Privacy Policy

1. Introduction

Excuseme ("the Service") is a table ordering system for restaurants operated by GeekStyleJapan Inc. ("we", "us"). This Privacy Policy explains what information we collect, how we use it, how we share it, and how we protect it. This policy applies to both the Shopify Edition and the Standalone Edition of the Service.

We comply with Japan's Act on the Protection of Personal Information (APPI), the EU General Data Protection Regulation (GDPR) where applicable, and Shopify's data handling requirements.

2. Information We Collect

2.1 Shop / Account Information

[Shopify Edition]

• Shopify store domain name
• API access token (obtained through Shopify OAuth)
• Shop information auto-populated from Shopify API: shop name, owner email, phone, address, timezone, currency, Shopify plan

[Standalone Edition]

• Shop name, owner email address, phone number (optional)
• Password (stored as a bcrypt hash, never as plain text)
• Billing information: Stripe customer ID, subscription status, billing cycle dates (actual credit card numbers are handled solely by Stripe and never stored by the Service)

2.2 Staff Information

• Staff name, email address, role (manager/staff)
• Login credentials (bcrypt hashed passwords)
• Last login timestamp, activity logs for audit purposes

2.3 Order Information

• Table number, order details (product name, quantity, amount), order status
• Payment method and payment status (for subscription or customer payments)
• Language used to place the order

2.4 Waitlist & Reservation Information

• Customer name (for reservations)
• Phone number (used for check-in identification; displayed masked in analytics)
• Party size and seat type preference
• Reservation date and time

2.5 Customer Payment Information (Standalone Edition with Stripe Connect)

• Stripe PaymentIntent ID and charge ID (not card numbers)
• Payment amount, application fee, currency, status
• Card numbers and personal card details are handled exclusively by Stripe and are never transmitted to or stored by the Service

2.6 Information We Do Not Collect

Except for the waitlist/reservation phone number and name (which are provided voluntarily by customers), the Service does not collect end-customer personal information. Table ordering itself is conducted anonymously — no customer name, address, or payment details are required to place an order.

3. How We Use Information

• Providing and operating the table ordering service
• Staff authentication and order management
• Waitlist and reservation management, seat assignment optimization
• [Shopify Edition] Order integration with Shopify POS via Draft Orders API
• [Standalone Edition] Subscription billing via Stripe
• [Standalone Edition, optional] Customer payment processing via Stripe Connect (when enabled by the shop owner)
• Aggregate analytics for service improvement (anonymized where possible)
• Security monitoring and abuse prevention
• Legal compliance and responding to lawful requests

4. Third-Party Data Sharing

We do not sell personal information. We share information with the following third parties only to the extent necessary to provide the Service:

4.1 Shopify

For Shopify Edition users: order information, product data, and Draft Orders are exchanged with Shopify via the Shopify API. Shop information (name, address, email, phone) is fetched from Shopify during OAuth. Subject to Shopify's Privacy Policy.

4.2 Stripe (Standalone Edition)

For Standalone Edition users: billing information (shop email, phone, subscription details) is shared with Stripe for subscription processing. Card numbers and payment details are collected and processed directly by Stripe and are never handled by our servers.

For shops that enable Stripe Connect for customer payments, customer transaction data (order amount, metadata) is transmitted to Stripe. The shop's own Stripe account (separate from ours) holds the funds; we receive only a 0.5% platform fee per transaction.

Subject to Stripe's Privacy Policy and DPA: https://stripe.com/privacy

4.3 Optional Third-Party Integrations

The following integrations transmit data to external services only when explicitly enabled by the shop owner. All integrations are OFF by default.

• LINE Notify: When enabled, new order, staff call, waitlist check-in, reservation, and daily report notifications are sent to the configured LINE account. Data sent: shop name, table number, order total, customer name (if provided).
• GearSystem AI Gateway: When AI daily report or AI menu recommendations are used, aggregated and anonymized business data is sent to our AI provider (GearSystem) for summarization and suggestion generation. No personal customer data is transmitted.
• Google Business Profile: When enabled, aggregate busyness levels (not individual customer data) can be published to Google. No personal information is shared.
• iCal / Calendar Sync: When enabled, reservation information (date, time, name, party size) is exported to the shop owner's calendar (Google Calendar, Apple Calendar, etc.) via iCal format.

4.4 Legal Disclosure

We may disclose information when required by law, court order, or government request, or to protect our legal rights or the safety of users.

5. Data Storage and Retention

• Data is stored on secure servers located in Japan with HTTPS-encrypted transmission and encrypted backups
• [Shopify Edition] Store data is automatically deactivated when the app is uninstalled. All data is completely deleted within 48 hours of receiving a Shopify shop/redact webhook, or within 30 days for customer data requests (customers/redact)
• [Standalone Edition] Shop data is retained while the subscription is active. Upon cancellation, data is retained for 30 days to allow reactivation, then permanently deleted
• Completed order data is automatically anonymized after 90 days unless retention is required for legal or accounting purposes
• Waitlist phone numbers are automatically deleted 30 days after the entry is completed or cancelled
• Billing records are retained for 7 years as required by Japanese tax law

6. Security

• HTTPS/TLS encrypted communication across all endpoints
• Shopify HMAC signature verification for Shopify webhooks
• Stripe webhook signature verification for Stripe events
• Bcrypt-hashed password storage
• CSRF protection on all state-changing requests
• XSS prevention via output escaping and Content Security Policy
• Rate limiting on authentication and API endpoints
• Regular security audits and dependency updates
• Card data is never stored on our servers (handled exclusively by Stripe, PCI-DSS Level 1 certified)

7. User Rights

In accordance with Japan's Act on the Protection of Personal Information (APPI) and the EU General Data Protection Regulation (GDPR) where applicable, we guarantee the following rights:

• Right of access — you can request a copy of your personal data
• Right to rectification — you can request correction of inaccurate data
• Right to erasure — you can request deletion of your personal data
• Right to data portability — you can request your data in a machine-readable format (CSV, JSON)
• Right to withdraw consent — you can opt out of optional integrations (LINE, AI, Google Business, Calendar) at any time
• Right to lodge a complaint with your local data protection authority

To exercise any of these rights, contact us at info@geekstylejapan.com. We will respond within 30 days.

8. Cookies and Local Storage

We use cookies and browser local storage for the following purposes:

• Session management and authentication (strictly necessary)
• Remembering user preferences (language, layout)
• CSRF protection tokens
• Shopping cart state (customer-facing ordering app)

We do not use third-party advertising cookies or tracking cookies.

9. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email or in-app notification at least 30 days before taking effect. Continued use after the effective date constitutes acceptance of the updated policy.

11. Contact

For privacy-related inquiries, data access requests, or to exercise any of your rights under this policy, please contact us:

• Operator: 株式会社GeekStyleJapan
• Representative: 津村 健介
• Address: 〒660-0052 兵庫県尼崎市七松町1-20-23 AKCビル3F
• Email: info@geekstylejapan.com