1. Who we are
Tableside AI is the data controller for personal information collected on tablesideai.com. Contact for privacy questions, opt outs, deletion requests, and data subject access requests: [email protected].
2. What we collect
- Form submissions. When you fill the visibility score form, the contact form, or the booking form, we collect your name, business name, email address, phone (if provided), and the information you choose to share in the free text fields.
- Cold email engagement. If you reply to a Tableside AI cold email, your email address and reply content are stored so we can follow up. Outbound emails carry a UTM tag so we can attribute clicks back to the campaign.
- Cookies and analytics. The site uses cookies for two purposes only: a session cookie to keep your visibility score form draft, and a first party analytics cookie to count visits and understand which pages convert. We do not load any third party advertising trackers, retargeting pixels, or social media trackers.
- Server logs. Our edge runtime (Cloudflare Workers) logs IP address, user agent, request path, and response status. Logs are retained 30 days for security and abuse investigation.
3. Why we collect it
- To deliver your visibility score, content, consulting, or Commerce service you asked for.
- To follow up on a form submission or a cold email reply.
- To improve the site and the services (which page leads to the most signed engagements, which subject line gets the most replies).
- To meet legal, accounting, and tax obligations.
4. Data retention
We retain personal data only as long as it is needed for the purpose it was collected.
- Form submissions: 90 days from submission, then deleted from the live database. Aggregated, non personal counts (number of audits requested per month) are kept indefinitely.
- Cold email engagement: 12 months from last activity, then deleted unless you have signed a paid engagement.
- Customer records (paid engagements): for the duration of the engagement plus 7 years for accounting, tax, and dispute defence.
- Server logs: 30 days.
- Cookie consent record: 12 months from your last visit.
5. Cookies
We set the minimum cookies required to operate the site and understand how it is used.
- Session cookie (`tsai_session`). First party. Holds your visibility score form draft and your cookie banner choice. Expires when you close the browser, or 12 months for the consent flag.
- Analytics cookie (`tsai_analytics`). First party. Counts unique visitors and page views. No cross site tracking, no third party network requests.
You can decline non essential cookies through the banner shown on first visit. Declining still allows the site to function; it only disables the analytics cookie. You can clear your choice at any time by deleting the `tsai_session` cookie in your browser.
6. Sharing
We share personal data only with the small set of vendors required to deliver the services.
- Cloudflare (edge runtime, D1 database, Pages hosting). Personal data is processed in the United States.
- Resend (transactional email delivery). Used to send lead notifications to Spencer's Gmail and to deliver cold email and follow ups.
- Google Workspace / Gmail (Spencer's inbox).
- Stripe (payments, only if you become a paying customer).
- OpenAI (LLM and image generation, used internally for content production; we do not send identifiable customer information into third party LLMs without prior written consent).
We do not sell personal data. We do not share personal data with advertising networks.
7. Your rights
If you are in the European Union, the United Kingdom, or California, you have the right to:
- Request a copy of the personal data we hold about you.
- Correct personal data that is inaccurate.
- Request deletion (the GDPR "right to be forgotten" and the CCPA right to delete).
- Object to or restrict processing.
- Withdraw consent for cookies and marketing at any time.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email [email protected] from the email address associated with the data. We will respond within 30 days.
8. Children
The site and services are intended for business operators and are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal data, contact [email protected] and we will delete it.
9. Security
Data in transit is encrypted with TLS 1.3. Data at rest in Cloudflare D1 and Cloudflare R2 is encrypted by the platform. API secrets are stored as Cloudflare Worker secrets and are never written to logs. Access to production secrets is limited to Spencer.
10. International transfers
Tableside AI is operated from the United States and most of the vendors listed in section 6 process data in the United States. If you submit a form from outside the United States, you consent to the transfer of your personal data to the United States for the purposes described above.
11. Changes to this policy
We may update this policy from time to time. Material changes will be posted on this page with a revised last updated date. For significant changes affecting how personal data is processed we will notify customers by email.
12. Contact
Privacy questions, opt out, deletion: [email protected]. General questions: [email protected]. Legal notices: [email protected].
Last updated 2026-05-07.