Privacy Policy

We keep it simple — your data helps us run the service, nothing else.

📅 Last updated: May 2026 🇲🇾 Governed by PDPA Malaysia 📖 ~5 min read
📋 TL;DR — The Short Version
  • We collect your name, email, and phone when you sign up or book a table — only what we need to run the service.
  • We never sell your data to anyone, and we don't use it for advertising.
  • Customer messages are processed by Anthropic's Claude AI to power the chatbot — this is how the AI works.
  • You can request deletion of your data at any time by emailing us.
  • We're governed by Malaysian PDPA 2010 and take reasonable steps to comply with GDPR where applicable.

1. Who We Are

DineBot ("we", "our", "us") is an AI-powered restaurant booking chatbot platform operated by Wilson Lee, based in Malaysia. Our platform is available at dinereserveai.com.

This Privacy Policy explains how we collect, use, store, and protect personal data when you use DineBot — whether you are a restaurant owner using our platform, or a customer booking a table through a DineBot-powered chatbot.

Questions? Email us: [email protected]

2. What We Collect

🏪 Restaurant Owners (Merchants)

When you sign up and manage DineBot as a restaurant owner, we collect:

  • Name, email address, and phone number
  • Restaurant name, address, operating hours, and menu details you provide
  • Billing details processed by Stripe — we never store card numbers directly
  • Channel credentials for Telegram or Facebook Messenger (Pro/Premium plans)
  • Admin activity logs (settings changes, logins) for security purposes

👤 End Customers (Restaurant Guests)

When a customer chats with a DineBot-powered chatbot to make a reservation, we collect:

  • Name, phone number, and email address provided during booking
  • Booking details: date, time, party size, and special requests
  • Chat message history with the AI chatbot
  • Payment screenshots uploaded to confirm deposits (where applicable)

💬 Support Chat Users

If you use our AI support chat at /support, we collect your name, email, phone, and chat messages to provide assistance and prevent abuse.

We collect only the minimum data needed to deliver the service. We do not collect sensitive personal data such as identity card numbers, passport numbers, or financial account credentials.

3. How We Use Your Data

We process your data on the following lawful bases under PDPA Malaysia and, where applicable, GDPR:

  • Contract performance: To provide the booking chatbot service you subscribed to
  • Legitimate interest: To send booking confirmations, deposit reminders, and admin link recovery emails
  • Legal obligation: To retain billing records as required by Malaysian tax law
  • Consent: To send marketing communications (you can opt out at any time)

Specifically, we use your data to:

  • Run and operate the AI booking chatbot and admin dashboard
  • Process subscription payments and send billing receipts
  • Send booking confirmations, reminders, and notifications to customers
  • Email restaurant owners their admin link every 10 days as a recovery backup
  • Respond to support requests
  • Detect abuse, enforce our Terms of Service, and maintain platform security
  • Improve our AI responses and service quality

4. What We Don't Do

🚫 We do not sell your personal data — ever, to anyone.

🚫 We do not use your data for targeted advertising.

🚫 We do not use tracking cookies or third-party ad trackers.

🚫 We do not share your data with any third party except the service providers listed in Section 5, solely to operate the platform.

🚫 We do not train AI models on your private booking data or customer conversations.

5. Third-Party Service Providers

We share data with the following providers only as necessary to deliver the service. Each is contractually required to protect your data.

Provider Purpose Data Shared Privacy Policy
Anthropic Powers the AI chatbot Customer chat messages, payment screenshots anthropic.com/privacy
Stripe Subscription billing Email, billing details (card data handled by Stripe directly) stripe.com/privacy
MongoDB Atlas Database storage All platform data (encrypted at rest) mongodb.com/privacy
Resend Transactional emails Email address, email content resend.com/privacy
Twilio SMS notifications (Pro/Premium) Phone numbers, SMS message content twilio.com/privacy
Railway Application hosting Application data (server-side only) railway.app/privacy

6. AI & Data Processing — Important Disclosure

DineBot's chatbot is powered by Anthropic's Claude AI. This means:

  • Every message a customer sends to the chatbot is transmitted to Anthropic's API servers for processing
  • If a customer uploads a payment screenshot, that image is also sent to Anthropic for analysis
  • Anthropic processes this data to generate the AI's response and may retain it subject to their own retention policies
  • SMS notifications sent via Twilio include phone numbers and booking summary text only — no full chat history
⚠️ For restaurant owners: By using DineBot, you are deploying an AI chatbot that sends customer conversations to Anthropic's servers (located in the United States). You should inform your customers that they are chatting with an AI assistant, as required by applicable law in your jurisdiction.

We do not use customer conversations to train our own AI models. Anthropic's data handling practices are governed by their privacy policy.

7. Data Retention

We keep data only as long as necessary:

  • Basic plan: Booking records deleted 1 day after the booking date
  • Pro plan: Booking records retained for 30 days after the booking date
  • Premium plan: Booking records retained for 365 days after the booking date
  • Account data: Retained while your subscription is active, then deleted 90 days after cancellation
  • Billing records: Retained for 7 years as required by Malaysian tax regulations
  • Support chat logs: Retained for up to 12 months for quality and abuse prevention

You can request early deletion at any time — see Section 9.

8. Security

We implement the following security measures to protect your data:

  • All data transmitted over HTTPS/TLS encryption
  • Admin panels protected by unique token-based URLs — no shared passwords
  • Optional 4-digit PIN protection on admin panels
  • Rate limiting on all public API endpoints to prevent brute force and spam
  • No plain-text passwords stored on our systems
  • Database encrypted at rest via MongoDB Atlas

In the event of a data breach that poses a risk to your rights or freedoms, we will notify affected parties without undue delay and, where required, report to the relevant authority within the timeframes required by law.

⚠️ Please keep your admin link and PIN private. Anyone with your admin link can access your panel. If you believe your link has been compromised, contact us immediately.

9. Your Rights

Under PDPA Malaysia and, where applicable, GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — ask us to correct inaccurate or incomplete information
  • Deletion — request that we delete your personal data (subject to legal retention requirements)
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdrawal of consent — withdraw any consent you've given at any time

To exercise any right, email [email protected] with the subject "Data Request". We will respond within 14 business days. Identity verification may be required before we can fulfil your request.

If you are unsatisfied with our response, you may lodge a complaint with the Department of Personal Data Protection Malaysia.

10. International Data Transfers

DineBot is operated from Malaysia, but some of our service providers store or process data outside Malaysia:

  • Anthropic — processes data in the United States
  • MongoDB Atlas — may store data in the US or Singapore
  • Stripe — processes payments in the United States

By using DineBot, you acknowledge that your data may be transferred to and processed in these countries. We ensure all providers maintain adequate security standards and, where required, have appropriate data processing agreements in place.

11. Cookies & Tracking

DineBot does not use advertising cookies or third-party tracking. We use browser session storage only to maintain your admin login state while you are using the panel. This data is not persistent — it is cleared when you close your browser.

We do not use Google Analytics, Facebook Pixel, or any other third-party analytics tracker.

12. Children's Privacy

DineBot is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has submitted personal information through our platform, please contact us immediately and we will delete it promptly.

13. Changes to This Policy

We may update this policy from time to time. When we do, we will update the date at the top of this page. For significant changes, we will notify restaurant owners by email at least 14 days before the changes take effect.

Continued use of DineBot after a policy update constitutes acceptance of the revised policy.

14. Contact Us

For any privacy-related questions, data requests, or concerns:

We aim to respond to all privacy enquiries within 2 business days.