Legal

Privacy Policy

Last updated June 10, 2026

Plain-language template. This page is a starting template written for clarity, not a finished legal document. It has not been reviewed by a lawyer and is not a substitute for legal advice. Have it reviewed before you rely on it.

1. Data we collect

We keep what we need to run the booking service for you:

Account identity. When you sign in with Google (through Supabase Auth), we receive your email address and name to identify your account.
Your Resy connection. The Resy token you provide so we can book on your behalf, plus a short-lived access token we cache from Resy. Both are encrypted at rest (see below).
Booking configuration & history. The venues, dates, party sizes, time windows, and release times you set up, and a log of the booking attempts (“races”) we run for you.
Payment reference. A Stripe customer identifier and a reference to the card you saved. We do not store your card number — see “Payments” below.

2. Encryption of your Resy token

Your Resy refresh token and the cached Resy access token are encrypted at rest using AES-256-GCM, with the encryption bound to your account. These tokens are used only on our servers to talk to Resy; they are never sent to your browser and never written to logs.

3. The optional browser extension

SeatSwiper offers an optional browser extension that links your Resy account in one click, so you don’t have to copy the token by hand:

When you click it, the extension reads your resy.com login cookie (the production_refresh_token) locally in your browser — only at that moment, and only on that site.
It hands that token to your own signed-in SeatSwiper dashboard tab, which stores it encrypted at rest exactly the same way the manual paste flow does (see above).
The extension itself stores nothing and logs nothing, and it never sends your token to any third party or to any server other than your SeatSwiper dashboard.

Using the extension is optional — you can always paste your Resy token manually instead.

4. Payments — Stripe holds your card, not us

We use Stripe as our payment processor. When you save a card, it is collected and stored by Stripe (a PCI-compliant processor) — we never see or store your full card number. We keep only a Stripe customer id and a reference to the saved card so we can charge the $5 service fee when a booking succeeds. Stripe’s handling of your card data is governed by Stripe’s own privacy policy.

5. Third parties we share data with

We rely on a small set of service providers to operate SeatSwiper. We share only what each needs to do its job:

Supabase — authentication (Google sign-in) and the database where your account and booking data are stored.
Stripe — payment processing and storage of your saved card for the service fee.
Resy — the reservation platform we connect to on your behalf using the token you provide.
Vercel — hosting for the web application.
Railway — hosting for the background worker that runs your booking races.

We do not sell your personal data.

6. How long we keep it (retention)

We keep your account, Resy connection, booking configuration, and race history for as long as your account is active so the service can function. You can remove your stored Resy token at any time by disconnecting your Resy account, and you can delete your entire account and the data we hold at any time (see below). Some records may be retained by our processors (for example, Stripe’s record of a charge) as required for their legal, accounting, or fraud-prevention purposes.

7. Deleting your account & data

You can delete your account from within the app: open your account menu and choose Delete account. When you do, we:

best-effort delete your customer record at Stripe, which removes the card you saved with them; and
delete the data we hold — your encrypted Resy token and cached access token, your booking configurations, and your race history.

One honest caveat. By design, SeatSwiper does not hold the administrative key to your sign-in identity, which lives with our authentication provider (Supabase). Deleting your account removes all of the application data described above, but it does not erase the underlying Google/Supabase sign-in record itself. If you sign in again later with the same Google account, a new, empty profile is created — none of your previous Resy token, cards, bookings, or history is recovered. If you also want your sign-in identity removed, contact us at the address below.

8. Security

We encrypt sensitive credentials at rest, keep secret tokens server-side, and restrict database access. No system is perfectly secure, but we aim to limit what we store and to protect what we do.

9. Changes to this policy

We may update this policy from time to time. When we do, we will revise the “Last updated” date above.

10. Contact

Questions about your privacy or a deletion request? Email gyatesofficial@gmail.com.