1. Introduction
At Gid AI ("we," "our," or "us"), we are committed to protecting your privacy and being transparent about how we collect, use, and safeguard your information. This Privacy Policy explains our data practices for the Gid AI platform, our restaurant management and employee engagement service.
We built Gid with privacy by design, using enterprise-grade security measures and industry-standard practices to protect your data.
2. Information We Collect
Account and Profile Information
- Contact details (name, email, phone number)
- Company information (business name, role, industry)
- Account credentials and authentication data
- Profile preferences and settings
Service Usage Data
- Training session participation and progress
- Communication logs (SMS, voice, app interactions)
- Performance metrics and feedback
- Scheduling and attendance data
Technical Information
- Device information and browser details
- IP addresses and location data (general geographic area)
- Usage analytics and system performance data
- Log files and error reports
Integration Data
- POS and PMS system data (when integrated)
- Sales metrics and operational data
- Employee scheduling and time tracking information
3. How We Use Your Information
Service Delivery
- Provide personalized AI coaching and training
- Generate insights and performance analytics
- Facilitate communication between team members
- Optimize scheduling and workforce management
Platform Improvement
- Analyze usage patterns to improve our services
- Develop new features and capabilities
- Ensure system reliability and performance
- Conduct security monitoring and threat detection
Communication
- Send service updates and important notices
- Provide customer support and technical assistance
- Share product updates and new features
4. Data Infrastructure and Security
Cloud Infrastructure
We utilize enterprise-grade cloud infrastructure to ensure data security and availability:
- Google Cloud Platform: Primary hosting and data processing
- Amazon Web Services (AWS): Additional services and redundancy
- Firebase: Real-time database and authentication services
Security Measures
- End-to-end encryption for data in transit and at rest
- Multi-factor authentication and access controls
- Regular security audits and penetration testing
- Built on SOC 2 Type II and ISO 27001 certified infrastructure (Google Cloud Platform, Firebase)
- Automated backup systems and disaster recovery
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share data only in these limited circumstances:
Service Providers
- Trusted third-party services that help us operate our platform
- Cloud infrastructure providers (Google Cloud, AWS)
- Analytics and monitoring services
- Payment processors and billing services
Legal Requirements
- When required by law, regulation, or legal process
- To protect our rights, property, or safety
- To prevent fraud or security threats
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
6. Your Rights and Choices
Access and Control
- Access: Request copies of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your personal data
- Portability: Export your data in a standard format
- Restriction: Limit how we process your information
Account Deletion
You can delete your account and all associated data at any time:
Upon deletion, we will permanently remove your account credentials, personal profile information, training records, chat messages, and uploaded media. Deletion is completed within 30 days. Some data may be retained for legal compliance purposes as described in Section 7.
Communication Preferences
- Opt out of marketing communications
- Control notification settings
- Manage data sharing preferences
7. Data Retention
We retain your information only as long as necessary to:
- Provide our services and support your account
- Comply with legal obligations
- Resolve disputes and enforce our agreements
- Improve our services and security
Typically, we retain:
- Account data: While your account is active plus 90 days after closure
- Usage analytics: 24 months
- Communication logs: 12 months
- Financial records: 7 years (as required by law)
8. International Data Transfers
We primarily operate in Canada, the United States, and India. When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard contractual clauses approved by data protection authorities
- Adequacy decisions from relevant regulatory bodies
- Certification schemes and codes of conduct
9. Compliance and Regulations
We comply with applicable data protection laws, including:
- GDPR: European General Data Protection Regulation (EU and UK)
- CCPA: California Consumer Privacy Act
- PIPEDA: Personal Information Protection and Electronic Documents Act (Canada, federal)
- DPDP: Digital Personal Data Protection Act, 2023 (India)
- Industry standards: Restaurant and hospitality data protection requirements
9.A Your data subject rights and how to exercise them
Wherever you live, you have the same operational toolkit to control your personal data. We process every request within 72 hours, with a 30-day grace window on deletions in case you change your mind.
Right to portability (GDPR Art 20, PIPEDA Principle 9, DPDP Section 11)
Receive a copy of every piece of data we hold on your behalf, in a structured, commonly used, machine-readable format (JSON in a single ZIP archive).
- Inside the Gid app: open Account Settings (top-right menu) and tap "Export my data". The email arrives within 30 minutes.
- From the web: gidai.ca/data-export. Two-step magic-link confirmation by email.
- Sensitive fields like access tokens, password hashes, and API keys are redacted by design. They have no portability value and exporting them would weaken your security.
Right to erasure (GDPR Art 17, PIPEDA Principle 9, DPDP Section 12)
Permanently delete your account and personal data. We use a 30-day grace window so accidental clicks never lose your data.
- Inside the Gid app: Account Settings, then "Delete my account". You confirm by typing your email and acknowledging the consequences.
- From the web: gidai.ca/delete-account. Same magic-link confirmation as the export flow.
- Cancel anytime within 30 days by signing back in. On day 31 we permanently delete your profile, schedules, tasks, training records, chat messages, and uploaded files.
- Your Stripe subscription is cancelled the moment you submit the request (no further charges).
- A compliance audit row is retained for 7 years per the GDPR Art 30 record-of-processing requirement. The audit row contains a hashed email and timestamps, and no personal data beyond that.
Right of access, correction, restriction, and objection
Email privacy@gidai.ca with the right you want to exercise. We respond within 72 hours and complete the action within 30 days, in line with GDPR Art 12, PIPEDA's Openness principle, and DPDP Section 13.
India Grievance Officer (DPDP Section 13)
Our designated Grievance Officer is Alexandre Verville, founder, reachable at privacy@gidai.ca. Response time: 72 hours. If your concern is not resolved, you may contact the Data Protection Board of India.
Cookie consent
We do not load any analytics cookies until you accept them in the consent banner shown on your first visit. Decline is honored permanently for 12 months; we also auto-decline when your browser sends Do Not Track or Global Privacy Control signals. You can change your choice anytime by clicking Cookie preferences.
Suppression list
If you exercise your right to erasure or unsubscribe from our cold-email outreach, your email address (hashed) is added to a global suppression list. We will never contact you again unless you explicitly subscribe back. This protects you from accidental re-engagement after deletion.
10. Children's Privacy
Our services are designed for business use and are not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such information, we will take steps to delete it promptly.
11. Updates to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. We will:
- Notify you of material changes via email or platform notification
- Post the updated policy on our website
- Update the "Last Updated" date at the top of this policy
Your continued use of our services after such changes constitutes acceptance of the updated policy.