LEGAL

Privacy Policy

Effective Date: May 12, 2026

Operated by Yusra Institute LLC d/b/a Belan AI, Plano, TX

1. Overview

Belan AI (“Belan AI,” “we,” “us,” or “our”) is operated by Yusra Institute LLC, headquartered in Plano, TX. We provide an AI-powered phone and SMS ordering platform for restaurants, including Voice AI, Text AI, Dashboard Analytics, Marketing AI, and Sales AI (collectively, the “Service”).

This Privacy Policy explains how we collect, use, disclose, and protect information about (a) restaurant patrons who interact with our AI through phone calls or text messages, and (b) restaurant operators who subscribe to and configure the Service.

By using the Service — whether as a patron ordering food or as a restaurant operator — you agree to the practices described in this policy. If you do not agree, do not use the Service.

2. Who We Are

Yusra Institute LLC operates as Belan AI, a restaurant technology company founded in 2025 and headquartered in Plano, Texas. We build AI systems that handle phone calls and SMS conversations on behalf of restaurants, enabling automated ordering without requiring customers to download an app.

For privacy inquiries, contact us at nayeem@belan.tech or (203) 300-7233.

3. Information We Collect

3.1 From Restaurant Patrons (customers who call or text a restaurant)

  • Phone number: Collected automatically from every inbound call or text. Stored as the primary identifier for your profile.
  • Name: Collected during conversation if you provide it. Optional, but used to personalize your experience.
  • Email address: Collected via SMS only, optionally, for payment confirmation. Not required to place an order.
  • Conversation history: Every SMS message and voice call transcript is recorded and stored. This includes everything you say or type during an ordering session.
  • Order history: Every order you place — items, quantities, modifiers, prices, timestamps — is stored permanently.
  • Taste profile: Our AI extracts preferences from your conversation history: foods you like, foods you dislike, allergens you have mentioned, and dietary restrictions you have expressed. This profile is updated over time and used to personalize recommendations.
  • Dietary and allergy information: Any allergy or dietary restriction you mention during a call or text is recorded and stored as part of your taste profile.
  • Card last 4 digits and card brand: Stored after a successful payment for display purposes only. Full card numbers are never stored on our servers.
  • Call metadata: Call duration, call outcome (e.g., order placed, call transferred), and timestamps are recorded for each call.
  • TCPA consent status: Your opt-in and opt-out history for SMS communications with each restaurant is stored.

3.2 From Restaurant Operators (business subscribers)

  • Account credentials: Email address and hashed password stored via Supabase Authentication.
  • Restaurant information: Restaurant name, phone number, business hours, tax rate, and physical address.
  • POS integration credentials: OAuth access and refresh tokens for Clover POS, stored encrypted. Automatically refreshed before expiry.
  • AI configuration: Custom AI greeting text, voice ID selection, forwarding phone number, FAQ content, and upsell rules — all stored per restaurant.

3.3 Information We Do Not Collect

We do not store full credit card numbers, CVV codes, or card expiration dates on our servers. All payment card data is tokenized by Stripe or Clover before reaching us. We are PCI DSS SAQ A compliant.

4. How We Use Information

We use the information we collect for the following purposes:

  • Order processing: To receive your order, confirm items and modifiers, calculate pricing, process payment, and deliver the completed order to the restaurant's POS system.
  • Personalization: To greet you by name on return visits and surface your taste profile (likes, dislikes, allergies) to our AI so it can make relevant suggestions and flag potential allergy conflicts.
  • SMS marketing: To send promotional text messages on behalf of the restaurant, but only if you have affirmatively opted in and only while you remain opted in. You can opt out at any time by texting STOP.
  • Analytics and reporting: To provide restaurant operators with aggregated analytics: total revenue, order volume, top-selling items, and customer trends. Individual patron identities are not surfaced in operator-facing analytics.
  • Service improvement: To train and improve our AI models, monitor service quality, and debug issues. Conversation data used for training is processed by third-party AI providers under data processing agreements.
  • Security and fraud prevention: To detect, investigate, and prevent unauthorized access, fraud, and abuse.
  • Legal compliance: To comply with applicable law, respond to legal process, and enforce our Terms of Service.

We do not sell your personal information to third parties. We do not use your information for advertising on other platforms.

5. Third-Party Service Providers

We share information with the following third-party service providers solely to operate the Service. Each provider is bound by data processing terms:

Provider | Purpose | Data Shared
Supabase | Database & authentication | All customer and operator data
Ultravox AI | Voice call AI engine | Call audio, transcripts, taste profiles, system prompts
OpenRouter | LLM gateway (SMS AI) | Conversation history, menu data, taste profiles, cart state
Telnyx | Phone calls and SMS delivery | Phone numbers, call audio streams, message content
Twilio | SMS delivery (alternative) | Phone numbers, message content
Clover (Fiserv) | POS integration & payments | Order details, OAuth tokens, menu data
Stripe | Payment processing (Voice AI) | Order line items, customer phone number
Toast | POS integration (future) | Order details, menu data
Square | POS integration (future) | Order details, menu data
Google Cloud | Backend hosting & secrets | Server logs; API credentials (not patron data)

We may also disclose information when required by law, court order, or government request; to protect the rights, property, or safety of Belan AI, our users, or the public; or in connection with a business transfer such as a merger or acquisition (with advance notice to users).

6. SMS Communications and TCPA Consent

When you text a restaurant that uses Belan AI, you will receive the following consent message before your first conversation begins:

Reply YES to order by text. Msg freq varies. Msg&Data Rates May Apply. STOP=opt out, HELP=help. Privacy: https://belan.tech/privacy-policy

Your consent is specific to each restaurant. Opting in to receive texts from one restaurant does not opt you in to receive texts from any other restaurant on the Belan AI platform.

  • Text STOP at any time to immediately opt out of all messages from that restaurant.
  • Text START to re-enable text ordering after opting out.
  • Text HELP for support information.
  • Marketing SMS messages are only sent to customers who have an active opt-in status.
  • We do not send marketing messages to customers who have texted STOP.

7. Payment Processing

Payment for orders placed through Belan AI is handled by Stripe (for Voice AI orders) or Clover (for SMS orders). Both providers are PCI DSS compliant and handle all card tokenization.

Belan AI does not store full card numbers, CVV codes, or expiration dates on our servers. We store only the last 4 digits of your card and the card brand (e.g., Visa, Mastercard) for display purposes after a successful transaction.

Our PCI DSS compliance level is SAQ A, which applies to merchants that have fully delegated all cardholder data functions to PCI DSS compliant third parties.

8. Data Retention

We retain your information for as long as it is needed to provide the Service or as required by law:

Data Type | Retention Period
SMS conversation history | Indefinite; archival to cold storage planned after 90 days
Voice call transcripts | Indefinite
Order history | Indefinite
Taste profiles | Indefinite; preference signals older than ~6 months are weighted less heavily
TCPA consent records | Indefinite (required for regulatory compliance)
Payment sessions | 15 minutes (automatically deleted)
Restaurant operator accounts | Until account deletion is requested

You may request deletion of your personal data at any time by emailing nayeem@belan.tech. We will process verified deletion requests within 45 days.

9. Security

We implement the following measures to protect your information:

  • Encryption at rest: All data stored in Supabase (PostgreSQL) is encrypted at rest.
  • Encryption in transit: All data transmitted over the network uses HTTPS/TLS 1.2 or higher. Voice call audio is encrypted via RTP.
  • Multi-tenant isolation: Row-Level Security (RLS) ensures that each restaurant can only access its own customer data.
  • Credential management: API keys and secrets are stored in Google Cloud Secret Manager in production. No credentials are hardcoded in source code.
  • Payment security: Webhook payloads from Stripe are verified using HMAC SHA-256 signature validation.
  • Access controls: Access to production systems is limited to authorized personnel only.

Security incident response: In the event of a data breach that affects your personal information, we will notify affected users within 72 hours of discovering the breach (where feasible), provide details of the information involved and the steps we are taking, and advise on steps you can take to protect yourself. We will also notify applicable regulatory authorities as required by law.

No method of transmission over the internet or electronic storage is 100% secure. While we use commercially reasonable security measures, we cannot guarantee absolute security.

10. Your Rights — California Residents (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for which it is used, and the categories of third parties with whom it is shared.
  • Right to Delete: You have the right to request deletion of your personal information. We will honor verified deletion requests within 45 days, subject to exceptions required by law (e.g., we may retain records required for fraud prevention or legal compliance).
  • Right to Opt Out of Sale: We do not sell personal information. There is nothing to opt out of.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge you different prices, or provide you a different level of service because you exercised a privacy right.

To exercise any of these rights, email nayeem@belan.tech with the subject line “Privacy Request.” We may ask you to verify your identity before processing your request.

These rights also apply in substance to residents of other US states with similar consumer privacy laws. We will process requests from all US residents in good faith.

11. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us at nayeem@belan.tech and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy on this page and update the effective date. We will provide at least 30 days’ advance notice of material changes by posting a notice on our website at belan.tech.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Yusra Institute LLC d/b/a Belan AI

Plano, TX

Email: nayeem@belan.tech

Phone: (203) 300-7233

Website: https://belan.tech