Privacy, Security, and Data Protection Policy

Patron AI - A Part Of CoCreations Collective Ltd

Effective Date: 1st March 2025

Last Updated: 21st March 2025

1. Introduction

CoCreations Collective Ltd ("we," "our," "us") provides Voice AI solutions as a Software-as-a-Service (SaaS) for restaurants. This Privacy, Security, and Data Protection Policy outlines how we collect, process, store, and protect personal data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679.

2. Scope

This policy applies to all users of our Voice AI solutions, including restaurant staff, customers interacting with our AI, and third-party service providers.

3. Data Collection & Processing

3.1 Types of Data Collected

We collect the following types of data:

  • Customer Data: Voice interactions, reservation details, and customer preferences.
  • Restaurant Staff Data: Name, role, and account credentials for managing the AI assistant.
  • Operational Data: System logs, usage statistics, and AI response analytics.
  • Payment Data: If applicable, we use third-party payment processors to handle transactions securely.
  • Personally Identifiable Information (PII): Names, emails, and phone numbers of users.

3.2 Legal Basis for Processing

We process personal data based on the following lawful grounds under GDPR:

  • Performance of Contract: To provide AI-driven restaurant services.
  • Legitimate Interest: To enhance AI accuracy, improve customer experience, and detect fraudulent activity.
  • Consent: For marketing communications and optional data storage.
  • Legal Obligation: To comply with regulatory requirements.

3.3 Storage and Processing of Names, Emails, and Phone Numbers

Who Stores This Data?
  • CoCreations: Stores and processes names, emails, and phone numbers to provide AI-powered services, manage user accounts, and facilitate customer interactions.
  • Key Clients (Restaurants): May access and store customer details for reservation management and personalized service.
  • Technology Providers (Vapi and other third-party service providers): May process names, emails, and phone numbers as part of AI interaction processing and communication facilitation.

Where is This Data Stored?
  • Stored securely on EU-based cloud servers managed by CoCreations.
  • Processed by Vapi and integrated third-party providers with GDPR-compliant data agreements.

Data Retention
  • Personal information is retained for service continuity and deleted upon request or after a period of inactivity.
  • Any personal data shared with partners and restaurants is subject to their respective privacy policies.

3.4 Handling of Voice Data and Protection Against Impersonation Risks

Why We Store Voice Data

  • Voice interactions are stored temporarily to improve AI performance, ensure accuracy, and provide customer support.
  • Voice recordings are not used for authentication or identification purposes.

Protection Against Impersonation Risks

  • Limited Retention: Voice data is stored and then automatically deleted or anonymized.
  • No Biometric Processing: We do not use voice data to create biometric voiceprints or any authentication models.
  • Access Restrictions: Only authorized personnel with role-based access can retrieve stored voice interactions.
  • Anonymization & Encryption: All voice data is encrypted and, where possible, anonymized to prevent misuse.

User Control

  • Users can request immediate deletion of their voice interactions by contacting our support team.
  • Users have the right to opt out of voice data retention, although this may limit certain service functionalities.

4. Data Storage & Security Measures

4.1 Storage Locations

We store data within EU-based secure cloud servers to ensure compliance with GDPR regulations.

4.2 Data Security Measures

We implement industry-standard security measures to protect personal data, including:


  • End-to-End Encryption: All voice interactions and stored data are
  • Access Control: Role-based access and multi-factor authentication (MFA) for authorized personnel.
  • Anonymization & Pseudonymization: Where possible, personal data is anonymized to minimize risk.
  • Data Minimization: We only collect and retain necessary data.
  • Regular Security Audits: We conduct annual penetration testing and real-time monitoring for security threats.

The security of your data is important to us, but remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

5. Data Retention & Deletion

  • Voice recordings and transcriptions are stored for service improvement purposes and are automatically deleted or anonymized thereafter.
  • User account data is maintained while the service remains active and is deleted upon request or after 12 months of inactivity.
  • Names, emails, and phone numbers are retained and securely deleted or anonymized when they are no longer necessary.
  • Legal and compliance data is preserved as mandated by law.

6. User Rights under GDPR

Under GDPR, individuals have the following rights:

  1. Right to Access – Request a copy of personal data we hold.
  2. Right to Rectification – Correct inaccurate or incomplete data.
  3. Right to Erasure ("Right to be Forgotten") – Request deletion of personal data.
  4. Right to Restrict Processing – Limit how we use personal data.
  5. Right to Data Portability – Request data in a structured format.
  6. Right to Object – Opt out of certain processing activities.
  7. Right to Withdraw Consent – Revoke previously given consent.

Requests can be made via hello@thepatron.ai, and we will respond within 30 days as per GDPR requirements.

7. Data Sharing & Third-Party Processors

We do not sell personal data. We share limited data with:

  • Cloud Storage & Infrastructure Providers – (e.g., AWS, Google Cloud, Microsoft Azure) for secure data hosting.
  • Payment Processors – (e.g., Stripe, PayPal) to handle financial transactions.
  • AI Service Providers – (e.g., speech-to-text APIs, Vapi) to improve AI functionality.
  • Key Clients (Restaurants) – who require user data to manage reservations and customer interactions.

All third-party processors are GDPR-compliant and have Data Processing Agreements (DPAs) in place.

8. Cookies & Tracking

We use cookies and tracking technologies to enhance user experience and optimize our services.

  • Essential Cookies – Required for core functionalities.
  • Analytics Cookies – Used to improve AI performance and user experience (opt-in required).
  • Marketing Cookies – Only used with explicit consent.

9. Data Breach Response Plan

In case of a data breach:

  • Immediate Containment – Isolate affected systems and assess the impact.
  • User Notification – Inform affected users within 72 hours (as per GDPR requirements).
  • Regulatory Notification – Report to relevant authorities if required.
  • Remediation & Prevention – Implement corrective measures and security updates.

10. Contact Information

For privacy concerns, data access requests, or GDPR-related inquiries, contact our Data Protection Officer (DPO):
CoCreations Collective Ltd
Email: hello@thepatron.ai
Address: Level 5a Maple House, 149 Tottenham Court Road, London, United Kingdom, W1T 7NF.

11. Policy Updates

We may update this policy periodically to reflect regulatory changes and service enhancements. Users will be notified of significant updates via this website.

2025 CoCreations Collective Ltd. All rights reserved.