Privacy Policy

Last updated: April 17, 2026 · Effective: April 17, 2026

Weavify ("Weavify", "we", "us", or "our") operates the weavify.io website, the eatandrink.weavify.io supplier portal, our public API, our Model Context Protocol (MCP) server, and our ChatGPT app "Bangkok Restaurant Booking by Weavify" (collectively, the "Service"). Weavify is an AI infrastructure platform that makes local businesses — restaurants, bars, nightclubs, and other venues — discoverable and bookable by AI assistants such as ChatGPT, Claude, and Gemini.

This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have over it. By using the Service you agree to this Policy.

Contents

1. Who we are & how to contact us
2. Information we collect
3. How we use your information
4. Legal basis for processing (EEA/UK)
5. Information sharing and disclosure
6. AI assistants, ChatGPT app & MCP
7. Data security
8. Data retention
9. Your rights
10. International transfers
11. Children's privacy
12. Cookies & local storage
13. Changes to this Policy
14. Contact

1. Who we are & how to contact us

Weavify is operated out of Bangkok, Thailand. Weavify is the data controller for personal information processed through the Service.

For privacy enquiries, data subject requests, or to exercise any of the rights described below, contact us at privacy@weavify.io.

2. Information we collect

Information venue managers provide

When a venue manager registers on the Supplier Portal (eatandrink.weavify.io), we collect:

Name, email address, and phone number of the account holder
The venue's business name, address, contact details, opening hours, menu, pricing, photos, and availability
Authentication credentials (passwords are stored as bcrypt hashes; we never store plaintext passwords)
API keys issued to the account (stored as SHA-256 hashes; plaintext keys are shown only once at creation)

Information we collect when a reservation is made

When someone makes a reservation through Weavify — whether via an AI assistant, the public API, or a booking widget — we collect:

Guest name (required)
Party size, date, and time of the booking
Email address and/or phone number (optional, for confirmation and venue contact)
Special requests or dietary notes the guest chooses to share (optional)
The venue the booking is for and the booking confirmation code

If the reservation is placed via a third-party AI assistant (e.g. ChatGPT), the assistant provides this information to us on the user's behalf. We do not receive the user's underlying conversation with the AI assistant — only the booking request parameters.

Information we collect automatically

API request logs: IP address, request timestamp, endpoint, HTTP method, response status, and the hashed API key used (where applicable). Used for rate limiting, abuse prevention, and debugging.
Basic analytics via Google Analytics (gtag.js) on the public marketing website and the directory: page views, referrer, approximate geographic region, device/browser type. We do not use Google Analytics on the Supplier Portal or the booking flow.
Error and performance telemetry from the Supplier Portal.

3. How we use your information

To process, confirm, cancel, and look up table reservations
To display venue profiles, menus, and availability to AI assistants, the public website, and the directory
To authenticate venue managers and operate the Supplier Portal
To issue, authenticate, and rate-limit API keys
To enforce usage limits, prevent abuse, and investigate security incidents
To communicate with venue managers about their accounts, bookings received, and material changes to the Service
To measure aggregate traffic and improve the Service
To comply with applicable law and enforce our Terms

We do not use personal information to train machine-learning models, and we do not sell or rent personal information.

4. Legal basis for processing (EEA/UK)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:

Performance of a contract — to create and manage venue accounts, and to process reservations you request.
Legitimate interests — to secure the Service, prevent abuse, measure aggregate traffic, and keep venue managers informed about their accounts. You may object to processing based on legitimate interests at any time.
Consent — where required by law, for example for certain analytics cookies. You can withdraw consent at any time.
Legal obligation — where we must retain records to comply with applicable law.

Public venue data

Venue profile information — business name, address, description, menu, photos, price range, opening hours, and availability — is public by design. It is served to AI assistants, website visitors, and via our public API, OpenAPI spec, and MCP endpoints. That is the core purpose of the Service.

Booking details

When a reservation is made, we share the guest's name, party size, date/time, and any contact details or special requests provided with the booked venue so they can honor the reservation and contact the guest if needed. We do not share guest contact details with any other party.

Service providers

We use a small number of vetted sub-processors to operate the Service, including:

Cloud hosting and database providers (to run the API and store venue and booking data)
Transactional email providers (to deliver booking confirmations and account notifications)
Google Analytics (aggregate website analytics only)

These providers process personal information only on our instructions and under confidentiality obligations.

AI assistants and agent platforms

When you access the Service through a third-party AI assistant (including the ChatGPT app), that assistant's provider (e.g. OpenAI) has its own privacy policy that governs your conversation with it. We only receive the specific booking parameters the assistant sends to our API. See Section 6 for details.

Legal disclosures

We may disclose personal information if required by law, legal process, or a binding order from a competent authority, or where we believe disclosure is necessary to protect the rights, property, or safety of Weavify, our users, venues, or the public.

Business transfers

If Weavify is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users and ensure continuity of privacy protections.

We do not sell personal information.

6. AI assistants, ChatGPT app & MCP

Weavify is designed to be called by AI assistants. We publish a public OpenAPI spec, a Model Context Protocol (MCP) server, and a ChatGPT app ("Bangkok Restaurant Booking by Weavify") so that assistants can discover venues, check availability, and make reservations on a user's behalf.

When an AI assistant calls the Weavify API:

We receive only the parameters the assistant chooses to send — typically venue ID, date, time, party size, and the guest's name (plus optional contact details).
We do not receive the user's conversation transcript with the assistant, the assistant's system prompt, or any other context beyond the API request itself.
We log the request for rate limiting, auditing, and debugging. Where an API key is used, its hashed identifier is logged against the request.
We return the venue data or booking confirmation to the assistant, which may then relay it to the user.

When you use the Weavify ChatGPT app, OpenAI's Privacy Policy governs your interaction with ChatGPT itself (including how your prompts, conversation history, and account information are handled). This Policy governs only the data that ChatGPT sends to Weavify in order to complete a booking or search request.

If you do not want a booking to be recorded by Weavify, do not instruct an AI assistant to make a reservation through our Service.

7. Data security

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

TLS/HTTPS encryption for all data in transit
Passwords hashed with bcrypt
API keys stored only as SHA-256 hashes; plaintext keys are shown once at creation and never retrievable afterwards
Database access restricted to the application layer and authorized personnel
Rate limiting, request auditing, and monitoring for anomalous activity
Principle of least privilege for internal access

No system is perfectly secure. If you believe your account has been compromised or you discover a vulnerability, please contact security@weavify.io.

8. Data retention

Venue account data — retained for the life of the account, then deleted within 30 days of account closure (except where we must retain records for legal, tax, or dispute-resolution purposes).
Booking records — retained for 12 months after the booking date, then deleted or anonymized.
API request logs — retained for 90 days.
Security and audit logs — retained for up to 12 months.
Analytics data — Google Analytics is configured with Google's standard retention settings (currently 14 months).

You may request earlier deletion at any time by contacting us, subject to limited legal exceptions.

9. Your rights

Depending on where you live, you may have some or all of the following rights in relation to your personal information:

Access — request a copy of the personal information we hold about you
Rectification — ask us to correct inaccurate or incomplete data
Erasure — ask us to delete your personal information
Restriction — ask us to limit how we process your data
Portability — receive a machine-readable copy of data you provided to us
Objection — object to processing based on our legitimate interests
Withdraw consent — where processing is based on consent, withdraw it at any time
Complain — lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@weavify.io. We will respond within 30 days and may need to verify your identity before fulfilling a request.

10. International transfers

Weavify is operated from Thailand and our infrastructure may be located in Thailand, Singapore, the United States, or other jurisdictions. If you are in the EEA, UK, or another region with data export restrictions, your personal information may be transferred to and processed in countries whose data-protection laws differ from your own. Where required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

11. Children's privacy

The Service is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact privacy@weavify.io and we will delete it.

12. Cookies & local storage

The public marketing website and directory use Google Analytics (gtag.js) to measure aggregate traffic. These set first-party analytics cookies.

The Supplier Portal uses browser localStorage to store authentication tokens so venue managers stay signed in. No third-party tracking cookies are set on the Supplier Portal.

The booking API and MCP endpoints are stateless and do not use cookies.

You can block or clear cookies and localStorage through your browser settings; doing so may prevent you from staying signed in to the Supplier Portal.

13. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will change the "Last updated" date at the top of this page and, for material changes, provide additional notice (for example, by email to venue managers or a banner on the Service). Continued use of the Service after an update constitutes acceptance of the revised Policy.

14. Contact

For privacy enquiries or to exercise any of the rights above:

Weavify
Bangkok, Thailand
privacy@weavify.io