← Hawthorne
Privacy Policy
Last updated: May 17, 2026
1. Who we are
Hawthorne is operated by [LEGAL ENTITY NAME, e.g. "Hawthorne Software LLC"], a [STATE] company headquartered at [BUSINESS ADDRESS] ("Hawthorne," "we," "us").
We provide an operating-system platform for independent bars and small hospitality businesses ("the Service"). This policy explains how we handle information that bar operators give us directly and how we handle information about a bar's own customers when that bar uses our software to run their floor, reservations, messaging, loyalty program, and so on.
2. What information we collect
From bar operators (our direct customers)
- Account info — name, email, phone, role, the bar's name and address.
- Authentication — hashed passwords, session tokens. We don't store passwords in plain text.
- Billing — payment method tokens via Stripe. We don't see or store raw card numbers.
- Usage — basic logs of how the Service is used (pages visited, features touched). Used for support and product improvement.
- Communications — emails, feedback, and support requests you send us.
From a bar's own customers (when a bar uses Hawthorne)
- Contact info — name, email, phone, when a guest books a table, joins a waitlist, signs up for loyalty, buys a gift card, or buys an event ticket.
- Reservation history — date, time, party size, occasion notes, dietary notes, no-shows.
- Payment info — for online purchases (gift cards, ticketed events, reservation holds), Stripe processes the payment and we store only the Stripe identifiers, never raw card data.
- Consent records — whether the customer has opted in to transactional SMS, marketing SMS, and email, and the timestamp / source of each opt-in.
- Loyalty activity — visits, points balance, perks redeemed.
- Reviews and feedback — what a guest writes back when prompted after a visit, including any Google reviews we sync.
Automatically (any visitor to the Service)
- Device / browser — user agent, OS, screen size — to render the Service correctly.
- IP address — for security, rate-limiting public forms, and abuse prevention.
- Cookies / local storage — minimal, used to keep you signed in and remember preferences (e.g. theme, sort order). We do not use third-party advertising cookies on the Service.
3. How we use information
We use the information described above to:
- Provide the Service to bar operators and run the features they enable for their own customers (reservations, waitlist, schedule, loyalty, gift cards, event ticketing, messaging, reviews).
- Process payments via Stripe.
- Send transactional messages — booking confirmations, reminders, gift card receipts, "your table is ready" notifications — when a customer has consented to receive them.
- Send marketing messages — only when a customer has explicitly opted in (separate from transactional consent).
- Respond to support requests and act on feedback.
- Detect abuse, fraud, and security incidents.
- Comply with our legal obligations (e.g. financial recordkeeping for taxes).
We do not sell personal information and we do not use it for advertising on third-party platforms.
4. Who we share information with
We use a small set of subprocessors — well-known service providers who help us run the Service. Each has its own privacy and security commitments:
- Supabase — managed Postgres database, authentication, file storage, real-time updates. Hosts in their US data center.
- Netlify — static site hosting (the websites you and your customers see).
- Stripe — payment processing for reservations holds, gift cards, and event tickets.
- Brevo — transactional email and SMS delivery.
- Google — Maps (location pickers) and Business Profile API (review syncing) when a bar enables those features.
We do not sell or rent personal information. We may share information when required by law, when responding to a valid legal process, or when necessary to protect the rights, property, or safety of Hawthorne, our customers, or others.
If we ever go through a business transition (merger, acquisition, asset sale), customer information may transfer to the successor entity, subject to the protections of this policy.
5. If you're a customer of a bar that uses Hawthorne
When a bar uses Hawthorne to manage reservations, waitlists, marketing, etc., that bar — not Hawthorne — is the data controller for the information they collect from you. Hawthorne is the data processor: we hold the data on their behalf and act on their instructions.
What that means in practice:
- Your relationship is with the bar. They decide what to collect, how long to keep it, and who to share it with.
- If you want to access, correct, or delete data the bar holds about you, contact the bar directly. They can do all of those things from inside Hawthorne.
- If you can't reach the bar or they aren't responsive, you can contact us and we'll help facilitate.
6. How long we keep information
- Bar operator accounts — for as long as the account is active, plus 24 months after closure for accounting and audit purposes.
- Customer reservation history — retained for at least 18 months for operational and audit reasons, then archived or deleted.
- SMS / email consent records — retained while a person remains opted in, plus 24 months after opt-out for TCPA / GDPR compliance.
- Payment records — retained as required by applicable tax and financial regulations.
- Backups — encrypted, time-limited, automatically aged out.
7. Security
We use industry-standard safeguards: HTTPS everywhere, encrypted-at-rest databases, hashed passwords, role-based access controls, row-level security on the database itself, and a tightly limited team who can see customer records. Payments use Stripe.js Elements so card numbers never touch our servers.
No system is perfect, but we treat customer data with the same care we'd want for our own. We're working on additional hardening — leaked-password detection, formal SOC 2 audit, and a published security disclosures page — as part of our standard roadmap.
8. Your rights
You can ask us to:
- Access — get a copy of the information we hold about you.
- Correct — fix information that's inaccurate or out of date.
- Delete — remove your information, subject to legal hold (e.g. tax records).
- Restrict or object — limit how we use your information.
- Port — receive your information in a machine-readable format.
- Opt out — stop email, SMS, or marketing communications.
To exercise any of these rights, email [CONTACT EMAIL, e.g. "privacy@gethawthorne.io"]. We respond within 30 days. If you're a customer of a bar that uses Hawthorne, see Section 5 for the right channel.
9. International transfers
Our service is hosted in the United States. If you access Hawthorne from outside the US — including from the European Union, the United Kingdom, or other regions — your information will be transferred to and processed in the US. We rely on standard contractual clauses with our subprocessors where applicable to safeguard international transfers.
10. Children's privacy
Hawthorne is built for businesses that primarily serve adults (bars). We do not knowingly collect information from anyone under the age of 13. If a parent or guardian believes a child has provided us with information, please contact us and we'll delete it.
11. California residents (CCPA)
If you are a California resident, the CCPA gives you specific rights:
- The right to know what categories of personal information we have collected.
- The right to request deletion of personal information.
- The right to opt out of any "sale" of personal information (we don't sell yours — but you have the right anyway).
- The right not to be discriminated against for exercising these rights.
Email [CONTACT EMAIL] to exercise any of these rights.
12. EU / UK residents (GDPR)
If you are in the EU or the UK, you have the rights described in Section 8 plus the right to lodge a complaint with your local data protection authority. Our legal bases for processing are: (a) contract when we provide the Service you've signed up for; (b) legitimate interests when we run security, fraud prevention, and product improvement; (c) consent when we send marketing messages; and (d) legal obligation when we keep financial records or respond to legal process.
13. Changes to this policy
We may update this policy. When we do, we'll change the "Last updated" date at the top and, for material changes, notify bar operators by email at least 30 days before the change takes effect.