Privacy Policy

1. Introduction

ElyteFlow (“we,” “our,” or “us”) operates elyteflow.com and app.elyteflow.com (the “Platform”), an AI-native point-of-sale and restaurant operating system. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our Platform, visit our website, or interact with our services.

By using ElyteFlow, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Platform.

2. Who We Are

ElyteFlow is the data controller for personal data collected through our website and Platform. For inquiries regarding this policy, contact us at:

Email: privacy@elyteflow.com

3. Information We Collect

3.1 Information You Provide Directly

• Account information: Name, email address, phone number, business name, and password when you create an account
• Business information: Restaurant name, location(s), business type, and operational details
• Payment information: Billing details processed through Stripe (we do not store full card numbers — Stripe handles all payment data under their own PCI-DSS compliance)
• Customer data you input: Guest profiles, order history, loyalty points, and dietary preferences entered by you or your staff into the Platform
• Communications: Messages you send to our support team or via our demo booking system

3.2 Information Collected Automatically

• Usage data: Features accessed, pages visited, actions taken within the Platform, and time spent
• Device and browser data: IP address, browser type, operating system, device identifiers
• Log data: Server logs including access times, pages viewed, and error reports
• Cookies and tracking technologies: As described in our Cookie Policy

3.3 Information from Third Parties

• Stripe: Subscription status, payment method type, and transaction metadata (not full card details)
• Supabase: Database and authentication infrastructure — data stored within your account
• Cal.com: Name, email, and booking details when you schedule a demo
• Vercel Analytics: Anonymized page view and performance data

4. How We Use Your Information

We use the information we collect to:

• Provide and operate the Platform: Process orders, manage inventory, display analytics, and run AI agent features
• Process payments and manage subscriptions: Handle billing, trial periods, upgrades, and cancellations via Stripe
• Power AI agent features: Your operational data (sales, orders, inventory, staff activity) is processed by Anthropic's Claude API to generate insights, forecasts, and recommendations through our AI agents. See Section 7 for details.
• Communicate with you: Send transactional emails (receipts, trial reminders, billing notifications), product updates, and respond to support requests
• Improve the Platform: Analyze usage patterns to fix bugs, improve features, and develop new capabilities
• Ensure security: Detect fraud, unauthorized access, and abuse of our systems
• Comply with legal obligations: Meet requirements under applicable laws in the US, Egypt, UAE, Saudi Arabia, and the EU

5. Legal Basis for Processing (GDPR — EU Users)

For users in the European Union, we process personal data under the following legal bases:

• Contract performance: Processing necessary to provide the Platform services you have subscribed to
• Legitimate interests: Security monitoring, fraud prevention, product improvement, and analytics — where our interests do not override your rights
• Legal obligation: Compliance with applicable laws and regulations
• Consent: Where we have obtained your explicit consent, such as for marketing communications

You have the right to withdraw consent at any time where consent is the legal basis for processing.

6. Data Sharing and Disclosure

We do not sell your personal data. We share data only in the following circumstances:

6.1 Service Providers (Sub-processors)

We share data with trusted third-party service providers who process data on our behalf:

All sub-processors are bound by data processing agreements and required to maintain appropriate security standards.

6.2 Legal Requirements

We may disclose your information if required by law, court order, or government authority in any jurisdiction where we operate, including the US, Egypt, UAE, Saudi Arabia, or EU member states.

6.3 Business Transfers

If ElyteFlow is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6.4 With Your Consent

We may share your data for any other purpose with your explicit consent.

7. AI Agent Data Processing

ElyteFlow's AI agents are powered by Anthropic's Claude API. When you use AI agent features (including the Ops Assistant, Anomaly Detector, Demand Forecaster, and other agents), your operational data — including sales figures, order data, inventory levels, and staff activity — is transmitted to Anthropic's API for processing to generate insights and recommendations.

For more information on how Anthropic handles data, see: anthropic.com/privacy

8. Payment Data

All payment processing is handled by Stripe, Inc. ElyteFlow does not store credit card numbers, CVV codes, or full payment account details. Stripe is PCI-DSS Level 1 compliant.

For POS terminal payments processed through Stripe Connect, card data is handled directly by Stripe's secure payment infrastructure. Encrypted payment provider credentials for MENA gateways (Paymob, HyperPay, Tap Payments) are stored using AES-256-GCM encryption and are never transmitted in plain text.

9. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Specifically:

• Account data: Retained for the duration of your subscription plus 90 days after account closure
• Transaction and order data: Retained for 7 years to comply with financial record-keeping requirements
• Support communications: Retained for 3 years
• Analytics data: Retained in aggregated, anonymized form indefinitely
• Deleted data: When you delete your account, personal data is purged within 30 days, except where retention is required by law

10. Data Security

We implement industry-standard security measures including:

• TLS/HTTPS encryption for all data in transit
• AES-256-GCM encryption for sensitive stored credentials
• Row-level security (RLS) policies in our database to enforce multi-tenant data isolation
• Role-based access controls limiting staff access to authorized data only
• Regular security monitoring and anomaly detection

However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

11. International Data Transfers

ElyteFlow operates globally. Your data may be transferred to and processed in countries outside your own, including the United States, where our primary infrastructure is hosted.

For EU users: When transferring data outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards as required by GDPR Chapter V.

For users in Egypt and MENA: We comply with applicable local data protection regulations including Egypt's Personal Data Protection Law (Law No. 151 of 2020) and relevant UAE and Saudi data regulations. Where required, data may be processed locally or subject to additional safeguards.

12. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

All Users

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data (subject to legal retention requirements)
• Data portability: Request your data in a machine-readable format

EU Users (GDPR)

• Restriction: Request that we restrict processing of your data
• Objection: Object to processing based on legitimate interests
• Complaint: Lodge a complaint with your local supervisory authority

US Users (where applicable)

California residents may have additional rights under the CCPA/CPRA including the right to opt out of sale of personal information (we do not sell personal information).

To exercise any of these rights, contact us at privacy@elyteflow.com. We will respond within 30 days (or within the timeframe required by applicable law).

13. Children's Privacy

ElyteFlow is a business-to-business platform intended for use by adults operating food and beverage businesses. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, please contact us immediately at privacy@elyteflow.com.

14. Third-Party Links

Our Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties and encourage you to review their privacy policies.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a prominent notice on our Platform. Your continued use of ElyteFlow after changes are posted constitutes your acceptance of the updated policy.

16. Contact Us

For privacy-related questions, requests, or concerns:

Email: privacy@elyteflow.com

Website: elyteflow.com

For EU-specific inquiries or to exercise GDPR rights, you may also contact us at the above email with the subject line “GDPR Request.”