Privacy Policy
Privacy Policy for Fleksa, Inc. - How we collect, use, and protect your data
Privacy Policy
Fleksa, Inc. Effective Date: December 2024 Last Updated: December 2024
1. Introduction
Fleksa, Inc. ("Fleksa," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our restaurant technology platform and related services.
2. Information We Collect
2.1 Information You Provide
Account Information:
- Business name and details
- Contact information (name, email, phone)
- Billing and payment information
- Restaurant location and operating hours
Restaurant Data:
- Menu items and pricing
- Order history and transaction data
- Customer reservation information
- Employee/staff information
2.2 Information Collected Automatically
Usage Data:
- Log files and device information
- IP addresses and browser type
- Pages visited and features used
- Time and date of access
Cookies and Tracking:
- Session cookies for authentication
- Analytics cookies for service improvement
- Marketing cookies (with consent)
2.3 Information from Third Parties
- Payment processors (transaction status, not full card numbers)
- Delivery service integrations
- Marketing and analytics partners
3. How We Use Your Information
We use your information to:
- Provide Services: Operate our platform, process orders, manage reservations
- Improve Services: Analyze usage patterns, develop new features
- Communicate: Send service updates, support responses, and (with consent) marketing
- Security: Detect fraud, protect against unauthorized access
- Legal Compliance: Meet regulatory requirements, respond to legal requests
4. Information Sharing
We may share your information with:
4.1 Service Providers (named)
A current list, including categories of data and country of processing, is maintained at /en/legal/us/subprocessors.
| Vendor | Purpose | Country |
|---|---|---|
| Vercel Inc. | Hosting, CDN, edge network | USA (EU region available) |
| Supabase Inc. | Database, auth, storage | USA / EU |
| Cloudflare Inc. | DNS, DDoS, WAF, CDN | Global |
| Stripe, Inc. | Payment processing | USA |
| Resend Inc. | Transactional & marketing email | USA |
| PostHog Inc. | Product analytics, feature flags | USA / EU |
| Vercel AI Gateway | LLM routing layer | USA |
| Anthropic PBC | LLM (zero retention) | USA |
| OpenAI, LLC | LLM (zero retention) | USA |
| Google LLC | LLM (Gemini), Maps, Google Business Profile, Firebase Auth | USA |
| Langfuse GmbH | LLM tracing & observability | Germany |
| DataForSEO LLC | SEO data | USA / EU |
| Serper.dev | Search-result data | USA |
| Twilio Inc. | SMS / voice (when enabled) | USA |
| Sentry (Functional Software, Inc.) | Error monitoring | USA / EU |
4.2 Business Partners
Integration partners when you connect third-party services to your account (e.g., delivery aggregators, accounting software, marketing tools).
4.3 Legal Requirements
When required by law, valid legal process, court order, or to protect Fleksa's rights, property, or safety, or that of users or the public.
4.4 Business Transfers
In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets.
We do not sell your personal information in the conventional sense and do not share it for cross-context behavioral advertising. To the extent any disclosure could be deemed a "sale" or "share" under the CCPA/CPRA, you may opt out via Do Not Sell or Share My Personal Information.
5. Data Retention
We retain your information for as long as your account is active or as needed to provide services and meet legal obligations.
| Data type | Retention | Basis |
|---|---|---|
| Account & contact information | Duration of account + 90 days | Service provision |
| Transaction & payment records | 7 years from transaction date | IRS / state tax law |
| System & security logs | 12 months | Security monitoring |
| Marketing data | Until opt-out | Consent |
| Aggregated / de-identified data | Indefinitely | Not personally identifiable |
After account termination, personal data is deleted or anonymized within 90 days, subject to the statutory retention periods above.
5a. Sensitive Personal Information (CPRA)
Categories of "sensitive personal information" we may collect:
- Account credentials (username + password) used to access an account;
- Precise geolocation, only when explicitly enabled (e.g., delivery range tools);
- Payment-account identifiers in tokenized form (full card numbers are handled exclusively by PCI-DSS certified processors and not stored by Fleksa);
- Government identifiers, only to the extent required for tax forms or KYC by payment partners.
We use sensitive personal information only for the purposes permitted under Cal. Civ. Code § 1798.121 (providing the Service, security, fraud prevention, compliance) and do not use it to infer characteristics about you.
6. Data Security
We implement appropriate security measures including:
- Encryption in transit (TLS/SSL) and at rest
- Access controls and authentication
- Regular security assessments
- Employee training on data protection
See our Data Protection page for more details.
7. Your Rights and Choices
7.1 Access and Correction
You can access and update your account information through our platform or by contacting us.
7.2 Data Export
You can request a copy of your data in a portable format.
7.3 Deletion
You can request deletion of your personal information, subject to legal retention requirements.
7.4 Marketing Opt-Out
You can unsubscribe from marketing communications at any time.
7.5 Cookie Preferences
You can manage cookie preferences through your browser settings or our cookie consent tool.
8. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
8.1 Right to Know
You can request disclosure of:
- Categories of personal information collected
- Sources of personal information
- Business purposes for collection
- Categories of third parties with whom we share data
- Specific pieces of personal information collected
8.2 Right to Delete
You can request deletion of your personal information, with certain exceptions.
8.3 Right to Correct
You can request correction of inaccurate personal information.
8.4 Right to Opt-Out of Sale/Sharing
We do not sell personal information. If this changes, we will provide opt-out mechanisms.
8.5 Right to Limit Use of Sensitive Personal Information
You can limit our use of sensitive personal information to necessary purposes.
8.6 Non-Discrimination
We will not discriminate against you for exercising your privacy rights.
8.7 How to Exercise Rights
- Email: privacy@fleksa.com
- Phone: +1 512-777-0405
- We will respond within 45 days (extendable by 45 additional days where reasonably necessary, with notice).
8.8 Authorized Agent
You may designate an authorized agent to make a request on your behalf. We may require verification of the agent's authority and your identity.
8.9 Annual CCPA Metrics
For the prior calendar year, Fleksa received fewer than 250 individual CCPA/CPRA requests across all categories combined. A current metrics table will be published here once Fleksa's California-resident user base exceeds the Cal. Civ. Code § 999.317(g) reporting threshold.
| Request type | Received | Complied (in whole or part) | Denied | Avg. days to respond |
|---|---|---|---|---|
| Right to Know | < 5 | < 5 | 0 | < 14 |
| Right to Delete | < 5 | < 5 | 0 | < 14 |
| Right to Correct | 0 | 0 | 0 | n/a |
| Right to Opt-Out of Sale/Share | 0 | 0 | 0 | n/a |
| Right to Limit Use of SPI | 0 | 0 | 0 | n/a |
9. Other State Privacy Rights
We honor consumer rights under the following state laws. Residents may contact privacy@fleksa.com to access, correct, delete, port, or opt out, and to appeal a denied request.
| State | Statute | Effective |
|---|---|---|
| Virginia | VCDPA | 2023-01-01 |
| Colorado | CPA | 2023-07-01 |
| Connecticut | CTDPA | 2023-07-01 |
| Utah | UCPA | 2023-12-31 |
| Texas | TDPSA | 2024-07-01 |
| Oregon | OCPA | 2024-07-01 |
| Montana | MCDPA | 2024-10-01 |
| Iowa | ICDPA | 2025-01-01 |
| Delaware | DPDPA | 2025-01-01 |
| New Jersey | NJDPA | 2025-01-15 |
| New Hampshire | NHDPA | 2025-01-01 |
| Tennessee | TIPA | 2025-07-01 |
| Indiana | INCDPA | 2026-01-01 |
Nevada
Nevada residents may opt out of the sale of personally identifiable information under NRS 603A by emailing privacy@fleksa.com.
Appeals
If we deny a privacy rights request, you may appeal by replying to our denial email. We will respond to your appeal within 60 days. If your appeal is denied, you may contact your state Attorney General.
10. Children's Privacy
Our Services are B2B tools for restaurant operators and are not directed to children. We do not knowingly collect personal information from children under 13 (COPPA) and do not knowingly process the personal information of consumers under 16 for targeted advertising or sale/share without affirmative consent (CCPA/CPRA, and similar laws in CT, CO, MT). If we learn we have collected such information, we will delete it promptly.
10a. AI-Assisted Processing
Portions of the Services use large language models (Anthropic, OpenAI, Google) routed through the Vercel AI Gateway to draft suggestions (e.g., review replies, social posts, SEO recommendations). These features:
- operate on a human-in-the-loop basis — drafts require user approval unless auto-publish is explicitly configured;
- do not make decisions producing legal or similarly significant effects on you or your guests;
- are subject to zero data retention and no-training contractual commitments from each LLM provider.
You may disable AI features for your account by contacting privacy@fleksa.com.
11. International Data Transfers
If you are accessing our Services from outside the United States, your information may be transferred to and processed in the United States. We implement appropriate safeguards for international transfers.
12. Third-Party Links
Our Services may contain links to third-party websites. We are not responsible for the privacy practices of these websites.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through our Services. Your continued use after changes constitutes acceptance.
14. Contact Us
For privacy-related inquiries:
Fleksa, Inc. 10900 Research Blvd 160c 1059 Austin, TX 78759, USA
- Email: privacy@fleksa.com
- Phone: +1 512-777-0405
For general inquiries: hello@fleksa.com