Privacy Policy
Effective date: April 30, 2026
This Privacy Policy explains how ReserveDeskApp TX LLC ("ReserveDesk", "we", "us") collects, uses, shares, and protects personal information when our reservation platform is used by service businesses ("Business Clients") and their customers ("End Customers"). It also describes how we handle data we receive from Meta Platforms when a Business Client connects a Facebook Page to ReserveDesk.
1. About ReserveDesk and our role
ReserveDesk is a Software-as-a-Service reservation booking platform used by independent service businesses — including restaurants, sports courts, car rental operators, and similar venues — to receive booking requests through Facebook Messenger and to manage day-to-day reservation operations through a web admin portal.
For personal data of End Customers (e.g., a customer messaging a restaurant on Messenger to make a reservation), the Business Client is the data controller. ReserveDesk acts as a data processor, processing that data only on the Business Client's instructions and only to deliver the booking workflow described below. ReserveDesk does not use End Customer data for advertising, profiling, or any purpose unrelated to the Business Client's reservation operations.
For personal data of Business Client staff (e.g., an admin's name, email, login credentials), ReserveDesk acts as a controller for the limited purpose of operating the platform's authentication and audit logging.
2. Information we collect
From Business Clients
- Business name, contact details, and venue configuration (operating hours, resources, booking rules).
- Administrator and staff names, email addresses, hashed passwords, and assigned roles.
- Facebook Page identifiers and Page access tokens granted via Facebook Login when a Business Client connects a Page to ReserveDesk.
From End Customers (processed on behalf of Business Clients)
- Messenger user identifier (PSID), profile name, and profile picture as supplied by Meta.
- Messages exchanged with the Business Client's Page that pertain to reservations.
- Phone number when provided by the customer for booking contact purposes.
- Reservation details: date, time, party size, resource requested, special requests, and reservation status.
- Customer-initiated cancellation or reschedule requests.
Automatically collected
- Server logs, including IP address, request paths, and timestamps, used for service reliability and abuse prevention.
- Audit records of administrator actions on reservations (confirm, reject, cancel, mark paid, add note) for accountability.
3. How we use information
- To operate the reservation booking workflow on behalf of the Business Client: receive incoming customer messages, ask the questions needed to capture a complete booking, save the reservation, and notify the customer of status changes.
- To present the Business Client with a queue of incoming and existing reservations through our admin portal.
- To enable Business Client staff to confirm, reject, cancel, mark paid, add notes to, or send Messenger replies for reservations.
- To deliver transactional emails from ReserveDesk to Business Client staff (e.g., invitation, password reset).
- To maintain audit trails, prevent abuse, and meet legal or contractual obligations.
We do not use End Customer data for advertising, do not sell personal information, and do not share End Customer data between Business Clients.
4. Meta Platform Data
When a Business Client connects their Facebook Page to ReserveDesk, ReserveDesk receives certain data from Meta ("Platform Data"). The permissions we request and how each is used:
- pages_show_list — to display the list of Pages the connecting administrator manages, so they can choose which Page to connect to ReserveDesk.
- pages_manage_metadata — to subscribe the connected Page to webhook events so we can receive incoming customer messages.
- pages_messaging — to send and receive Messenger messages between the Page and its End Customers as part of the booking workflow.
- pages_read_engagement — to read message read-receipts and delivery confirmations, so the booking workflow can respond accurately.
- business_management (optional) — when granted, to list Pages owned by the administrator's Business Manager so business-owned Pages can be connected. This permission is optional and gracefully skipped if not granted.
Platform Data is used solely for the booking workflow described in Section 3. We do not share Platform Data with any third party other than the subprocessors listed in Section 6.
5. Legal bases for processing
Where applicable law requires a legal basis for processing personal data, we rely on:
- The Business Client's instructions and our agreement with them, when processing End Customer data as a processor.
- Performance of a contract or legitimate interest, when operating platform authentication, audit logging, and abuse prevention.
- Consent, where required by law for a specific processing activity.
6. Data sharing and subprocessors
ReserveDesk does not sell personal information. We share data only as needed to operate the platform, and only with the following categories of recipients:
- Business Clients — each Business Client receives access to their own reservations, customer messages, and contact details. Business Clients do not receive any data belonging to other Business Clients.
- Meta Platforms — to deliver and receive Messenger messages on behalf of the Business Client's Page.
- Cloudflare — DNS, content delivery, and the secure tunnel used to expose ReserveDesk to the internet.
- Managed PostgreSQL provider — primary data store for reservations, business configuration, and audit logs.
- Transactional email provider — to deliver invitation and password-reset emails to Business Client staff.
- Service providers strictly necessary to operate the platform, such as monitoring or backup services. Each is bound by confidentiality and processing terms consistent with this Policy.
We may also disclose data when required by law, to enforce our Terms, or to protect the rights, property, or safety of ReserveDesk, our Business Clients, or others.
7. Data retention
- Reservation records and audit notes — retained for the duration of the Business Client's active subscription plus up to 12 months for audit and dispute resolution, then deleted or anonymized.
- End Customer profile mappings (PSID, name, phone) — retained while needed to operate the booking workflow for the Business Client, and deleted on End Customer deletion request or within 90 days of the Business Client disconnecting their Page, whichever comes first.
- Messenger conversation context — minimal session state used to drive the active booking step; cleared on session reset or after 24 hours of inactivity.
- Page access tokens — retained until the Business Client disconnects their Page or the token expires, then deleted within 30 days.
- Server logs and operational telemetry — retained up to 30 days, except where required for security investigations.
- Backups — encrypted database backups are retained for up to 30 days on a rolling basis.
Retention may be extended where required by law, regulation, or to resolve disputes and enforce agreements.
8. Security
ReserveDesk applies administrative, technical, and physical safeguards designed to protect personal data, including:
- TLS 1.2 or higher for all data in transit, with HTTPS-only public endpoints served via Cloudflare.
- Encryption at rest for Page access tokens and other sensitive credentials.
- Role-based access controls separating super-administrator, business-administrator, and staff roles, with per-business data scoping.
- Authenticated, rate-limited admin login with hashed passwords and short-lived session tokens.
- CSRF protection on state-changing admin endpoints.
- Audit logging of administrator actions on reservations.
- Logical isolation of each Business Client's data by business identifier.
No method of transmission or storage is completely secure. We continually review and improve our safeguards.
9. International data transfers
ReserveDesk is operated from the United States. If you access the platform from outside the United States, your data may be transferred to, stored in, and processed in the United States or other countries where our subprocessors operate. Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) to safeguard such transfers.
10. Your rights
Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or port personal data we hold about you, and to object to certain processing. You may also have the right to withdraw consent where processing is based on consent, and to lodge a complaint with a supervisory authority.
If you are an End Customer of one of our Business Clients, please contact that business directly for requests concerning their reservation records. We will support the Business Client in fulfilling your request.
To exercise your rights with ReserveDesk directly, contact support@reservedesk.app. See also our Data Deletion Instructions.
11. Children
ReserveDesk is intended for use by businesses and their adult customers and is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact support@reservedesk.app and we will take appropriate action.
12. Changes to this Policy
We may update this Policy from time to time. We will revise the "Effective date" above and, where appropriate, notify Business Clients through the platform or by email. Continued use of the platform after an update constitutes acceptance of the revised Policy.
13. Contact
ReserveDeskApp TX LLC
Privacy inquiries: support@reservedesk.app