Compliance frameworks and data practices.
Practical defaults designed to reduce risk while maintaining operational flexibility. Built for restaurant operations, not legal departments.
Service configuration defaults
Baseline settings designed to balance functionality with risk management.
Call Handling & Recording
- Call recording: Optional, configured per client
- Recording disclosure: Announced only when enabled
- Transcript logging: Always enabled (text only)
- Data retention: 7 days default (configurable)
- Customer data: Name, phone, reservation details only
SMS Communications
- Consent method: Implied verbal consent during call
- Message types: Transactional only (confirmations, updates)
- Opt-out mechanism: Reply STOP to any message
- TCPA compliance: No marketing messages, clear sender ID
- Message frequency: One confirmation per reservation
Legal and liability framework
Clear boundaries around service delivery, support, and liability allocation.
Service Level Expectations
- Uptime target: 99.9% availability
- Performance guarantee: None (best-effort basis)
- Error rate: No specific guarantees
- Response accuracy: Continuously optimized, not guaranteed
- Liability cap: Limited to service fees paid
We provide professional-grade service with enterprise infrastructure, but do not guarantee specific business outcomes.
Support & Issue Resolution
- Standard support: Email response within 24 hours
- Urgent issues: Phone support during business hours (9 AM - 6 PM ET)
- System outages: 24/7 automated monitoring and alerts
- Escalation path: Technical team for critical failures
- SLA credits: Not offered for downtime or errors
Support focuses on system operation and configuration, not individual call outcomes.
Data privacy and security practices
How we handle customer information and protect sensitive data.
Data Collection & Use
What we collect: Customer names, phone numbers, reservation details (date, time, party size), and special requests. Call audio (if recording enabled) and transcripts are stored temporarily.
How we use it: Exclusively for providing reservation services, sending confirmations, improving AI performance, and fulfilling legal obligations. No data sales or third-party marketing.
Third-party sharing: Only with service providers essential to operation (Twilio for telephony, OpenAI for AI processing, Airtable for data storage). All vendors operate under strict data processing agreements.
Security Measures
- Data encryption: TLS 1.3 for transmission, AES-256 at rest
- Infrastructure security: SOC 2 Type II compliant cloud providers (AWS)
- Access controls: Role-based access, principle of least privilege
- Monitoring: 24/7 automated security event logging
- Incident response: Defined procedures for security events
- Data backups: Encrypted daily backups with 30-day retention
Data Retention & Deletion
Default retention: Call recordings (if enabled) and transcripts are retained for 7 days. This provides sufficient time for quality review and issue resolution while minimizing data exposure.
Extended retention: Available upon request for compliance or operational needs. Typically 30 or 90 days. Additional storage fees may apply.
Deletion requests: Customers or restaurants can request deletion of specific personal information. We fulfill requests within 30 days. Anonymized analytics may be retained.
Regulatory compliance
How our service aligns with telecommunications and data privacy regulations.
TCPA Compliance (SMS)
The Telephone Consumer Protection Act regulates automated text messages. Our implementation complies through:
- Implied verbal consent obtained during reservation call
- Clear disclosure before sending ("I'll text you a confirmation")
- Transactional messages only (no marketing content)
- Easy opt-out mechanism (reply STOP)
- Sender identification in every message
Note: We are not legal advisors. Restaurants should consult counsel for specific compliance questions.
Call Recording Laws
Call recording laws vary by state. We support compliance through:
- Call recording is optional per client
- When enabled, disclosure announcement plays
- One-party consent assumed in most states
- Two-party consent available for CA, FL, PA, others
- Clients responsible for compliance in their jurisdiction
We configure recording announcements based on your location. Final compliance responsibility rests with the restaurant.
Data Privacy (GDPR-style)
While GDPR applies to EU residents, we implement similar principles for all customers:
- Clear disclosure of data collection and use
- Data minimization (collect only what's needed)
- Right to access personal information
- Right to deletion upon request
- Data portability (export available)
Industry Standards
Our infrastructure and practices align with recognized security frameworks:
- SOC 2 Type II compliant cloud infrastructure
- Payment card data never collected or stored
- OWASP security guidelines for web applications
- ISO 27001 information security principles
- Regular security audits and penetration testing
Risk considerations for restaurants
Deploying AI phone agents introduces specific operational and legal considerations. We address common concerns:
Incorrect Reservation Information
Risk: AI misunderstands party size, time, or date.
Mitigation: SMS confirmation shows all details. Customers reply if incorrect.
Multiple verification points reduce errors to <1% in production.
Inappropriate Responses
Risk: AI provides incorrect information or responds unprofessionally.
Mitigation: Extensive testing before launch. Escalation triggers for uncertain scenarios.
Continuous monitoring identifies issues quickly. Brand voice configured during setup.
System Downtime
Risk: Service outage prevents call answering.
Mitigation: 99.9% uptime through redundant systems. Automatic failover to your backup number within 30 seconds if a failure is detected.
Lost revenue liability limited to service fees.
Data Breach
Risk: Customer information exposed through security compromise.
Mitigation: Enterprise-grade security (encryption, access controls, SOC 2 infrastructure).
Minimal data retention (7 days). Incident response procedures in place. Cyber insurance coverage maintained.
Regulatory Violations
Risk: Non-compliance with TCPA, recording laws, or data privacy regulations.
Mitigation: Conservative default settings. SMS consent clearly obtained. Call recording optional with disclosure.
Compliance assistance during setup. Final responsibility rests with the restaurant (we're not legal counsel).
Questions about compliance?
Schedule a consultation to discuss your specific compliance requirements, data handling needs, or regulatory concerns. We'll explain how our defaults work and what customizations are available.