Privacy Policy

Nirvah AI is a restaurant automation software-as-a-service (SaaS) platform provided by Radhron LLC, a Texas Limited Liability Company. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

We value your privacy and are committed to protecting your personal and business data. We use your data solely to provide our automation services, including AI-powered guest communication, review management, and voice agent capabilities. We do not sell your data to third parties.

Identity Data

When you create an account, we collect your name, email address, and phone number through our authentication provider (Supabase Auth). If you sign in with Google, we receive your basic profile information (name, email, profile picture) as authorized.

Business Data

To provide our services, we collect information about your restaurant, including:

• Restaurant name, address, and location identifiers
• Operating hours (regular and holiday schedules)
• Menu items, categories, prices, and modifiers
• Service policies (reservations, delivery, pickup, catering, etc.)
• Contact information and social media links

Content Data

• Reviews: Customer reviews synced from Google Business Profile
• Review Replies: AI-generated draft responses that you approve before posting
• Knowledge Base: FAQs, documents, PDFs, and other materials you upload to train your voice agent
• Menus: Menu data extracted from uploaded files or synced from POS systems

Inventory & Receipt Data

When using our Inventory Intelligence feature, we collect:

• Vendor receipts submitted via photograph (processed by OpenAI Vision OCR)
• Extracted line items: vendor name, product name, quantity, unit, and price per order
• Z-tape and daily sales summary data you upload for food cost calculations
• Food cost percentage history and trends calculated from your receipt data
• HACCP compliance checklist entries and temperature log records

POS Integration Data

When connecting your POS system (Square, Toast via KitchenHub, or Clover via KitchenHub), we access:

• Menu items, categories, modifiers, and pricing
• Order data for voice agent orders injected into your POS
• OAuth tokens to maintain the connection (encrypted at rest)

Voice & Call Data

When using our AI Voice Agent feature (powered by LiveKit, Deepgram, and Cartesia), we collect:

• Call transcripts (audio processed by Deepgram speech-to-text)
• Caller phone numbers (from and to)
• Call duration, timestamps, and AI analysis (sentiment, intent, topic)
• Orders placed during voice calls (customer name, items, fulfillment details)

Technical Data

• IP address and browser information (for security and session management)
• Session cookies (httpOnly, secure) to maintain your authenticated state
• OAuth tokens (encrypted) to maintain connections to integrated services

• Account Provisioning: To create and manage your account, verify your identity, and provide access to our platform
• AI-Powered Features: To generate draft responses to reviews, power your voice agent with accurate information, and extract menu data from uploaded files
• Review Management: To sync reviews from Google Business Profile, analyze sentiment, and enable you to respond efficiently
• Voice Agent Operation: To handle incoming calls, process orders, answer customer questions, and provide call analytics
• Business Automation: To automate updates to your business listings and streamline operations
• Transactional Communications: To send invoices, security alerts, service updates, and other essential notifications
• Service Improvement: To analyze usage patterns and improve our platform (aggregated, non-identifying data only)

Your data is sent to AI models only for the purpose of generating the specific response or analysis you requested. This includes:

• Generating review response drafts based on review content
• Powering real-time voice agent conversations
• Extracting structured menu data from uploaded files
• Analyzing review sentiment and themes

We use API access to these AI providers, which means your data is processed in real-time and is not retained by these providers for training purposes, in accordance with their enterprise API terms.

We implement industry-standard security measures to protect your data:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL protocols
• Database Security:Row Level Security (RLS) policies ensure data isolation between customers—you can only access your own restaurant's data
• Token Security: Sensitive tokens (like Google OAuth Refresh Tokens) are encrypted at rest and stored securely
• Session Management: Authentication cookies are httpOnly, secure, and use SameSite protections to prevent cross-site attacks
• Access Controls: Administrative access is protected with verification codes and role-based permissions
• Customer PII (phone numbers, names, email addresses, delivery addresses) is encrypted at the application level using AES-256-GCM before storage

We use the following third-party services to provide our platform. These sub-processors may process your data as described:

Depending on your location, you may have the following rights regarding your personal data:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Correction: Request correction of inaccurate or incomplete data
• Right to Deletion: Request deletion of your personal data (subject to legal retention requirements)
• Right to Portability: Request your data in a structured, machine-readable format
• Right to Object: Object to processing of your data for certain purposes
• Right to Withdraw Consent: Withdraw consent for processing where consent is the legal basis

We retain your data for as long as your account is active or as needed to provide you with our services. Specific retention periods include:

• Account Data: Retained until you request account deletion
• Call Recordings: Retained for 90 days for quality and dispute resolution, then automatically deleted
• Transaction Records: Retained for 7 years as required for tax and legal compliance
• Log Data: Retained for 30 days for security and debugging purposes
• Google Business Profile Data: Retained while your account is active and the integration is connected. All synced Google review data (reviews, analysis, draft replies, and cached data) is immediately deleted when you disconnect the Google Business Profile integration or delete your account.

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

If you have questions about this Privacy Policy or our data practices, please contact us:

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. We encourage you to review this Privacy Policy periodically.