Privacy Policy
Your Privacy Matters to Us
Explore our Privacy Policy to learn how we collect, use, and safeguard the information you share with us.
PRIVACY POLICY SPEAKLOUDER
Effective Date: March 9, 2026
Last Updated: March 9, 2026
1. Who We Are (Data Controller)
SpeakLouder operates the voice-AI ordering platform accessible at speaklouder.ai and app.speaklouder.ai ("Service"). For the purposes of applicable data protection laws, SpeakLouder acts as the data controller in relation to account and usage data of restaurant operators who use our platform.
Contact for data protection inquiries: speaklouderpl@gmail.com
Note: Where SpeakLouder processes data about end-customers of restaurants (e.g., phone order data), the restaurant operator is the data controller, and SpeakLouder acts as a data processor on the operator's behalf.
2. Scope of This Policy
This Privacy Policy applies to:
Restaurant operators and their staff who register and use the SpeakLouder platform ("Business Users")
End-customers of restaurants who interact with the SpeakLouder AI voice system when placing phone orders ("Callers")
Visitors to speaklouder.ai and app.speaklouder.ai
It does not apply to data practices of third-party services we integrate with. Please refer to their respective privacy policies for information on how they handle data.
3. Data We Collect and Process
3.1 Business User Account Data
Registration: email address, hashed password, user identifier (UUID)
Profile: display name and business preferences
Session: authentication tokens (JWT) stored in your browser
3.2 Restaurant and Location Data
Restaurant name, location name, address, time zone, currency, phone number
POS credentials (encrypted with AES-256-GCM) used solely to integrate with your POS system
Agent configuration: opening hours, greeting text, voice settings, delivery options
3.3 Menu and Order Data
Menu items, categories, prices, modifiers, and availability synchronized from your POS system
Orders: customer name, phone number, delivery address, items ordered, order value, status
This data may include personal data of your end-customers; you are responsible as the controller for collecting necessary consents from them
3.4 Voice Call Data (Callers)
Caller phone number and call metadata (call ID, duration, success metrics)
Order details derived from the call (items, delivery address, name)
Call transcript summaries and AI-generated order extractions
Raw audio recordings are processed and stored by ElevenLabs on their infrastructure; SpeakLouder does not store raw audio
3.5 Subscription and Billing Data
Email address, Stripe customer ID, subscription tier, billing period
Full card details are never stored by SpeakLouder; they are processed and held solely by Stripe
3.6 Technical and Usage Data
Log data, automation logs (sanitized; no full PII or credentials)
IP addresses, browser type, and device identifiers for security and fraud prevention
Analytics events (with your consent): Google Analytics, Google Ads conversion data, Meta/Facebook Pixel events
3.7 Cookie and Local Storage Data
speaklouder-cookie-consent: stores your cookie preference (365-day expiry)
Supabase Auth tokens (JWT/refresh token) stored in localStorage for session management
Google and Meta tracking cookies set upon consent
4. How We Use Your Data and Legal Basis
We process data for the following purposes:
Purpose | Legal Basis (GDPR / UK GDPR)
Providing and operating the Service (account management, order processing, POS integration) | Performance of contract
Processing phone orders via AI voice assistant | Legitimate interests / Performance of contract
Sending transactional notifications (order confirmations, rejections) | Performance of contract / Legitimate interests
Subscription billing and payment processing | Performance of contract
Security, fraud prevention, and abuse detection | Legitimate interests
Analytics and product improvement (aggregated, anonymized) | Legitimate interests
Marketing analytics via Google/Meta (with consent only) | Consent
Compliance with legal obligations | Legal obligation
5. Data Retention
Account data: retained until you delete your account
Order and call data: retained as long as your account is active; deleted upon account deletion
Automation logs: retained for up to [90 days / to be confirmed] for operational purposes
Billing data: retained as required by law (typically 5-7 years for financial records)
Analytics data (Google / Meta): subject to those providers' retention policies
Upon account deletion, we initiate a cascade deletion process: all orders, voice conversation records, menu data, agent configurations, phone number records, and your user profile are deleted from our database. You will receive an email confirmation of deletion. Certain data may be retained by our sub-processors in accordance with their own retention policies.
6. Who We Share Data With (Sub-processors and Third Parties)
We share data only to the extent necessary to provide the Service. The following sub-processors may receive and process your data:
Supabase (supabase.com)
Database hosting, authentication, and backend functions. Region: [EU Frankfurt / US East - confirm in Supabase dashboard]. Supabase processes all core application data.
ElevenLabs (elevenlabs.io)
AI voice assistant, speech recognition, text-to-speech. Processes caller voice audio and call transcripts. ElevenLabs may process data in the United States.
OpenAI (openai.com)
May process call transcripts or order summaries for AI extraction purposes. Data processed in the United States.
Stripe (stripe.com)
Payment processing and subscription management. Processes billing email, payment details, and subscription data. Stripe is PCI-DSS certified.
Twilio (twilio.com)
Phone number provisioning, inbound call routing, and SMS. Processes caller phone numbers and call metadata.
Resend (resend.com)
Transactional email delivery. Processes recipient email addresses and email content (order confirmations, account notifications).
POS Hub
POS system integration. Processes restaurant identifiers, menu data, and order details to communicate with your POS system.
Slack (slack.com)
Internal operational notifications (e.g., order failures). Only sanitized, truncated identifiers are transmitted; no full personal data.
Google Analytics / Google Ads
Web analytics and advertising measurement. Activated only upon user consent. May transfer data to the United States.
Meta / Facebook Pixel
Advertising conversion tracking. Activated only upon user consent. May transfer data to the United States.
We do not sell your personal data to third parties.
7. International Data Transfers
The Service uses infrastructure and sub-processors located in the United States and potentially other countries outside the European Economic Area (EEA) and United Kingdom. Transfers to the United States rely on the following safeguards:
Standard Contractual Clauses (SCCs) approved by the European Commission or the UK ICO
Adequacy decisions where applicable
Binding Corporate Rules or equivalent mechanisms as maintained by individual sub-processors
Where sub-processors are participants in the EU-US Data Privacy Framework or the UK Extension thereof, we rely on that framework as an additional transfer mechanism. You can request details of the specific safeguards in place by contacting us at speaklouderpl@gmail.com.
8. Your Rights
8.1 Rights Under GDPR and UK GDPR
If you are located in the EEA or UK, you have the following rights:
Right of access: request a copy of personal data we hold about you
Right to rectification: correct inaccurate or incomplete data
Right to erasure ("right to be forgotten"): request deletion of your data (see account deletion process)
Right to restriction: request that we limit processing of your data
Right to data portability: receive your data in a structured, machine-readable format
Right to object: object to processing based on legitimate interests or for direct marketing
Right to withdraw consent: where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at: speaklouderpl@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your supervisory authority:
In Poland: UODO (uodo.gov.pl)
In the EU: the supervisory authority in your country of residence
In the UK: the Information Commissioner's Office (ICO) at ico.org.uk
8.2 Rights Under US State Laws (including California CCPA/CPRA)
If you are a California resident or resident of another US state with applicable privacy laws, you may have rights including:
Right to know what personal information is collected, used, shared, or sold
Right to delete personal information
Right to opt out of sale or sharing of personal information (we do not sell personal data)
Right to non-discrimination for exercising your privacy rights
To submit a request, contact us at: speaklouderpl@gmail.com. We will respond within the timeframe required by applicable law (generally 45 days for CCPA).
9. Cookies and Tracking Technologies
We use the following categories of cookies and similar technologies:
Strictly Necessary
Authentication tokens (Supabase JWT), cookie consent preference. These cannot be disabled as they are essential for the Service to function.
Analytics (requires consent)
Google Analytics: tracks page views and user behavior to help us improve the Service.
Advertising (requires consent)
Google Ads conversion tracking and Meta/Facebook Pixel: measure the effectiveness of our advertising campaigns.
You can manage your cookie preferences via the consent banner on our website. Withdrawing consent disables analytics and advertising cookies but does not affect strictly necessary cookies.
10. Security
We implement the following security measures:
AES-256-GCM encryption for stored POS credentials and Twilio tokens
HTTPS/TLS encryption for all data transmitted between your browser, our servers, and sub-processors
Row-Level Security (RLS) on our database to restrict data access by user and restaurant
HMAC signature verification for all inbound webhooks (ElevenLabs, Stripe, POS Hub)
Sanitized logging: logs do not contain full credentials, payment data, or complete personal identifiers
Despite these measures, no electronic transmission or storage is 100% secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes required by applicable law.
11. Children's Privacy
The Service is intended solely for business use by adults. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, please contact us immediately at speaklouderpl@gmail.com.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice in the app. The updated policy will be effective upon posting. We encourage you to review this page periodically.
13. Contact and Data Protection Inquiries
For any questions about this Privacy Policy, to exercise your rights, or to submit a data protection inquiry, please contact:
SpeakLouder
[Company Legal Name and Address - to be confirmed]
Email: speaklouderpl@gmail.com
Website: speaklouder.ai