Privacy Policy

Introduction

This Privacy Policy explains how GetBackplate ("GetBackplate," "we," "us," or "our") collects, uses, stores, shares, and protects information when you use the GetBackplate restaurant operations management platform (the "Service" or "Platform").

GetBackplate is headquartered at 1321 Upland Dr., Suite 9894, Houston, Texas 77043, United States.

This Privacy Policy applies to all users of the Platform, including account administrators (owners and managers) and employees who access the Platform through the employee portal. By using the Service, you consent to the practices described in this Policy.

Information We Collect

2.1 Account and Business Information

When you register for the Platform, we collect:

• Business name, address, and contact information
• Administrator name, email address, and phone number
• Billing information processed through Stripe (we do not store full credit card numbers)
• Subscription plan and billing preferences
• Number of locations and operational configuration

2.2 Employee Information

Account administrators may enter and manage the following employee data through the Platform:

• Personal information: full name, date of birth (where required), address, phone number, email address
• Employment information: job title, department, location, start date, salary, employment status
• Identification documents: government-issued ID, SSN (where required for employment records), work authorization documents
• Certifications and licenses: Food Handler certifications, TABC certifications, and other professional licenses required for employment
• Signed contracts: digitally signed employment agreements and other workplace documents
• Performance and disciplinary records: incident logs, performance reviews, disciplinary actions, and time-off records
• Photographs: employee profile photos uploaded by administrators or employees

2.3 Operational Data

The Platform collects and stores operational data entered by users, including:

• Shift communication logs, checklists, and task completion records
• Equipment maintenance logs and incident reports
• Supplier and vendor directory information
• Document uploads and file attachments
• Checklist responses and audit trails

2.4 Communications Data

When you use the Platform's communication features, we collect and store:

• In-platform notification history
• Email communication logs (sent via Brevo)
• WhatsApp message logs (sent via ManyChat), for users who have provided explicit opt-in consent

2.5 Technical and Usage Data

Our systems automatically collect:

• IP addresses, browser type, device information, and operating system
• Session data, login timestamps, and activity logs
• Feature usage and navigation patterns within the Platform
• Error logs and performance metrics

How We Use Information

We use the information collected for the following purposes:

1. Service delivery: to provide all Platform features, including employee management, operations tools, document storage, scheduling, and communication;
2. AI-powered features: to generate operational reports, insights, and recommendations based on your data. We do not use your Customer Data to train general-purpose AI models without your explicit consent;
3. Notifications and communications: to send operational alerts, document expiration notices, checklist reminders, and service-related communications via in-app notifications, email (Brevo), and WhatsApp (ManyChat, with explicit opt-in);
4. Billing and account management: to process subscription payments, manage plan limits, and send billing-related communications;
5. Support and troubleshooting: to investigate issues you report and provide customer support;
6. Security: to detect, prevent, and respond to fraud, abuse, or unauthorized access;
7. Compliance: to comply with applicable laws, regulations, and court orders; and
8. Platform improvement: to analyze aggregated, anonymized usage data to improve Platform features and performance.

We do not use your data for advertising, sale to third parties, or any purpose unrelated to providing and improving the Service.

Employee Data — Special Considerations

4.1 Employer as Data Controller

Account administrators act as the data controller for their employees' personal data entered into the Platform. GetBackplate acts as a data processor, processing employee data only on behalf of and under the instructions of the account administrator.

4.2 Employee Rights

Employees whose personal data is stored in the Platform may have rights under applicable law to access, correct, or delete their personal data. Employees should direct such requests to their employer (the account administrator) in the first instance. GetBackplate will cooperate with administrators in honoring lawful employee data requests.

4.3 Certification and License Data

Food Handler certifications, TABC certifications, and similar professional licenses are stored as employment records. This data is used solely to support compliance tracking within your organization and is not shared with any third party except as required by law or as directed by the account administrator.

4.4 Document Security

All documents uploaded to the Platform, including identification documents and signed contracts, are stored with encryption at rest and access controls that restrict viewing to authorized users within your organization.

How We Share Information

5.1 With Third-Party Service Providers

We use the following infrastructure and service providers, which process data on our behalf:

• Vercel Inc. — application hosting and serverless compute
• Supabase Inc. — managed PostgreSQL database, file storage, and real-time services
• Stripe Inc. — payment processing and subscription billing
• Brevo (Sendinblue SAS) — transactional email delivery
• ManyChat Inc. — WhatsApp messaging (only for users who have provided explicit opt-in consent)
• Twilio Inc. — SMS and communication infrastructure
• DocuSeal — digital contract signing
• Sentry — error monitoring and performance tracking
• Upstash — rate limiting and caching infrastructure
• Anthropic — AI-powered features via Claude API

These providers are contractually obligated to use your data only to provide their services to us and to maintain appropriate security safeguards.

5.2 Legal Disclosures

We may disclose information when required by law, subpoena, court order, or other legal process, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5.3 Business Transfers

If GetBackplate is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction. We will notify affected users before any such transfer takes effect.

5.4 With Your Consent

We will share information for any other purpose only with your explicit consent.

We do not sell or rent personal information to third parties.

Data Storage and Retention

• Account and business data is retained for the duration of your active subscription plus 90 days after termination, during which you may request a data export.
• Employee records are retained as configured by the account administrator. Administrators may delete employee records at any time, subject to any legal retention requirements applicable to employment records in their jurisdiction.
• Operational data (checklists, logs, shift communications) is retained for the duration of your subscription and deleted within 90 days after account termination.
• Documents and file uploads are retained as configured by the account administrator. Deleted files are permanently removed from storage within 30 days.
• Billing records are retained for seven (7) years as required for financial and tax compliance.
• Technical logs (error logs, access logs) are retained for twelve (12) months.

You may request export or deletion of your data at any time by contacting us at the address in Section 13.

Communications Consent and Preferences

7.1 Email

By using the Platform, administrators and employees consent to receive transactional and operational emails related to their use of the Service. These may include document expiration alerts, checklist notifications, account updates, and billing communications. Users may manage notification preferences within the Platform settings.

7.2 WhatsApp

WhatsApp messaging is only activated upon express opt-in from the individual recipient. By opting in, you consent to receive operational notifications via WhatsApp through ManyChat. You may opt out at any time by responding STOP to any WhatsApp message or by updating your notification preferences in the Platform.

7.3 Marketing Communications

We do not send marketing communications without your separate, explicit consent. If you consent to marketing communications, you may withdraw that consent at any time.

Data Security

We implement industry-standard administrative, technical, and physical safeguards, including:

• TLS 1.2+ encryption for all data in transit
• Encryption at rest for all database records and stored files
• Row-level security controls ensuring each organization's data is isolated and inaccessible to other organizations on the Platform
• Role-based access controls within each organization
• Multi-factor authentication support for administrator accounts
• Regular software updates and dependency vulnerability scanning
• Error monitoring and anomaly detection via Sentry
• Rate limiting to prevent unauthorized bulk access

Despite these measures, no method of transmission or storage is 100% secure. Please notify us immediately at the address in Section 13 if you suspect any unauthorized access to your account or data.

Data Isolation Between Organizations

The Platform is designed so that each organization's data is strictly isolated from all other organizations. Organizational data is segregated at the database level using row-level security policies. No organization can access the data of any other organization through normal use of the Platform.

Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: request a copy of the personal information we hold about you
• Correction: request that we correct inaccurate information
• Deletion: request that we delete your personal information, subject to legal retention obligations
• Restriction: request that we limit the processing of your information
• Portability: request a copy of your information in a structured, machine-readable format
• Objection: object to certain types of processing
• Withdrawal of consent: withdraw any consent you previously provided

To exercise these rights, contact us using the information in Section 13. We will respond within the timeframe required by applicable law (typically 30–45 days).

California Privacy Rights

If you are a California resident, the CCPA and CPRA provide additional rights, including the right to know what personal information is collected, to request deletion, and to opt out of the sale or sharing of personal information. We do not sell or share personal information as defined by these laws. To exercise your rights, contact us as described in Section 13.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top and notify affected users by email or through the Platform. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

We will acknowledge your inquiry within a reasonable time and respond as required by applicable law.