Privacy Policy

Effective April 27, 2026

The short version. Pocket AGM is operated by Blender Brands, LLC. We collect operational and financial data from the systems you authorize us to read (your point-of-sale, your accounting software). We use that data only to deliver the dashboards, KPIs, and alerts that your team explicitly accesses inside Pocket AGM. We never sell it, share it for advertising, or use it to train third-party AI models on your behalf. You can disconnect any integration at any time, and you can ask us to delete your data on request.

Who we are

Pocket AGM is a restaurant intelligence platform operated by Blender Brands, LLC, a Texas limited liability company headquartered in the Dallas–Fort Worth area. In this policy “we,” “us,” and “Pocket AGM” all refer to Blender Brands, LLC operating the platform. “You” means the organization (and its individual users) that connects data to Pocket AGM.

Pocket AGM is a business-to-business platform. It is not directed at consumers and is not intended for use by anyone under 18.

What information we collect

Account information

When a user is invited to Pocket AGM, we store their email address, display name (if provided), the role assigned to them by their organization’s administrator, and a Supabase-managed authentication record. We do not store passwords; sign-in is by one-time email link.

Data from connected systems

With your explicit authorization, Pocket AGM reads operational and financial data from third-party systems your organization uses to run its business. Today the platform integrates with two such systems:

  • QuickBooks Online (Intuit Inc.) — we read profit-and-loss reports, cash flow statements, your chart of accounts, and the line items those reports contain. We do not write to QuickBooks. We do not request the “payments” scope, the “openid” scope, or any scope outside of the standard Accounting API.
  • Toast (Toast, Inc.) — we read daily sales totals, sales by category, labor hours and cost, menu item sales, payments by tender type, voids and discounts, and third-party delivery breakdowns. We do not write to Toast and we do not collect customer-level transaction records, payment card details, or guest contact information.

Additional integrations may be added in the future (for example, Restaurant365 for inventory). When that happens, this list will be updated before any new integration becomes available to connect.

Authentication tokens

To keep reading data on a recurring schedule without asking you to log in to QuickBooks or Toast every time, we store the OAuth refresh tokens those services issue to us during the initial connection handshake. Tokens are stored encrypted in our database’s managed secrets store (Supabase Vault) and are accessed only by the server-side sync job that needs them. They are never sent to the browser and are never logged in plain text.

Application logs

We retain server-side logs of API requests and responses to and from connected vendors for audit and debugging purposes. These logs may include the raw payload of a sync response (for example, the JSON returned by a QuickBooks profit-and-loss request). They are retained in the same database as the rest of your data, under the same access controls, and are visible only to Pocket AGM administrators with explicit platform-level access.

How we use your data

Data you connect to Pocket AGM is used solely to deliver the platform’s features to you and the users you authorize:

  • Computing and rendering operational KPIs (sales, labor, prime cost, etc.) on dashboards
  • Producing categorized profit-and-loss roll-ups
  • Generating period-over-period comparisons and portfolio summaries
  • Producing optional AI-generated narrative summaries when a user explicitly requests one (see “Subprocessors” below)
  • Producing alerts and anomaly notifications to members of your team

We do not use your data for advertising, retargeting, or any cross-customer profiling. We do not sell your data. We do not use your data to train machine learning models that benefit anyone other than your own organization.

Where your data is stored

Pocket AGM is hosted on Vercel (web tier) and Supabase (managed Postgres database + authentication). Both providers run in the United States. All data in transit between your browser, Pocket AGM, and the connected vendors travels over TLS. Data at rest is encrypted using the storage providers’ standard encryption controls (Supabase’s managed Postgres on AWS, with AWS-managed at-rest encryption). OAuth refresh tokens are additionally encrypted at the application layer in Supabase Vault.

Access to the database and to vendor credentials is limited to:

  • The Pocket AGM server-side application running on Vercel
  • Authorized Pocket AGM platform administrators (today: a small group of Blender Brands operators)

Subprocessors

To deliver the service we share your data, in limited and specific ways, with the following subprocessors:

  • Vercel, Inc. — web hosting and serverless function execution
  • Supabase, Inc. — managed Postgres database, authentication, and file storage. Underlying compute on Amazon Web Services
  • Intuit, Inc. — the source of QuickBooks data; we exchange OAuth tokens with Intuit and request your reports through their API
  • Toast, Inc. — the source of point-of-sale data; same OAuth exchange pattern
  • Anthropic, PBC — only when a user explicitly requests an AI-generated narrative summary inside Pocket AGM, the relevant aggregated metrics for that summary are sent to Anthropic’s Claude API for text generation. Anthropic’s API does not train on customer data submitted via the API (see Anthropic’s policy at anthropic.com/legal/privacy). No customer data is sent to Anthropic unless a Pocket AGM user inside your organization invokes the feature.

Each subprocessor is bound by their own published terms and privacy commitments. We do not share your data with any third party for marketing, advertising, or analytics outside of this list.

Data retention

We retain operational and financial data for as long as your organization remains an active customer, plus a reasonable archival period afterward (typically one year), unless you ask us to delete it sooner. You can request deletion at any time by contacting us. We will delete the data within 30 days of the request, except where we are legally required to retain certain records (for example, tax or audit obligations, which do not apply to vendor-sourced data we hold for you).

Disconnecting an integration through the administrator UI immediately revokes our ability to pull new data from that vendor and discards the refresh token; historical data already synced is preserved unless you also request its deletion.

Your rights

You can, at any time:

  • Access the data we hold about your organization. Most of it is already visible inside Pocket AGM; for anything not directly rendered, contact us and we will produce an export.
  • Correct account-level information by editing your user profile, or by asking your organization’s administrator to do so on your behalf.
  • Delete all data we hold about your organization. Send the request from an email address on record as an administrator of your organization. We will confirm by reply before processing.
  • Disconnect any third-party integration. From within Pocket AGM, an organization administrator can revoke a connection at any time.
  • Export the metrics and reports you see in Pocket AGM. Contact us if the in-product export does not cover your need.

Residents of California, the European Economic Area, or the United Kingdom may have additional rights under their respective regulations (CCPA, GDPR, UK GDPR). We will honor those requests in good faith even where the platform’s contractual scope does not strictly require it.

Cookies

Pocket AGM uses session and authentication cookies set by Supabase to keep you signed in. We do not use advertising or tracking cookies. We do not set any third-party cookies for marketing purposes.

Children

Pocket AGM is a business platform and is not intended for use by individuals under 18. We do not knowingly collect personal information from children.

Changes to this policy

We may update this policy from time to time. Any material change will be reflected in the “Effective” date at the top of this page. For significant changes that affect how we use data you’ve already given us, we will notify organization administrators by email.

Contact

For privacy questions, deletion requests, or any other inquiry related to this policy, write to:

Blender Brands, LLC
Attn: Privacy — Pocket AGM
danny@blender-brands.com