Privacy Policy
Effective: May 6, 2026 · Karimuu is operated by 2Bright2Clean LLC.
This notice explains what information Karimuu collects, how we use it, and who we share it with. Karimuu is an AI phone-host service for restaurants. There are two kinds of people whose information flows through Karimuu, and we describe how we handle each below:
- Restaurant accounts — owners, managers, and staff who sign up for Karimuu, configure their AI, and use the dashboard.
- Callers — the diners and prospective guests who call a restaurant's Karimuu phone number to ask a question, make a reservation, or place a takeout order.
1. What we collect
From restaurant accounts
- Account info: business name, address, business phone, email, owner/staff names, role, and password (stored hashed).
- Notification phone: the mobile number where the restaurant wants to receive SMS alerts about new reservations and orders.
- Knowledge base content: menu, hours, FAQs, and any text or files the restaurant uploads so the AI can answer questions accurately.
- Payment info: handled by Stripe — we never see or store full card numbers. We retain the Stripe customer/subscription IDs and a payment-status flag.
- Usage data: dashboard logins, actions (confirm/decline reservations, etc.), and basic device/IP info for security.
From callers (the restaurant's customers)
- Phone number: the number you called from, captured automatically by Twilio's caller ID, in international (E.164) format. We use this to send you SMS confirmations of your reservation or order, and to identify return callers.
- Voice recording & transcript: the call is recorded by VAPI, transcribed, and summarized so the restaurant has a written record of what was discussed.
- Reservation details: if you book a table — your name, party size, date/time, and any notes you gave (allergies, occasion).
- Takeout-order details: if you place an order — items, quantities, modifiers, pickup/delivery, the address (delivery only), and timing.
- Other context you share: if you ask a question the AI couldn't answer, your phone number is logged with the question so the restaurant can call you back.
2. How we use the information
- To operate the AI phone host: the AI reads relevant business context (hours, menu, etc.) to answer your questions and capture your reservation or order.
- To send SMS confirmations: when the restaurant confirms or declines your reservation/order, we send you a text from the same Twilio number you called. By giving us your phone number on the call, you consent to receive transactional confirmation messages from the restaurant. Reply STOP to opt out at any time, HELP for help. Standard message and data rates apply.
- To send owner alerts: when a new reservation or order comes in, we text the restaurant's notification phone so the owner sees it on their phone.
- To run the dashboard: the restaurant uses the dashboard to view calls, transcripts, reservations, orders, and questions, and to confirm/decline customer requests.
- To improve service quality: we may review aggregated, de-identified call patterns to improve the AI's prompt and tooling. We do not train AI models on your individual conversations, and we do not sell your data.
- For security and abuse prevention: rate limiting, fraud detection, and protecting our infrastructure.
- To comply with law: respond to lawful requests, court orders, or subpoenas.
3. Phone number details — what to know
Karimuu is a phone-based service, so phone numbers are central to how it works. Specifically:
- The restaurant's Karimuu number is a dedicated phone number we provision with Twilio for each restaurant. The restaurant publishes this number in place of (or alongside) its real number. Calls to this number are answered by Karimuu's AI host. Costs for this number and its usage are billed as part of the restaurant's subscription.
- The caller's phone number is captured automatically when the call comes in — that's how phone networks work, and it's the same as caller-ID on any landline. We use this number as the SMS recipient when the restaurant confirms or declines your request, and to recognise repeat callers in the dashboard.
- The owner's notification phone is whatever mobile number the restaurant chose in their settings. We text this number when a new reservation or order comes in.
- SMS sender: when we text you, the message comes from a Twilio number — usually the same number you called. Reply STOP on any message to opt out of all further SMS from that number.
- SMS content: we only send transactional messages — reservation/order confirmations, decline notices, and ready-time updates. We do not send marketing SMS.
- SMS frequency: typically zero to a few messages per call you make. There is no recurring SMS subscription.
- We do not sell or rent phone numbers to anyone. Caller phone numbers are visible only to the restaurant the call was placed to, and to our processors (below) as needed to deliver the service.
4. Service providers we use
We use the following processors to operate Karimuu. Each handles only the data needed for its role:
| Provider | What it does | What it sees |
|---|---|---|
| Twilio | Inbound calls, outbound SMS | Phone numbers, call audio, SMS bodies |
| VAPI | AI call orchestration + transcription | Call audio, transcripts, structured extracts |
| Anthropic (via VAPI) | The LLM that powers the AI host (Claude) | Transcript text during the call only |
| ElevenLabs (via VAPI) | Text-to-speech voice synthesis | Text the AI says, in real time |
| Stripe | Subscription billing | Restaurant payment + billing details only |
| Supabase | Database (Postgres) | All structured data Karimuu stores |
| Railway | Backend hosting | Encrypted-in-transit traffic to our app |
| Netlify | Frontend (this website + dashboard) | Page-load metadata only |
| Google Places | Optional business-context lookups | The Google Place ID of the restaurant only |
Each of these providers is bound by their own privacy commitments and standard data-processing terms. We do not give access to any provider beyond what's needed for the service.
5. Data retention
- Call recordings + transcripts: kept for as long as the restaurant's account is active so the owner can review them. The restaurant can request deletion of any specific call.
- Reservation/order records: kept for as long as the restaurant's account is active.
- Caller phone numbers: kept for as long as associated calls are retained.
- Payment data: kept by Stripe under their retention policies; we keep only billing IDs and status flags.
- Account closure: when a restaurant cancels its account, we keep operational data for up to 90 days for billing reconciliation, then delete it (or anonymize it for aggregate metrics).
6. Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete your information
- Object to or restrict certain uses
- Receive a copy of your information in a portable format
- Opt out of SMS by replying STOP
To exercise any of these rights, email privacy@karimuu.com. If you called a restaurant's Karimuu number and want your call record removed, you can also ask the restaurant directly — they have a delete control in their dashboard, and we'll honor either path.
7. Security
We use industry-standard safeguards: TLS for all data in transit, encrypted storage at our database provider, hashed passwords (bcrypt), least-privilege access for our team, and audit logs for sensitive operations. No system is perfectly secure, so if you suspect a security issue, please write to security@karimuu.com.
8. Children
Karimuu is not directed at children under 13, and we don't knowingly collect information from them. If you believe a child has interacted with the service, contact us and we'll delete the data.
9. International users
Karimuu is operated from the United States and our service providers are primarily US-based. If you use Karimuu from outside the US, your information will be transferred to and processed in the United States.
10. Changes to this policy
We may update this policy from time to time. The "Effective" date at the top reflects the latest revision. Material changes will be communicated in the dashboard and/or by email to active accounts.
11. Contact
Karimuu is operated by 2Bright2Clean LLC.
For privacy questions: privacy@karimuu.com
For security: security@karimuu.com
For everything else: hello@karimuu.com
This policy is provided in good faith. It does not create a contract or legal obligations beyond those imposed by applicable privacy law. Where any provision conflicts with mandatory law, that law controls.