Privacy Policy

YeboGuest

Last updated: 8 April 2026

1. Introduction

Yebo-AI (Pty) Ltd ("we", "us", "our"), a company registered in the Republic of South Africa, operates YeboGuest ("the Service"), a restaurant reservation management platform. This Privacy Policy explains how we collect, use, store, and protect personal information when you use our Service, whether you are a restaurant operator ("Subscriber") or a dining guest ("Guest").

We are committed to complying with the Protection of Personal Information Act, 2013 (POPIA) and, where applicable, the EU General Data Protection Regulation (GDPR).

2. Information Officer

In accordance with POPIA, we have appointed an Information Officer who is responsible for ensuring compliance with data protection legislation:

You may contact the Information Officer to exercise any of your rights described in this policy, to lodge a complaint, or to ask questions about how we process your personal information.

3. Data We Collect

We collect and process the following categories of personal information:

• Subscriber account information: Restaurant name, contact person name, email address, phone number, and billing details collected during registration and managed via Amazon Cognito authentication.
• Guest information: Guest names, email addresses, phone numbers, dining preferences, dietary requirements, and special requests as entered by the Subscriber or by the Guest through our booking widget.
• Reservation data: Booking date, time, party size, table assignments, reservation status, and history.
• Payment information: Subscription billing is processed by Stripe. We do not store full credit card numbers, CVVs, or sensitive payment credentials on our servers. Stripe retains payment instrument details in accordance with PCI DSS standards.
• Usage data: Log data including IP addresses, browser type, pages visited, and feature usage for service improvement and troubleshooting.
• AI-generated insights: Sentiment analysis results, booking suggestions, and guest research summaries produced by our AI features (see Section 5).

4. How We Use Your Data

We process personal information for the following purposes:

• Creating, managing, and displaying restaurant reservations.
• Authenticating Subscriber accounts and managing access controls.
• Processing subscription payments and managing billing.
• Sending reservation confirmations, reminders, and status updates via email (Amazon SES).
• Providing AI-powered features including sentiment analysis, booking assistance, and guest research (see Section 5).
• Monitoring online reviews via Google Places API to help Subscribers manage their reputation.
• Improving the Service, diagnosing technical issues, and ensuring security.

We process personal information on the following legal bases: (a) performance of a contract (providing the Service to Subscribers); (b) legitimate interest (improving the Service, security monitoring); (c) consent (where required for specific processing activities, such as AI-powered guest research); and (d) legal obligation (record-keeping, tax compliance).

5. AI Data Processing

YeboGuest uses artificial intelligence features to enhance the reservation experience. It is important that you understand how your data is processed by these features:

• Sentiment analysis: Guest feedback and review data may be sent to Anthropic's Claude API for sentiment analysis. This helps Subscribers understand guest satisfaction trends.
• Booking assistant: Reservation details and guest preferences may be processed by Anthropic's Claude API to provide intelligent booking suggestions and optimise table assignments.
• Guest research: When enabled by the Subscriber, guest information (such as name and associated business details) may be sent to Perplexity AI's API to provide contextual information that helps Subscribers prepare for guest visits.
• Review monitoring: Restaurant names and locations are sent to the Google Places API to retrieve publicly available reviews for reputation management.

Important: When data is processed by Anthropic (Claude API) and Perplexity AI, it is transmitted to servers located in the United States. These providers process data in accordance with their respective privacy policies and data processing agreements. We do not permit these providers to use your data for training their AI models beyond what is necessary to provide the service. Subscribers may disable AI features at any time through the Service settings.

6. Data Sub-Processors

We use the following third-party sub-processors to deliver the Service:

• Amazon Web Services (AWS): Cloud infrastructure, hosting (af-south-1, Cape Town), database (DynamoDB), authentication (Cognito), and email delivery (SES). Subject to the AWS Privacy Policy.
• Anthropic: AI processing for sentiment analysis and booking assistance via the Claude API (US-based). Subject to the Anthropic Privacy Policy.
• Perplexity AI: AI-powered guest research (US-based). Subject to the Perplexity AI Privacy Policy.
• Stripe: Subscription payment processing. Subject to the Stripe Privacy Policy.
• Google: OAuth authentication and Places API for review monitoring. Subject to the Google Privacy Policy.

7. Cross-Border Data Transfers

Your personal information is primarily stored in AWS af-south-1 (Cape Town, South Africa). However, certain processing activities require data to be transferred outside of South Africa:

• Anthropic (Claude API): Data is transferred to the United States for AI processing.
• Perplexity AI: Data is transferred to the United States for guest research features.
• Stripe: Payment data is processed internationally in accordance with PCI DSS standards.
• Google: OAuth tokens and Places API requests may be processed on Google's global infrastructure.

Where personal information is transferred outside of South Africa, we ensure that appropriate safeguards are in place, including contractual data processing agreements, to protect your information in compliance with POPIA Section 72 and, where applicable, GDPR Chapter V. You may request a copy of the relevant safeguards by contacting our Information Officer.

8. Data Storage and Security

• Primary storage: Reservation and guest data is stored in Amazon DynamoDB within the AWS af-south-1 (Cape Town) region.
• Encryption in transit: All data in transit is encrypted using TLS 1.2 or higher.
• Encryption at rest: Data at rest within AWS is encrypted using AES-256.
• Authentication: Subscriber accounts are secured via Amazon Cognito with support for multi-factor authentication.
• Access controls: Access to production infrastructure is restricted to authorised personnel using multi-factor authentication and role-based access controls.
• Monitoring: We employ logging and monitoring to detect and respond to security incidents.

9. Data Retention

• Active accounts: Reservation and guest data is retained for the duration of the Subscriber's active subscription.
• After cancellation: Upon cancellation of a subscription, we retain Subscriber data for 90 days to allow for reactivation. After this period, data is permanently deleted unless retention is required by law.
• Guest data: Guest personal information is retained for as long as the Subscriber's account is active. Guests may request deletion of their personal data at any time (see Section 10).
• Billing records: Payment and invoice records are retained for 5 years in accordance with South African tax legislation.
• AI-generated insights: Sentiment analysis results and research summaries are retained for as long as the associated reservation or guest record exists.
• Logs: System and access logs are retained for 12 months for security and troubleshooting purposes.

10. Your Rights

Under POPIA and, where applicable, the GDPR, you have the following rights regarding your personal information:

• Access: Request confirmation of whether we hold your personal information and obtain a copy of it.
• Rectification: Request correction of inaccurate or incomplete personal information.
• Deletion: Request erasure of your personal information, subject to legal retention obligations.
• Restriction: Request that we limit processing of your personal information in certain circumstances.
• Portability: Request your personal information in a structured, machine-readable format (GDPR only).
• Objection: Object to processing of your personal information where we rely on legitimate interests.
• Withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Lodge a complaint: You have the right to lodge a complaint with the Information Regulator (South Africa) at inforegulator.org.za or, for EU residents, with your local supervisory authority.

To exercise any of these rights, contact our Information Officer at privacy@yeboguest.com. We will respond within 30 days.

11. Cookies and Tracking

The Service uses the following cookies and similar technologies:

• Session cookies: Essential cookies used to maintain your authenticated session. These are strictly necessary for the Service to function and cannot be disabled.
• Authentication tokens: Managed by Amazon Cognito to securely identify logged-in Subscribers.

We do not use third-party advertising cookies, tracking pixels, or analytics cookies that track you across other websites. We do not sell or share cookie data with third parties for marketing purposes.

12. Data Processing (General)

• We do not sell, rent, or share your personal information with third parties for their own marketing purposes.
• We do not use automated decision-making that produces legal effects concerning you without human involvement.
• AI features produce advisory suggestions only; final decisions regarding reservations and guest management are always made by the Subscriber.

13. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact our Information Officer so that we can promptly delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the Subscriber's registered email address and through a notice within the Service. Continued use of the Service after changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

15. Contact Us

For questions, concerns, or data-related requests: