Legal · Privacy Policy

Privacy Policy

How Rai collects, uses, stores, and protects information for the AI phone-agent service.

Last updated:2026-05-17. Status: Draft pending counsel review. Final version will be issued before paid billing begins for any customer.

1. Who we are

R.ai, Inc. (“Rai,” “we,” “us”) operates R.ai — an AI phone-agent service for restaurants. We are based in the United States. You can reach us at hello@r-ai.com.

2. What we collect

We collect three categories of data:

Category	Examples	How we get it
Restaurant data	Business name, address, phone numbers, business hours, tax rate, menu items, allergens, owner-supplied instructions.	You provide it during onboarding.
Call data	Inbound caller phone number, call duration, full transcript, audio recording (with payment portions automatically muted), AI-derived intent/outcome.	Captured by our voice infrastructure (Vapi, Twilio) at the moment of each call.
Order & account data	Items ordered, totals, delivery addresses, your customers' phone numbers, your account login (email), your subscription & billing records.	Generated as calls occur and as you administer the account.

We do notstore credit card numbers, CVVs, or expiration dates. Card payments are processed by Stripe under Stripe's privacy policy.

3. How we use it

To operate the service — answer calls, take orders, push to your POS, send receipts.
To show you metrics on your dashboard.
To improve call quality — we may anonymize transcripts/audio for model fine-tuning. We do not sell call data to third parties.
To send service emails (digests, trial notifications, payment failures). Marketing emails only with separate consent.

4. Call recording & two-party consent

Every call begins with an audible disclosure: “This call is being recorded for data analytics.” This disclosure plays for both open-hours and after-hours calls and cannot be disabled. The disclosure is designed to satisfy two-party-consent recording laws in CA, FL, MA, MD, IL, PA, WA, and similar jurisdictions.

Recording is automatically paused before any card information is collected and resumed only after the payment portion ends.

5. Who we share with

Service providers— Vapi (voice infrastructure), Twilio (telephony & SMS), Stripe (payments), Resend (email), Vercel (hosting), Neon (database), Sentry (error tracking), PostHog (product analytics). Each acts as a processor under our instructions and a written data-processing agreement.
Your restaurant — you see all data tied to your account. Your team members you grant access also see it.
Legal & safety — we will disclose data to comply with a court order or to protect against serious harm.
Successor — in a merger or acquisition, data transfers to the buyer under these same commitments.

We never sell your data.

6. Where we store it

Data is stored on Vercel and Neon in the United States. Audio recordings live in Vercel Blob. We use TLS in transit and AES-256 at rest where the underlying provider supports it.

7. How long we keep it

Call recordings: 90 days, then auto-deleted.
Call transcripts: 365 days, then auto-deleted.
End-customer phone numbers and order history: 730 days from last activity.
Your restaurant account data: for the lifetime of your account, deleted within 60 days of account closure (we may retain billing records longer to meet tax/audit obligations).

8. Your rights

You can:

Access — export your data anytime via dashboard or by emailing us.
Correct — fix any inaccurate data via the dashboard.
Delete — request full deletion via hello@r-ai.com. We'll confirm within 30 days.
Opt out — turn off marketing emails in Settings, or reply STOP to any SMS.

California residents have additional rights under the CCPA, including a right to know about data sales (we don't sell). Email us to exercise them.

9. SMS

Order-confirmation SMS messages are sent only to phone numbers that have called your restaurant — these are transactional. Every SMS includes “Reply STOP to opt out.” Replying STOP immediately writes sms_opt_out=true on the customer record and stops future texts.

10. Your customers' privacy

You are the controller for the personal data of the people who call your restaurant. Rai processes that data on your behalf under a data-processing agreement (available on request). If a caller asks how their data is handled, point them to this policy or have them reply STOP / email us.

11. Children

Rai is not directed to children under 13. We do not knowingly collect data from children. If a child has called your restaurant and you wish for that data to be deleted, email us.

12. Changes

We'll email account owners at least 14 days before any material change to this policy. The “Last updated” date at the top reflects the current revision.

13. Contact

Privacy questions: hello@r-ai.com. We respond within five business days.

R.ai, Inc. — operating as R.ai. This policy applies to r-ai.com and any subdomain operated by Rai.