
Privacy Policy


Effective May 14, 2026. Last updated May 14, 2026. 17 sections.

EatFuti Inc. ("EatFuti," "we," "us") values your privacy. This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, and the rights you have over it. We try to be specific so you don't have to guess.

This policy covers everyone who interacts with EatFuti: customers ordering food from restaurants powered by EatFuti, restaurants and their staff who use the platform, job applicants, and people just visiting our website.

01

The 30-second summary

  • We only collect what we need to run your account and the product.
  • We don't sell your data, ever.
  • Sub-processors are listed below: Stripe, Twilio, AWS, Google Cloud, Anthropic, Google Gemini, PostHog, Sentry, Resend, Mapbox.
  • You can export or delete everything from your dashboard or by emailing privacy@eatfuti.ai.
  • Restaurant customer data is held by the restaurant. We process it on the restaurant's behalf.
  • EatFuti does not operate a delivery fleet. Delivery is handled by the restaurant or by third-party delivery networks.

02

Who we are

EatFuti Inc., a Delaware C-corporation, registered at: 700 Locust Street, Suite 304, Des Moines, IA 50309

For privacy questions, write to privacy@eatfuti.ai or call (515) 493-0243. For appeals of any privacy decision, contact our Data Privacy Officer at the same email or write to us at the address above.

03

What we collect

We collect information from different sources depending on how you interact with us.

2.1 Information you give us

If you place an order through a restaurant powered by EatFuti:

  • Name, phone number, email address, delivery address
  • Payment information (processed by Stripe; we don't store full card numbers)
  • Order details, special instructions, allergens
  • Loyalty program activity if the restaurant runs one
  • Reviews, ratings, and feedback you submit

If you create an EatFuti customer account:

  • The above, plus a password, account preferences, and saved addresses

If you're a restaurant signing up as a merchant:

  • Restaurant legal name and DBA
  • Business address(es)
  • Contact name, email, phone
  • Tax identification number (EIN or, for sole proprietors, SSN)
  • Bank account / payout information
  • Government-issued ID where required for KYC/AML compliance
  • Information about your menu, hours, photos, branding, and operations
  • If you join a sales demo, we may record video and audio of the call (with consent)

If you apply for a job at EatFuti:

  • Contact info, resume, work history, references, work eligibility documents

If you contact support, fill out a form, or sign up for our newsletter:

  • The information you provide

2.2 Information we collect automatically

When you use our websites, dashboards, or apps:

  • Device info: IP address, browser, OS, device identifiers, language
  • Usage info: pages visited, buttons clicked, time on page, navigation paths, drop-off points
  • Location: approximate location from IP for fraud prevention and analytics; precise location only with your explicit permission, for showing nearby restaurants or for order pickup directions
  • Cookies and similar technologies: see Section 5 and our Cookie Policy at eatfuti.ai/cookies

2.3 Information we get from third parties

  • Restaurants share customer order history with us when those orders flow through our platform
  • Stripe shares limited payment information (e.g., last four digits, billing zip)
  • Marketing partners may share advertising attribution data (we use only de-identified attribution and don't combine it with personal identifiers)
  • POS integrations (Toast, Clover, Square, etc.) share menu and order data restaurants authorize
  • Third-party delivery networks (DoorDash, Uber Eats, and similar) share delivery status and confirmations for orders the restaurant routed to them

04

How we use it

  • Run your account: sign you in, take payments, send transactional email and SMS, fulfill orders
  • Provide the product: menu imports, AI replies, analytics, integrations, third-party delivery routing
  • Improve the product: figure out what's broken and what to build next
  • Stay safe: fraud prevention, abuse detection, security incidents, account verification
  • Talk to you: onboarding, support, occasional product updates
  • Comply with law: tax reporting, responding to legal process, regulatory compliance
  • Marketing (with consent): tell you about new features or restaurants in your area

We don't make decisions about you using solely automated processing in a way that has legal or similarly significant effects on you, except for routine fraud detection where flagged transactions get a human review before any final action.

05

Who we share with

We use a small set of trusted sub-processors. Each one is contracted under a Data Processing Agreement that mirrors our commitments to you.

| Sub-processor | What they do | Where |
|---|---|---|
| Stripe | Payment processing for customer orders and subscription billing | United States |
| Twilio | SMS, voice, and verification | United States |
| AWS | Application hosting, databases, file storage | US-West-2 |
| Google Cloud | ML infrastructure, certain analytics | United States |
| Anthropic | AI features (Claude) | United States |
| Google Gemini | AI features | United States |
| PostHog | Product analytics | United States |
| Sentry | Error monitoring | United States |
| Resend | Transactional email | United States |
| Mapbox / Google Maps | Maps and routing | United States |

We share data with restaurants when you order from them; they need your name, contact, and delivery info to fulfill the order.

We share data with third-party delivery providers (such as DoorDash or Uber Eats) only when a restaurant routes an order to them for delivery. Those providers process delivery data under their own privacy policies.

We share data when required by law (court order, subpoena, lawful government request) and where reasonably necessary to protect EatFuti, you, or third parties from fraud, security threats, or violations of our terms.

We do not sell personal data to third parties. We do not share personal data with advertisers for cross-context behavioral advertising in a way that would constitute a "sale" or "sharing" under California, Colorado, Connecticut, or comparable state laws. If we ever change this, we'll update this policy and offer you a clear opt-out before any sale or sharing happens.

In the event of a merger, acquisition, financing, or sale of business assets, personal data may be transferred to the successor entity, which will be bound by the same privacy commitments.

06

Cookies and similar technologies

We use cookies to make the site work, remember preferences, measure analytics, and (with your consent) measure marketing performance. Full details and how to opt out are in our Cookie Policy at eatfuti.ai/cookies.

We honor the Global Privacy Control (GPC) signal. If your browser sends GPC, we treat it as an opt-out of marketing/analytics cookies and of any "sale" or "sharing" of personal data within the meaning of applicable state laws.

We don't respond to the legacy "Do Not Track" browser signal because it's not a standardized opt-out.

07

AI features and your data

EatFuti is an AI-powered restaurant platform. Some features use third-party AI providers, currently Anthropic Claude and Google Gemini, to generate text outputs (review replies, marketing copy, menu descriptions, guest engagement messages, support assistance, analytics summaries).

When you use an AI feature:

  • Your inputs may be sent to the AI provider to generate output
  • We have contractual commitments from these providers that your data is not used to train their public foundation models
  • Outputs are generated in real time and stored in your account
  • AI output can be wrong, biased, or fabricated; you should review before publishing or sending
  • You can disable AI features in your dashboard at any time

If you ask an AI feature about a specific customer, we'll redact obvious personal identifiers (full names, phone numbers, email addresses) where the feature design allows before sending the prompt.

We may also use de-identified, aggregated data from across the platform to improve our own models and product features. De-identified data does not contain personal identifiers and cannot reasonably be re-linked to you.

08

Sensitive data

  • Precise geolocation: collected only with permission and used for nearby-restaurant features or pickup directions
  • Financial account information: used for processing payments and payouts via Stripe
  • Government IDs: used for KYC/AML compliance for restaurants, and stored encrypted
  • Biometric-adjacent data: sales demo recordings (for restaurants who consent)
  • Health-related data: dietary preferences or food allergies you submit are processed only to help fulfill the order, not for any other purpose

Where state law requires, we'll obtain your explicit consent before processing sensitive data. You can withdraw consent at any time, though it may limit our ability to provide certain services.

09

Your privacy rights

Wherever you live, you can ask us to:

  • Access the personal data we hold about you
  • Correct anything that's wrong
  • Delete your data
  • Port your data to another service in a portable format
  • Opt out of marketing communications
  • Object to certain processing, including profiling
  • Withdraw consent where we rely on it for processing

Most of these you can do yourself from the dashboard. For anything bigger, write to privacy@eatfuti.ai, and we'll respond within 30 days (we may extend by another 45 days if your request is complex; we'll tell you if so).

We'll verify your identity before fulfilling sensitive requests, usually by confirming the email on your account.

If you're an authorized agent making a request on someone else's behalf, you'll need to provide written authorization and proof of identity.

10

State-specific rights

The U.S. is a patchwork of state privacy laws. Here are the highlights of what residents of certain states can additionally request.

9.1 California (CCPA / CPRA)

California residents have the right to:

  • Know what categories of personal data we collect, the sources, the business purpose, and the categories of third parties we share with
  • Access specific pieces of personal data
  • Delete personal data, subject to legal exceptions
  • Correct inaccurate personal data
  • Opt out of "sale" or "sharing" of personal data (we don't sell or share, but you can submit a request to confirm)
  • Limit use of sensitive personal information
  • Non-discrimination for exercising these rights

In the last 12 months, the categories of personal data we collected include: identifiers (name, email, phone, IP), customer records (billing info), commercial information (orders, transactions), internet activity, approximate geolocation, professional/employment info (for restaurant merchants), and inferences.

The categories of personal data we shared for business purposes include: identifiers, customer records, commercial info, and internet activity. Recipients were the sub-processors listed in Section 4 and the restaurants whose orders you placed.

We did not sell or share personal information for cross-context behavioral advertising in the last 12 months.

To exercise rights, email privacy@eatfuti.ai or call (515) 493-0243.

9.2 Colorado, Connecticut, Texas, Virginia, Utah, Iowa, Indiana, Oregon, Tennessee, Delaware, Montana, New Hampshire, New Jersey, Florida, Minnesota, Maryland, Rhode Island, Kentucky, and other states with comprehensive privacy laws

Residents of these states have similar rights to California, including the rights to access, delete, correct, port, opt out of targeted advertising and profiling, and appeal denied requests.

To exercise these rights, write to privacy@eatfuti.ai. We respond within the timeframes required by each state's law.

9.3 Appeals

If we deny a request, you can appeal by replying to our denial email or writing to the Data Privacy Officer at the address in Section 16. We respond to appeals within the time required by applicable law.

11

Marketing communications and SMS

We send marketing communications only to people who opt in. You can opt out at any time by:

  • Email: clicking the unsubscribe link in any marketing email
  • SMS: replying STOP to any marketing text
  • Push: turning off notifications in your device settings
  • Dashboard: toggling marketing preferences

Even after opting out, you'll still receive transactional communications (order confirmations, receipts, security alerts, etc.) because they're necessary to provide the service.

Standard message and data rates may apply for SMS. Reply HELP at any time for help.

12

How long we keep data

We retain personal data as long as necessary to provide the service and for the legal purposes described below. Specific retention periods:

| Data type | Retention |
|---|---|
| Active account data | While the account is active |
| Data after account cancellation | 90-day export window, then deleted from active systems; backups within 30 more days |
| Order and transaction records (for tax/audit) | 7 years |
| Customer support tickets | 3 years |
| Anonymous analytics | Indefinite (no personal data, can't re-identify) |
| Sales demo recordings (with consent) | 12 months unless we agree otherwise with the participant |
| Job applicant records | 2 years for unsuccessful candidates, then deleted unless you consent to keep on file |
| Server logs | 90 days |

13

Security

  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Production database access is break-glass, logged, and reviewed weekly
  • Multi-factor authentication required for all employee access
  • Quarterly penetration tests by a third party
  • Annual employee security training
  • SOC 2 Type II in progress, target completion 2026

If we discover a security incident affecting your personal data, we'll notify you and applicable regulators within the timeframes required by law.

14

Children's data

EatFuti is not directed to anyone under 18. We do not knowingly collect personal data from children under 13. If you believe a child has signed up or that a child's information has been collected through our service, write to privacy@eatfuti.ai and we'll delete it.

15

International visitors

Our services are operated from and intended for users in the United States. If you access our services from outside the U.S., you understand that your personal data will be transferred to, stored, and processed in the U.S.

By using our services from outside the U.S., you consent to this transfer, storage, and processing.

If you're a resident of the European Economic Area, United Kingdom, or Switzerland, we currently don't offer services in those regions. If you've reached our service from those regions and would like your data deleted, write to privacy@eatfuti.ai.

16

Changes to this policy

We can update this policy. Material changes get 30-day notice by email to people with an active account. Smaller edits (typos, broken links, clarifications) we apply right away. The "Last updated" date at the top will always reflect the latest version.

If you don't agree with a change, your remedy is to stop using EatFuti and request deletion of your data.

17

Contact

A human will reply within one business day.

EatFuti Inc.
Data Privacy Officer
700 Locust Street, Suite 304
Des Moines, IA 50309
privacy@eatfuti.ai
hello@eatfuti.ai
(515) 493-0243
