Legal

Privacy.

Effective 26 May 2026Last updated 26 May 2026Controller Abiroot SARL, Lebanon

tamr is a conversational menu that sits between a restaurant and its guests. The diner side runs without an account. The restaurant side runs on a normal email login. This page explains exactly what each side touches, who else sees it, and how to ask us to delete it.

Plain-language summary

  • Diners scan and ask. No account, no email, no name. If we remember a returning diner's taste profile, it's tied to a random token in that browser — not to their identity.
  • Restaurants sign in with an email. We process the email, the restaurant's menu and business details, and usage data from the owner dashboard.
  • Three companies see fragments of this data: our model provider (OpenAI / Anthropic) to power the conversation, our analytics provider (PostHog) for the owner dashboard, and our hosting (AWS, Vercel, Cloudflare) to keep the service running.
  • We never sell data and we don't run advertising.
  • You can ask us to delete what we hold — email [email protected].

Who we are

tamr is a product of Abiroot SARL, a Lebanese limited liability company. Abiroot SARL is the data controller for everything described in this policy. When this policy says "we", "us", or "tamr", it means Abiroot SARL operating the tamr service.

Postal address and registered company number available on request at [email protected].

If you're a diner

If you scanned a QR code at a restaurant table and ended up here from inside that menu — this section is for you.

What we collect

Diner token
A random identifier stored in your browser's localStorage (and reconstructed from basic device characteristics if that's cleared). Lets us remember your preferences across visits to the same restaurant. It's not linked to your name, phone, or email.
Your questions
The messages you type or speak to the AI waiter, and the dishes you tap on. Used to answer you, and counted as anonymous demand signal on the owner's dashboard.
Taste profile
Inferred from your questions and choices over time (e.g. "tends to ask about dairy-free", "orders red wine"). Tied to your diner token, not your identity.
Technical signals
Browser language, approximate timezone, device type, and the page you came from. Used to render the menu correctly and to investigate bugs.

What we don't collect

We don't ask diners for a name, email, phone, or any account. We don't fingerprint you across different restaurants — each restaurant's tamr workspace keeps its own diner tokens. We don't track you around the web, and we don't run advertising of any kind.

What the restaurant sees

The restaurant that runs the menu you used can see, in their owner dashboard:

  • Aggregated demand patterns (e.g. "32% of guests asked about dairy-free this week")
  • Individual conversation transcripts, identified only by the anonymous diner token and table/branch
  • Which dishes are being viewed, asked about, and ordered through tamr

The restaurant cannot identify you personally from anything tamr exposes to them. If they identify you another way — for example, because you booked the table by name — that's outside the scope of this policy and falls under the restaurant's own practices.

If you run a restaurant

If you're a restaurant owner or operator with a tamr account, this section is for you.

What we collect about you and your business

  • Account data: your name, email address, role, and any password or magic-link tokens used to sign in.
  • Restaurant data: the name, branches, addresses, phone, public email, hours, and other details you enter for your locations.
  • Menu content: every dish, price, description, allergen, and dietary tag in your published or draft menus, plus any source files (PDFs, photos, URLs) you upload to ingest.
  • Usage data: what you click in the owner dashboard, what reports you open, what changes you make. Used to improve tamr and surface unused features to you.
  • Billing data: if and when paid plans are introduced, billing identifiers will be processed by our payment provider (currently none — this section will be updated when added).
  • Communications: any email or message you send us via support channels.

How we use it

  • To run your tamr workspace and serve your menu to your diners.
  • To produce the analytics, weekly insight, and dashboards we promise you.
  • To send transactional email — sign-in links, verification codes, important service notices, billing.
  • To diagnose problems and improve tamr.
  • To enforce our Terms and meet legal obligations.

We don't sell your menu data, your guest data, or your usage data to anyone. We don't train external commercial AI models on your data — see the next section for what does and doesn't happen with the model providers we use.

Who else touches the data

tamr runs on a handful of vendors. Each one only sees the slice of data needed for what they do, and each is contractually bound to confidentiality and data-protection standards comparable to ours.

OpenAI & Anthropic
Power the conversational AI waiter. Receive the diner's question and the relevant menu context to produce a reply. We use API tiers configured to not retain prompts for training. No diner identity is sent (only the anonymous diner token, if any).
PostHog
Product analytics for the owner dashboard — what features get used, where people drop off. Receives owner-side events identified by your account, plus aggregated diner-side counters (no diner messages).
AWS, Vercel, Cloudflare
Cloud hosting, content delivery, and edge security. Hold the encrypted database, application code, and assets. Process traffic logs to keep the service running and to defend against abuse.
Transactional email provider
Delivers sign-in links, verification codes, and service emails to restaurant accounts. Processes your email address and the email body.

The current list is the canonical one. If we add a new subprocessor that touches personal data, we'll update this page and — for owners on paid plans — notify you in advance.

Cookies and local storage

tamr uses the minimum browser storage required to make the product work. We do not use third-party advertising or cross-site tracking cookies.

On the diner side

  • Diner token in localStorage — anonymous, scoped to the restaurant's tamr workspace. Lets the AI waiter remember you between visits.
  • Language and preference flags in localStorage — your chosen menu language, dietary toggle states.

You can clear both by clearing site data for the tamr page in your browser. Doing so resets your taste profile.

On the owner side

  • Session cookies to keep you signed in.
  • PostHog cookies for product analytics (counts of dashboard usage).
  • Cloudflare cookies for security and bot mitigation.

How long we keep it

Diner conversations
90 days in identifiable form (tied to the anonymous diner token), then aggregated into pattern data with no link back to the original message.
Diner taste profile
Until the diner clears their browser storage, or 12 months without a return visit — whichever comes first.
Owner account data
For as long as the account exists, plus 90 days after deletion for billing, audit, and dispute purposes.
Menu content
For as long as the account exists. You can delete a menu at any time from the dashboard.
Logs and backups
Up to 30 days for operational logs; up to 60 days for encrypted backups.

How we protect it

  • All traffic to tamr is encrypted in transit (TLS 1.2+).
  • Data at rest is encrypted on managed cloud storage.
  • Access to production data is restricted to a small number of named engineers using multi-factor authentication.
  • Sign-in uses passwordless magic links and time-limited verification codes; we don't store reusable passwords for owner accounts.
  • We log access to sensitive systems and review the logs regularly.

No system is bulletproof. If we discover a breach affecting your data, we'll tell you what happened, what we know, and what we're doing about it, without unreasonable delay.

Your rights

Lebanese law and (where it applies, because of where you live or where data is processed) GDPR-style frameworks give you the following rights over data we hold about you:

  • Access — ask us for a copy of what we have.
  • Correction — ask us to fix something inaccurate.
  • Deletion — ask us to delete it, subject to legal retention duties.
  • Portability — ask us to export it in a machine-readable format.
  • Objection — ask us to stop a specific kind of processing.
  • Withdraw consent — where we relied on consent in the first place.

Email [email protected]. We aim to respond within 14 days. If you're a diner asking about data tied to a specific browser, please send the request from that browser, or include enough context for the restaurant to identify the session.

International transfers

Some of our subprocessors are based in or store data in the United States and the European Union. By using tamr you accept that your data may be processed outside Lebanon, in jurisdictions whose data-protection laws may differ from Lebanese law. We rely on each subprocessor's contractual safeguards (including, where applicable, EU Standard Contractual Clauses) to keep the level of protection consistent.

Children

tamr is built for adults — restaurant operators and adult diners. We don't knowingly collect data from anyone under 16. If you believe a child has interacted with tamr and you'd like the data removed, email [email protected].

Changes to this policy

We update this page when the product changes in ways that change how data flows. Material changes will be announced to restaurant owners by email at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

Contact

For anything privacy-related — questions, requests, or complaints — email [email protected].

For general questions, [email protected].

If we can't resolve a complaint

You can refer it to the appropriate Lebanese data-protection authority. If you're in a jurisdiction with its own supervisory authority (for example, an EU member state), you may also raise the complaint there.