Privacy Policy
Last updated: April 27, 2026
1. Data Controller
The Batlr application and the batlr.app website are published by Lucas Khoury, an individual. In the absence of a designated Data Protection Officer, any question about data protection can be addressed to: privacy@batlr.app.
2. Data Collected
2.1 Restaurant Operator Data (app user)
- Identity and account: first name, last name, email address, hashed password, interface language
- Authentication identifiers: Sign in with Apple credentials (the "Hide My Email" relay is supported); Google OAuth credentials if you use Sign in with Google
- Restaurant: establishment name and address, professional phone number, currency, timezone, floor-plan configuration, and service settings
- Team members: first name, last name, email (managers), role, hashed PIN code (servers)
- Subscription: StoreKit transaction identifiers transmitted by Apple (productID, subscription dates, status), App Store Server Notification (V2) receipts
- Stripe Connect account: acct_… identifier of the Stripe account connected to your restaurant when you enable the Payments feature; KYC identity checks are performed and stored by Stripe and never by Batlr
2.2 Restaurant Customer Data
- Contact details: first name, last name, phone number, email address
- Reservation history: date, time, party size, assigned table, status, notes, source (app, widget, walk-in), preferred language
- CRM: tags, stars, free-form notes, allergies, preferences (entered by the restaurant operator)
- Marketing consent: marketing_consent boolean collected via the public widget at booking time, or directly by the restaurant operator in the application
- Payment: Stripe payment_method_id, Stripe payment_intent_id, payment status, pre-authorized or charged amount. Card numbers never transit through Batlr and are never stored on our servers: they are entered directly into a secure Stripe iframe (Stripe Elements)
2.3 Technical and Analytics Data
- Network: IP address collected by the infrastructure providers (Vercel, Supabase, Stripe), for fraud-prevention and technical-log purposes
- Product analytics (PostHog): Once you are signed in, your Batlr account identifier (Supabase user UUID), the identifier of your active restaurant, your subscription tier, and feature-interaction events (which screens you open, which actions you take, errors you encounter) are sent to the EU instance of PostHog (Frankfurt, Germany). These events are linked to your Batlr account so we can investigate bugs you report and prioritize the features you actually use. Analytics never include your restaurant's end-customers (guests). You can disable analytics at any time from Settings → Privacy → Usage analytics in the application.
- Transactional Link-Open Tracking: When you open a transactional link we have sent you (payment, reconfirmation, review request), we record the timestamp and open count for that specific link. This measure is strictly necessary for the restaurant to track your reservation and is based on our legitimate interest (GDPR Article 6.1.f). No personal data (IP address, browser, geographic location) is stored. To exercise your right to object, contact us at privacy@batlr.app.
- Diagnostics: application version, OS version, locale, build environment, crash and error reports (PostHog error tracking auto-captures Mach exceptions, POSIX signals, and uncaught NSExceptions), Supabase Edge Function logs (without guest personal content). Crash and diagnostic reports are linked to your Batlr account.
2.4 Data NOT Collected
The Batlr iOS application requests no broad system permissions: no access to your device location, contacts, camera, microphone, full photo library, calendar, or any other device sensor. When you upload a restaurant logo, cover image, or feedback screenshot, the iOS system photo picker (PhotosPicker) lets you choose specific items — Batlr only ever receives the images you explicitly select, never the rest of your library, and we never request "all photos" access. No advertising or third-party tracking cookies are placed on the batlr.app website.
3. Purposes of Processing
- Provision, maintenance, and improvement of the Batlr service
- Reservation, floor-plan, and waitlist management
- Restaurant customer relationship management (CRM)
- Sending confirmations, reminders, and post-visit messages by email and SMS
- Payment processing and no-show billing via Stripe Connect
- Transactional notifications to the restaurant's customers (email/SMS)
- Product analytics linked to your Batlr account (PostHog)
- Error and crash detection and correction
- Customer support and accounting/tax obligations
4. Legal Bases
- Performance of the contract: processing necessary to provide the Batlr service and execute reservations
- Legitimate interest: product improvement, fraud prevention, product analytics, infrastructure security
- Legal obligation: retention of billing data (Article L.123-22 of the French Commercial Code — 10 years)
- Consent: sending marketing communications by email/SMS (opt-in via the booking widget), use of Sign in with Apple or Sign in with Google when you choose to
5. Sub-processors and Data Sharing
Your data is never sold. It is processed by the following sub-processors, each bound by GDPR-compliant data-processing agreements (DPAs):
| Sub-processor | Purpose | Primary location |
|---|---|---|
| Supabase (Supabase Inc.) | Database, authentication, file storage, Edge Functions, realtime | Frankfurt, Germany (eu-central-1) |
| Apple (Apple Inc. / Apple Distribution International Ltd) | App distribution, StoreKit in-app purchases, Sign in with Apple, App Store Server notifications | United States / Ireland |
| Stripe (Stripe, Inc. / Stripe Payments Europe Ltd) | Card holds, prepayments, refunds, KYC verification for Stripe Connect | Ireland / United States |
| Google (Google LLC / Google Ireland Ltd) | Sign in with Google (when used) | Ireland / United States |
| Resend (Resend Inc.) | Transactional email delivery (confirmations, reminders, follow-ups, team invitations) | United States |
| Twilio (Twilio Inc.) | Transactional and marketing SMS delivery | United States |
| PostHog (PostHog Inc.) | Product analytics and crash/error capture (EU instance eu.i.posthog.com) | Frankfurt, Germany |
| Vercel (Vercel Inc.) | Hosting of the batlr.app website and public restaurant pages | United States (global edge network) |
| jsDelivr (Prospect One sp. z o.o.) | Runtime CDN for the public booking widget (Supabase JS, web fonts) | Global network |
For data transfers outside the European Union, Batlr relies on the European Commission's Standard Contractual Clauses (SCCs) and/or on the EU-U.S. Data Privacy Framework where applicable to the relevant sub-processor.
6. Retention Period
| Data category | Retention period |
|---|---|
| Account data (Batlr user) | For the lifetime of the account, then 3 years after the last activity |
| Reservation data | 3 years from the last visit |
| Billing data and invoices | 10 years (legal obligation, Art. L.123-22 of the French Commercial Code) |
| Technical logs and audit logs | 12 months |
| PostHog analytics data | 12 months |
When an account is deleted, certain invoices subject to legal retention may be kept in anonymized form (customer-name hash) in the legal_retention_invoices registry for the legal duration of 10 years, and then permanently deleted.
7. Your Rights
In accordance with GDPR, you have the following rights:
- Right of access to your data
- Right of rectification
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to object to and limit processing
- Right to withdraw your consent at any time
- Right to set post-mortem directives
To exercise these rights, contact us at privacy@batlr.app. We will respond within 30 days.
You may also file a complaint with the CNIL (the French Data Protection Authority — www.cnil.fr), or with your local equivalent data-protection authority.
8. Account Deletion
You may request the deletion of your account and all your data at any time:
- From the application: Settings → Account → Delete my account
- By email to privacy@batlr.app
More details on our dedicated account deletion page.
The deletion procedure run from the application chains the following steps:
- Automatic Stripe refund of any unconsumed prepayments (future-dated reservations)
- Anonymized archival of invoices subject to legal retention (10 years)
- Best-effort closure of attached Stripe Connect accounts
- Cascade deletion of restaurants, teams, reservations, floor plans, and waitlists
- Revocation of Sign in with Apple tokens, where applicable
- Permanent deletion of the Supabase authentication account (auth.admin.deleteUser) — without backup copy
Deletion takes effect within 30 days. Data subject to legal retention is kept for the required duration and then automatically purged.
9. Security
We implement appropriate technical and organizational measures:
- Encryption in transit (TLS 1.2+) and encryption at rest on Supabase databases
- Password hashing (bcrypt via Supabase Auth) and salted hashing of team PIN codes
- Role-based access control via Postgres Row-Level Security (RLS)
- Access logging and regular permission reviews
- Cryptographic verification of Apple App Store notifications (x5c certificate chain)
- Short-lived JWT authentication tokens, stored in the iOS Keychain and remotely revocable
10. Cookies and Local Storage
The batlr.app website uses only cookies strictly necessary for its operation and for remembering your language preference. No advertising or third-party tracking cookies are used.
The public booking widget and restaurant pages may use the browser's local storage (localStorage) to temporarily remember the information entered into the form, in order to avoid losing it in the event of a network error.
11. Changes
This policy may be updated. In case of a substantial change, we will notify you by email or through the application at least 30 days before the change takes effect.
12. Contact
For any questions about this policy: privacy@batlr.app