Privacy Policy
Last updated: 13 June 2026
This Privacy Policy explains how GembaKitchen handles personal data when you use our website and the Service. We keep what we collect to the minimum needed to run a kitchen-operations platform, and we never sell your data.
1. Who is responsible (controller)
The data controller is GEMBA EOOD (EIK 208656371), Varna, Bulgaria. For any privacy question or to exercise your rights, contact [email protected].
2. What we collect
- Account data — your name (optional), email address, hashed password, and any two-factor settings you enable.
- Workspace data — the business information you enter: restaurant name, products, stock, recipes, menus, sales and reports. This is normally business data, not personal data, and stays isolated to your tenant.
- Assistant interactions — the messages, and optionally the voice audio, you send to the AI assistant, so it can answer and act on your kitchen data.
- Billing data — your plan and payment status. Card details are handled by GembaPay; we do not see or store card numbers.
- Technical data — basic logs (IP address, timestamps, errors) needed for security and reliability, plus Cloudflare Turnstile signals to block bots on our forms.
3. How we use it
- To create and run your account and provide the Service.
- To process the AI assistant's chat and voice requests and return answers.
- To take payment and manage your subscription (via GembaPay), and to send service emails such as verification codes and expiry reminders.
- To keep the Service secure, prevent abuse, and fix problems.
- To comply with our legal obligations.
4. Legal bases (GDPR)
We process personal data to perform our contract with you (running your account and the Service), on the basis of our legitimate interests (security, abuse prevention, improving the Service), to meet legal obligations (e.g. accounting), and on the basis of your consent where it applies (e.g. optional communications). You can withdraw consent at any time.
5. Processors we use
We share data only with service providers who process it on our behalf, under contract:
| Processor | Purpose |
|---|---|
| Anthropic (Claude) | Powers the AI assistant. Receives the message text (and relevant kitchen data) needed to answer your request. |
| ElevenLabs | Text-to-speech and speech-to-text for the assistant's voice features. |
| GembaPay | Payment processing for subscriptions. Handles card data so we don't have to. |
| Hetzner | Cloud hosting of the Service and its database (EU data centres). |
| Cloudflare | Network/CDN, TLS and Turnstile bot protection. |
6. AI processing
When you use the assistant, the text (and, for voice, the audio) of your request is sent to our AI processors to generate a response. Avoid putting unnecessary personal data into assistant messages. AI output can be inaccurate — please review it before acting on it.
7. Data retention
We keep your account and workspace data for as long as your account is active. If you close your account or it stays inactive, we delete or anonymise the data after a reasonable period, except where we must keep certain records (for example, billing records for accounting and tax purposes). You can request earlier deletion as described below.
8. Your rights
Under the GDPR you have the right to access, correct, delete or export your personal data, to restrict or object to certain processing, and to withdraw consent. To exercise any of these, email [email protected]. You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) or your local supervisory authority.
9. Security
We protect data with measures appropriate to the risk: encryption in transit (TLS), hashed passwords, optional two-factor authentication, per-tenant isolation in a dedicated database, signed payment webhooks, and access controls. No system is perfectly secure, but we work to keep your data safe and to respond quickly to incidents.
10. International transfers
Our hosting is in the EU. Some processors (for example, AI providers) may process data outside the EEA; where they do, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
11. Cookies & local storage
The website and app use only what they need to function — for example, a token in your browser's local storage to keep you signed in, and Cloudflare Turnstile on forms. We do not use advertising or cross-site tracking cookies.
12. Children
The Service is intended for businesses and adults. It is not directed at children, and we do not knowingly collect data from anyone under 18.
13. Changes
We may update this Policy. The "Last updated" date above shows the current version; material changes affecting you will be communicated where appropriate.
14. Contact
Privacy questions or requests: [email protected] · GEMBA EOOD, Varna, Bulgaria.