RilonAI

Privacy Policy

Last updated: February 2026

Introduction

Confidentiality and security are core values of Cerebro Technologies FZ-LLC ("Cerebro Technologies", "we", "us", or "our"). We are committed to protecting your privacy and ensuring that your personal data is handled responsibly and in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, the "PDPL").

This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with our website at rilonai.com, our SaaS platform Rilon AI (the "Platform"), and our mobile applications Rilon Portal and Rilon Terminal (the "Apps").

This policy applies to website visitors, Platform subscribers and their authorized users, mobile app users, restaurant guests whose data is processed through our services, and any other individuals whose personal data we process in the course of providing our services.

Data Controller

The data controller for personal data processed through this website is:

Cerebro Technologies FZ-LLC
United Arab Emirates
Email: contact@cerebrotechnologies.dev

When our customers (restaurant owners and operators) use the Rilon AI Platform to process personal data of their employees, guests, or other individuals, the customer acts as the data controller and Cerebro Technologies acts as the data processor. In such cases, data processing is governed by a Data Processing Agreement between Cerebro Technologies and the customer.

Website Data

When you visit our website at rilonai.com, we may collect the following categories of personal data:

Contact form and demo requests

  • Name, email address, phone number, and company name
  • Restaurant type, location, and number of venues
  • Message content and any additional information you choose to provide

We use this data to:

  • Respond to your inquiries and requests for information
  • Schedule and conduct product demonstrations
  • Send marketing communications about our products and services, where you have given consent
  • Analyze website usage to improve our content and user experience

Newsletter subscriptions

If you subscribe to our newsletter, we collect your email address and any preferences you indicate. You may unsubscribe at any time using the link provided in each email.

Navigation and technical data

We automatically collect certain technical data when you browse our website, including IP address, browser type and version, device type, operating system, pages visited and time spent, and referring URLs.

Platform Data

When customers subscribe to and use the Rilon AI Platform, we process personal data as a data processor on behalf of our customers. The categories of data processed depend on the features and modules used by each customer, and may include:

Account and administrator data

  • Name, email address, phone number
  • Authentication credentials (encrypted)
  • Role, permissions, and access logs
  • Billing and payment information

Employee and staff data

  • Name, contact information, and job title
  • Employment details (department, role, assigned location)
  • Shift schedules, attendance records, and availability
  • Performance data and internal communications

Guest and customer data

  • Name, phone number, email address, and communication preferences
  • Reservation history, dining preferences, and special requests
  • CRM profiles including visit frequency and spending patterns
  • Feedback, reviews, and complaint records

Call and voice data

  • Call recordings and transcripts from the AI voice agent service
  • Caller identification data (phone number, name when available)
  • Call metadata (time, duration, outcome, actions taken)

Reservation and booking data

  • Guest name, party size, date, time, and special requests
  • Table assignment and seating preferences
  • Booking source and confirmation status

Payment data

  • Transaction records, payment amounts, and payment method references
  • Tip information and bill-splitting details where applicable

Analytics data

  • Aggregated operational metrics (covers, revenue, labor costs)
  • Platform usage patterns and feature adoption

Mobile Apps

Rilon Portal (staff mobile app)

Rilon Portal is a mobile application used by restaurant employees to manage their work schedules, view shift assignments, communicate with management, and access employment-related information. The app processes:

  • Employee identification and authentication data
  • Shift schedules, availability, and time-off requests
  • Push notification tokens for shift alerts and updates
  • Device information for app functionality and security

Access to Rilon Portal is provided by the employer (the customer) as part of the employment relationship. The employer acts as the data controller for employee data processed through the app.

Rilon Terminal (POS tablet app)

Rilon Terminal is a tablet-based point-of-sale and table management application used in restaurants. The app processes:

  • Staff login credentials and session data
  • Order details, table assignments, and guest counts
  • Payment transaction references
  • Device and network information for operation and security

We process personal data on the following legal grounds, as applicable under the GDPR (Article 6) and the UAE PDPL:

  • Contract performance — Processing necessary to perform our contract with you or to take pre-contractual steps at your request, including providing the Platform, Apps, and related services.
  • Legitimate interests — Processing necessary for our legitimate business interests, such as improving our services, ensuring platform security, preventing fraud, and conducting analytics, provided these interests are not overridden by your rights.
  • Consent — Where you have given specific consent to processing, such as for marketing communications, newsletter subscriptions, or non-essential cookies. You may withdraw consent at any time.
  • Legal obligations — Processing necessary to comply with legal requirements, such as tax regulations, accounting obligations, or lawful requests from authorities.

Where our customers use the Platform to process personal data of their employees or guests, the customer determines the legal basis for such processing. Common bases include the performance of employment contracts, legitimate interests in business operations, and compliance with labor and tax laws.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

  • Website inquiries and demo requests — Retained for the duration necessary to respond to your request, and thereafter for up to 12 months unless a commercial relationship is established.
  • Newsletter subscriptions — Retained until you unsubscribe or withdraw consent.
  • Platform data — Retained for the duration of the customer's subscription. Upon termination, customer data is deleted from our systems within 90 days, unless retention is required by law or the customer requests an earlier export.
  • Call recordings — Retained in accordance with the customer's configuration and applicable regulations, typically for a maximum of 12 months.
  • Payment records — Retained as required by applicable tax and accounting regulations.
  • Technical and analytics data — Retained in anonymized or aggregated form for service improvement purposes.

Data Sharing

We do not sell personal data. We share personal data only in the following circumstances:

Service providers (sub-processors)

We engage trusted third-party service providers to assist in delivering our services. All sub-processors are bound by data processing agreements that ensure confidentiality and compliance with applicable data protection laws. Key service providers include:

  • Google Cloud Platform / Firebase — Cloud infrastructure, database hosting, authentication, and analytics
  • Twilio — Voice communication services for the AI phone agent
  • Stripe and SumUp — Payment processing
  • ElevenLabs — Text-to-speech services for the AI voice agent

Customer organizations

Where we process data on behalf of a customer, the customer has access to and control over the data processed through their account, in accordance with the terms of their subscription agreement.

Legal requirements

We may disclose personal data when required by law, regulation, legal process, or governmental request, or when necessary to protect our rights, the safety of our users, or the public.

International Transfers

Cerebro Technologies is established in the United Arab Emirates. Our services use cloud infrastructure that may process data in multiple regions, including the European Economic Area (EEA), the United States, and other jurisdictions.

Where personal data is transferred outside the EEA or the UAE, we ensure appropriate safeguards are in place in compliance with the GDPR and the UAE PDPL, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission or the UAE Data Office where applicable
  • Binding corporate rules or other recognized transfer mechanisms

Our primary sub-processors (Google Cloud, Twilio, Stripe, ElevenLabs) maintain their own data transfer mechanisms and certifications to ensure lawful international transfers.

Your Rights

Under the GDPR and the UAE PDPL, you have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you.
  • Rectification — Request correction of inaccurate or incomplete personal data.
  • Erasure — Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected.
  • Restriction — Request that we restrict processing of your personal data in certain circumstances.
  • Portability — Request to receive your personal data in a structured, commonly used, machine-readable format.
  • Objection — Object to processing based on legitimate interests or for direct marketing purposes.
  • Withdraw consent — Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at contact@cerebrotechnologies.dev with the subject line "Personal Data Rights" and a description of your request.

If you are an employee or guest of one of our customers, please direct your request to the relevant customer (your employer or the restaurant), as they are the data controller for your personal data. We will assist our customers in responding to such requests.

If you believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with a supervisory authority, including the UAE Data Office or the relevant authority in your jurisdiction.

Cookies

Our website uses cookies and similar technologies to enhance your browsing experience, analyze website traffic, and support our marketing efforts. We classify cookies into the following categories:

  • Strictly necessary cookies — Essential for the website to function. These cannot be disabled.
  • Analytics cookies — Help us understand how visitors interact with our website by collecting aggregated usage data.
  • Marketing cookies — Used to deliver relevant advertisements and track campaign performance.

When you first visit our website, you will be presented with a cookie consent banner allowing you to accept or decline non-essential cookies. You can update your preferences at any time through your browser settings or our cookie preferences tool.

Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS) and at rest
  • Access controls with role-based permissions and multi-factor authentication
  • Regular security assessments and vulnerability monitoring
  • Secure cloud infrastructure with industry-standard certifications
  • Employee training on data protection and information security
  • Incident response procedures for data breach management

While we take all reasonable precautions, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of your data.

Children

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at contact@cerebrotechnologies.dev.

Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website with a revised "Last updated" date.

For Platform subscribers, we will provide notice of material changes via email or through the Platform dashboard. Continued use of our services after changes take effect constitutes acceptance of the updated policy.

Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

Cerebro Technologies FZ-LLC
Email: contact@cerebrotechnologies.dev
Email: info@rilonai.com

For data protection inquiries specifically related to the Rilon AI Platform and your rights as a data subject, please include "Data Protection" in the subject line of your email.