Privacy Policy
Last updated 21 June 2026
Service status: sandbox MVP. OrderBee is an early preview. Payments run in Stripe test mode, so no real money is charged and no live card number is stored. The data practices below reflect that scope.
This Privacy Policy explains how OrderBee ("OrderBee," "we," "us") collects, uses, and shares personal information across everything we operate: the orderbee.app website; the OrderBee skill / API that lets AI agents place orders on a person's behalf; the in-restaurant ("dine-in") waiter agent reached by scanning a table QR code; the owner dashboard used by restaurants and shops; and our internal admin tools.
By using any of these, you agree to this Policy. If you do not agree, do not use the service. Your use is also governed by our Terms of Use.
1. Who this Policy covers
Where it matters, we call out which group a practice applies to:
- Site visitors — anyone browsing orderbee.app.
- Skill / API users — people (or their AI agents) who create an API key and order through the OrderBee skill.
- Diners — guests who scan a table QR code and chat with the in-restaurant waiter agent to order and pay.
- Owners — restaurant and shop operators who run a business account on OrderBee.
2. Information we collect
From site visitors
- The email address you submit to join the waitlist or request access.
- Basic technical and usage data (IP address, browser/device type, pages viewed) collected by our hosting provider.
From skill / API users
- The email address you provide to create an API key, and your API key.
- An optional default delivery address you choose to save.
- The orders you place — items, quantities, merchant, fulfilment type, totals, and the delivery address for that order.
From diners (in-restaurant waiter agent)
- Your chat messages with the waiter agent and the conversation transcript, retained so the conversation survives a page reload.
- Your order — items, quantities, table, and the restaurant.
- Payment for the order, handled through Stripe (see §5). Card details are entered on Stripe's hosted payment element; OrderBee never sees or stores your full card number, and in the current sandbox these run in Stripe test mode (no real charge). For cash ("pay onsite") orders we record only that the order was placed.
- You do not need an OrderBee account to use the waiter agent.
From owners
- Account details — email and the sign-in session created with a magic link; optionally a phone number verified by one-time code.
- Business profile — name, address, phone, category, hours, photos, service area, and display language.
- Agent settings — the waiter agent's name, persona, and supported languages you configure.
- Point-of-sale connection — when you connect Square (or another POS), the OAuth access tokens and the menu/catalog and order data needed to keep them in sync.
- Payout details — handled through Stripe Connect. Banking and identity-verification details are collected and held by Stripe, not by OrderBee.
- Messaging connection — if you enable Telegram order alerts, your Telegram chat identifier.
Collected automatically (all surfaces)
- Log and device data — IP address, timestamps, user agent, request paths — for security, debugging, and abuse prevention.
- Cookies / local storage — see §7.
3. How we use information
We use personal information to: create and authenticate your account or API key; fulfil orders (send details to the merchant's POS and, for delivery, the courier; process payment); operate the waiter agent (see §4); validate and geocode addresses; send transactional messages (magic-link sign-ins, verification codes, order alerts, account email); provide owner analytics about that owner's own business; maintain security, fraud prevention, and an internal audit log of administrative actions; and comply with legal obligations and enforce our terms.
Our legal bases are performing our contract with you, our legitimate interests (security, abuse prevention, improving the service), your consent where required (e.g. marketing email), and legal obligation where applicable.
4. AI processing of your messages
The waiter agent, and certain owner features such as menu import and note polishing, are powered by a third-party large-language-model provider (Anthropic). To provide these features we send the relevant content — for diners, your chat messages and the menu context; for owners, the menu/notes being processed — to that provider so it can generate a response.
We do not use this content to train our own models. The provider processes it under its own terms as our service provider. Please avoid sending sensitive personal information in chat that is not needed to place your order.
5. Payments
Card payments are processed by Stripe. In the current sandbox MVP, payments run in Stripe test mode — no real money is charged and no live card number is stored. Card details are entered directly into Stripe's hosted fields; OrderBee receives only confirmation of the payment and limited metadata (amount, status, order reference) — never your full card number. Owner payouts run through Stripe Connect, and Stripe collects the banking and identity information required to pay out. Your use of payment features is also subject to Stripe's Privacy Policy.
6. How we share information
We share personal information only as needed to run the service. We do not sell your personal information, and we do not "share" it for cross-context behavioural advertising.
| Recipient | Why |
|---|---|
| Merchant's point-of-sale (e.g. Square, Toast) | To send the order to the restaurant or shop |
| Couriers (e.g. DoorDash Drive, Uber Direct) | To deliver the order — includes the delivery address and contact for handoff |
| Stripe | To process payments and owner payouts |
| Anthropic | To power AI chat and menu/notes features (see §4) |
| Twilio | To send SMS one-time verification codes |
| Telegram | To deliver order alerts to owners who enable it |
| Smarty | To validate and autocomplete addresses |
| Nominatim / OpenStreetMap | To geocode business addresses for the map |
| Email provider (Fastmail SMTP) | To send account and transactional email |
| Hosting & database (Vercel, Neon) | To host the application and store data |
We may also disclose information to comply with law or valid legal process, to protect rights, safety, and security, and to a successor entity in a merger, acquisition, or sale of assets.
7. Cookies and similar technologies
We use cookies and browser local storage to keep owners signed in (session cookies), keep an admin user signed in to admin tools, and preserve a diner's waiter-agent conversation across page reloads (local storage). Our website also loads Google Fonts, which may expose your IP address to Google when the font is fetched. We do not use third-party advertising cookies. You can block or delete cookies in your browser, but parts of the service may stop working.
8. Data retention
- Account and order records are kept while your account or API key is active and as needed to provide the service, meet legal/tax/accounting obligations, and resolve disputes.
- Diner chat transcripts are retained to support the live conversation and order; we remove or de-identify them once no longer needed for that order, support, or fraud purposes.
- Logs are kept for a limited period for security and debugging.
When we no longer need information, we delete or de-identify it.
9. Security
We use measures such as encrypted transport (HTTPS), restricted access, scoped API keys, and reliance on PCI-compliant processors (Stripe) for card data. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. Keep your API key and sign-in links secret — you are responsible for activity under your credentials.
10. Your privacy rights
Depending on where you live, you may have the right to access, correct, delete, or port your information, to opt out of sale or sharing for targeted advertising (note: we do not sell or share in this way), and to be free from discrimination for exercising these rights.
To exercise any right, contact support@orderbee.app. We will verify your request (typically via the email associated with your account) before acting. You may use an authorised agent where the law allows.
California (CCPA/CPRA). We do not sell or share personal information as defined under California law. California residents have the rights above and the right to limit use of sensitive personal information; we do not use sensitive information for purposes that trigger that right.
EEA / UK (GDPR). Where the GDPR applies, our legal bases are in §3. You may lodge a complaint with your local supervisory authority. Where we transfer data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses.
11. Children
OrderBee is not directed to children under 13 (or the minimum age in your jurisdiction), and we do not knowingly collect their personal information. Some goods are age-restricted (e.g. alcohol, dispensary items); you must meet the legal age and comply with local law to order them. If you believe a child has given us information, contact us and we will delete it.
12. International users
OrderBee is operated from the United States and data is processed there and in the regions used by our service providers. By using the service you understand your information may be transferred to and processed in the United States.
13. Changes to this Policy
We may update this Policy from time to time. We will revise the "Last updated" date above and, for material changes, provide additional notice where required. Continued use after a change means you accept the updated Policy.
14. Contact
Questions, requests, or complaints: FREE HIM INC. (operating as OrderBee), support@orderbee.app.
This Policy is governed by the laws of the State of California, United States, without regard to conflict-of-laws rules.