Privacy Policy

Last updated: April 11, 2026

SousMarketer ("SousMarketer", "we", "us") is a company registered in the Netherlands. We operate the SousMarketer platform at app.sousmarketer.com and the website at sousmarketer.com. This privacy policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable Dutch and European data protection laws.

Our contact email for all privacy-related inquiries is hello@sousmarketer.com.

1. Data controller

SousMarketer is the data controller responsible for processing your personal data. If you have questions about how we handle your data, or if you wish to exercise your rights, contact us at hello@sousmarketer.com.

2. What data we collect

We collect and process the following categories of personal data:

  • Account information: your name, email address, and password (hashed) when you create an account.
  • Restaurant information: restaurant name, cuisine type, address, phone number, website URL, and operating hours. This data is provided by you during onboarding and is used to personalize your marketing output.
  • Brand Voice data: your answers to the Brand Voice questionnaire, including your restaurant's personality, visual preferences, pricing, target audience, marketing priorities, and origin story. This data is used exclusively to generate personalized marketing content for your restaurant.
  • Generated content: photos, captions, review responses, and social media posts created through the platform. These are stored in your account and belong to you.
  • Usage data: pages visited, features used, timestamps, browser type, and device information. We collect this to improve the platform and diagnose technical issues.
  • Payment data: if you subscribe to a paid plan, your payment is processed by Stripe. We do not store your credit card number. Stripe provides us with a customer ID, subscription status, and billing history.
  • Integration data: when you connect third-party accounts (Google Business Profile, Facebook, Instagram), we store encrypted OAuth tokens and your connected page/account identifiers. We never store your Google or Meta passwords.

3. How we use your data

We use your data for the following purposes:

  • Providing the service: generating personalized photos, content, and review responses based on your Brand Voice and restaurant profile. This is the core function of SousMarketer and represents our legitimate interest in delivering the service you signed up for.
  • Account management: authenticating your login, managing your subscription, and communicating with you about your account.
  • Third-party publishing: when you choose to publish content to Facebook, Instagram, or Google Business Profile, we transmit your content and media through those platforms' APIs using the OAuth tokens you authorized.
  • Improving the platform: analyzing aggregate usage patterns to improve features, fix bugs, and develop new capabilities. We do not sell or share your data for advertising purposes.
  • Legal compliance: retaining records as required by Dutch tax and commercial law.

4. Third-party services and data processors

We use the following third-party services to operate SousMarketer. Each processes data on our behalf under a data processing agreement:

  • Supabase (Supabase Inc., USA): hosts our database, authentication system, and file storage. Your account data, restaurant profile, and generated content are stored in Supabase's EU-West region (Frankfurt). Supabase is SOC 2 Type II certified.
  • Anthropic (Anthropic PBC, USA): provides the Claude language model that generates your brand voice documents, content captions, and review responses. Your restaurant profile and Brand Voice data are sent to Anthropic's API as part of generation prompts. Anthropic does not use your data to train their models.
  • Google (Google LLC, USA): provides the Gemini image generation API that creates your restaurant photos, and the Google Business Profile API for review management and publishing.
  • Meta Platforms (Meta Platforms Inc., USA): provides the Graph API used to publish content to your connected Facebook Pages and Instagram Business accounts.
  • Stripe (Stripe Inc., USA): processes subscription payments. Stripe is PCI DSS Level 1 certified.
  • Vercel (Vercel Inc., USA): hosts our website and frontend application.
  • Railway (Railway Corp., USA): hosts our backend API server.
  • Sentry (Functional Software Inc., USA): captures error reports to help us fix bugs. Error reports may contain technical request data but not your restaurant content.

For services based in the USA, data transfers are protected under the EU-US Data Privacy Framework or Standard Contractual Clauses.

5. Data sent to AI providers

When you use SousMarketer's features, the following data is sent to AI providers to generate your content:

  • For content generation (Anthropic Claude): your restaurant name, cuisine type, segment, Brand Voice parameters (tone, vocabulary, archetype), and the specific content request (topic, angle, platform).
  • For photo generation (Google Gemini): a text prompt describing the desired photo, which includes your restaurant's visual style preferences and cuisine type. No personal data is included in photo prompts.
  • For review responses (Anthropic Claude): the review text, star rating, sentiment classification, and your Brand Voice parameters. The reviewer's personal information is included only as it appears in the review itself.
  • For brand voice generation (Anthropic Claude): your complete questionnaire answers.

Anthropic and Google process this data solely to generate the requested output. Neither provider uses your data to train or improve their models. Outputs are returned to SousMarketer and stored in your account.

6. How long we keep your data

  • Account and restaurant data: retained for as long as your account is active, plus 12 months after account deletion to allow for reactivation.
  • Generated content (photos, captions, review responses): retained for as long as your account is active. You can delete individual items at any time.
  • Brand Voice data: retained for as long as your account is active. Deleted upon account deletion.
  • Payment records: retained for 7 years after the transaction as required by Dutch fiscal law (Algemene wet inzake rijksbelastingen).
  • Usage and error logs: retained for 90 days, then automatically purged.

After deletion, we remove your data from our active systems within 30 days. Encrypted backups are purged within 90 days.

7. Your rights under GDPR

As a data subject in the European Economic Area, you have the following rights:

  • Right of access: request a copy of all personal data we hold about you.
  • Right to rectification: request correction of inaccurate data.
  • Right to erasure: request deletion of your data ("right to be forgotten"). We will comply unless we are legally required to retain certain records.
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to restriction: request that we limit processing of your data.
  • Right to object: object to processing based on our legitimate interests.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
  • Right to lodge a complaint: you may file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

To exercise any of these rights, email us at hello@sousmarketer.com. We will respond within 30 days.

8. Cookies

sousmarketer.com and app.sousmarketer.com use essential cookies for authentication and session management. We do not use advertising cookies or tracking cookies. We use Sentry for error monitoring, which may set a session cookie for error correlation.

9. Security

We implement appropriate technical and organizational measures to protect your data:

  • All data is transmitted over HTTPS/TLS.
  • Database access is controlled through Row Level Security, ensuring tenants cannot access each other's data.
  • OAuth tokens for third-party integrations are encrypted at rest using Fernet symmetric encryption.
  • Passwords are hashed using bcrypt (handled by Supabase Auth).
  • Access to production systems is restricted to authorized personnel.

10. Children

SousMarketer is a business tool designed for restaurant professionals. We do not knowingly collect data from individuals under 16 years of age. If we learn that we have collected data from a child, we will delete it promptly.

11. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or through a notice on the platform. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact

For any privacy-related questions, data access requests, or concerns:

Email: hello@sousmarketer.com

SousMarketer
The Netherlands