally.
Cloudflare Turnstile (Cloudflare, Inc., USA) provides bot protection (CAPTCHA), receiving IP address, browser signals, and challenge token.
5. AI Processing & Transparency (EU AI Act)
Per Regulation (EU) 2024/1689, Art. 50:
Image Enhancement uses RunwayML (Gen4 Image) to generate professional food photos. It takes a user-uploaded food image (after background removal) and produces an AI-generated image. Processing occurs on RunwayML's servers.
Background Removal uses fal.ai (BiRefNet) as a preprocessing step. It takes a user-uploaded food image and produces a transparent PNG. Processing occurs on fal.ai's servers.
3D Model Generation uses fal.ai (Hunyuan3D v3.1) to create 3D dish models from photos. It takes a user-uploaded food image and produces an AI-generated .glb model. Processing occurs on fal.ai's servers.
Menu Extraction uses OpenAI (GPT-4o Vision) to extract menu text from photos. It takes a user-uploaded menu photo (base64) and produces structured text, which is returned for user review before saving. Processing occurs on OpenAI's servers.
Important Disclosures:
- AI-enhanced images and 3D models are AI-generated synthetic content pursuant to Art. 50(2) and may not represent actual dish appearance.
- AI processing occurs only upon your explicit action (clicking buttons); there is no automated processing without user initiation.
- Data is not used to train AI models. Images are sent to providers only for the requested task.
- AI providers process images temporarily and do not retain them beyond processing, per their terms.
- Extracted menu text is returned for user review and manual confirmation before saving; no autonomous decisions are made.
6. International Data Transfers
Transfers to USA-based providers are safeguarded by:
EU-US Data Privacy Framework (DPF): Google (Firebase), Stripe, and Cloudflare are certified under the European Commission adequacy decision of July 10, 2023 (Commission Implementing Decision (EU) 2023/1795) per Art. 45 GDPR.
Standard Contractual Clauses (SCCs): For providers not certified under the DPF (RunwayML, fal.ai, others), or as a supplementary safeguard, we rely on SCCs per Art. 46(2)(c) GDPR as adopted by Commission Implementing Decision (EU) 2021/914.
Contact ofolabs@gmail.com for specific transfer safeguard details.
7. Cookies & Local Storage
Per § 25 German TTDSG and Art. 5(3) ePrivacy Directive, only technically necessary cookies and local storage are used. These are exempt from consent under § 25(2) TTDSG as strictly necessary for the requested service.
- Firebase Auth token — maintains the authenticated user session; duration is 1 hour, auto-refreshed by the SDK; provider is Google (Firebase)
- cf_clearance (cookie) — CAPTCHA bot protection verification; session duration; provider is Cloudflare
- sidebar_expanded (localStorage) — remembers dashboard sidebar state; persistent; first-party
- rai_visitor_id (localStorage) — anonymous visitor identifier for the likes UI; persistent; first-party
- rai_liked_items (localStorage) — tracks visitor-liked menu items for client-side UI; persistent; first-party
We do not use advertising cookies, tracking cookies, analytics cookies, or any third-party marketing pixels. No consent banner required — all storage is strictly necessary.
8. Provision of Personal Data
Email and account data are a contractual requirement necessary for service use. Without this data, account creation and service provision are impossible. Payment data is required only for paid plans. Display name, phone, profile photo, and restaurant content are voluntary.
9. Data Subject Rights
Under GDPR and BDSG, you have:
- Right of access (Art. 15 GDPR, § 34 BDSG) — obtain personal data copy and processing information
- Right to rectification (Art. 16 GDPR) — correct inaccurate data via profile settings
- Right to erasure (Art. 17 GDPR, § 35 BDSG) — delete account and all associated data via settings (cascade deletion of websites, menus, images, AI jobs, comments)
- Right to restriction (Art. 18 GDPR) — restrict processing in certain circumstances
- Right to data portability (Art. 20 GDPR) — receive data in structured, machine-readable format (Section 12)
- Right to object (Art. 21 GDPR, § 36 BDSG) — object to legitimate interest processing anytime; we cease unless demonstrating compelling grounds
- Right not to be subject to automated decisions (Art. 22 GDPR) — see Section 10
- Right to withdraw consent (Art. 7(3) GDPR) — withdraw anytime without affecting prior processing lawfulness
Contact ofolabs@gmail.com to exercise rights. Response within one month per Art. 12(3) GDPR. Period may extend two further months for complex requests with first-month notice.
10. Automated Decision-Making
We carry out no automated decision-making or profiling that produces legal effects or similarly significantly affects you within the meaning of Art. 22 GDPR, and no user profiling based on behavior, purchase history, or AI usage. The following automated processes do not constitute Art. 22 automated decision-making:
- Rate limiting: Automated request throttling by IP for security and abuse prevention
- Plan enforcement: Automatic subscription limit checks (websites, menu items, credits) as contractual service delivery
- CAPTCHA verification: Automated bot detection via Cloudflare Turnstile during registration and social submissions
- Credit deduction: Automatic AI credit charges on user-initiated requests (auto-refunded if processing fails)
- Subscription lifecycle: Automatic downgrade on payment failure (7-day grace period); automatic excess website unpublishing on downgrade
11. Right to Lodge a Complaint
Lodge complaints with data protection supervisory authorities per Art. 77 GDPR. Competent authority for Kiel, Schleswig-Holstein:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98, 24103 Kiel, Germany
Website: https://www.datenschutzzentrum.de
You may also contact supervisory authorities in your EU member state of habitual residence, work, or alleged infringement location.
12. Data Retention & Portability
- Account data — retained until deletion; inactive free accounts auto-deleted after 180 days (contractual necessity)
- Content data (websites, menus, images) — retained until you delete them or your account is deleted (contractual necessity)
- AI job records — 90 days, auto-expired via Firestore TTL (legitimate interest — debugging)
- Social data — comments — retained until owner deletion; rejected comments auto-deleted after 90 days (legitimate interest)
- Social data — feedback — 180 days, auto-expired via Firestore TTL (legitimate interest)
- Social data — likes — retained until associated website is deleted; orphaned records cleaned by scheduled job (legitimate interest)
- Payment records (Stripe customer ID) — 6 years after account deletion (legal obligation — § 147 AO, § 257 HGB, German tax/commercial law)
- Error logs (Sentry) — 90 days (legitimate interest)
- Webhook event records — 30 days, auto-expired via Firestore TTL (legitimate interest — idempotency)
Data Portability (EU Data Act): Per Regulation (EU) 2023/2854, request data export in structured, machine-readable format including account info, restaurant data, menu items, and images. Contact ofolabs@gmail.com. No excessive fees; reasonable timeframe provided.
13. Children's Privacy
The service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided data, we promptly delete it per Art. 8 GDPR and § 25 TTDSG.
14. Security Measures
Appropriate technical and organizational measures per Art. 32 GDPR:
- HTTPS/TLS encryption for all transit data
- Encryption at rest via Google Cloud infrastructure (Firebase/Firestore)
- Content Security Policy (CSP) headers preventing cross-site scripting
- Input sanitization and HTML escaping on all user-generated content
- Rate limiting (Upstash Redis with in-memory fallback) preventing abuse and brute-force
- CAPTCHA (Cloudflare Turnstile) on registration and social submissions preventing automated abuse
- Firebase Security Rules and server-side ownership checks for access control
- Cryptographic hashing (SHA-256) for visitor identifiers instead of raw IP storage
- Constant-time comparison (crypto.timingSafeEqual) for secret validation preventing timing attacks
- Stripe webhook signature verification for payment event authentication
15. Changes to This Policy
This privacy policy may be updated to reflect changes in our practices or in the law. The "Last updated" date indicates the most recent revision. Material changes are communicated to registered users via email at least 30 days in advance. Previous versions are available upon request.
16. Contact
For privacy inquiries or exercising data subject rights:
Faruk Orman
24105 Kiel, Germany
Email: ofolabs@gmail.com