Privacy Policy

Cappish is a service operated by Amberworks Ltd, a company registered in England and Wales. For the purposes of UK GDPR, Amberworks Ltd is the data controller for personal data we collect from our customers (the restaurants who use our platform) and the visitors to our website. For personal data relating to a customer's own guests that flows through our platform, we act as a data processor on behalf of that customer.

You can contact our privacy team at any time at privacy@cappish.com.

We collect the following categories of personal data:

• Account information. Name, work email address, telephone number, password (stored hashed), and role at the restaurant.
• Restaurant business information. Trading name, registered address, opening hours, menus, allergen information, booking policies, and other operational content you provide so Cappish can answer guests on your behalf.
• Guest conversation data. Messages, calls, and metadata (phone numbers, social handles, names, party size, dietary requirements, special requests) exchanged between your guests and Cappish through WhatsApp, Instagram, voice, and other connected channels.
• Payment information. Billing contact, billing address, VAT number, and limited card data. Card details are processed by our payment provider; we never store full card numbers on our systems.
• Technical and usage data. IP address, browser and device type, pages viewed, referring URLs, and product usage events, collected through standard server logs and analytics.

We use personal data to:

• Provide, operate, and maintain the Cappish service, including replying to your guests on your behalf;
• Train, evaluate, and improve our AI models in line with our customer agreement;
• Generate analytics, reports, and weekly summaries for your restaurant;
• Communicate with you about your account, product updates, security notices, and support;
• Bill you for the service and prevent fraud;
• Comply with our legal and regulatory obligations.

Under UK GDPR, we rely on the following lawful bases:

• Contract.Where processing is necessary to deliver the services you have signed up for, including managing your account and processing your guests' messages.
• Legitimate interests. To run, secure, and improve our service, prevent fraud, and conduct limited direct marketing to existing business customers. We balance these interests against your rights.
• Consent. Where required, for example for non-essential cookies and certain marketing communications. You can withdraw consent at any time.
• Legal obligation. Where we must process data to comply with UK law (for example, accounting and tax records).

We share personal data only with trusted parties for the purposes set out above, including:

• Messaging providers such as Meta Platforms (WhatsApp Business API, Instagram), and our voice and SMS partners, to send and receive messages on your behalf.
• Payment processors who handle billing and card data on our behalf.
• Hosting and infrastructure providers who host our application, databases, and logs in the UK and EEA.
• AI model providers who process message content under contractual terms that prohibit them from using your data to train their general-purpose models.
• Professional advisers (lawyers, accountants, auditors) and authorities where required by law.

We do not sell personal data.

We retain personal data only for as long as necessary for the purposes for which it was collected. As a guide:

• Account and billing records: for the life of your account and up to 7 years afterwards (UK tax law);
• Guest conversation data: for the duration of your subscription and up to 24 months afterwards, unless you ask us to delete it sooner;
• Technical logs: typically 30–90 days;
• Marketing data: until you unsubscribe or withdraw consent.

You have the right to:

• Access the personal data we hold about you;
• Have inaccurate data corrected (rectification);
• Have your data erased in certain circumstances (the right to be forgotten);
• Restrict processing in certain circumstances;
• Receive your data in a portable format (data portability);
• Object to processing based on legitimate interests, including direct marketing;
• Withdraw consent where processing is based on consent;
• Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email privacy@cappish.com.

We aim to keep personal data within the United Kingdom and the European Economic Area. Where data is transferred outside the UK, we use appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or transfers to jurisdictions covered by UK adequacy regulations.

Our website uses a small number of strictly necessary cookies and, with your consent, analytics cookies that help us understand how the site is used. You can manage cookies through your browser at any time. We do not use advertising cookies.

Cappish is a business-to-business service and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.

We use industry-standard technical and organisational measures to protect personal data, including encryption in transit and at rest, role-based access controls, and regular security reviews. No system is completely secure, but we work hard to protect your information.

We may update this Privacy Policy from time to time. When we do, we'll update the “Last updated” date above and, where the changes are material, notify you by email or in the product.

If you have any questions about this Privacy Policy or how we handle your data, please contact us at privacy@cappish.com.