Privacy Policy
Last updated: 11 July 2026
This policy covers business account users and people who call, message, order from, or make reservation requests with a business using Sorello.
1. Controller and processor roles
Sorello is the controller for account, security and platform-billing data. For caller transcripts, phone numbers, messages, orders and reservations, the restaurant is normally the controller and Sorello acts as its processor.
2. Data we process
- Account users: email, authentication records, business details, roles, settings, billing contact and legal-consent records. Stripe handles card details; Sorello does not store full card numbers.
- End customers: phone number, live audio processed for transcription and response, transcript and call events, order or reservation details, and SMS/WhatsApp delivery information.
- Technical data: security, audit, device, network and service-performance information needed to protect and operate the platform.
3. AI and call transparency
Callers interact with an AI assistant, not a human. It uses the business's approved menu, hours and instructions. Prices are validated by Sorello's server rather than trusted from AI output. Allergen questions and requests for a person are escalated to staff. Sorello does not use this assistant to make legal, employment, credit or similarly significant decisions about callers.
Callers receive an audio notice that they are speaking with an AI assistant and that the call is transcribed to handle their request. Live audio is processed by our communications and AI providers. Sorello does not retain an audio recording in the current standard service; transcripts and call records may be retained as set out below.
4. Purposes and lawful bases
- Contract: accounts, calls, orders, reservations, messaging, payments and billing requested by business customers.
- Legitimate interests: security, abuse prevention, auditability, reliability and customer support, balanced against individual rights.
- Legal obligation: tax, accounting, fraud-prevention and regulatory records where required.
- Consent: optional processing where consent is legally required; it may be withdrawn for future processing.
5. Retention
Call transcripts and call records are retained for 90 days by default and are then deleted by an automated retention process, unless a different lawful period is agreed with the restaurant. Account data is deleted or anonymised after closure when no longer needed. Financial records may be retained for up to six years where UK tax or accounting law requires it. Restaurants control their operational order and reservation retention and can request export or deletion.
6. Individual rights
UK data-protection rights may include access, correction, erasure, restriction, portability and objection, subject to legal limits. Account users can contact privacy@sorello.io. End customers should normally contact the restaurant, which can instruct Sorello to export or erase their data. Individuals may complain to the Information Commissioner's Office at ico.org.uk.
7. Recipients and sub-processors
We use Supabase for database and authentication services, Twilio for calls and messaging, OpenAI for real-time speech and language processing, Stripe for payments and billing, and hosting/monitoring providers needed to operate the service. Access is limited to the service each provider performs.
8. International transfers
Where information leaves the UK, we use an adequacy regulation, the UK International Data Transfer Agreement, the UK Addendum to Standard Contractual Clauses, or another lawful safeguard as applicable.
9. Security
We use encryption in transit, provider encryption at rest, tenant-level access controls, signed webhooks, restricted administrative access, rate limits, audit records and monitoring. No service can be guaranteed completely secure. We notify affected customers or regulators when legally required.
10. Cookies and messaging
We use necessary authentication and security cookies for the dashboard, not third-party advertising cookies. See our Cookie Notice. Operational payment, order and reservation messages are sent on the restaurant's instructions. Sorello does not use end-customer contact details for unrelated marketing.
11. Changes
We review this policy when our processing or the law changes. Material changes will be communicated through the dashboard or account email.
12. Contact
Contact privacy@sorello.io for privacy questions or rights requests. See also our Terms of Service.