Privacy Policy

Welcome to Zatisfied ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how Zatisfied Inc., a Delaware corporation with principal offices in Greenwood Village, Colorado, collects, uses, discloses, and safeguards your information when you use our AI-powered restaurant reputation management platform (the "Service").

This Privacy Policy applies to all information collected through our website located at zatisfied.io (the "Website"), our web-based application, any mobile applications we may offer, APIs, widgets embedded on third-party websites, and any other products, services, or features we provide (collectively, the "Services"). This policy also applies to information collected when you interact with us through social media or other platforms, attend our events, or communicate with our customer support team.

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the practices described in this policy, please do not use our Services. Your continued use of the Services following the posting of changes to this policy will be deemed your acceptance of those changes.

We encourage you to read this Privacy Policy carefully and contact us if you have any questions. For purposes of the GDPR, Zatisfied Inc. is the "data controller" of your personal information. Our Data Protection Officer can be reached at dpo@zatisfied.io.

2.1 Information You Provide Directly

We collect information you provide when you create an account, subscribe to our Services, fill out forms, make purchases, communicate with us, or otherwise interact with our platform. This includes:

• Account Registration Information: When you create an account, we collect your full name, email address, phone number, job title, and the name of your restaurant or organization. You may also create a username and password to secure your account.
• Billing and Payment Information: When you subscribe to our paid services, we collect billing information including your billing address, payment card details (card number, expiration date, CVV), and transaction history. Payment processing is handled by our PCI-DSS compliant payment processor, Stripe, and we do not store complete credit card numbers on our servers.
• Profile and Branding Information: You may provide additional information to customize your experience, including profile photographs, company logos, brand colors, brand voice preferences, and custom response templates.
• Review Response Content: Content you create, edit, or customize within our platform, including AI-generated responses you modify, custom response templates, and brand voice settings.
• Communications: When you contact our customer support team, participate in surveys, respond to questionnaires, or communicate with us through any channel, we collect the content of those communications along with associated metadata.
• Team Member Information: If you invite team members to your organization's account, we collect their names, email addresses, and assigned roles and permissions.

2.2 Information Collected Automatically

When you access or use our Services, we automatically collect certain information about your device, your use of our Services, and your interactions with our platform:

• Usage Data: We collect information about how you interact with our Services, including the pages you visit, features you use, actions you take (such as generating AI responses or publishing reviews), the time and duration of your activities, and your navigation patterns within the platform.
• Device Information: We collect information about the devices you use to access our Services, including device type (desktop, mobile, tablet), operating system and version, browser type and version, screen resolution, device identifiers, and hardware specifications.
• Log Data: Our servers automatically record information when you access our Services, including your Internet Protocol (IP) address, access times and dates, pages viewed, referring URL (the page you visited before navigating to our Services), and any errors or crashes that occur.
• Location Information: We collect general geographic location information based on your IP address. We do not collect precise GPS location data unless you explicitly grant permission for specific features.

2.3 Information from Third-Party Integrations

Our Services integrate with various third-party platforms to provide comprehensive reputation management. When you connect these integrations, we may receive information from those platforms:

• Review Platform Data: When you connect review platforms such as Google My Business, Yelp, TripAdvisor, Facebook, OpenTable, Uber Eats, DoorDash, Grubhub, and others, we access and collect customer reviews, ratings, review dates, reviewer display names (as shown publicly on the platform), your responses, and business profile information according to each platform's API terms and conditions.
• OAuth Authentication Data: When you use single sign-on (SSO) to connect third-party accounts, we receive authentication tokens and basic profile information (such as name and email) from the identity provider to verify your identity and maintain your session.
• Analytics Partners: We may receive aggregated, anonymized analytics data from third-party analytics providers to help us understand usage patterns and improve our Services.

2.4 Customer Review Data

A core function of our Service is processing customer reviews from various platforms. This review data may include the reviewer's publicly displayed name or username, the content of their review, star ratings, the date and time of the review, any photos or media attached to the review, and your organization's responses. We process this data solely to provide our reputation management services and in accordance with the terms of service and privacy policies of the respective review platforms. We do not use customer review data for purposes unrelated to providing and improving our Services.

More specifically, we use your information in the following ways:

3.1 To Provide and Maintain Our Services

We use your information to operate, maintain, and provide the features and functionality of our Services. This includes creating and managing your account, authenticating your identity, processing your subscription and payments, aggregating reviews from connected platforms, generating AI-powered response suggestions based on your brand voice settings, sending notifications about new reviews and platform activity, and providing customer support when you need assistance.

3.2 To Improve and Develop Our Services

We analyze usage patterns, feedback, and performance metrics to understand how our Services are used and to identify areas for improvement. This includes developing new features and functionality, optimizing user experience and interface design, training and improving our AI models using aggregated and anonymized data sets, conducting research and analysis to enhance our algorithms, and testing new features and updates before wider release.

3.3 To Communicate With You

We use your contact information to communicate with you about your account and our Services. This includes sending transactional emails such as account confirmations, password resets, subscription receipts, and payment notifications; providing customer support and responding to your inquiries; sending service announcements and updates about changes to our Services or policies; and with your consent, sending marketing communications about new features, promotions, or related services.

3.4 For Security and Fraud Prevention

We use your information to maintain the security and integrity of our Services. This includes detecting, investigating, and preventing fraudulent transactions, abuse, and other harmful activities; monitoring for and addressing security vulnerabilities; enforcing our Terms of Service and other agreements; and protecting the rights, property, and safety of Zatisfied, our users, and the public.

3.5 To Comply with Legal Obligations

We may process your information to comply with applicable laws, regulations, legal processes, or enforceable governmental requests. This includes responding to subpoenas, court orders, or other legal process; cooperating with law enforcement and regulatory agencies; and meeting tax, accounting, and reporting requirements.

Contractual Necessity (Article 6(1)(b)): We process certain personal data because it is necessary to perform our contract with you. This includes processing your account information to create and maintain your account, processing payment information to fulfill your subscription, and processing usage data to provide the core features of our Services.

Legitimate Interests (Article 6(1)(f)): We process certain personal data based on our legitimate interests, where those interests are not overridden by your data protection rights. Our legitimate interests include improving and developing our Services, understanding how users interact with our platform, detecting and preventing fraud and abuse, marketing our Services to existing customers, and ensuring the security of our platform. We conduct a balancing test to ensure our interests do not override your fundamental rights and freedoms.

Consent (Article 6(1)(a)): For certain processing activities, we rely on your explicit consent. This includes sending you marketing communications, using analytics cookies and similar technologies, and processing data for purposes beyond what is necessary to provide our Services. You may withdraw your consent at any time by contacting us or using the preference controls in your account settings.

Legal Obligation (Article 6(1)(c)): We process certain personal data because it is necessary to comply with applicable laws and regulations, such as tax laws, anti-money laundering regulations, and legal process requirements.

Service Providers: We share information with third-party service providers who perform services on our behalf. These providers are contractually bound by data processing agreements that require them to protect your information and prohibit them from using your data for any purpose other than providing services to us. Our service providers include cloud hosting and infrastructure providers, payment processors, email delivery services, SMS notification services, AI and machine learning platforms, analytics providers, and customer support tools.

Legal Requirements: We may disclose your information if required to do so by law or in response to valid legal process, such as a subpoena, court order, or government request. We may also disclose information when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

Business Transfers: If Zatisfied is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Services of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.

With Your Consent: We may share your information with third parties when you have given us your explicit consent to do so.

Aggregated and Anonymized Data: We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. This data may be used for industry analysis, benchmarking, and other business purposes.

Our security measures include:

• Encryption: All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS) 1.3, the most current and secure encryption protocol. Data stored on our servers is encrypted at rest using AES-256 encryption, an industry-standard encryption algorithm used by governments and financial institutions worldwide.
• Access Controls: We implement strict role-based access controls (RBAC) to ensure that only authorized personnel can access personal data. All employees with access to production systems are required to use multi-factor authentication (MFA). Access is granted on a need-to-know basis and is regularly reviewed.
• Infrastructure Security: Our Services are hosted on SOC 2 Type II compliant cloud infrastructure with built-in DDoS protection, web application firewalls, intrusion detection systems, and 24/7 monitoring. We maintain geographically redundant backups and disaster recovery capabilities.
• Security Assessments: We conduct annual third-party security assessments, including penetration testing by qualified security firms. We also perform regular internal vulnerability scans and code reviews.
• Employee Security: All employees undergo background checks and sign confidentiality agreements. We provide mandatory security awareness training and conduct regular phishing simulations to maintain a security-conscious culture.
• Incident Response: We maintain documented incident response procedures and a dedicated security team. In the event of a data breach, we will notify affected users and relevant authorities within 72 hours as required by GDPR and other applicable laws.

While we implement robust security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents and continuously improving our security practices.

When determining the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, whether we can achieve those purposes through other means, and applicable legal requirements.

Upon account deletion or at your request, we will delete or anonymize your personal data within the timeframes specified above, unless we are required to retain it for legal, regulatory, or legitimate business purposes. Some information may be retained in our backup systems for a limited period before being permanently deleted.

You can control cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be notified before a cookie is set. However, disabling certain cookies may affect the functionality of our Services. You can also manage your cookie preferences through our cookie consent banner when you first visit our website.

For more information about cookies and how to manage them, please visit www.allaboutcookies.org.

We use Standard Contractual Clauses (SCCs) approved by the European Commission as the primary mechanism for transferring personal data from the EEA to the United States and other third countries. We also enter into Data Processing Agreements with all sub-processors that include appropriate data protection clauses and security requirements.

For transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement or UK Addendum to the EU SCCs, as appropriate. For transfers from Switzerland, we rely on the SCCs as approved by the Swiss Federal Data Protection and Information Commissioner.

Our Services are not intended for, and we do not knowingly collect personal information from, individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect, maintain, or use personal information from children under 16 years of age, and no part of our Services is directed to children.

If we learn that we have collected personal information from a child under 16, we will take steps to delete that information as quickly as possible. If you are a parent or guardian and you believe that your child has provided us with personal information without your consent, please contact us immediately at privacy@zatisfied.io, and we will take steps to remove that information from our systems.

If you are between 16 and 18 years of age, you may only use our Services with the involvement and consent of a parent or legal guardian.

Zatisfied Inc.
Attn: Privacy Team
7600 E Orchard Rd, Greenwood Village, CO 80111

For users in the European Economic Area, you also have the right to lodge a complaint with your local data protection supervisory authority if you believe that we have not complied with applicable data protection laws. However, we encourage you to contact us first so we can try to resolve your concerns directly.

We will respond to all legitimate requests within 30 days, or within the timeframe required by applicable law. In some cases, we may need to request additional information from you to verify your identity before responding to your request.