Important: We do not store your credit card numbers, debit card numbers, or bank account details. All payment processing is handled directly by Stripe, Inc., our third-party payment processor. Your payment credentials are transmitted directly to Stripe's PCI DSS Level 1 compliant servers and never touch our systems.
1. Introduction
TabSettle, Inc. ("TabSettle," "we," "our," or "us") operates the TabSettle payment service and restaurant platform. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our services, visit our website (tabsettle.com), or interact with our QR-code-based payment system at participating restaurants.
This policy is designed to comply with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA"), and other applicable privacy laws.
2. Categories of Personal Information We Collect
We collect the following categories of personal information:
2.1 Information You Provide Directly
- Contact Information: Name, email address, and phone number (when provided for receipt delivery).
- Transaction Information: Items you claim from a restaurant check, tip amount, and total payment amount. We receive a payment confirmation token from Stripe but do not receive or store your full card number.
2.2 Information Collected Automatically
- Device Information: Device type, operating system, browser type, and unique device identifiers.
- Usage Data: Interaction data including pages visited, time spent on the payment interface, and QR codes scanned.
- IP Address and Approximate Location: Used for fraud prevention and to associate payments with the correct restaurant. We do not collect precise GPS location.
2.3 Information from Third Parties
- Payment Processor (Stripe): Payment status, transaction ID, last four digits of card, card brand, and any disputes or chargebacks.
- Restaurant POS Systems (Toast, Square, Clover): Itemized check data, table number, and order details. We do not receive diner identity information from POS systems.
3. How We Use Your Personal Information
We use personal information for the following business purposes:
- Payment Processing: To facilitate split-payment transactions, calculate individual portions, apply tips, and process payments through Stripe.
- Receipt Delivery: To send transaction receipts via email (through Resend) or SMS (through Twilio).
- Service Operation: To operate, maintain, and improve the TabSettle payment experience and restaurant platform.
- Fraud Prevention and Security: To detect, prevent, and respond to fraud, abuse, security risks, and technical issues.
- Analytics: To understand usage patterns and improve our services. Analytics data is aggregated and de-identified where possible.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.
- Communications: To respond to your inquiries and send service-related communications. We do not send marketing messages unless you have opted in.
4. Who We Share Your Information With
We do not sell your personal information. We share personal information only with the following categories of recipients and only as necessary to provide our services:
SMS/Text Messaging Consent: All categories above exclude text messaging originator opt-in data and consent. This information will not be shared with or sold to any third parties or affiliates for marketing or promotional purposes.
4.1 Service Providers
- Stripe, Inc. — Payment processing. Stripe receives your payment credentials directly and processes transactions on behalf of the restaurant. Stripe's privacy policy: stripe.com/privacy
- Twilio, Inc. — SMS delivery for receipts and verification codes. Twilio receives your phone number only when you provide it for SMS receipts.
- Resend — Email delivery for receipts. Resend receives your email address only when you provide it for email receipts.
- Supabase — Database infrastructure. Transaction and session data is stored on Supabase's cloud infrastructure with row-level security.
- Render — Application hosting infrastructure.
- Sentry — Error monitoring and performance tracking. Sentry may receive anonymized technical data.
4.2 Restaurant Partners
Participating restaurants receive transaction data related to their own checks (items claimed, payment amounts, tip amounts) through their POS system integration. Restaurants do not receive your email address, phone number, or payment card details through our platform.
4.3 Legal and Safety
We may disclose personal information if required by law, subpoena, court order, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of TabSettle, our users, or the public.
5. Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the CCPA/CPRA:
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (such as data needed to complete a transaction or comply with a legal obligation).
- Right to Correct: You have the right to request that we correct inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. However, you may exercise this right at any time by using the "Do Not Sell or Share My Personal Information" link on our website.
- Right to Limit Use of Sensitive Personal Information: We only use sensitive personal information as necessary to provide our services.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
5.1 How to Exercise Your Rights
To submit a request to know, delete, or correct your personal information, you may:
We will verify your identity before processing your request by matching information you provide against information we have on file. We will respond to verifiable requests within 45 days. If we need more time (up to an additional 45 days), we will notify you of the extension and the reason.
5.2 Do Not Sell or Share My Personal Information
TabSettle does not sell your personal information as defined under the CCPA/CPRA. We do not share your personal information for cross-context behavioral advertising purposes. A "Do Not Sell or Share My Personal Information" link is available in the footer of our websites for your convenience and to exercise this right at any time.
6. Data Retention
We retain personal information only as long as necessary to fulfill the purposes described in this policy:
- Transaction Records: All transaction records are secured with Stripe and retained for 7 years to comply with financial record-keeping requirements and to support dispute resolution.
- Contact Information for Receipts: Email addresses and phone numbers provided for receipt delivery are retained for 90 days after the transaction, then automatically deleted unless you make another transaction.
- Device and Usage Data: Retained for up to 12 months for analytics and fraud prevention, then aggregated or deleted.
- Payment Data: We do not store payment card data. All payment credentials are processed and stored by Stripe in accordance with PCI DSS standards.
7. Data Security
We implement reasonable and appropriate technical and organizational security measures to protect personal information, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Row-level security policies isolating restaurant data
- Regular security monitoring and error tracking
- No storage of payment card data on our systems
- Access controls limiting employee access to personal information on a need-to-know basis
8. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us at privacy@tabsettle.com and we will promptly delete that information.
9. Cookies and Tracking Technologies
The TabSettle payment interface uses minimal, strictly necessary cookies to maintain your payment session (e.g., tracking which items you have claimed on a check). We do not use advertising cookies or cross-site tracking pixels.
Our marketing website (tabsettle.com) may use analytics cookies to understand website traffic. You can manage cookie preferences through your browser settings.
10. Third-Party Links
Our services may contain links to third-party websites or services (e.g., Stripe's payment interface). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing personal information.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on our websites with a revised effective date. Your continued use of our services after changes take effect constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
TabSettle, Inc.
Email: privacy@tabsettle.com
Website: tabsettle.com/privacy
Entity: TabSettle, Inc., a Delaware C-Corporation
13. Notice at Collection (CCPA/CPRA)
Pursuant to the CCPA/CPRA, the following table summarizes the categories of personal information we collect, the purposes for collection, and whether each category is sold or shared:
| Category | Purpose | Sold? | Shared? |
| --- | --- | --- | --- |
| Identifiers (name, email, phone) | Receipt delivery, communications | No | No |
| Commercial information (transaction records) | Payment processing, analytics | No | No |
| Internet/electronic activity (device info, usage data) | Service operation, fraud prevention | No | No |
| Geolocation (approximate, via IP) | Fraud prevention, restaurant association | No | No |
We do not collect sensitive personal information as defined under the CCPA/CPRA, with the exception of payment information which is processed directly by Stripe and never stored on our systems.