BevTek.ai Privacy Policy

BevTek provides SaaS software and AI‑powered tools to independent beverage retailers to help them manage inventory, support staff training, and assist shoppers via chat, text, and voice interactions.

Our legal entity details:

• BevTek.ai, Inc.
• Contact: privacy@bevtek.ai
• Postal address: 3000 Old Alabama Road, Alpharetta, Georgia, USA

1.1. Controller vs. processor

Our role depends on the data and the context:

• For retailer and staff data (e.g., admin accounts, usage telemetry, and billing data), BevTek generally acts as an independent “controller” (or “business” under California law).
• For shopper data that we process on behalf of a specific retailer (e.g., calls, text messages, chat transcripts associated with that store), BevTek generally acts as a “processor” or “service provider” to that retailer, which is the primary controller or business for that shopper data.

If you are a shopper and have questions about how your local store uses your data beyond what is described here, you should also review that store’s own privacy policy.

The categories of personal data we collect depend on whether you are a Retailer or a Shopper, and how you interact with our Services.

2.1. Data we collect from retailers and their staff

Account and profile data

• Name
• Email address
• Password hash (we do not store raw passwords)
• Role (e.g., owner, manager, staff)
• Store(s) you are associated with
• Any preferences or settings you configure in your account

Business content you provide

• Inventory data (product names, SKUs, descriptions, tasting notes, categorization, stock levels)
• Pricing and promotional information
• Store profile (store name, address, hours, branding, imagery)
• Team roster and internal role assignments
• Other content or metadata that you upload or configure in the Services

Billing and payment data

• Subscription plan, billing contact, and billing history
• Limited payment data (e.g., last 4 digits of card, card type, billing country) as returned by our payment processor
• We do not store full payment card numbers; these are handled by our payment provider (currently Stripe) pursuant to its own terms and privacy policy.

Usage, telemetry, and device data

• Log data (timestamps, IP address, browser type, OS, app version, referral URL)
• Feature usage (which modules, pages, or API endpoints are accessed and when)
• Error logs, performance metrics, and diagnostic information
• Approximate location (e.g., city/region) inferred from IP address for security and analytics

We generally collect this data directly from you (when you sign up, configure your store, or use the dashboard and APIs) or automatically from your browser or device when you access the Services.

2.2. Data we collect from shoppers

When shoppers interact with BevTek‑powered channels (e.g., Gabby on a store’s website, SMS/iMessage, or a voice assistant that answers a store’s phone line), we may collect and process:

Interaction content

• Messages you send to AI assistants (e.g., chat content, questions, feedback)
• Voice call audio, where applicable, and transcripts of those calls
• SMS/iMessage content and replies

Identifiers and contact details

• Phone number, when you text or call a BevTek‑powered number
• Technical identifiers such as IP address and user agent (browser or device type)
• Session identifiers or other technical IDs used to associate interactions with a store’s session or conversation

Consent and preference data

• Text messaging consent status (opt-in/opt-out) and timestamp
• Records of STOP or similar keywords used to opt out of SMS or iMessage communications
• Records of any other communication preferences you set (where available)

Basic analytics on shopper‑facing sites

• Device type, referrer, and pages viewed on a BevTek‑powered store website
• Timestamps and interaction events (e.g., opening the assistant, sending a message)
• We do not use third‑party advertising cookies for cross‑site behavioral advertising on shopper‑facing surfaces.

We generally collect this data directly from you (your messages, calls, and clicks) and automatically from your browser or device as you use the channel.

2.3. Sensitive and special categories of data

Our Services are not designed to collect sensitive personal data (such as health, biometric, or financial account details) or special category data under GDPR. We also do not intend to collect data about children (see Section 10).

If you inadvertently share sensitive data through an interaction (e.g., in a chat message), we will process it only as necessary to provide the requested service and in accordance with this Policy and applicable law.

We use the personal data described above for the following purposes, and, where applicable, under the legal bases indicated for GDPR/UK GDPR.

3.1. To provide and operate the Services

• Set up and manage retailer and staff accounts
• Authenticate users and maintain sessions
• Ingest and store retailer inventory, product, and store data
• Facilitate shopper interactions with AI assistants (chat, text, and voice)
• Display and search inventory and store details to shoppers and staff
• Route, process, and log calls and messages on behalf of retailers

Legal bases (EEA/UK, where applicable): performance of a contract (Article 6(1)(b) GDPR); legitimate interests in providing and improving the Services (Article 6(1)(f)).

3.2. To communicate with you

• Send you service‑related communications (e.g., account notices, security alerts, feature updates)
• Respond to your support requests and inquiries
• Send transactional messages (e.g., password resets, billing notices)
• For retailers who opt in, send product updates or newsletters

Legal bases: performance of a contract; legitimate interests in operating and growing our business; your consent, where required (e.g., certain marketing communications).

You may opt out of non‑essential marketing emails at any time via the unsubscribe link, but we may still send important service or security notices.

3.3. To power AI features and improve response quality

• Use AI model providers (currently Anthropic) to process messages and generate responses on behalf of retailers
• Provide inventory‑aware recommendations, answer store‑specific questions, and support staff training scenarios
• Analyze anonymized or aggregated interaction patterns to improve prompts, reliability, and user experience

We configure our AI model providers so that data we send is not used to train their general‑purpose models, to the extent such configuration is available under our agreements with them.

We may create and use de‑identified or aggregated data (for example, statistics on the types of questions asked or feature usage) for analytics, product improvement, and research. We do not attempt to re‑identify individuals from this aggregated information.

Legal bases: performance of a contract (providing the AI features the retailer signed up for); legitimate interests in improving and securing our AI systems.

3.4. To comply with messaging and carrier rules

• Maintain required records of text messaging opt‑in and opt‑out states
• Honor STOP and similar keywords for all BevTek‑powered lines
• Help retailers comply with carrier and telecom rules regarding consent, frequency, and content of messages

Legal bases: compliance with legal obligations; legitimate interests in maintaining lawful, reliable messaging services.

3.5. To bill and prevent fraud

• Process payments and manage subscriptions via our payment processor
• Track usage for billing, quota management, and enforcement of fair use limits
• Monitor and detect fraudulent or abusive activity (e.g., spam, misuse of AI endpoints)

Legal bases: performance of a contract; legitimate interests in protecting our business and customers; compliance with legal obligations (e.g., accounting, tax).

3.6. To secure, maintain, and improve the Services

• Monitor system performance, uptime, and reliability
• Investigate and remediate incidents, errors, and security events
• Run internal analytics to understand which features are used and where to invest product resources
• Test and roll out new features and improvements

Legal bases: legitimate interests in operating, securing, and developing our Services.

Where the EU General Data Protection Regulation (“GDPR”) or UK GDPR applies, we rely on the following legal bases:

• Performance of a contract— where processing is necessary to provide the Services (e.g., account management, AI responses, messaging).
• Legitimate interests— for purposes such as improving our Services, securing our systems, preventing fraud, and understanding usage patterns, provided these interests are not overridden by your rights and interests.
• Consent— for certain activities where required by law (e.g., some marketing communications, specific cookies, or optional data uses). You may withdraw consent at any time using the mechanisms provided or by contacting us.
• Compliance with legal obligations— where we must process data to comply with applicable laws (e.g., telecom rules, accounting standards, or responding to lawful requests from authorities).

If you have questions about a specific processing activity or its legal basis, you can contact us at privacy@bevtek.ai.

We do not sell personal data in the traditional sense, and we do not use shopper data for cross‑context behavioral advertising.

We share personal data with the following categories of recipients, only as necessary for the purposes described above and subject to appropriate safeguards:

5.1. Retailers and their staff

If you are a shopper, your interactions with a BevTek‑powered assistant, phone line, or site are typically associated with a specific retailer. That retailer and its authorized staff may have access to:

• Call transcripts and, where applicable, recordings
• Message content (e.g., SMS, chat) and associated metadata (timestamp, phone number)
• Conversation logs and analytics related to their store’s interactions

We provide tools for retailers to review, export, and delete this data in line with their compliance needs and our contractual obligations.

5.2. Service providers (subprocessors)

We use carefully selected third‑party service providers to help us operate the Services. These providers process personal data only on our instructions and are contractually required to use it solely to provide services to BevTek and to protect it appropriately. As of the effective date, our key subprocessors include:

• Supabase — database, authentication, file storage
• Vercel — application hosting and edge delivery
• Anthropic — AI model inference for chat and related features
• Retell AI — voice receptionist, call transport, transcription
• Sendblue — iMessage/SMS delivery
• Stripe — payments and billing
• Resend — transactional email delivery

We may update this list from time to time as we evolve the Services. Where required by law or contract, we will enter into appropriate data processing agreements (DPAs) and, for international transfers, implement Standard Contractual Clauses or equivalent mechanisms.

5.3. Professional advisors and corporate transactions

We may disclose personal data to:

• Legal, accounting, auditing, or other professional advisors, where necessary to obtain advice or protect our rights
• A potential buyer, investor, or successor in connection with a merger, acquisition, financing, or sale of all or part of our business, subject to confidentiality obligations and applicable law

5.4. Legal and regulatory disclosures

We may disclose personal data when we believe in good faith that such disclosure is:

• Required by law, regulation, or legal process (e.g., court orders, subpoenas)
• Necessary to respond to lawful requests from public or government authorities
• Necessary to protect the rights, property, or safety of BevTek, our customers, users, or the public
• Necessary to detect, prevent, or address fraud, security, or technical issues

5.5. Aggregated or de‑identified data

We may share aggregated, anonymized, or de‑identified information that does not reasonably identify any individual with third parties for research, analytics, or product improvement. We do not attempt to re‑identify individuals from this data.

BevTek is based in the United States and uses service providers that may process personal data in the United States and other countries.

If you access the Services from the EEA, UK, or other regions with data protection laws that differ from those in the United States, please note that we may transfer your personal data to countries that may not provide the same level of data protection as your home jurisdiction.

Where required by law, we use appropriate safeguards to protect personal data during such transfers, such as:

• Standard Contractual Clauses approved by the European Commission
• The UK International Data Transfer Addendum or equivalent mechanisms for UK transfers
• Other contractual, organizational, and technical measures

You may contact us at privacy@bevtek.ai for more information about these safeguards or to request a copy (subject to redaction for confidentiality).

We retain personal data for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.

In particular:

Retailer account and configuration data

Retained for the life of the retailer account and for up to 90 days after cancellation to support export, dispute resolution, and account recovery, unless a longer period is needed to comply with legal obligations or to establish, exercise, or defend legal claims.

Call, chat, and message transcripts for shoppers

Retained in accordance with the retailer’s configured retention settings, subject to applicable law and technical limits. Retailers may choose shorter windows for their own compliance or preference. We may retain limited records beyond that window where required by law or carrier rules, or to resolve disputes and investigate abuse.

Text messaging opt‑out records

Retained for as long as telecommunications and applicable consumer protection rules require, even if the related retailer account is closed, to ensure that opt‑out preferences are honored.

Logs and security data

Retained for a period that is reasonably necessary for security, auditing, debugging, and analytics (typically between 30 and 365 days, depending on the log type), unless a longer period is required for incident investigations or legal purposes.

When we no longer need personal data for the purposes described, we will delete or anonymize it, or, if that is not possible (for example, because it is stored in backup archives), we will securely store it and isolate it from further processing until deletion is feasible.

We use technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

• Encryption of data in transit (TLS) and at rest
• Role‑based access controls and authentication safeguards
• Row‑level security in our primary database to isolate each retailer’s data
• Secret management and rotation policies for service‑role keys and webhook secrets
• Logging, monitoring, and automated secret scanning in our development workflows
• Regular backups and business continuity planning

However, no method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.

If we become aware of a data breach that affects your personal data in a way that presents a high risk to your rights and freedoms, we will notify you and/or the relevant retailer and regulators as required by applicable law.

Your privacy rights depend on your location and how we interact with you. We strive to honor valid rights requests from individuals, either directly (where we are a controller/business) or in coordination with the relevant retailer (where we are a processor/service provider).

9.1. Rights available to many users

Subject to applicable law, you may have the right to:

• Access— Request confirmation of whether we process your personal data and receive a copy.
• Correction (rectification)— Ask us to correct inaccurate or incomplete personal data.
• Deletion (erasure)— Request deletion of your personal data, subject to certain exceptions (e.g., legal obligations, ongoing disputes).
• Restriction— Ask us to restrict processing of your personal data in certain circumstances.
• Objection— Object to certain processing, including where we rely on legitimate interests.
• Portability— Request a copy of your personal data in a structured, commonly used, machine‑readable format, where processing is based on consent or contract and carried out by automated means.
• Withdraw consent— Where we rely on your consent, you can withdraw it at any time, without affecting the lawfulness of processing already carried out.

9.2. California privacy rights (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (as amended by the CPRA), including the right to:

• Know the categories and specific pieces of personal information we have collected about you
• Know the categories of sources from which we collected personal information
• Know the purposes for which we use personal information
• Know the categories of third parties with whom we disclose personal information
• Request deletion of your personal information (subject to certain exceptions)
• Request correction of inaccurate personal information
• Request information about personal information “sold” or “shared” (as those terms are defined under California law) and to opt out of such “sales” or “sharing”
• Not be discriminated against for exercising your privacy rights

BevTek does not sell or share personal data for cross‑context behavioral advertising as those terms are defined under California law. If this changes, we will update this Policy and provide appropriate notices and opt‑out mechanisms.

9.3. Exercising your rights

Retailers and staff

• You can access, update, or delete much of your account and store data directly via the BevTek dashboard.
• For additional requests, contact us at privacy@bevtek.ai from the email address associated with your account, and we will assist you.

Shoppers

• For SMS/iMessage communications, you can reply STOP at any time to opt out of further messages from that BevTek‑powered number.
• To request access to or deletion of your messages and associated phone number from a particular store’s logs, email privacy@bevtek.ai and include:
  • The phone number you used
  • The approximate timeframe and store (if known)
• In many cases, we will coordinate with the relevant retailer, who acts as the primary controller/business for that shopper data.

We may need to verify your identity (for example, by confirming control of the phone number or email address you provide) before responding to a rights request. We may deny or limit requests where we are unable to verify your identity, where another party’s rights would be affected, or where we need to retain data for legal, security, or compliance reasons. Where we act solely as a processor/service provider, we may refer your request to the relevant retailer.

The Services are designed for use by beverage retailers and adult shoppers. We do not knowingly collect personal data from children under the age of 13 (or a higher age of consent where required by local law), and we do not target or direct the Services to children.

Shopper‑facing AI assistants and tools are explicitly restricted from recommending or facilitating the sale of alcoholic beverages to anyone who appears to be under the applicable legal drinking age. Retailers are responsible for their own age‑verification practices offline (e.g., ID checks at the point of sale).

If you believe we have collected personal data from a child in violation of this Policy, please contact us at privacy@bevtek.ai, and we will take appropriate steps to delete the data and, if necessary, terminate the associated account or access.

Our use of cookies and similar technologies is intentionally limited:

• We may use first‑party cookies or local storage to remember session state, authentication, and basic preferences.
• We may use first‑party analytics or privacy‑respecting tools to understand aggregate usage of retailer dashboards and shopper‑facing sites (e.g., page views, feature adoption).
• We do not use third‑party advertising cookies or track individuals across unrelated websites for behavioral advertising.

Where required by law (e.g., in the EEA/UK), we may display a notice or banner and, where necessary, request your consent for certain cookies or similar technologies. You can manage cookie preferences through your browser or device settings, though disabling some cookies may limit the functionality of the Services.

We may update this Privacy Policy from time to time to reflect changes in our Services, our data practices, or applicable laws. When we make material changes, we will:

• Update the “Effective date” at the top of this page, and
• Notify retailers by email or through in‑app notices, and
• Where required by law, obtain your consent to material changes.

We encourage you to review this Policy periodically to stay informed about our privacy practices.

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, or if you wish to exercise your rights, please contact us:

• Email: privacy@bevtek.ai
• Postal mail: 3000 Old Alabama Road, Alpharetta, Georgia, USA

If you are in the EEA, UK, or another jurisdiction that provides a right to lodge a complaint with a supervisory authority, you may also have the right to contact your local data protection authority. We would, however, appreciate the chance to address your concerns first.