Overview
Hesett Technologies Inc., a Delaware corporation (“Hesett,” “we”), operates the Hesett Pro dashboard, mobile companion apps, and the back-end services that power them. This Privacy Policy explains how we process personal data when restaurant staff use the dashboard, and how we handle the guest data restaurants entrust to us under the data-processing agreement (DPA) every Partner signs at onboarding.
We process personal data under United States privacy laws (including the California Consumer Privacy Act / CPRA where applicable), the European General Data Protection Regulation (GDPR), and Colombia's Law 1581 of 2012.
Who this applies to
- Restaurant Partners – owners, managers, waiters, chefs, and anyone with a Hesett Pro account. We are the Controller of their account data.
- Diners served at Partner venues – their data flows through Hesett because the Partner uses our software, but the Partner remains the Controller. We act as Processor under our DPA.
What we collect
Partner account data
Name, email, phone number, role, restaurant name, address, tax identification (where required), bank/Stripe payout details, and the dashboard activity logs we use to detect abuse and improve the product.
Restaurant operational data
Menu items and prices, table layouts, reservation books, order history, payment records, staff rosters and shift data, inventory items, supplier contacts.
Guest data (processed on behalf of Partners)
Diner name, order history at the Partner venue, table number, allergen profile (if the diner provided one), tip amount, payment method tokens (not card numbers). The Partner controls this data; we only process it to deliver the service.
Device and usage data
Browser type, OS, IP address, app version, crash logs. Retained for 90 days for fraud prevention and product diagnostics.
How we use it
- To run the dashboard – orders, payouts, reservations, analytics, AI briefings.
- To process payments through Stripe Connect.
- To detect fraud and protect Partner accounts.
- To improve the product via aggregated, anonymized usage statistics.
- To send operational notifications (new order, low stock, payout sent).
- To send commercial communications only after explicit opt-in.
We do not sell personal data. We do not share it with advertisers. We do not use guest data to train models without the Partner's explicit consent.
When we share data
- Service providers – Stripe (payments), Firebase / Google Cloud (auth + storage), Crashlytics, SendGrid. Each is bound by DPA.
- POS & delivery partners – only the specific fields needed to integrate (e.g. an order JSON for Square, a status update for Rappi).
- Law enforcement – only with binding legal orders in jurisdictions we operate in.
Payment data
Card data never touches Hesett servers. Every card payment goes through Stripe (PCI-DSS Level 1 certified). We store only a Stripe customer identifier and a non-sensitive payment-method token. Restaurant payouts flow through Stripe Connect with a configurable schedule (daily, weekly, monthly).
Guest data – how we act as Processor
For every Partner, we sign a DPA that defines: the scope of guest data we process, the purposes (running the menu, orders, loyalty), retention windows, the Partner's right to audit, and the joint breach-notification protocol. Guests interact with the Partner first, with Hesett second – when a guest exercises their rights, we forward the request to the Partner unless the Partner has delegated handling to us.
Retention
- Partner account – kept while active. Deletion within 30 days of request, except where law requires longer (US tax records 7 years; Colombian invoices up to 10 years).
- Guest data – per the Partner's DPA, default 24 months for order history, 90 days for raw event logs.
- Audit logs – 12 months.
- Crash + device telemetry – 90 days.
Your rights
Wherever you live, you can:
- Access a copy of your data.
- Correct data that is wrong.
- Delete your account and the personal data attached to it.
- Export your data in a portable JSON or CSV format.
- Lodge a complaint with your local DPA – US state Attorneys General (e.g. California AG), Colombian SIC, or EU national DPAs.
Send requests to support@hesett.com. We respond within 30 days.
International transfers
Hesett Technologies Inc. is incorporated in Delaware, USA, with operating presence in Colombia. Core infrastructure runs on Google Cloud (São Paulo and Iowa). Cross-border transfers rely on Standard Contractual Clauses, the Colombian SIC adequacy framework, and binding intra-group agreements with our processors.
Changes to this policy
Material changes are announced at least 30 days in advance via email and in-app banner. Continued use after the effective date constitutes acceptance.
Contact
Hesett Technologies Inc. · A Delaware corporation · support@hesett.com · Our DPO reads every privacy request.