Skip to main content
Back to search

Privacy Policy

Last updated: 16 April 2026

1. Who We Are

Restassure AI Ltd (“we”, “us”, “our”) operates the website at restassure.app. Restassure is an AI-powered venue discovery platform for restaurants, bars, nightclubs, private clubs, cigar lounges, and hotels in London, Manchester, Birmingham, Edinburgh and Glasgow. We are not a booking platform and do not process reservations directly. Reservations are completed on third-party sites you reach via our outbound links.

Restassure AI Ltd is a UK limited company (incorporation pending with Companies House at the date above; registered company number and registered office address will be published here on completion). For this policy, Restassure AI Ltd is the data controller for all personal data described below.

2. What Data We Collect and Why

The data we collect depends on how you use the site. We group it by activity:

a) Anonymous search

You can use the venue search without an account. The text you type is sent to our server, to Google Gemini (via the Vercel AI Gateway) for natural-language understanding, and to the Google Places API to retrieve venue data. Queries are cached server-side for up to 24 hours to improve performance, then automatically deleted. Queries are not linked to an identified user unless you are signed in.

Lawful basis: legitimate interests (providing the service you requested). UK GDPR Art. 6(1)(f).

b) Accounts & authentication

If you sign in (by Google OAuth, by phone one-time password, or by any other auth method we offer), we process your email address, a unique user identifier, and — if using phone OTP — your phone number. Authentication is handled by Supabase on our behalf. A session cookie is set in your browser so we can keep you signed in.

Lawful basis: performance of a contract (providing you the account-based features you requested). UK GDPR Art. 6(1)(b).

c) Contact & venue-enquiry forms

When you submit our contact form, we collect the fields you provide (first and last name, email address, phone number, your query; for venue enquiries also venue name, job title and reason). We send the enquiry to our inbox via Resend and send you a confirmation email. We store enquiries for up to 24 months for customer-service purposes.

Lawful basis: legitimate interests (responding to your enquiry). UK GDPR Art. 6(1)(f).

d) Waitlist sign-up

If you join our waitlist we store your email address in our Supabase database and send you a confirmation email. We will only email you about the waitlist and service launch unless you separately opt in to marketing.

Lawful basis: consent, which you give by submitting the form. UK GDPR Art. 6(1)(a) and PECR reg. 22. You can withdraw consent at any time by emailing privacy@restassure.app.

e) Marketing communications (optional)

If you tick the optional marketing checkbox on the contact form, we may send you occasional product updates by email. Ticking this box is not required to use the service or submit an enquiry. Every marketing email contains an unsubscribe link.

Lawful basis: consent. UK GDPR Art. 6(1)(a) and PECR reg. 22.

f) Security & rate limiting

Your IP address is used transiently for rate limiting (to prevent abuse). For anonymous endpoints IP addresses are held only in server memory and purged within 60 seconds of their expiry window. Standard server logs at our hosting provider may record IP address, user agent, and the path visited.

Lawful basis: legitimate interests (fraud prevention and service integrity). UK GDPR Art. 6(1)(f).

g) Analytics & performance

We use Vercel Analytics and Vercel Speed Insights to understand general usage patterns and page performance. These services are configured to use privacy-preserving, cookie-free measurement and process aggregated, anonymised page-view data and approximate location derived from IP.

Lawful basis: legitimate interests (improving the service). UK GDPR Art. 6(1)(f).

3. What We Do Not Collect

We do not collect payment information (we do not take payments through the site). We do not use advertising trackers, we do not build behavioural advertising profiles, and we do not sell personal data to third parties. We do not use precise GPS location; any location information is approximate and derived from IP.

4. Third-Party Processors

We rely on the following processors and sub-processors to run the service. Each is bound by a data-processing agreement where applicable.

Vercel (hosting & analytics)

Hosts the website and AI Gateway; processes standard server logs and anonymous analytics. See: vercel.com/legal/privacy-policy.

Supabase (authentication & database)

Stores authenticated user records, waitlist emails, and session data. See: supabase.com/privacy.

Google (Places API, Gemini, OAuth)

Search queries are sent to Google Places API for venue data and to Google Gemini for natural-language parsing. If you sign in with Google, your email and user identifier are returned to us by Google. See: policies.google.com/privacy.

Resend (transactional email)

Sends contact-form confirmations, waitlist confirmations and any marketing emails you consent to. See: resend.com/legal/privacy-policy.

Apple (Sign in with Apple, where offered)

If you sign in with Apple, Apple returns an opaque user identifier and (optionally) an email relay address.

External booking links

When you click a booking link (for example to OpenTable or TheFork) you leave Restassure. From that point the third party's own privacy policy applies; we have no control over how they handle your data.

Where a processor stores or processes data outside the UK, we rely on UK-approved transfer mechanisms (UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, as applicable).

5. Cookies

Restassure uses a small number of cookies. None are used for advertising.

Strictly necessary

Authentication session cookies (set by Supabase when you sign in) and short-lived security cookies used by Google / Apple during OAuth sign-in. These are required for sign-in and account features; no consent is required under PECR reg. 6(4) because they are strictly necessary to provide a service you have requested.

Preferences

We may store a small amount of information in your browser's local storage to remember your language, city, and similar preferences. This is not strictly a “cookie” but is noted here for completeness.

Analytics

Vercel Analytics is configured to use cookie-free measurement by default. If this changes in the future we will update this policy and, where required, request your consent.

6. Data Retention

  • Search query caches: up to 24 hours.
  • Photo reference caches: up to 7 days.
  • Rate-limit records (IP-based): purged within 60 seconds of expiry, never persisted to disk.
  • Authenticated user accounts: retained for the life of the account plus 30 days after deletion request.
  • Waitlist emails: retained until you unsubscribe or we close the waitlist, whichever is sooner.
  • Contact-form submissions and confirmation emails: up to 24 months.
  • Standard server / application logs: up to 30 days.

7. Your Rights (UK GDPR)

Under the UK GDPR and the Data Protection Act 2018 you have the right to:

  • Be informed about how we use your data (this policy).
  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data (“right to be forgotten”), subject to legal exceptions.
  • Restrict or object to processing based on legitimate interests.
  • Withdraw consent at any time for anything relying on consent (marketing, waitlist).
  • Portability: receive a machine-readable copy of data you provided.
  • Lodge a complaint with the Information Commissioner's Office (ico.org.uk).

To exercise any of these rights email privacy@restassure.app. We will respond within one month.

8. Data Breaches

If we suffer a personal-data breach likely to result in a risk to your rights and freedoms we will report it to the ICO within 72 hours and, where the risk is high, notify affected users without undue delay.

9. Children

Restassure is a general-purpose venue discovery tool intended for adults. It is not directed at children under 13. We do not knowingly collect data from children; if you believe a child has provided us with data, please contact us and we will delete it.

10. Changes to This Policy

We may update this privacy policy from time to time. The “last updated” date at the top reflects the most recent revision. Material changes will be brought to your attention where we have an email address for you.

11. Contact

For privacy-related enquiries: privacy@restassure.app. ICO registration status: registration is being obtained; our ICO registration reference will be published here once issued.

© 2026 Restassure AI Ltd. Registered in England & Wales. Company number and registered office address will be published here once Companies House registration is complete.

Terms of Service|Privacy Policy|Accessibility|Back to Restassure