Privacy Policy
Last updated: April 27, 2026
This Privacy Policy describes how QUANTEMI S.R.L. ("Rezervatio", "we") collects, uses, stores, shares and protects personal data, in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679), Romanian Law no. 190/2018 and applicable legislation.
This policy applies to Users (business owners using the platform), End Customers (persons who call and interact with the AI voice agent), and Rezervatio Book app users (customers who make reservations directly through our mobile app).
1. Identity of the Controller / Processor
Tax ID (CUI): 54694424
Trade Registry No.: J2026031979003
Registered office: Năvodari, Jud. Constanța, Str. Liniștii nr. 8
General email: contact@rezervatio.ai
Data protection email (DPO): privacy@rezervatio.ai
Website: www.rezervatio.ai
1.1 GDPR Roles
| Context | Rezervatio Role | Explanation |
|---|---|---|
| User data (account, billing) | Data Controller | Rezervatio decides the purpose and means of processing the User's account data |
| End Customer data (reservations, calls) | Data Processor | Rezervatio processes End Customer data on behalf of and in accordance with the instructions of the User (the controller) |
2. Personal Data We Collect
2.1 User Data (business owners) — Rezervatio as Controller
| Category | Specific Data | Purpose | Legal Basis |
|---|---|---|---|
| Account and authentication | First name, last name, email address, password (cryptographic hash) | Account creation, authentication, communication | Performance of contract — Art. 6(1)(b) |
| Business data | Business name, address, phone, email, business sector, Tax ID (optional) | AI agent configuration, service personalization | Performance of contract — Art. 6(1)(b) |
| Operational configuration | Operating hours, zones, tables/seats, agent preferences, custom messages | Proper operation of the reservation service | Performance of contract — Art. 6(1)(b) |
| Billing data | Card data (processed exclusively by a certified payment processor — Rezervatio does not store card numbers), billing address, Tax ID | Payment processing, invoicing | Performance of contract — Art. 6(1)(b) + Legal obligation — Art. 6(1)(c) |
| Usage data | Minutes consumed, number of calls, dashboard activity logs | Billing, statistics, service improvement | Performance of contract — Art. 6(1)(b) + Legitimate interest — Art. 6(1)(f) |
| Technical data | IP address, browser type, operating system, pages accessed | Security, troubleshooting, fraud prevention | Legitimate interest — Art. 6(1)(f) |
2.2 End Customer Data (callers) — Rezervatio as Processor
| Category | Specific Data | Purpose | Legal Basis (of the User) |
|---|---|---|---|
| Reservation data | First name, last name, phone number (caller ID), email (optional), number of persons | Creating, managing and confirming the reservation | Legitimate interest of the business — Art. 6(1)(f) or Consent — Art. 6(1)(a) |
| Preferences | Food allergies, special occasions, special requests, preferred zone | Personalizing the experience, food safety | Legitimate interest — Art. 6(1)(f) / Consent — Art. 6(1)(a) |
| Voice data | Voice in real-time (processed via streaming, not stored as audio file on Rezervatio servers), text transcript of the conversation | Understanding and processing the reservation request via the AI agent | Legitimate interest — Art. 6(1)(f) |
| Call metadata | Caller phone number (caller ID), called number, call duration, date and time, session identifier | Billing the User, statistics, technical support, audit | Performance of contract with the User — Art. 6(1)(b) + Legitimate interest — Art. 6(1)(f) |
2.3 Demo Call (unauthenticated visitor)
When you initiate a demo call from the homepage ("Call me" form):
| Category | Specific Data | Source |
|---|---|---|
| Call identification | Phone number, IP address, timestamp | Visitor (manual input) |
| Anti-abuse | Temporary OTP code (SMS, valid 10 minutes), Cloudflare Turnstile token | Generated automatically to verify number ownership |
Legal basis: explicit consent (Art. 6(1)(a) GDPR). You grant permission by pressing "Call me" and entering the OTP code received via SMS.
Sub-processors: the same as for the entire platform — see section 5 (Telnyx for telephony/SMS, ElevenLabs for AI voice agent, Cloudflare for Turnstile anti-bot).
The voice conversation transits ElevenLabs for real-time processing. We do not store the audio; the automatic transcript is retained by ElevenLabs for a maximum of 30 days at source.
Demo-specific retention: phone number and IP are automatically deleted after 7 days (strict period for abuse prevention — multiple calls to third-party numbers). OTP codes expire in 10 minutes and are cleaned up after 24 hours.
Your rights: you can request immediate deletion of the number used by emailing privacy@rezervatio.ai. Data is deleted within 72 hours.
2.4 Data collected from Rezervatio Book app users
Users who create an account in the Rezervatio Book mobile app to book directly (without a phone call):
| Category | Specific data |
|---|---|
| Account identification | Phone number (OTP login); name is required at first login; email (if you sign in with Google or Apple) |
| Own reservations | History of reservations made via the app, status, notes |
| Reservation messages | Content of messages exchanged with the business in connection with a reservation. Deleted when the account is deleted. Basis: performance of the contract (Art. 6(1)(b)). |
| Favorites | Businesses / specialists saved as favorites |
| Push notifications | Push notification token / notification identifier generated by the device operating system, used solely for reservation-related notifications; can be disabled anytime in settings. Basis: consent (Art. 6(1)(a)). |
| Location | On-device only (if you grant access), to display the map and nearby businesses — it is not transmitted to or stored on our servers. |
| Camera | Camera access is used only to scan a business QR code (quick booking). The image is processed on-device; it is not transmitted to or stored on our servers. |
| Calendar | If you choose "Add to calendar", the reservation is written as an event to your device calendar. This is a strictly local operation; we do not access or store your calendar data. |
| Usage data | Login IP addresses, device, operating system |
| Consents | Acceptance by continued use (Terms + Privacy Policy); the app does not record versions/date/IP — unlike the business dashboard account, where consents are recorded with versioning. |
3. Legal Basis for Processing (Art. 6 GDPR)
| Legal Basis | GDPR Article | Applicability |
|---|---|---|
| Performance of contract | Art. 6(1)(b) | Providing services to Users under the chosen subscription; processing reservations |
| Legitimate interest | Art. 6(1)(f) | Service improvement, fraud prevention, security, aggregated statistics, technical support |
| Consent | Art. 6(1)(a) | Marketing communications (newsletter, promotions) — optional, with the possibility of withdrawal at any time |
| Legal obligation | Art. 6(1)(c) | Tax and accounting compliance (retention of invoices for 10 years per the Tax Code), responding to authority requests |
4. How We Use the Data
We use personal data exclusively for:
- Service provision — call processing via the AI agent, creation and management of reservations, sending confirmations
- Account administration — authentication, subscription management, billing
- Essential communications — service notifications, Terms changes, security alerts
- Technical support — resolution of issues reported by Users
- Platform improvement — aggregated and anonymized usage analysis to optimize the service
- Security — detection and prevention of fraud, abuse, cyberattacks
- Legal compliance — fulfilment of tax, accounting and reporting obligations
We DO NOT use data for: automated profiling with legal effects, sale to third parties, behavioural advertising, exclusively automated decision-making with significant impact.
5. Sub-processors
We do not sell or rent your data to anyone. We share data only with service providers strictly necessary for the operation of the platform:
| Provider | Purpose |
|---|---|
| AI voice agent | Voice processing (Speech-to-Text and Text-to-Speech) |
| Telephony | Telephony and SMS services |
| Hosting | ISO 27001 certified infrastructure in the European Union |
| Transactional email | Certified provider with EU localization |
| CDN and security | Cloudflare |
| Payment processing | PCI DSS Level 1 certified processor |
| Authentication (Apple) | "Sign in with Apple" — identity (DPF + SCC) |
| Authentication (Google) | "Google Sign-In" — identity (DPF + SCC) |
| Push notifications (Expo) | Delivery of push notifications — Expo Push (DPF + SCC) |
The complete, detailed and up-to-date list of sub-processors (with exact names, server locations and specific roles) is available in the Annex to the Data Processing Agreement (DPA), provided to all active B2B customers at onboarding.
The Controller (B2B User) will be notified at least 30 days before the addition or replacement of a sub-processor, in accordance with Art. 28(2) GDPR.
6. International Transfers
Data is stored predominantly in the European Union. For providers with operations outside the EU we use the EU-US Data Privacy Framework and Standard Contractual Clauses (SCC) as legal mechanisms in accordance with Chapter V of GDPR. All transfers are encrypted.
7. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law:
| Data Type | Retention Period | Justification |
|---|---|---|
| User account (active) | For the entire duration of the active account | Necessary for service provision |
| User account (after deletion) | 30 days after the deletion request | Grace period for recovery |
| Reservations and related data | 12 months from the reservation date | Statistics, disputes, support |
| Voice conversation summaries | 30 days from the call date | Support, troubleshooting, service improvement |
| Audio recordings | Not stored on Rezervatio servers — real-time processing only (streaming) | N/A |
| Call metadata (call logs) | 12 months | Billing, statistics, audit |
| Orphan call sessions (no associated reservation) | 30 days | Complete deletion |
| Billing and tax data | 10 years | Legal obligation — Tax Code, Accounting Law |
| Technical logs (server, errors) | 30 days | Security, troubleshooting |
| Security logs (authentication) | 6 months | Detection of unauthorized access, compliance |
| Demo calls from homepage (phone, IP) | 7 days | Strict abuse prevention — automatic daily cron |
| Demo OTP codes (SMS verification) | 10 minutes (validity) → 24 hours (full cleanup) | Automatic deletion |
Upon expiry of the retention period, data is automatically deleted or irreversibly anonymized.
8. Your Rights (Art. 15-22 GDPR)
As a data subject, you have the following rights, exercisable free of charge:
8.1 Right of Access (Art. 15)
You may request confirmation that we process personal data concerning you and a copy of such data, together with information on the purpose, categories, recipients and retention periods.
8.2 Right to Rectification (Art. 16)
You may request the correction of inaccurate data or completion of incomplete data concerning you, without undue delay.
8.3 Right to Erasure — "Right to be Forgotten" (Art. 17)
You may request the deletion of personal data in the following situations: the data is no longer necessary for the original purpose; you withdraw your consent; you object to the processing; the data has been processed unlawfully. This right does not apply if we have a legal obligation to retain.
8.4 Right to Restriction of Processing (Art. 18)
You may request the limitation of processing if: you contest the accuracy of the data; the processing is unlawful but you do not want deletion; we need the data for the establishment/exercise of a right in court; you have objected to the processing (pending verification).
8.5 Right to Data Portability (Art. 20)
You may request your data in a structured, commonly used and machine-readable format (JSON) by contacting privacy@rezervatio.ai, and you have the right to transmit such data to another controller. We respond within the legal time limit (one month, Art. 12(3) GDPR).
8.6 Right to Object (Art. 21)
You may object at any time to processing based on legitimate interest (Art. 6(1)(f)), including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
8.7 Right not to be Subject to an Automated Decision (Art. 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similar. Our AI agent processes reservation requests but does not make decisions with significant legal effects on data subjects.
8.8 Right to Withdraw Consent (Art. 7(3))
In case of processing based on consent, you may withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
8.9 Exercising Your Rights
Response time: maximum 30 calendar days from receipt of the request (extendable by 60 days in complex cases, with notification)
Identification: We may request identity verification to prevent unauthorized access to data
Cost: Free. In case of repetitive or excessive requests, we may charge a reasonable fee or refuse the request, in accordance with Art. 12(5) GDPR.
End Customers (persons making reservations): since the User (the business) is the controller of your data, please first address the respective business. If you do not receive a satisfactory response within 30 days, you may contact us directly at privacy@rezervatio.ai.
9. Data Security (Art. 32 GDPR)
We implement appropriate technical and organizational measures, in accordance with Art. 32 GDPR, including:
9.1 Technical Measures
- Encryption in transit via modern TLS protocols for all data transfers
- Secure password storage via robust cryptographic hash functions
- Database-level isolation via row-level security mechanisms
- Network protection — firewall, DDoS protection and rate limiting
- Automatic backup daily, encrypted, with disaster recovery plan
- Restricted administrative access — multi-factor authentication and unauthorized access detection mechanisms
- Modern authentication — limited-duration tokens and MFA support
- Active monitoring — secure logging and incident response
The complete technical details regarding security measures are available to active B2B customers under the Data Processing Agreement (DPA) and may be presented in the context of security audits with prior notice.
9.2 Organizational Measures
- Data minimization principle — we collect only data strictly necessary
- Storage limitation principle — automatic deletion upon expiry of the retention period
- Role-based access — access limited to the data necessary for each function
- Confidentiality — all collaborators with access to data have contractual confidentiality obligations
- Incident procedures — documented security incident response plan
- Periodic review — annual evaluation of security measures
10. Notification of Security Incidents (Art. 33-34 GDPR)
In the event of a personal data security breach:
- We will notify the National Supervisory Authority (ANSPDCP) within a maximum of 72 hours of becoming aware of the incident, unless the breach is unlikely to result in a risk to individuals' rights
- We will inform the affected Users (in our capacity as data processor) without undue delay and within a maximum of 48 hours of becoming aware of the incident
- If the breach is likely to result in a high risk to individuals' rights, we will directly inform the affected data subjects
- We will document each incident, the measures taken and the outcomes in our internal incident register
11. Cookies and Similar Technologies
For detailed information regarding the use of cookies and localStorage, please consult the Cookie Policy section of this page.
12. Changes to the Privacy Policy
This policy may be updated periodically. The date of the last update is displayed at the top of the document. Significant changes will be communicated by email to registered Users, a visible banner on the platform and publication on this page.
13. Right to Lodge a Complaint
If you consider that the processing of your personal data infringes GDPR, you have the right to lodge a complaint with the supervisory authority:
Address: B-dul G-ral. Gheorghe Magheru no. 28-30, Sector 1, postal code 010336, Bucharest, Romania
Phone: +40.318.059.211 / +40.318.059.212
Email: anspdcp@dataprotection.ro
Website: www.dataprotection.ro
14. Contact
Data Protection Officer (DPO): privacy@rezervatio.ai
General contact: contact@rezervatio.ai
Website: www.rezervatio.ai
EU · GDPR Compliant