← Back to Sorello

Privacy Policy

Last updated: 11 July 2026

This policy covers business account users and people who call, message, order from, or make reservation requests with a business using Sorello.

1. Controller and processor roles

Sorello is the controller for account, security and platform-billing data. For caller transcripts, phone numbers, messages, orders and reservations, the restaurant is normally the controller and Sorello acts as its processor.

2. Data we process

3. AI and call transparency

Callers interact with an AI assistant, not a human. It uses the business's approved menu, hours and instructions. Prices are validated by Sorello's server rather than trusted from AI output. Allergen questions and requests for a person are escalated to staff. Sorello does not use this assistant to make legal, employment, credit or similarly significant decisions about callers.

Callers receive an audio notice that they are speaking with an AI assistant and that the call is transcribed to handle their request. Live audio is processed by our communications and AI providers. Sorello does not retain an audio recording in the current standard service; transcripts and call records may be retained as set out below.

4. Purposes and lawful bases

5. Retention

Call transcripts and call records are retained for 90 days by default and are then deleted by an automated retention process, unless a different lawful period is agreed with the restaurant. Account data is deleted or anonymised after closure when no longer needed. Financial records may be retained for up to six years where UK tax or accounting law requires it. Restaurants control their operational order and reservation retention and can request export or deletion.

6. Individual rights

UK data-protection rights may include access, correction, erasure, restriction, portability and objection, subject to legal limits. Account users can contact privacy@sorello.io. End customers should normally contact the restaurant, which can instruct Sorello to export or erase their data. Individuals may complain to the Information Commissioner's Office at ico.org.uk.

7. Recipients and sub-processors

We use Supabase for database and authentication services, Twilio for calls and messaging, OpenAI for real-time speech and language processing, Stripe for payments and billing, and hosting/monitoring providers needed to operate the service. Access is limited to the service each provider performs.

8. International transfers

Where information leaves the UK, we use an adequacy regulation, the UK International Data Transfer Agreement, the UK Addendum to Standard Contractual Clauses, or another lawful safeguard as applicable.

9. Security

We use encryption in transit, provider encryption at rest, tenant-level access controls, signed webhooks, restricted administrative access, rate limits, audit records and monitoring. No service can be guaranteed completely secure. We notify affected customers or regulators when legally required.

10. Cookies and messaging

We use necessary authentication and security cookies for the dashboard, not third-party advertising cookies. See our Cookie Notice. Operational payment, order and reservation messages are sent on the restaurant's instructions. Sorello does not use end-customer contact details for unrelated marketing.

11. Changes

We review this policy when our processing or the law changes. Material changes will be communicated through the dashboard or account email.

12. Contact

Contact privacy@sorello.io for privacy questions or rights requests. See also our Terms of Service.