Back to site
Terms and Conditions Privacy Policy Cookie Policy GDPR

Privacy Policy

Last updated: April 27, 2026

This Privacy Policy describes how QUANTEMI S.R.L. ("Rezervatio", "we") collects, uses, stores, shares and protects personal data, in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679), Romanian Law no. 190/2018 and applicable legislation.

This policy applies to Users (business owners using the platform), End Customers (persons who call and interact with the AI voice agent), and Rezervatio Book app users (customers who make reservations directly through our mobile app).

1. Identity of the Controller / Processor

Name: QUANTEMI S.R.L.
Tax ID (CUI): 54694424
Trade Registry No.: J2026031979003
Registered office: Năvodari, Jud. Constanța, Str. Liniștii nr. 8
General email: contact@rezervatio.ai
Data protection email (DPO): privacy@rezervatio.ai
Website: www.rezervatio.ai

1.1 GDPR Roles

ContextRezervatio RoleExplanation
User data (account, billing)Data ControllerRezervatio decides the purpose and means of processing the User's account data
End Customer data (reservations, calls)Data ProcessorRezervatio processes End Customer data on behalf of and in accordance with the instructions of the User (the controller)

2. Personal Data We Collect

2.1 User Data (business owners) — Rezervatio as Controller

CategorySpecific DataPurposeLegal Basis
Account and authenticationFirst name, last name, email address, password (cryptographic hash)Account creation, authentication, communicationPerformance of contract — Art. 6(1)(b)
Business dataBusiness name, address, phone, email, business sector, Tax ID (optional)AI agent configuration, service personalizationPerformance of contract — Art. 6(1)(b)
Operational configurationOperating hours, zones, tables/seats, agent preferences, custom messagesProper operation of the reservation servicePerformance of contract — Art. 6(1)(b)
Billing dataCard data (processed exclusively by a certified payment processor — Rezervatio does not store card numbers), billing address, Tax IDPayment processing, invoicingPerformance of contract — Art. 6(1)(b) + Legal obligation — Art. 6(1)(c)
Usage dataMinutes consumed, number of calls, dashboard activity logsBilling, statistics, service improvementPerformance of contract — Art. 6(1)(b) + Legitimate interest — Art. 6(1)(f)
Technical dataIP address, browser type, operating system, pages accessedSecurity, troubleshooting, fraud preventionLegitimate interest — Art. 6(1)(f)

2.2 End Customer Data (callers) — Rezervatio as Processor

CategorySpecific DataPurposeLegal Basis (of the User)
Reservation dataFirst name, last name, phone number (caller ID), email (optional), number of personsCreating, managing and confirming the reservationLegitimate interest of the business — Art. 6(1)(f) or Consent — Art. 6(1)(a)
PreferencesFood allergies, special occasions, special requests, preferred zonePersonalizing the experience, food safetyLegitimate interest — Art. 6(1)(f) / Consent — Art. 6(1)(a)
Voice dataVoice in real-time (processed via streaming, not stored as audio file on Rezervatio servers), text transcript of the conversationUnderstanding and processing the reservation request via the AI agentLegitimate interest — Art. 6(1)(f)
Call metadataCaller phone number (caller ID), called number, call duration, date and time, session identifierBilling the User, statistics, technical support, auditPerformance of contract with the User — Art. 6(1)(b) + Legitimate interest — Art. 6(1)(f)
Important regarding voice data: The End Customer's voice is processed in real-time (streaming) by the AI agent for speech recognition (Speech-to-Text) and voice response generation (Text-to-Speech). Rezervatio servers do not store audio or full transcripts — only a text summary of the conversation is retained, automatically deleted after 30 days. Audio and the full transcript are temporarily stored by the AI voice sub-processor on their EU-based servers, with automatic deletion after 30 days.
Important — special-category data (Art. 9 GDPR): In the context of medical clinics or dental practices, phone conversations or bookings made with healthcare providers may incidentally reveal health information (symptoms, reason for visit). The AI voice agent is instructed not to explicitly request such data — in particular, it no longer asks about allergies. If the caller mentions it on their own initiative, it is processed strictly for managing the reservation and benefits from the same security measures as all other data.

2.3 Demo Call (unauthenticated visitor)

When you initiate a demo call from the homepage ("Call me" form):

CategorySpecific DataSource
Call identificationPhone number, IP address, timestampVisitor (manual input)
Anti-abuseTemporary OTP code (SMS, valid 10 minutes), Cloudflare Turnstile tokenGenerated automatically to verify number ownership

Legal basis: explicit consent (Art. 6(1)(a) GDPR). You grant permission by pressing "Call me" and entering the OTP code received via SMS.

Sub-processors: the same as for the entire platform — see section 5 (Telnyx for telephony/SMS, ElevenLabs for AI voice agent, Cloudflare for Turnstile anti-bot).

The voice conversation transits ElevenLabs for real-time processing. We do not store the audio; the automatic transcript is retained by ElevenLabs for a maximum of 30 days at source.

Demo-specific retention: phone number and IP are automatically deleted after 7 days (strict period for abuse prevention — multiple calls to third-party numbers). OTP codes expire in 10 minutes and are cleaned up after 24 hours.

Your rights: you can request immediate deletion of the number used by emailing privacy@rezervatio.ai. Data is deleted within 72 hours.

2.4 Data collected from Rezervatio Book app users

Users who create an account in the Rezervatio Book mobile app to book directly (without a phone call):

CategorySpecific data
Account identificationPhone number (OTP login); name is required at first login; email (if you sign in with Google or Apple)
Own reservationsHistory of reservations made via the app, status, notes
Reservation messagesContent of messages exchanged with the business in connection with a reservation. Deleted when the account is deleted. Basis: performance of the contract (Art. 6(1)(b)).
FavoritesBusinesses / specialists saved as favorites
Push notificationsPush notification token / notification identifier generated by the device operating system, used solely for reservation-related notifications; can be disabled anytime in settings. Basis: consent (Art. 6(1)(a)).
LocationOn-device only (if you grant access), to display the map and nearby businesses — it is not transmitted to or stored on our servers.
CameraCamera access is used only to scan a business QR code (quick booking). The image is processed on-device; it is not transmitted to or stored on our servers.
CalendarIf you choose "Add to calendar", the reservation is written as an event to your device calendar. This is a strictly local operation; we do not access or store your calendar data.
Usage dataLogin IP addresses, device, operating system
ConsentsAcceptance by continued use (Terms + Privacy Policy); the app does not record versions/date/IP — unlike the business dashboard account, where consents are recorded with versioning.

3. Legal Basis for Processing (Art. 6 GDPR)

Legal BasisGDPR ArticleApplicability
Performance of contractArt. 6(1)(b)Providing services to Users under the chosen subscription; processing reservations
Legitimate interestArt. 6(1)(f)Service improvement, fraud prevention, security, aggregated statistics, technical support
ConsentArt. 6(1)(a)Marketing communications (newsletter, promotions) — optional, with the possibility of withdrawal at any time
Legal obligationArt. 6(1)(c)Tax and accounting compliance (retention of invoices for 10 years per the Tax Code), responding to authority requests

4. How We Use the Data

We use personal data exclusively for:

We DO NOT use data for: automated profiling with legal effects, sale to third parties, behavioural advertising, exclusively automated decision-making with significant impact.

5. Sub-processors

We do not sell or rent your data to anyone. We share data only with service providers strictly necessary for the operation of the platform:

ProviderPurpose
AI voice agentVoice processing (Speech-to-Text and Text-to-Speech)
TelephonyTelephony and SMS services
HostingISO 27001 certified infrastructure in the European Union
Transactional emailCertified provider with EU localization
CDN and securityCloudflare
Payment processingPCI DSS Level 1 certified processor
Authentication (Apple)"Sign in with Apple" — identity (DPF + SCC)
Authentication (Google)"Google Sign-In" — identity (DPF + SCC)
Push notifications (Expo)Delivery of push notifications — Expo Push (DPF + SCC)

The complete, detailed and up-to-date list of sub-processors (with exact names, server locations and specific roles) is available in the Annex to the Data Processing Agreement (DPA), provided to all active B2B customers at onboarding.

The Controller (B2B User) will be notified at least 30 days before the addition or replacement of a sub-processor, in accordance with Art. 28(2) GDPR.

6. International Transfers

Data is stored predominantly in the European Union. For providers with operations outside the EU we use the EU-US Data Privacy Framework and Standard Contractual Clauses (SCC) as legal mechanisms in accordance with Chapter V of GDPR. All transfers are encrypted.

7. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law:

Data TypeRetention PeriodJustification
User account (active)For the entire duration of the active accountNecessary for service provision
User account (after deletion)30 days after the deletion requestGrace period for recovery
Reservations and related data12 months from the reservation dateStatistics, disputes, support
Voice conversation summaries30 days from the call dateSupport, troubleshooting, service improvement
Audio recordingsNot stored on Rezervatio servers — real-time processing only (streaming)N/A
Call metadata (call logs)12 monthsBilling, statistics, audit
Orphan call sessions (no associated reservation)30 daysComplete deletion
Billing and tax data10 yearsLegal obligation — Tax Code, Accounting Law
Technical logs (server, errors)30 daysSecurity, troubleshooting
Security logs (authentication)6 monthsDetection of unauthorized access, compliance
Demo calls from homepage (phone, IP)7 daysStrict abuse prevention — automatic daily cron
Demo OTP codes (SMS verification)10 minutes (validity) → 24 hours (full cleanup)Automatic deletion

Upon expiry of the retention period, data is automatically deleted or irreversibly anonymized.

8. Your Rights (Art. 15-22 GDPR)

As a data subject, you have the following rights, exercisable free of charge:

8.1 Right of Access (Art. 15)

You may request confirmation that we process personal data concerning you and a copy of such data, together with information on the purpose, categories, recipients and retention periods.

8.2 Right to Rectification (Art. 16)

You may request the correction of inaccurate data or completion of incomplete data concerning you, without undue delay.

8.3 Right to Erasure — "Right to be Forgotten" (Art. 17)

You may request the deletion of personal data in the following situations: the data is no longer necessary for the original purpose; you withdraw your consent; you object to the processing; the data has been processed unlawfully. This right does not apply if we have a legal obligation to retain.

8.4 Right to Restriction of Processing (Art. 18)

You may request the limitation of processing if: you contest the accuracy of the data; the processing is unlawful but you do not want deletion; we need the data for the establishment/exercise of a right in court; you have objected to the processing (pending verification).

8.5 Right to Data Portability (Art. 20)

You may request your data in a structured, commonly used and machine-readable format (JSON) by contacting privacy@rezervatio.ai, and you have the right to transmit such data to another controller. We respond within the legal time limit (one month, Art. 12(3) GDPR).

8.6 Right to Object (Art. 21)

You may object at any time to processing based on legitimate interest (Art. 6(1)(f)), including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.

8.7 Right not to be Subject to an Automated Decision (Art. 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similar. Our AI agent processes reservation requests but does not make decisions with significant legal effects on data subjects.

8.8 Right to Withdraw Consent (Art. 7(3))

In case of processing based on consent, you may withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

8.9 Exercising Your Rights

Contact: privacy@rezervatio.ai
Response time: maximum 30 calendar days from receipt of the request (extendable by 60 days in complex cases, with notification)
Identification: We may request identity verification to prevent unauthorized access to data
Cost: Free. In case of repetitive or excessive requests, we may charge a reasonable fee or refuse the request, in accordance with Art. 12(5) GDPR.

End Customers (persons making reservations): since the User (the business) is the controller of your data, please first address the respective business. If you do not receive a satisfactory response within 30 days, you may contact us directly at privacy@rezervatio.ai.

9. Data Security (Art. 32 GDPR)

We implement appropriate technical and organizational measures, in accordance with Art. 32 GDPR, including:

9.1 Technical Measures

The complete technical details regarding security measures are available to active B2B customers under the Data Processing Agreement (DPA) and may be presented in the context of security audits with prior notice.

9.2 Organizational Measures

10. Notification of Security Incidents (Art. 33-34 GDPR)

In the event of a personal data security breach:

11. Cookies and Similar Technologies

For detailed information regarding the use of cookies and localStorage, please consult the Cookie Policy section of this page.

12. Changes to the Privacy Policy

This policy may be updated periodically. The date of the last update is displayed at the top of the document. Significant changes will be communicated by email to registered Users, a visible banner on the platform and publication on this page.

13. Right to Lodge a Complaint

If you consider that the processing of your personal data infringes GDPR, you have the right to lodge a complaint with the supervisory authority:

National Supervisory Authority for Personal Data Processing (ANSPDCP)
Address: B-dul G-ral. Gheorghe Magheru no. 28-30, Sector 1, postal code 010336, Bucharest, Romania
Phone: +40.318.059.211 / +40.318.059.212
Email: anspdcp@dataprotection.ro
Website: www.dataprotection.ro

14. Contact

QUANTEMI S.R.L.
Data Protection Officer (DPO): privacy@rezervatio.ai
General contact: contact@rezervatio.ai
Website: www.rezervatio.ai