PRIVACY POLICY

1. Overview

TARIY Inc. d/b/a GrubIQ (“GrubIQ,” “we,” “our,” or “us”) provides an AI-powered operational management platform for multi-unit restaurants. This Privacy Policy explains how we collect, use, disclose, and secure personal information when users access our applications, platform, services, or integrations (collectively, the “Services”).

By using our Services, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

2.1 User Information

We collect information provided by users or their employers, including:

• Name and contact information
• Job role, store assignment, and related employer data
• Login credentials (hashed; we do not store raw passwords)
• Communication and interactions within the platform

2.2 Operational & Integration Data

To provide AI-driven insights and operational automation, we collect structured information from connected systems such as:

• Point-of-sale (POS) data
• Scheduling and labor data
• Inventory, COGS, and waste data
• Sensor and camera-based structured analytics (counts, events, detections — no video storage)
• Store operational metrics (throughput, timing, performance trends)

2.3 Device & Technical Data

We automatically collect:

• IP address, device identifiers, browser type
• App usage logs and performance data
• Cookies or similar tracking technologies
• Diagnostic and security event logs

2.4 AI Interaction Data

We store:

• User queries and system responses
• Feedback provided for training and model optimization
• System-generated operational insights

We do not use customer data to train global models unless explicitly permitted by enterprise agreements.

3. How We Use Information

We use the collected information to:

• Provide, operate, and improve our Services
• Deliver AI-driven recommendations, alerts, and automation
• Enhance scheduling accuracy, reduce waste, and optimize operations
• Monitor system performance and maintain security
• Comply with legal obligations
• Support research and product development (in aggregated or anonymized form)

4. How We Share Information

4.1 Service Providers

Trusted vendors under SOC 2–aligned agreements, such as:

• Hosting providers (e.g., AWS, Azure)
• AI infrastructure providers
• Analytics and observability tools
• Integration partners (POS, scheduling, hardware vendors)

These providers are contractually required to secure data and use it only for authorized purposes.

4.2 Enterprise Customers

For employer-managed accounts, operational data may be accessible to authorized representatives of the customer organization.

4.3 Legal & Compliance

We may disclose information:

• To comply with applicable laws
• To protect our rights, security, or property
• In connection with a business transaction (merger, acquisition, etc.)

We do not sell or rent personal data.

5. Data Security

We maintain SOC 2 Type II controls, including:

• Encryption in transit and at rest
• Access control and identity management
• Continuous monitoring and incident response
• Strict vendor security assessments

Despite safeguards, no system is 100% secure.

6. Data Retention

We retain personal and operational data only as long as necessary to:

• Provide the Services
• Meet contractual obligations
• Satisfy legal requirements

Retention schedules may vary based on customer agreements.

7. International Transfers

For GDPR compliance, transfers from the EU/EEA rely on:

• Standard Contractual Clauses (SCCs)
• Equivalent lawful mechanisms

8. Your Rights

Under GDPR (where applicable):

• Access, rectify, or delete personal data
• Restrict or object to processing
• Data portability
• Right to lodge a complaint with a supervisory authority

Under CCPA/CPRA:

California consumers may request:

• Access to collected data
• Deletion of personal data
• Correction of inaccurate data
• Information regarding data disclosure

We do not sell personal information.

Requests can be sent to: legal@grubiq.co

9. Children’s Privacy

The Services are not intended for use by minors under 16. We do not knowingly collect data from children.

10. Changes to this Policy

We may update this Privacy Policy as needed. Updates will be posted with a new effective date.