Privacy Policy
Effective Date: May 3, 2026 · Last Updated: May 3, 2026
1. Introduction
NeoBreed ("Company," "we," "us," or "our") operates a business-to-business (B2B) Software-as-a-Service (SaaS) platform that enables physical businesses — such as restaurants, car dealerships, cava bars, and other venues — to deploy QR-code-driven AI concierge experiences, digital menus, and staff training tools (collectively, the "Platform").
This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with:
- Business Owners — the companies and individuals who purchase and administer a NeoBreed account through our dashboard at menu.neobreed.org.
- End Customers — members of the public who scan a NeoBreed-generated QR code at a venue. End customers do not create accounts with NeoBreed; they interact anonymously with the customer-facing experience powered by our Platform.
By using the Platform or by permitting your customers to interact with QR experiences you have generated, you agree to the practices described in this Privacy Policy. If you do not agree, you should not use the Platform.
2. Two Distinct User Categories
Important: NeoBreed serves two fundamentally different groups
Business Owners
Authenticated users who purchase the Platform, manage their inventory, create QR codes, and view analytics via the dashboard. Subject to account terms and this Privacy Policy in full.
End Customers
Members of the public who scan QR codes at a venue. No account is created. No personally identifiable information (PII) is required or collected by NeoBreed. The data they generate is processed on behalf of the business owner.
3. Information We Collect
3.1 From Business Owners (Account Holders)
When a business owner is registered on the Platform, the following information is collected:
- Account Credentials: Email address and hashed password; or Google OAuth token for accounts using Google Sign-In.
- Business Profile: Full name, business name, business description, country of operation, preferred currency, business timezone, and phone number.
- Visual Assets: Business logo and background image (uploaded to AWS S3). These assets are incorporated into generated QR code designs and the customer-facing digital menu.
- Inventory Data: Menus (Lists), items, categories, modifiers, and pricing information — all of which constitute content you voluntarily upload to the Platform.
- AI Configuration: Custom AI prompts, AI character preferences, staff training content, and common question shortcuts you configure for your AI chatbot.
- Financial Information: Monthly subscription fee and staff hourly wage (used for ROI analytics). Payment details are collected and processed directly by Stripe — NeoBreed does not store credit card numbers.
- Google Business Data: Google Place ID, Google Review URL, and review count if you link your Google Business profile.
- QR Code Orders: A record of each QR code you generate, including the linked list or item, template selection, passcode (if any), and link name.
3.2 From End Customers (QR Code Scanners)
NeoBreed intentionally minimizes data collection from end customers. No account creation is required, and no personally identifiable information is collected or required to interact with the AI chatbot or digital menu.
- Anonymous Session ID: A randomly generated identifier stored in the browser's localStorage. This ID allows the AI chatbot to retrieve prior conversation history if the same customer scans the QR code again from the same browser. This ID is not linked to any personal identity.
- Conversation Messages: The text messages sent to and received from the AI chatbot during a session. Stored anonymously under the session ID in our database. No name, email, or contact information is associated with these messages.
- Analytics Events: Aggregated behavioral data collected via Google Tag Manager (GTM) and Google Analytics 4, including QR code scans, page engagement duration, digital menu category clicks, item views, and AI-assisted session counts. This data is anonymized and used solely to provide business analytics to business owners.
- Device & Technical Data: Standard web server logs may incidentally capture IP addresses, browser type, and device type. This information is not stored or used to profile individuals.
Data Minimization Commitment
NeoBreed processes end customer data exclusively as a service provider on behalf of the business owner. We do not sell, broker, or independently use end customer conversation data for any purpose other than delivering the AI chatbot service and providing business analytics to the account holder.
3.3 Automatically Collected Technical Data (Platform-Wide)
- Server access logs: timestamps, HTTP request paths, response codes.
- Error logs and performance metrics via AWS CloudWatch.
- QR code scan event counts tracked per short link in our database.
- Authentication tokens (JWTs) issued upon login — stored client-side; validated server-side.
4. How We Use Information
4.1 To Provide and Operate the Platform
- Creating and managing business owner accounts and authenticating logins.
- Rendering the customer-facing AI chatbot and digital menu experiences when a QR code is scanned.
- Storing and retrieving menu inventory data so the AI chatbot can accurately answer customer questions.
- Generating and managing QR code short links tied to your lists or items.
- Delivering staff training AI responses using recipe and preparation data you upload.
- Enabling passcode-protected QR codes for staff-only content.
4.2 For Analytics and Business Intelligence
- Providing dashboard analytics to business owners: QR scan counts, AI-assisted session rates, engagement time, and menu item view counts.
- Generating AI Insights: anonymized conversation messages are analyzed by an AI model (AWS Bedrock / AI21 Jamba) to produce business improvement suggestions delivered to the business owner.
- Calculating cost-savings metrics using the staff hourly wage value you provide.
- Identifying peak customer interaction hours (displayed in the business owner's timezone).
4.3 For Communications
- Sending transactional emails related to account activity (e.g., password resets) via our Nylus email integration.
- Push notifications to business owner devices when a table order is placed (via Firebase FCM).
- Responding to support or legal requests.
4.4 For Security and Legal Compliance
- Preventing unauthorized access, fraud, and abuse.
- Enforcing our Terms of Service.
- Complying with applicable laws, regulations, and valid legal process.
- Maintaining IP-based rate limiting and CSRF protection.
5. AI Processing and Automated Systems
NeoBreed is an AI-first platform. Understanding how AI processes data is important.
5.1 AI Models Used
- OpenAI (ChatGPT): Powers the primary customer-facing AI chatbot for list-based QR codes. Customer messages and prior conversation history are transmitted to OpenAI's API to generate responses. Menu data (item names, descriptions, prices, modifiers) is included in the prompt context.
- AWS Bedrock — Anthropic Claude: Used for AI-powered menu parsing and OCR — extracting structured menu data from uploaded images or PDFs to rapidly populate a business owner's inventory.
- AWS Bedrock — AI21 Jamba: Processes anonymized conversation history from a business's QR sessions to generate trend analysis and business improvement insights shown on the dashboard.
- Google Gemini: An alternative AI model available on the Platform.
- AWS Polly: Converts AI text responses to audio (text-to-speech) for the voice response feature.
5.2 What Data Is Transmitted to AI Providers
When an end customer sends a message to the AI chatbot, the following is transmitted to the AI provider (OpenAI):
- The customer's text message (no name or identity attached).
- Prior messages in the same anonymous session (conversation history).
- The business's menu data: item names, descriptions, prices, modifiers.
- The business owner's configured AI prompt, character settings, and list description.
- The business name.
No PII from end customers is transmitted. The business owner's personal information (name, email, etc.) is not transmitted; only their menu content and AI configuration.
5.3 AI Output Disclaimer
AI-generated responses are automated and may contain errors, inaccuracies, or hallucinations. NeoBreed does not guarantee the accuracy of AI chatbot responses. Business owners are responsible for reviewing and keeping their inventory data accurate so that AI responses reflect their actual offerings.
6. Data Sharing and Third-Party Service Providers
We do not sell personal information. We share data only with trusted third-party service providers necessary to operate the Platform:
Amazon Web Services (AWS)
Purpose: Cloud infrastructure: API hosting (Lambda), database (DynamoDB), file storage (S3), authentication (Cognito), AI models (Bedrock), text-to-speech (Polly), monitoring (CloudWatch).
Data Shared: All Platform data including business owner profile, inventory, QR records, conversation data.
Location: United States (us-west-1, us-east-1 for Bedrock).
OpenAI
Purpose: AI chatbot responses for customer-facing QR experiences.
Data Shared: Anonymous conversation messages, menu data, AI configuration. No business owner PII.
Location: United States.
Stripe
Purpose: Payment processing, subscription management, and Stripe-based payouts.
Data Shared: Business owner billing information and transaction records.
Location: United States.
Google (Analytics, Tag Manager, Places, Gemini)
Purpose: Platform analytics, QR scan event tracking, business location lookup, alternative AI model.
Data Shared: Anonymized usage events; Place ID and Google Review data (business owner-linked).
Location: United States.
Firebase (Google) — FCM
Purpose: Push notifications to business owner devices for table orders.
Data Shared: Device push tokens registered by the business owner.
Location: United States.
Nylus
Purpose: Transactional email delivery.
Data Shared: Business owner email address and relevant notification content.
Location: United States.
Twilio
Purpose: SMS OTP delivery for account verification.
Data Shared: Business owner phone number when OTP is requested.
Location: United States.
HubSpot
Purpose: Demo booking from the landing page.
Data Shared: Contact information voluntarily submitted via the Book a Demo form.
Location: United States.
We may also disclose information: (a) to comply with applicable law or respond to valid legal process; (b) to protect the rights, property, or safety of NeoBreed, our clients, or the public; (c) in connection with a merger, acquisition, or sale of assets, in which case we will provide notice; or (d) with your explicit consent.
7. Data Retention
- Business Owner Account Data: Retained for the duration of the active account relationship plus a reasonable period afterward for legal and financial compliance obligations.
- Inventory Data (Lists, Items, Categories, Modifiers): Retained while the account is active. Deleted upon account termination at the business owner's request.
- AI Conversation Data (End Customers): Stored indefinitely in association with the business owner's account to power dashboard analytics and AI Insights. The data is anonymous and cannot be traced to any individual end customer.
- Payment Records: Retained as required by applicable financial regulations and Stripe's data retention policies.
- QR Code Short Links: Retained while the account is active; scan count history may be retained for analytics purposes.
- Server Logs: Retained for a standard operational period (typically 30–90 days) for security and debugging purposes.
8. Data Security
We implement industry-standard technical and organizational safeguards to protect the information we process:
- All data transmitted between clients and the Platform is encrypted via TLS/HTTPS.
- Business owner authentication uses JWT tokens with server-side validation on all protected API routes.
- User passwords are hashed using industry-standard algorithms; they are never stored in plain text.
- All data is hosted on Amazon Web Services infrastructure within secure, access-controlled environments.
- Business owner visual assets (logos, images) are stored in AWS S3 with access controls.
- Payment processing is handled entirely by Stripe, which is PCI-DSS compliant. NeoBreed does not store payment card numbers.
- IP-based rate limiting and CSRF protection are enforced at the API layer.
No system can guarantee absolute security. In the event of a data breach that may materially affect your information, we will notify affected business owners without undue delay in accordance with applicable law.
9. Your Rights (Business Owners)
As a business owner with a NeoBreed account, you have the following rights with respect to your personal information:
- Access: You may request a copy of the personal information we hold about you.
- Correction: You may update most profile information directly from your dashboard settings.
- Deletion: You may request deletion of your account and associated personal information. Contact us at the address below. Note that certain data (e.g., transaction records) may be retained as required by applicable law.
- Portability: You may export your inventory data (lists, items, categories) from within the Platform.
- Opt-Out of Marketing: You may opt out of marketing communications at any time. Transactional and operational messages will continue.
To exercise any of these rights, contact us using the details in Section 13. We will respond within a reasonable period and may need to verify your identity.
End customers interacting with QR codes do not have a direct contractual relationship with NeoBreed. Requests from end customers regarding conversation data should be directed to the business owner who operates the relevant QR code experience.
11. Children's Privacy
The NeoBreed Platform is intended for use by business operators (adults). We do not knowingly collect personal information from individuals under 18 years of age. The customer-facing QR experience is accessible to anyone who scans a QR code; however, no PII is collected from any end customer, regardless of age.
If you believe a child has provided personal information through our Platform, please contact us immediately and we will take appropriate steps to delete such information.
12. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy at any time. When we make material changes, we will update the Effective Date at the top of this page and, where appropriate, notify registered business owners by email. Your continued use of the Platform following the effective date of any update constitutes your acceptance of the revised policy.
13. Governing Law
This Privacy Policy and any disputes arising from it are governed by the laws of the State of Colorado and the United States of America, without regard to conflict of law principles. Any dispute not resolved informally shall be subject to the exclusive jurisdiction of the state and federal courts located in Colorado.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:
Acknowledgment
BY USING THE NEOBREED PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND CONSENT TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED HEREIN.