Privacy Policy
Last updated: July 2026
This Privacy Policy describes how Miso ("we", "our"), publisher of the Miso Resa platform, collects, uses, shares, and protects personal data in connection with the Site and the Miso Resa application.
1. Data controller
The data controller is:
Miso, a French SAS with a share capital of €10,000, registered under SIREN number 105 989 305 (RCS Rennes), whose registered office is located at 2 rue de la Mabilais, 35000 Rennes, France.
For any question regarding your personal data: contact@misogroup.ai
2. Who this policy applies to
Miso Resa connects two categories of individuals, whose data is processed differently:
- Restaurant operators and their teams (Owner, Manager, Staff): users who hold a Miso Resa account to manage their establishment.
- Restaurant end customers: individuals who make a reservation via the web widget, the AI voice agent, WhatsApp, or whose reservation is entered manually by restaurant staff.
3. Data we collect
3.1 Restaurant operator accounts (Owner / Manager / Staff)
- Identity: first name, last name, email address, phone number
- Login credentials, or Google identifier if signing in via Google Sign-In
- Restaurant information: name, address, opening hours, floor plan configuration, menu
- Billing data: managed by our payment provider Stripe (see section 5)
- Connection and platform usage logs
3.2 End customers (individuals booking a table)
- Identity: first name, last name, phone number, email address (if provided)
- Reservation details: date, time, number of covers, assigned table, special requests
- Dietary preferences and restrictions, including allergens: this data may constitute health data within the meaning of Article 9 of the GDPR. It is only collected if the customer voluntarily provides it (e.g., when booking) and is used exclusively so the restaurant can prepare the service. Legal basis: the customer's explicit consent.
- Reservation history, reliability status (calculated from no-shows/late cancellations), VIP status
- Content of exchanges with the AI voice agent (call transcript) or the WhatsApp agent, limited to what is necessary to process the reservation request
- Data transmitted through third-party reservation channels (WhatsApp, phone)
3.3 Data from the Google Business Profile connection
When a restaurant operator connects their Google Business Profile account to Miso Resa, we access, with their explicit authorization (OAuth), the following data:
- Public information from the business listing (name, address, hours, category)
- Customer reviews (Google Reviews) left on the business listing
3.4 Data from the point-of-sale (POS) integration
If the restaurant connects its POS system (Zelty, or in the future L'Addition/Lightspeed), we receive POS tickets (amounts, timestamps) to enrich attendance statistics and the customer CRM profile.
4. Purposes and legal bases of processing
| Purpose | Legal basis |
|---|---|
| Providing the reservation service and account management | Performance of a contract |
| Automatic table placement and AI recommendations | Legitimate interest (optimizing service for the restaurant) |
| Sending reservation-related notifications (confirmation, reminder, cancellation) | Performance of a contract |
| Sending marketing communications (email/SMS/WhatsApp) | Consent (opt-in), revocable at any time |
| Managing allergens and dietary preferences | Explicit consent |
| Billing and payment | Performance of a contract / legal obligation |
| Security, fraud prevention, no-show detection | Legitimate interest |
| Service improvement | Legitimate interest |
5. Data sharing — subprocessors and recipients
We use the following providers, who process data on our behalf strictly within the purposes described above:
| Provider | Role | Data involved |
|---|---|---|
| Supabase | Database and file hosting | All platform data |
| Vercel | Web application hosting | Navigation data, logs |
| VAPI | AI voice agent orchestration | Call content, reservation data |
| Telnyx | Telephony (numbers, inbound calls, SMS) | Phone number, call/SMS content |
| Cartesia | Text-to-speech (AI agent voice) | Text to be spoken (no personal data stored by this provider) |
| Anthropic (Claude) | AI model used for certain features (e.g., table placement, dashboard analysis) | Reservation data necessary for the relevant feature (no data is used to train Anthropic's models) |
| OpenAI | AI model used for certain features (e.g., WhatsApp conversational agent) | Exchange content necessary for the relevant feature (no data is used to train OpenAI's models, in accordance with their API policy) |
| Resend | Transactional email delivery | Email address, email content |
| Brevo | SMS delivery and marketing campaigns | Phone number, message content |
| Stripe | Payment and billing | Payment data (Miso Resa never stores card data) |
| Zelty (and future POS systems) | POS synchronization | POS tickets, floor plan |
| Sign-In and Google Business Profile | Google identifier, email, customer reviews, business listing |
We do not sell any personal data. We do not share data with third parties for advertising purposes.
6. International data transfers
Data hosted on Supabase is stored in the EU region (eu-west-1, Ireland). Vercel Functions are configured to run in the EU region (cdg1, Paris). The application's primary storage and compute therefore remain within the EU.
That said, a transfer outside the EU still occurs, for two reasons:
- Vercel Inc. is a U.S. company: even with compute configured on
cdg1, some data passes through Vercel's U.S. infrastructure (in particular IP addresses, required for DDoS protection to function), and Vercel may transfer data to the United States as part of its operations. - Other providers (VAPI, Cartesia, OpenAI, Anthropic) may process data outside the EU depending on their own infrastructure.
These transfers are governed by the European Commission's Standard Contractual Clauses and/or the EU-U.S. Data Privacy Framework (Vercel is certified under it), a mechanism recognized as adequate under the GDPR for transferring data outside the EU.
7. Data retention
- Restaurant operator account data: for the duration of the contractual relationship, then archived in accordance with legal obligations (accounting, etc.)
- End customer profile (contact data, preferences, history): automatically anonymized after 36 months of inactivity (no new reservation), a period configurable by the restaurant (Owner) from their settings
- Full AI voice call transcripts: retained for 14 days (via Vapi), after which only a structured summary (without verbatim data) is kept on the customer record — in line with a data minimization principle
- WhatsApp conversation history: retained, then deleted within 90 days following a customer opt-out request (STOP)
- Billing data: statutory accounting retention period (10 years)
8. Data security
We implement appropriate technical and organizational measures to protect data: multi-tenant isolation via Row Level Security (each restaurant only accesses its own data), encryption of secrets and third-party API keys (Supabase Vault), and role- and permission-based access management per user.
9. Your rights
In accordance with the GDPR, every data subject has the following rights over their data:
- Right of access and rectification
- Right to erasure
- Right to restriction of processing
- Right to object
- Right to data portability
- Right to withdraw consent at any time (without retroactive effect)
- Right to lodge a complaint with the CNIL (cnil.fr)
To exercise these rights: contact@misogroup.ai. End customers of a restaurant may also contact the relevant restaurant directly, which acts as the data controller for the data it collects via Miso Resa.
10. Use of data obtained from Google APIs
Miso Resa offers a connection via Google Sign-In (account creation / login) and an integration with Google Business Profile (review management, business listing). Miso Resa's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:
- Data obtained via Google APIs (identifier, email, Google reviews, business listing information) is used solely to provide and improve user-facing features (account login, display and management of customer reviews).
- This data is never sold to third parties.
- This data is never used for advertising purposes, including advertising remarketing/retargeting.
- This data is not used to train generalized artificial intelligence models.
- Access to this data can be revoked at any time by the user from their Google account settings (myaccount.google.com/permissions) or from Miso Resa's settings.
11. Cookies
The Site uses cookies strictly necessary for its operation (session, authentication).
We plan to use audience measurement cookies (e.g., Google Analytics) and, potentially, marketing pixels (e.g., for advertising conversion tracking) in the future. These cookies are not yet in place as of the publication date of this policy; once deployed, a consent management banner (CMP) will be implemented in accordance with applicable regulations (ePrivacy Directive), and this section will be updated accordingly.
12. Minors
Miso Resa is not intended for minors under the age of 15, and the Site does not knowingly solicit data from this population.
13. Changes to this policy
We may amend this Privacy Policy from time to time. Any material change will be notified to users (banner on the application and/or email) before it takes effect, and renewed consent will be requested where necessary, in particular regarding the use of Google data.
14. Contact
For any question regarding this policy or your personal data: contact@misogroup.ai