# Privacy Policy — La Napa Market

**Last updated:** 2026-05-15

La Napa Market ("we," "us") operates a restaurant in Brooklyn, NY at 656
Nostrand Ave and builds the staff-facing software that runs it. This
policy covers personal data we handle through every La Napa product:

- **La Napa Reservations** — the guest-facing reservation platform that
  takes bookings, handles waitlists, and powers our voice AI phone agent.
- **La Napa Kitchen** — the back-of-house operating system for our
  restaurant staff (iOS / iPad app + web). Manages recipes, dishes,
  inventory, supplier prices, and processes invoice deliveries.
- **lanapamarket.com** — this public website.

If a section below applies only to one product, it's tagged with
**[Reservations]** or **[Kitchen]**.

---

## 1. What we collect

### Reservations (guest-facing)

| Data category | Examples | Source |
|---|---|---|
| Identity | First name, last name | Account creation, reservation booking, voice call |
| Contact | Email address, phone number(s) | Account creation, reservation booking |
| Dietary & preferences | Dietary restrictions, seating preferences, special request notes | Guest profile, reservation notes, voice transcripts |
| Reservation history | Dates, party sizes, table assignments, statuses, cancellation reasons | Booking activity |
| Payment references | Stripe customer ID, payment method tokens, deposit amounts | Stripe (we never store full card numbers) |
| Voice transcripts | Call recordings transcribed to text, AI-generated summaries | Vapi voice AI phone agent |
| Device & access | IP address, login timestamps | Server logs, audit trail |
| Order history | Items ordered, amounts (synced from Toast POS) | Toast integration |

### Kitchen (staff-only)

The Kitchen iOS app is a B2B tool used only by La Napa restaurant
staff. Accounts are created offline by management; staff do not
self-register.

| Data category | Examples | Source |
|---|---|---|
| Staff identity | Synthetic email (e.g. `staff-1234@lanapa.internal`) for PIN-based login, or real email for admin | Account creation |
| User content | Recipes, dishes, ingredients, prep steps, plating notes typed or dictated by staff | Staff input |
| Photos | Dish photos, recipe gallery images, invoice/receipt scans | Camera capture |
| Voice recordings | Brief recordings for voice dictation, sent to OpenAI Whisper for transcription, then **discarded** — only the resulting text is stored | Microphone capture |
| Feedback messages | What staff type into the in-app feedback form | Staff input |
| Crash & performance | Stack traces, app route, app version, OS version, device model (PII scrubbed before send) | Sentry SDK |
| POS sales (aggregate only) | Daily menu item quantities pulled from Toast POS | Toast integration |

### What we do NOT collect (in either product)

- ❌ Location data (no GPS, no IP geolocation)
- ❌ Contacts
- ❌ Health, fitness, or biometric data
- ❌ Browsing history outside our products
- ❌ Advertising identifiers (no IDFA, no IDFV, no fingerprinting)
- ❌ Real customer payment card numbers (Stripe handles all of that)

---

## 2. How we use it

### Reservations

- **Booking operations:** Confirm reservations, assign tables, manage waitlists, send SMS/email reminders.
- **Voice AI:** The phone agent uses your name and phone number to identify you, check availability, and create or modify reservations on your behalf.
- **SMS & email:** Booking confirmations, 24-hour reminders, deposit payment links, cancellation notices.
- **Guest profiles:** Track visit history, preferences, and dietary needs so the restaurant can provide personalized service.
- **Payments:** Capture no-show deposits and process pre-order payments via Stripe.
- **Security & abuse prevention:** Rate limiting, audit logging, error monitoring.

### Kitchen

- **Operating the app:** Show staff their recipes, save edits, track inventory, compute food costs.
- **Invoice scanning:** Photographed invoices are sent to Anthropic's Claude Vision model to extract line items.
- **Voice dictation:** Audio recordings are sent to OpenAI Whisper for speech-to-text; the audio is not retained.
- **Recipe parsing:** Dictated recipe transcripts are sent to Anthropic's Claude to structure into components and steps.
- **Diagnostics:** Sentry receives PII-scrubbed crash and performance data for debugging.
- **Sales analytics:** Aggregate daily sales by menu item flow in from Toast to compute food cost percentages.

We never use any of this data for advertising, profiling, or sale to
third parties.

---

## 3. Sub-processors

We share data with third-party services only as needed to operate the
platform. The full list with DPA status and jurisdictions is at
[SUBPROCESSORS.md](./SUBPROCESSORS.md).

Summary by product:

| Provider | Used by | Data they receive | Purpose |
|---|---|---|---|
| Supabase (Functional Software, Inc.) | Both | All app content, auth, storage | Database, authentication, file storage |
| Stripe | Reservations | Payment tokens, deposit amounts | Payment processing |
| Vapi | Reservations | Voice call audio, transcripts | Voice AI phone agent |
| Toast POS | Both | Outbound: nothing. Inbound: daily aggregate sales we pull from POS. | POS sync |
| Anthropic (Claude) | Kitchen | Recipe transcripts, invoice photo bytes | AI parsing (parse-recipe, parse-invoice) |
| OpenAI (Whisper) | Kitchen | Voice recordings (transient; discarded after transcription) | Speech-to-text |
| Sentry (Functional Software dba) | Both | PII-scrubbed crash + performance data | Diagnostics |
| SendGrid / Twilio | Reservations | Email + SMS destination addresses | Booking notifications |
| Apple (Capacitor / iOS) | Kitchen | Push tokens (if push notifications are enabled) | Push notifications |

All sub-processors are bound by Data Processing Agreements or
equivalent. None are used for advertising or data brokering.

---

## 4. Data retention

| Data type | Retention | Rationale |
|---|---|---|
| **[Reservations]** Voice transcripts & summaries | 30 days after call | Sufficient for dispute resolution |
| **[Reservations]** Audit logs | 1 year | Security and compliance investigations |
| **[Reservations]** Reservation records | 7 years | Restaurant accounting and tax obligations |
| **[Reservations]** Guest profiles | Until account deletion or restaurant request | Operational need |
| **[Reservations]** Deleted user accounts | Soft-deleted immediately; hard-purged after 90 days | Allow undo window, then permanent removal |
| **[Kitchen]** Staff content (recipes, photos, feedback) | Until account is deactivated or admin requests deletion | Operational need |
| **[Kitchen]** Voice recordings (audio bytes) | Not retained — discarded after transcription | Privacy by design |
| **[Kitchen]** Crash diagnostics (Sentry) | 90 days, then auto-deleted | Diagnostic window |
| **[Kitchen]** POS sales (aggregate) | Indefinite (no PII attached) | Cost analytics |

---

## 5. Your rights

You have the right to access, correct, delete, or export your personal data.

### Reservations guests

**In-app deletion:** Staff users can delete their account at Settings > Account > Danger Zone > Delete Account. This immediately:

- Deactivates your login (password blanked, session invalidated)
- Anonymizes your linked guest record (name, email, phone removed)
- Preserves reservation history in de-identified form for restaurant audit needs

**Ad-hoc requests:** Email `info@lanapamarket.com` for:

- Data access (we'll provide a JSON export within 30 days)
- Data portability
- Correction of inaccurate records
- Erasure requests beyond what the in-app flow covers
- Objection to processing

### Kitchen staff users

The Kitchen app is a B2B internal tool. Accounts are created and
managed offline by La Napa restaurant management; you do not
self-register. Account deletion is handled offline.

To exercise any data right (access, correction, deletion, export,
restriction, objection), email `info@lanapamarket.com` from the email
tied to your account. We respond within 30 days. Per Apple Guideline
5.1.1(v), this offline-deletion model is acceptable for B2B
internal-staff tools.

### Regional rights

**For EU residents (GDPR):** Our legal basis for processing is
legitimate interest (operating the reservation service / kitchen tool
you or the restaurant engaged) and, where applicable, contract
performance. You may lodge a complaint with your local supervisory
authority.

**For California residents (CCPA):** We do not sell personal
information. We do not use personal information for cross-context
behavioral advertising. You may request deletion or disclosure of
categories collected (see Section 1).

---

## 6. Tracking and analytics

**We do not track.** Neither product uses third-party tracking SDKs.
No advertising identifiers are collected (no IDFA, no IDFV, no
fingerprinting). The iOS apps' privacy manifests set
`NSPrivacyTracking` to `false`. No ATT prompt is required.

Sentry is configured for diagnostics only — error stack traces and
request metadata, with personally identifying fields (email, IP, body)
scrubbed before any data leaves the device. Sentry data is covered by a
DPA and is never combined with data from other apps or shared with
advertisers.

---

## 7. Security

- All in-transit data uses TLS via Apple's URLSession and HTTPS.
- At-rest encryption is handled by Supabase.
- Diagnostic data has PII scrubbed at the client before send.
- Role-based access control inside both products limits what each
  staff role can read or write.
- No security model is perfect. Please report suspected
  vulnerabilities to `info@lanapamarket.com`.

---

## 8. International transfers

Our sub-processors operate primarily in the United States. When you use
our products, your data is transferred to and processed in the United
States.

---

## 9. Children's privacy

Neither product is designed for or directed at anyone under 13. We do
not knowingly collect data from children under 13. If you believe a
child has provided us with personal information, email
`info@lanapamarket.com` and we will delete it.

---

## 10. Changes to this policy

We may update this policy as our products evolve. The "Last updated"
date at the top reflects the most recent change. Material changes
will be communicated via in-app notice or email.

---

## 11. Contact

**La Napa Market**
656 Nostrand Ave, Brooklyn, NY 11216
Email: `info@lanapamarket.com`

---

## Apple App Privacy summary — Kitchen iOS app

For the App Store privacy nutrition card on the La Napa Kitchen iOS app:

| Data Type | Sub-type | Collected | Linked to User | Tracking | Purpose |
|---|---|---|---|---|---|
| Contact Info | Email Address | Yes (admin login) | Yes | No | App Functionality |
| Identifiers | User ID | Yes (synthetic UUID) | n/a | No | App Functionality |
| User Content | Photos | Yes | Yes | No | App Functionality |
| User Content | Audio Data | Yes (transient, discarded after transcription) | Yes | No | App Functionality |
| User Content | Other | Yes (recipes, feedback) | Yes | No | App Functionality |
| Diagnostics | Crash Data | Yes (Sentry) | Yes | No | App Functionality |
| Diagnostics | Performance Data | Yes (Sentry) | Yes | No | App Functionality |
| Diagnostics | Other Diagnostic Data | Yes (Sentry breadcrumbs) | Yes | No | App Functionality |
| Location | — | No | — | — | — |
| Financial Info | — | No | — | — | — |
| Health | — | No | — | — | — |
| Contacts | — | No | — | — | — |
| Browsing History | — | No | — | — | — |
| Search History | — | No | — | — | — |
| Purchases | — | No | — | — | — |
| Sensitive Info | — | No | — | — | — |