Privacy Policy

Effective: May 29, 2026

Premia is a loyalty platform for restaurants operated by Greenfield AI. This policy explains what data we collect, why we collect it, who we share it with, and what rights you have over it. It is written in plain language because we do not believe legal terms should be obscure.

If you have questions or want to exercise your rights, write to us at privacy@premia.vip.

1. Who we are

The data controller is Greenfield AI, the company that operates the Premia platform. If you are a member of a specific restaurant’s loyalty program, the restaurant acts as joint controller of your data together with us.

2. What data we collect

2.1 If you are a restaurant customer (member)

  • Identification: your WhatsApp number in E.164 format is your primary identity. Optionally: name, email, language, birthday.
  • Transactions: each receipt you scan (photo + amount + merchant + date + items detected by the AI), points credited, redemptions made, current tier.
  • Communications: the messages we send you via WhatsApp / SMS / email, their delivery status, and whether you opened them (where applicable).
  • Session: if you sign in to the /me portal, we store a signed httpOnly cookie for 30 days. We do not use third-party tracking cookies without your consent.
  • Location (optional): only if you explicitly enable it from your profile. We store only the last known location, not your full history.

2.2 If you are a restaurant operator

  • Identification: email, name, role within the organization.
  • Configuration: restaurants, rewards, points rules, templates, segments, branding.
  • Audit: every administrative action (create a reward, adjust points, change a role) is recorded in the log with your identity, IP, and timestamp. The log is append-only and retained indefinitely for compliance.

3. What we use it for

  • Operate the loyalty program (earn points, redeem rewards).
  • Send transactional communications (OTP codes, redemption confirmations).
  • Send marketing campaigns only if you gave explicit consent (separate toggle in your profile).
  • Generate aggregate predictions for the operator (churn risk, LTV, next visit). The models are heuristic and are not shared outside the organization.
  • Detect fraud (duplicate receipts, fake numbers).
  • Meet the operating restaurant’s legal and tax obligations.

4. Who we share your data with

Premia runs as a layer on top of several external services. Each one has its own policy and processes data only for the function described.

  • Twilio (US): sending SMS and voice. Receives your number and the message content (OTP codes, alerts).
  • Meta WhatsApp Cloud API (US/IE): sending WhatsApp messages. Receives your number and the content. Subject to WhatsApp’s policies.
  • Google (US): reading the receipt photo. The image is sent base64-encoded; the service returns the extracted text. Google does not use this data to train models (enterprise-grade API).
  • Resend (US): sending transactional and marketing emails.
  • n8n self-hosted (Greenfield AI): orchestrates the communications dispatcher. Data does not leave our infrastructure.
  • Supabase (PostgreSQL, US): our database. Isolated per organization via Row Level Security.
  • Vercel (US/EU edge): frontend hosting.
  • Sentry (US/EU): error monitoring. Receives only stack traces and technical metadata — not message content or phone numbers.
  • Restaurant integrations: if the operator configured outbound webhooks, events such as transaction.validated are sent to their system (for example, their POS or CRM). They only see events relating to their own organization.

We never sell your data. We never share it with advertisers or marketing agencies. The only exceptions are legal obligations (court order, tax requirement).

5. How long we keep it

  • While you are active: your data is kept while your account is active in any program.
  • If you request erasure (GDPR article 17): we delete your data within 30 days, keeping only what tax law requires (for example, aggregate transaction amounts without personal identifiers).
  • If you opt out: your account is marked opt-out and we stop sending you communications immediately. Your data is kept aggregated/anonymized for 6 months for historical reporting.
  • Audit: append-only logs are kept for 5 years for compliance requirements.

6. Your rights

You have the right to:

  • Access: request a copy of all the data we hold about you.
  • Rectification: correct incorrect data from your profile or by emailing us.
  • Erasure: request that we delete your data (subject to legal exceptions).
  • Portability: export your data in JSON format from your profile.
  • Withdraw consent: opt out of marketing at any time from your profile.
  • Object: object to processing based on legitimate interest (for example, profiling for predictions).

To exercise any of these rights, write to us at privacy@premia.vip from the email associated with your account. We respond within 30 days.

7. Cookies

We use three types of cookies:

  • Necessary (always on): session cookies (httpOnly), language preference, sidebar collapse state.
  • Analytics (opt-in): help us understand which features are used. Anonymized. No individual tracking.
  • Marketing (opt-in): we do not use any currently. Reserved for future integrations with explicit consent.

You can review and adjust your preferences from the banner that appears the first time you visit the site, or from the “Cookies” link in the footer.

8. Security

  • All connections use TLS 1.2+.
  • Passwords and tokens are stored with SHA-256 + unique salts (argon2id reserved where applicable).
  • Access to your data is limited to authorized staff of your organization, via RLS (Row Level Security) at the database level.
  • No servers in countries that do not meet minimum standards (all in US/EU).
  • Continuous auditing of administrative changes.

If we detect a security breach that affects you, we notify you within 72 hours, per GDPR article 33.

9. Minors

Premia is not directed at minors under 16. If we discover that a member is a minor without verifiable parental consent, we delete the account without delay.

10. International transfers

Some of our processors (Twilio, Google, Vercel, Supabase) are in the United States. Where applicable, transfers are made under the EU’s Standard Contractual Clauses (SCCs).

11. Changes to this policy

If we change the policy, we notify you through your active channel (WhatsApp by default if you are a customer, email if you are an operator) with 30 days’ notice when the change is material.

12. Contact and supervisory authority

Questions or complaints: privacy@premia.vip. If you are not satisfied with our response, you can escalate to the data protection authority in your country (in Nicaragua, the Dirección General de Bienes Inmuebles; in Costa Rica, PRODHAB; in Mexico, INAI; in the EU, your national authority).
