Privacy & Data Protection Policy

1. Introduction

August Guest (“we”, “us”, “our”) operates a cloud-based hospitality platform providing queue management, table service requests, and event voucher tools. This Privacy & Data Protection Policy describes how we collect, use, store, and protect personal information when you use our Service.

We are committed to transparency about our data practices. This policy applies to business owners who create accounts (“Customers”) and individuals who join queues (“Guests”).

2. Information We Collect

Business Owners (Customers)

• Full name (first and last) and email address
• Phone number (optional, provided at registration for account recovery and support)
• Email verification status (we require email confirmation during registration)
• Business information (name, type, address, phone number, operating hours)
• Billing and payment information (processed and stored by Stripe; we do not store credit card numbers)
• Account credentials
• Usage data and analytics
• IP address and device information

Queue Guests

• Name (optional, depending on queue configuration)
• Phone number (optional, required only for SMS notifications)
• Email address (optional)
• Party size
• Queue join time and status
• Token number (for token-based queues)
• Device information and IP address (collected automatically)

Table Service Guests (The Purser)

• Items requested (selected from quick-pick menu)
• Free-text message (optional)
• Table identifier
• Request timestamps (submitted, acknowledged, served)
• Device information and IP address (collected automatically)

Note: The Purser does not collect guest names, phone numbers, or email addresses.

Cheers Event Guests

• Email address (provided by the event organizer for invitation delivery)
• Name (optional, provided by the event organizer)
• Phone number (optional, provided by the event organizer)
• RSVP status (confirmed, regretted, or pending)
• Plus-one count (number of additional guests)
• Voucher redemption history (drink type, usage count)
• QR code identifier (unique per invitation)
• Payment status (paid, pending, none) for ticketed events
• Stripe checkout session identifier (for payment reconciliation on ticketed events)

Information Collected Automatically

• Browser type and version
• Operating system
• Pages visited and time spent
• Referring website
• IP address
• Cookies and similar tracking technologies

3. How We Use Your Information

We use collected information to:

• Provide, maintain, and improve the Service
• Verify account ownership via email confirmation during registration
• Contact account holders for support, security, or account recovery (using the phone number provided at registration, if any)
• Process queue entries and send status notifications via SMS
• Send event invitations, vouchers, RSVP reminders, and cancellation notices via email (Cheers product)
• Process payments and manage subscriptions
• Send account-related communications (billing, security, service updates)
• Monitor and analyze usage patterns to improve the Service
• Record payment confirmation status received from Stripe for event ticket purchases processed through the host's connected Stripe account
• Detect, prevent, and address fraud, abuse, and technical issues
• Comply with legal obligations
• Generate anonymized, aggregated analytics for product improvement

We do NOT use your information to:

• Sell personal data to third parties
• Send marketing or promotional SMS through queue notifications
• Build advertising profiles
• Make automated decisions that produce legal effects concerning you

4. Data Retention & Lifecycle

We follow a strict aggregate-then-purge policy. Guest personal data is converted into anonymous aggregate statistics and then permanently deleted. We do not retain guest personal data longer than operationally necessary.

Data lifecycle by product

• Queue guests: Personal data (name, phone, email) is aggregated into anonymous statistics and permanently deleted within 1 hour of the visit completing (seated, no-show, or left). Abandoned entries are deleted after 24 hours regardless.
• Table service requests (The Purser): Request data is aggregated and permanently deleted within 1 hour of being marked as served. Unserved requests are deleted after 12 hours.
• Cheers event guests: After the event ends, a summary report is emailed to the event organizer. Upon successful delivery of that summary, all guest personal data (emails, names, phones, RSVP status, voucher records, QR codes) is permanently deleted. A 7-day maximum retention applies regardless of email delivery.

What we keep

• Aggregate analytics: Anonymous statistics only (e.g., “Tuesday 6pm: 12 parties, avg wait 8 min”). These contain no personal information and cannot be linked back to individuals. Retained indefinitely.
• Customer account data: Business owner's own information (name, email, business details) retained for the duration of the account plus 90 days after deletion.
• Server logs: IP addresses and access logs retained for 30 days.

Billing data

All payment and billing data is processed and stored exclusively by our payment provider, Stripe. August Guest does not store credit card numbers, bank account details, or payment credentials. Retention of billing records, invoices, and payment history is governed by Stripe's privacy policy and applicable tax law.

5. Data Sharing and Third-Party Services

We share personal information only with the following categories of service providers, solely to operate the Service:

When a host enables ticketed events, guest payment data (name and email as provided during Stripe Checkout) is processed by Stripe on behalf of the host through the host's own connected Stripe account. August Guest receives only payment confirmation status (paid, pending, or refunded) via Stripe webhooks — we do not receive or store payment card details, billing addresses, or other financial information from guest ticket purchases.

We do not sell, rent, or trade personal information to third parties for their marketing purposes.

We may disclose information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect personal information, including:

• Encryption of data in transit (TLS/HTTPS)
• Encryption of data at rest
• Access controls and authentication
• Regular security monitoring
• Secure API key management

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

7. SMS Notifications and Consent

When a Guest provides their phone number to join a queue:

• The Guest consents to receiving transactional SMS notifications related to their queue status
• Message frequency: typically 1–3 messages per queue session
• Message and data rates may apply
• Guests may opt out at any time by replying STOP
• SMS notifications are transactional only — we never send marketing messages through queue notifications
• The business Customer is responsible for ensuring proper consent is obtained from Guests

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Right to Access: Request a copy of personal information we hold about you
• Right to Correction: Request correction of inaccurate personal information
• Right to Deletion: Request deletion of your personal information
• Right to Data Portability: Request your data in a machine-readable format
• Right to Opt Out: Opt out of certain data processing activities
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise any of these rights, contact us at hello@augustguest.com.

For Guest data: Queue and service request data is automatically aggregated and permanently deleted within hours of your visit. Cheers event data is deleted within 7 days of the event ending. If you need immediate deletion, use the deletion request form below or contact us.

9. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• We do not sell your personal information
• We do not share your personal information for cross-context behavioral advertising
• You have the right to know what personal information we collect, use, and disclose
• You have the right to request deletion of your personal information
• You have the right to opt out of the sale or sharing of your personal information (not applicable as we do not sell or share)
• You will not be discriminated against for exercising your rights

Categories of personal information collected: Identifiers (name, email, phone number, IP address), commercial information (billing records), internet activity (usage data), and professional information (business details).

10. Healthcare Providers

If you are a healthcare provider using the Service:

• You are the data controller and are solely responsible for HIPAA compliance
• August Guest does not offer Business Associate Agreements (BAAs)
• You must configure the Service to avoid displaying Protected Health Information (PHI) on public screens
• We recommend using token-number-only queue modes for healthcare settings
• Guest queue data is automatically deleted after 24 hours, but this does not constitute a HIPAA-compliant data retention policy
• You assume all responsibility for ensuring your use of the Service complies with HIPAA and applicable state health privacy laws

11. Children's Privacy

The Service is not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at hello@augustguest.com.

12. Cookies and Tracking

We use essential cookies to maintain session state and authentication. We do not use third-party advertising cookies or cross-site tracking technologies. You can configure your browser to refuse cookies, but some features of the Service may not function properly without them.

13. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify affected individuals without unreasonable delay, and in any event within 72 hours of becoming aware of the breach
• Notify applicable state authorities as required by law
• Provide information about the nature of the breach, the types of information involved, and steps being taken to address it

14. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We do not specifically target users outside the United States.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For material changes, we will provide notice via email or within the Service at least 30 days before the changes take effect. Continued use of the Service after changes take effect constitutes acceptance.

16. Contact Us

For privacy-related questions or to exercise your rights:

Email: hello@augustguest.com

17. Data Deletion