Overview
Hesett Technologies Inc., a Delaware corporation (“Hesett,” “we,” “our,” or “us”) operates a QR-based ordering, reservation, and loyalty platform consisting of a mobile app (iOS and Android), a web app served at hesett.com and partner restaurant subdomains, and the back-end services that power them. This Privacy Policy explains what personal data we process when you, as a diner or restaurant staff member, use any of those surfaces.
We process personal data lawfully under United States privacy laws (including the California Consumer Privacy Act / CPRA where applicable), the European General Data Protection Regulation (GDPR), and Colombia's Law 1581 of 2012 on the Protection of Personal Data. If you are a resident of another jurisdiction, you are still protected by the same baseline rights we describe below.
What we collect
Account information
When you create a Hesett mobile account, we collect a name, email address or phone number, a profile photo if you choose to upload one, and your country. You can use Hesett in “guest mode” from the web app at a table without creating an account — in that case we only retain the data tied to that single session.
Order and reservation data
For each order or reservation we store the dishes ordered, party size, table number, restaurant, timestamps, and any notes you write for the kitchen. This data is shared with the restaurant you ordered at so they can serve you.
Device and usage data
We log device type, operating system, app version, IP address, and crash diagnostics. We use this data to keep the apps stable and to protect against fraud.
Communication preferences
We collect push-notification tokens, email opt-ins, and the device language we auto-detect to translate the menu.
How we use it
- To run the service. We need your order data to send it to the kitchen, your reservation data to hold a table, and your payment method to charge it.
- To personalize the experience. Your allergen profile, favourite dishes, and preferred language let us tailor every menu you see.
- To keep you informed. Push and email notifications about the order, table, group invitations, and earned rewards.
- To improve the product. Aggregated, anonymized usage statistics help us decide what to build next. We never sell this data and we never re-identify individuals from it.
- To prevent abuse. Fraud detection, rate limiting, and account recovery.
When we share data
We share personal data only with:
- The restaurant you ordered at. Your name, table, order, reservation, and any allergen notes. The restaurant uses this data exclusively to serve you and does not receive your email, phone number, or payment details.
- Friends you invite to a table. Your display name and ordered items become visible to people in your dining group.
- Service providers. Stripe (payments), Firebase / Google Cloud (authentication and storage), Crashlytics (crash reporting), and SendGrid (transactional email). Each provider is contractually bound by Data Processing Agreements that meet the GDPR and Law 1581 standards.
- Law enforcement, only when we receive a binding legal order from a court in a jurisdiction we operate in.
We do not sell personal data. We do not share it with advertisers.
Payment data
All card payments are processed by Stripe, which is certified to PCI-DSS Level 1. Your card number never touches Hesett servers — it is captured by Stripe Elements directly in your phone or browser. We store only a Stripe customer identifier and a non-sensitive payment-method token so you can reorder without re-entering your card.
If you choose to pay in cash, we record only the amount and the restaurant; no payment-instrument data is collected.
Allergens and dietary data
Hesett offers an allergen profile — gluten, nuts, dairy, shellfish, eggs, soy, fish, sesame, sulphites, vegan, vegetarian, kosher, halal. This is special-category data and is processed only with your explicit consent (you set it the first time you open a menu).
The profile is shared with the restaurant only when it is relevant — that is, when a dish you are looking at contains an allergen that matches your profile. You can clear or change it at any time from Settings → Allergens.
Location data
On the mobile app, we ask for your approximate location only when you open the map to discover restaurants nearby. We do not track your location in the background, and turning the permission off does not break any other feature.
Data retention
- Order history: kept for 24 months for receipts, then anonymised.
- Reservation history: 24 months.
- Account profile: kept until you delete your account. Deletion removes all personal identifiers within 30 days, except where we are legally required to keep records (e.g. tax invoices, kept for 7 years under US federal requirements and up to 10 years for Colombian operations).
- Crash logs and device telemetry: 90 days.
Your rights
Wherever you live, you can:
- Access a copy of the data we hold about you.
- Correct any data that is wrong.
- Delete your account and the personal data attached to it.
- Withdraw consent for non-essential processing (marketing, analytics, location, allergen profile).
- Object to processing or restrict it.
- Export your data in a portable JSON format.
- Lodge a complaint with your local data-protection authority — in the United States, your state Attorney General (e.g. the California AG for CCPA matters); in Colombia, the Superintendencia de Industria y Comercio (SIC); in the EU, your national DPA.
Submit any of these requests at support@hesett.com — we respond within 30 days.
International transfers
Hesett Technologies Inc. is incorporated in Delaware, USA, with operating presence in Colombia. Our core infrastructure runs on Google Cloud in São Paulo and Iowa. When we transfer data across borders, we rely on Standard Contractual Clauses (for EEA-to-US transfers), the Colombian SIC adequacy framework, and binding intra-group agreements with our processors.
Children's privacy
Hesett is not directed at children under 13. If you believe a child has created an account, please contact us and we will delete it.
Changes to this policy
When we change this policy in a way that materially affects you, we notify you at least 30 days in advance via email or an in-app banner. Smaller editorial changes are reflected by updating the “Last updated” date at the top of this page.
Contact
Questions, requests, or complaints — write to support@hesett.com. Our Data Protection Officer reads every message.