• User Information

  • Identification Data: Name, phone number, email address (only if provided by the API).

  • Account Data: Username, encrypted password (if users have accounts).

  • Preferences: Saved settings, preferred language, …

  • Reservations: Information about future and past reservations.

• Reservation Details

  • Reservation ID: Unique identifier for each reservation.

  • Date and Time: The desired date and time of the reservation.

  • Number of People: How many people the reservation is for.

  • Special Requests: Any special requests or accommodations, like dietary restrictions.

• Voice Interaction Data

  • Transcriptions: Text representation of what the user said. The text is redacted to remove any personal data information.

  • Interaction Logs: Timestamps, success/failure of requests, any errors.

• Venue Information

  • Venue Name: Name of the restaurant, hotel, or other establishments.

  • Venue Location: Address, GPS coordinates.

  • Contact Details: Phone number, email.

  • Available Times: Times when the venue is available for reservations.

  • Other configuration information such as maximum diners, messages to be said at specific situations, …

• API Transaction Data

  • Request and Response Logs: Timestamps, endpoints accessed, parameters sent, response received.

  • Error Logs: Any errors encountered during API calls.

  • Authentication Data: Client ID and Client Secret (which are specific per venue)

• Call Data

  • Call ID: Unique identifier for each interaction session.

  • Duration: How long the session lasted.

  • Actions Taken: What the user did during the call.

  • Origin phone number: Number used to make a call to the venue.

  • Destination phone number: Number where the customer called to contact the venue.

• Metadata

  • Timestamps: When each piece of data was created, modified, accessed.

  • Source: Where the data came from (e.g., phone call, manual entry, …).

Data is collected through:

• Voice interactions over the phone
• Text interactions via WhatsApp application
• API interactions with the reservation software of the restaurant

The lawful basis for collecting this data is legitimate interest of the venue which is the data owner. Both Bookline and the reservation software partner, when it applies, act as subprocessors.

Bookline ensures the protection of personal data through a combination of advanced cybersecurity measures and compliance with data protection regulations. We adhere to the NIST Cybersecurity Framework, which guides our security practices and policies.

We've implemented multiple layers of protection such as:

• Data encryption: All data, both at rest and in transit, is encrypted using industry-standard encryption algorithms.
• Regular security audits: We conduct periodic security audits and vulnerability assessments to identify and rectify any potential weaknesses in our system with an external provider.
• Access control: Strict access controls are in place, ensuring that only authorized personnel can access sensitive data. We use a principle of least privilege, granting access only when necessary and only to the extent required for job functions.
• Incident response plan: In the unlikely event of a security breach, we have a robust incident response plan in place to quickly address and mitigate any risks.
• Backup and recovery: Regular backups are conducted, and data recovery plans are in place to ensure business continuity and data integrity.
• Continuous monitoring: Our systems are continuously monitored for any suspicious activities, and alerts are set up to notify us of any anomalies.
• Security training: All our staff undergo regular security training to ensure they are aware of the latest threats and best practices to prevent potential breaches

Our approach to data retention is crafted to strike a balance between operational efficiency and the utmost respect for user privacy. We are committed to ensuring that personal data is processed responsibly and stored for only as long as is strictly necessary.

• User Information
  • Identification Data: While we process identification data such as name, phone number, and email address during interactions, this data is not stored in our systems post-processing.
  • Preferences: Similar to identification data, preferences are processed to offer a tailored experience during interactions but are not stored in our systems once the session concludes.

• Reservation Details
  • Special Requests: Special requests related to reservations are retained until 2 months post the reservation date. This period allows us to assist venues with any inquiries or issues related to past interactions, ensuring a seamless experience for both users and venues.

• Voice Interaction Data
  • Transcriptions: We store transcriptions from voice interactions, but any personal data within these transcriptions is rigorously redacted to ensure user privacy. It's important to note that these redacted transcriptions are not used for machine learning purposes. Our system's learning process is supervised by a dedicated tech engineer and is exclusively done using transcriptions that are devoid of personal data.

• Cloud Services Providers
  These providers offer robust and scalable cloud computing and data storage solutions.
  • Amazon Web Services, Inc. (AWS)
  • Google Cloud (part of Google LLC)
  • Google Firebase (part of Google LLC)
• Speech Synthesis and Transcription Services
  These services are crucial for our voice recognition and response capabilities in the voicebot product.
  • Amazon Web Services, Inc. (AWS)
  • Google Cloud (part of Google LLC)
  • Microsoft Azure (part of Microsoft Corporation)
  • Deepgram, Inc.
• SIP Trunking and telephony carriers
  Essential for ensuring high-quality and reliable telephony connections for our services.
  • TELCOM BUSINESS SOLUTIONS S.L.
  • Twilio Inc.
  • Bandwidth Inc.
  • Telnyx LLC
• Additional Services
  These services augment various aspects of our bot operations.
  • 360dialog GmbH: Manages the WhatsApp Business API.
  • Mixpanel Inc.: For business analytics and user interaction data.
  • SendGrid, Inc.: Handles email communications.
• Reservation Software Partners
  Integrated to streamline and automate the reservation process as many of our clients utilize our bots for automating the reservation process at their restaurants. While this integration is recommended for efficiency, it’s not obligatory. We provide a detailed list of reservation software partners that Bookline has integrated with via their API.
  • La Fourchette SAS (The Fork)
  • Restaurant Booking & Distribution Services SL (CoverManager)
  • Team Interactive S.L. (Restoo)
  • SPOTLINKER SL (Spotlinker)
  • ALTA TECNOLOGIA APLICADA SL (Cuiner)
  • n-tropia Consulting SL (nTaules)

• Viewing your personal data
  You have the right to obtain information about how we process your personal data and to request that we inform you about what data we hold about you.
• Transfer your personal data
  You have the right to a copy of all information we hold about you in a machine-readable form for use in a non-Bookline service.
• Modify your personal information
  You have the right to have us add, update, modify or delete some or all of the personal information we hold about you.
• Delete your personal information
  You have the right to have us delete all of your personal information.
• Object to the use of personal information
  You have the right to object to the use of your personal data for automated decisions such as sending reminder notifications or confirmations.
• Restrict the use of your personal data
  You have the right to decide for which activities you want your personal data to be used.

For any of these requests or for further information, contact us at dpo@bookline.ai. Please provide identification and proof of ownership to verify your association with the relevant phone number.