Privacy Policy
Effective April 29, 2026 · We treat operator trust like produce — freshness matters.
HankEats helps independent service teams shepherd guest sentiment. That means we unavoidably intersect with personal phone numbers, handwritten feedback, payout metadata, and the emotional residue of tense nights — so we articulate plainly what crosses our wire, why it crosses, and where you wield control.
What we collect — merchants & staff
When you onboard, we stitch together business-facing profile data (slug, visuals, curated menu signatures, outbound review URLs), operational pacing (staff schedules used for attribution), notification preferences such as SMS alert numbers, Stripe customer identifiers, ledger rows for prepaid messaging wallets, and authentication handles managed through our hosted auth provider.
What we collect — guests
When you enter your mobile number here, we send a short text with a one-time code — the same approach your bank uses — so the owner knows a real guest left the note. Your star picks, written feedback, and dish tags stay tied to fair-use routing so we can keep private reviews off the public listings until you decide otherwise.
You check a separate box before continuing: the venue (or HankEats helping them) may text you about this visit. We never ask for extra passwords on this page — just the number you already use.
Why we retain it & for how long
Ledgers need durable references for payouts and dispute handling. Operational analytics stay hot while merchants remain active subscribers. Older rows may linger in encrypted backups bounded by SOC-aware vendor SLAs unless law compels narrower windows. Request deletion workflows through the publicly posted operations inbox. We escalate within pragmatic timelines (often under thirty days), noting legal holds when litigation or audits require a pause.
Subprocessors you should know
Vercel fronts our edge. Supabase persists structured data beneath strict denial-by-default row policies surfaced only through audited service-role calls. Clerk handles authentication choreography. Stripe tokenizes commerce. Twilio relays optional SMS when owners crave instant bedside alarms for soft spots. Each vendor maintains published DPAs referenced in HankEats's vendor register, available on request during diligence packs.
Your toolbox
Operators may request CSV exports describing recent ledger deltas, rectify inaccurate storefront profile fields inside the authenticated dashboard, or escalate privacy inquiries to the stewardship alias published on HankEats's contact surfaces. Regulatory notices get acknowledged by humans — founders still answer escalation threads alongside counsel when territory demands it.
Cookies & similar tech
HankEats and our authentication partner use session cookies and similar technologies so you stay signed in and so abuse signals can be rate-limited. You control cookies through your browser. Disabling cookies may break Dashboard access until you authenticate again.
Security
We encrypt data in transit (HTTPS everywhere on hankeats.com), restrict database access to audited server paths, hash sensitive tokens at rest where applicable, and rely on SOC-oriented vendors listed above — but no online service is flawless. Notify us promptly if you suspect misuse of an API key or other credentials we issued so we can rotate access.
U.S. state notices (summary)
Depending on your jurisdiction, you may have rights to know, delete, or correct certain personal information, and to appeal denials consistent with applicable state law. We honor verified consumer requests unless a legal exception applies. Authorized agents may submit requests with documentation as required by statute.
Contact / privacy inquiries
Email privacy@hankeats.com for privacy questions, data subject requests, or vendor diligence packages. Operational security reports may be routed through the same inbox with “Security” in the subject line.
This disclosure supplements — never replaces — counsel guidance for niche jurisdictions. Pair it with your insurance broker and GDPR counsel whenever you migrate across borders we have not enumerated here.