Privacy Policy
Last Updated: October 14, 2025 | Effective Date: October 14, 2025
🔒 Your Data Never Leaves Your Premises
VBPi AI is a LOCAL, ON-PREMISES solution. Your restaurant data remains 100% within your
infrastructure. We do not use public cloud APIs, we do not store your data externally, and we do not
transmit your operational data to any third-party services. Complete data sovereignty guaranteed.
1. Overview
Vitabyte Inc. ("Vitabyte," "we," "us," or "our") operates VBPi AI, an AI-powered analytics platform
for Oracle Simphony POS systems. This Privacy Policy explains how we handle information in connection
with our services.
Key Principle: VBPi AI is designed as an on-premises, local deployment.
Your operational data (sales, employees, transactions) stays within your infrastructure and is never
transmitted to external servers or third-party services.
2. Information Architecture
2.1 Data That Stays Local (Your Premises)
The following data is processed entirely within your infrastructure and never leaves your premises:
- Sales Data: Daily sales, transactions, revenue by location, time periods
- Employee Information: Staff performance, tips, hours worked, scheduling
- Menu Data: Menu items, pricing, sales by item, inventory levels
- Guest Check Data: Individual transactions, payment methods, check details
- Operational Metrics: Labor costs, void rates, service times, table turns
- Custom Reports: All generated reports and analytics
- AI Analysis Results: Recommendations, predictions, anomaly detection results
How Your Data Flows (100% Local):
┌─────────────────────────────────────────────────────────┐
│ YOUR PREMISES (Everything stays here) │
├─────────────────────────────────────────────────────────┤
│ │
│ Oracle Simphony POS │
│ ↓ │
│ VBPi AI Server (Local Installation) │
│ • Data processing │
│ • AI analysis (local models) │
│ • Report generation │
│ ↓ │
│ Your Database (Local) │
│ ↓ │
│ User Interface (Local network only) │
│ │
│ NO EXTERNAL CONNECTIONS │
│ NO CLOUD STORAGE │
│ NO PUBLIC APIs │
│ │
└─────────────────────────────────────────────────────────┘
2.2 Information We Collect (For Service Delivery Only)
We collect minimal information necessary to provide and support our services:
Account Information:
- Contact name, email address, phone number
- Company name and billing address
- Number of locations (for licensing purposes)
Technical Support Information:
- Support tickets and correspondence
- System logs for troubleshooting (no operational data)
- Software version and deployment configuration
Billing Information:
- Payment method details (processed by third-party payment processor)
- Billing history and invoices
3. AI Processing & Public APIs
🤖 100% Local AI - No External AI Services
We do NOT use public AI APIs (OpenAI, Google, AWS, etc.) for processing your data.
All AI models run locally on your infrastructure. Your operational data never touches external AI services.
3.1 How Our AI Works
- Local Deployment: AI models are deployed on your server infrastructure
- On-Premises Processing: All analysis happens within your network
- No External APIs: No calls to OpenAI, Google AI, AWS Bedrock, or similar services for operational data
- Private Models: Your custom-trained models remain your property
3.2 Optional External Services (Opt-In Only)
The following external services are optional and require explicit opt-in.
They do NOT process your operational data:
- Weather Data: Public weather APIs for correlation analysis (no operational data sent)
- Industry Benchmarks: Anonymized, aggregated industry comparisons (no identifiable data)
- Software Updates: Version checks and security updates (no operational data transmitted)
4. Data Security
4.1 Security Measures
- Encryption: 256-bit AES encryption for data at rest and in transit (within your network)
- Access Controls: Role-based access control (RBAC) with granular permissions
- Authentication: Multi-factor authentication (MFA) support
- Audit Logging: Complete audit trail of all system access and changes
- Network Isolation: Runs within your private network (no internet exposure required)
- Regular Updates: Security patches and updates provided promptly
4.2 Compliance
- SOC 2 Type II: Certified for security, availability, and confidentiality
- PCI DSS Ready: Compliant architecture for payment card data
- GDPR Compliant: Designed for EU data protection requirements
- CCPA Compliant: California Consumer Privacy Act compliance
- HIPAA Ready: Can be configured for healthcare compliance (if needed)
5. Data Retention
5.1 Operational Data (Your Control)
Since all operational data remains on your infrastructure, you control retention periods.
We provide tools to manage data retention based on your policies:
- Configure custom retention periods (90 days, 1 year, 7 years, unlimited)
- Automated archival and purging based on your schedule
- Export capabilities for long-term archival to your systems
5.2 Account Information
We retain account information for the following periods:
- Active Accounts: Duration of service agreement
- After Termination: 90 days (for reactivation purposes)
- Billing Records: 7 years (tax and legal requirements)
- Support Tickets: 3 years (for service improvement)
6. Data Sharing
6.1 We Do NOT Share Your Operational Data
Your operational data never leaves your premises. We do not share, sell, rent,
or otherwise disclose your restaurant data to any third parties.
6.2 Limited Service Provider Access
We may share account information with:
- Payment Processors: To process subscription payments (Stripe, PayPal)
- Email Service: To send service notifications (SendGrid) - contact info only
- Support Tools: To provide customer support (Zendesk) - support tickets only
These providers are contractually required to protect your information and use it only for specified purposes.
6.3 Legal Requirements
We may disclose information if required by law or legal process, such as:
- Court orders or subpoenas
- Government investigations
- Legal claims or disputes
- Protection of our rights or safety of others
7. Your Rights
7.1 Data Access and Control
You have the right to:
- Access: Request copies of your account information
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your account information
- Export: Export all your data in standard formats
- Opt-Out: Disable optional external services at any time
7.2 California Residents (CCPA)
California residents have additional rights:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt-out of sale of personal information (we don't sell data)
- Right to deletion of personal information
- Right to non-discrimination for exercising privacy rights
7.3 EU Residents (GDPR)
EU residents have rights including:
- Right to access personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
8. Cookies and Tracking
8.1 Local Interface Only
Since VBPi AI operates within your local network, we use minimal cookies for essential functionality:
- Session Cookies: Maintain your login session (deleted when you log out)
- Preference Cookies: Remember your settings (theme, language, dashboard layout)
- Security Cookies: Prevent CSRF attacks and ensure secure connections
8.2 No Third-Party Tracking
We do NOT use:
- Google Analytics or similar tracking services
- Social media tracking pixels
- Advertising cookies or remarketing
- Cross-site tracking
9. Data Breach Notification
In the unlikely event of a data breach affecting your account information, we will:
- Notify you within 72 hours of discovering the breach
- Provide details about what information was affected
- Explain what steps we're taking to address the breach
- Recommend actions you can take to protect yourself
- Notify relevant regulatory authorities as required by law
Note: Since your operational data remains on your premises, any breach of that data
would be within your infrastructure, not ours.
10. Children's Privacy
VBPi AI is designed for business use and is not directed at children under 13. We do not knowingly
collect information from children. If we learn we have collected information from a child under 13,
we will delete it immediately.
11. International Data Transfers
Since VBPi AI is deployed on your premises, your operational data does not cross borders.
For account information processed by us:
- Our servers are located in the United States
- We use Standard Contractual Clauses (SCCs) for EU data transfers
- We comply with applicable data protection frameworks
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last Updated" date at the top
- We will notify you via email for material changes
- We will provide 30 days notice before changes take effect
- Continued use of services after changes constitutes acceptance
We encourage you to review this policy periodically.
13. Contact Us
For questions about this Privacy Policy or to exercise your rights, contact us:
14. Summary: Your Data Privacy Guarantee
✓ Our Commitment to You
- ✓ 100% Local Deployment: Your data stays on your premises
- ✓ No Public Cloud APIs: No external AI services process your data
- ✓ Complete Data Sovereignty: You own and control all data
- ✓ No Data Selling: We never sell, rent, or share your operational data
- ✓ Military-Grade Security: 256-bit encryption, SOC 2 certified
- ✓ Transparent: Clear privacy practices, no hidden data collection
- ✓ Your Rights Protected: Full GDPR, CCPA, and PCI DSS compliance
Version 1.0 | Effective October 14, 2025 | Terms & Conditions