Elev8ed Reach | Elev8ed Media Hub LLC
Privacy Policy
Effective Date: May 5, 2026 · Last Updated: May 5, 2026
1. Introduction
Elev8ed Media Hub LLC ("we," "us," or "our") operates Elev8ed Reach, a customer growth and retention platform for independent restaurants. This Privacy Policy explains how we collect, use, store, and protect information in connection with the Elev8ed Reach platform ("Platform").
This Policy covers two categories of individuals:
- Restaurant Clients — independent restaurant owners and operators who subscribe to Elev8ed Reach.
- Restaurant Guests — customers of our Clients whose personal information we process on behalf of Clients as a data processor.
By accessing or using the Platform, you agree to this Privacy Policy. If you do not agree, do not use the Platform.
2. Information We Collect — Restaurant Clients
2.1 Information Clients Provide Directly
- Business name, legal entity name, and business address.
- Owner name, email address, and cell phone number.
- POS system credentials (API tokens for your compatible POS system) — stored encrypted in our automation environment.
- Google Business Profile URL and Yelp business URL.
- Payment information — processed and stored by Stripe. We do not store raw payment card data.
- Communications sent via our intake form, Slack, or email.
2.2 Information Collected Automatically
- Log data including IP address, browser type, access times, and pages visited on elev8edmediahub.com.
- UTM attribution cookie (elev8ed_utm) — first-party, 30-day, no personally identifiable information. See Cookie Policy for full details.
- Usage analytics via Google Analytics 4 — diagnostic only, not linked to individual identity.
3. Information We Process on Behalf of Clients — Restaurant Guests
When Clients use Elev8ed Reach, we process Guest data as a data processor acting under the Client's instructions as the data controller. We do not own Guest data and do not use it for any purpose beyond providing Platform services to the Client.
3.1 Guest Data We Process
- Name and first name — collected via SMS opt-in or POS integration.
- Cell phone number — collected via SMS opt-in or POS data pull.
- Email address — where provided via POS.
- Order history — items ordered, order frequency, order value.
- Lapsed status — last order date, calculated days since last visit.
- SMS consent date and opt-in method.
- Opt-out status (STOP command processing).
3.2 Legal Basis for Processing Guest Data
- Contractual necessity — fulfilling our obligations under the Restaurant Client Agreement.
- Legitimate interests — Clients' interests in retaining their customers.
- Guest consent — Clients are responsible for obtaining TCPA-compliant opt-in consent from Guests before we send any marketing messages on the Client's behalf.
4. How We Use Information
4.1 Client Information
- To provide, operate, and maintain the Platform for the Client's account.
- To process billing and payments via Stripe.
- To send operational communications via Slack, email, and SMS.
- To respond to Client inquiries and support requests.
- To send price increase notices — minimum 30 days written notice.
- To improve the Platform and develop new features.
- To comply with applicable law.
4.2 Guest Information
- To identify lapsed Guest segments based on POS order history.
- To generate and send SMS reactivation campaigns on behalf of the Client.
- To calculate retention metrics for Client reports.
- To route delivery orders via Uber Direct on behalf of the Client.
- We do not sell, rent, or share Guest data with any third party for advertising or marketing purposes unrelated to serving the Client.
5. Data Storage and Security
All data is stored in our Supabase database hosted in the United States (US West region). Security measures include:
- Row-Level Security (RLS) in Supabase — each Client's data is isolated and inaccessible to other Clients.
- POS API credentials stored as encrypted environment variables — never in plain text.
- Payment data processed exclusively by Stripe. We store only Stripe customer ID and subscription ID.
- HTTPS enforced on all Platform endpoints.
- Access to production data limited to authorized personnel.
- Breach notification: We will notify affected Clients within 72 hours of becoming aware of a confirmed data breach.
6. Third-Party Sub-Processors
We share data with the following sub-processors to operate the Platform. We do not sell Guest data to any third party or share it with advertising networks, data brokers, or social media platforms for targeting purposes.
- Supabase Inc. — database storage, United States. supabase.com/privacy
- Twilio / GoHighLevel — SMS delivery infrastructure. twilio.com/legal/privacy
- Stripe Inc. — payment processing. stripe.com/privacy
- Uber Direct — delivery dispatch. uber.com/legal/en/document/?name=privacy-policy
- POS Platform Providers — read-only POS data API access (Client-authorized). Specific provider varies per Client.
- Google Analytics 4 — diagnostic analytics on our website. policies.google.com/privacy
7. Data Retention
- Active Client account data: Retained for the duration of the subscription plus 90 days after termination.
- Guest data: Deleted within 30 days of contract termination upon Client request, or within 90 days automatically.
- Billing records: Retained for 7 years as required for tax and accounting compliance.
- SMS opt-out records: Retained indefinitely to ensure we do not re-message opted-out Guests.
- Web analytics (GA4): Retained per Google's default retention settings (14 months).
- Attribution cookies: Expire after 30 days automatically.
8. Client Offboarding — Data and Asset Delivery
Upon cancellation or termination of an Elev8ed Reach subscription, the following offboarding process applies. Clients retain ownership of all data they provided to us and all assets accumulated during the engagement.
8.1 What Clients Keep
- Complete customer list — every phone number, name, email address, and birthday collected during the engagement, delivered as a CSV export before the final day of service.
- All historical monthly reports — full export delivered before the final day of service.
- Schema markup and structured data already injected into the Client's website — remains live unless the Client removes it.
- Google Business Profile — always the Client's property. We do not retain access rights beyond what is required during the active engagement.
- All Google reviews accumulated during the engagement.
- Promo card design files — print-ready assets are the Client's to keep and reuse.
- POS system and all POS-side order history — Elev8ed never owns POS data.
- Answer engine pages hosted on the Client's own domain (Beta Bonus clients — first 5 onboarding partners) — remain live unless the Client removes them.
8.2 What Clients Do Not Keep
- GHL/Twilio phone number — assigned through Elev8ed's agency account. Goes dark on the cancellation date unless the Client formally requests a port-out during the 30-day notice window.
- All SMS automations — Quick Reply, win-back sequences, keyword flows, review campaigns, and promo blasts deactivate on the cancellation date.
- Conversation AI training and configuration — built inside Elev8ed's GHL infrastructure, not portable.
- All GHL workflows and automations — built in Elev8ed's agency sub-account, not transferable.
- Access to the Supabase database — customer data is exported and delivered; the database infrastructure is not transferred.
- Answer engine pages hosted on Elev8ed's infrastructure (Beta Bonus clients — first 5 onboarding partners) — go offline on the cancellation date.
- Ongoing campaign management, promo generation, and reporting — all stop at the end of the notice period.
- Access to n8n automation workflows — built in Elev8ed's infrastructure, not transferable.
8.3 Offboarding Process
- Client provides 30 days written notice per the Refund and Cancellation Policy.
- During the 30-day notice window: CSV data export is delivered, final monthly report is delivered, and port-out of the GHL/Twilio number may be requested.
- On the cancellation date: all automations deactivate, the sub-account is archived, and the phone number is released or ported.
- Guest personal data is permanently deleted within 90 days of the cancellation date, consistent with Section 7 of this Privacy Policy.
9. California Privacy Rights — CCPA / CPRA
This section applies to California residents and is provided pursuant to the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA), Cal. Civ. Code §1798.100 et seq. In the event of any conflict between this section and the rest of this Privacy Policy, this section controls for California residents.
9.1 Categories of Personal Information We Collect
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers — Real name, business name, email address, cell phone number, IP address, and online identifiers (UTM attribution cookie values, GA4 session identifiers).
- Commercial information — POS order history, order frequency, order value, menu items purchased, and lapsed guest status — collected from Client's POS API on behalf of Client.
- Internet or other electronic network activity — Browser type, access times, and pages visited on elev8edmediahub.com.
- Professional or employment-related information — Business name, restaurant address, and POS account credentials (encrypted) — Clients only.
- Financial information (limited) — Stripe customer ID and subscription ID. Raw payment card data is never stored by us; it is processed exclusively by Stripe.
- Geolocation data (approximate) — Derived from IP address for analytics purposes only. No precise geolocation is collected.
9.2 Categories of Sources
- Directly from you — intake forms, Slack communications, and account signup.
- Your POS system — via API credentials you authorize (order and customer data).
- Restaurant Guests — via keyword SMS opt-in flow.
- Automatically — via website cookies and server logs when you visit elev8edmediahub.com.
- Third-party services — Stripe (billing), GoHighLevel/Twilio (SMS delivery confirmations), Google Analytics 4 (diagnostic analytics).
9.3 Business or Commercial Purposes for Collection
- Providing, operating, and maintaining the Elev8ed Reach Platform and its services.
- Processing subscription payments and managing billing.
- Identifying lapsed restaurant guests and generating SMS reactivation campaigns on behalf of restaurant Clients.
- Routing delivery orders through Uber Direct on behalf of Clients.
- Generating monthly performance reports for Clients.
- Sending operational SMS and email communications to Clients.
- Improving Platform functionality and developing new features.
- Complying with applicable law and enforcing our agreements.
9.4 Categories of Third Parties to Whom We Disclose Personal Information
We disclose personal information to the following categories of third parties for the business purposes listed above. We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Database and infrastructure providers — Supabase Inc. (data storage, United States).
- Communications providers — Twilio / GoHighLevel (SMS delivery).
- Payment processors — Stripe Inc. (billing and payment processing).
- Delivery platforms — Uber Direct (order routing and delivery dispatch).
- POS platform providers — read-only API access authorized by Client (specific provider varies per Client).
- Analytics providers — Google Analytics 4 (diagnostic website analytics).
9.5 Your Rights as a California Resident
- Right to Know (Categories) — Request disclosure of the categories of personal information collected, the categories of sources, the business or commercial purposes for collection, and the categories of third parties to whom it is disclosed.
- Right to Know (Specific Pieces) — Request a copy of the specific pieces of personal information we have collected about you in the preceding 12 months.
- Right to Delete — Request deletion of personal information we have collected from you, subject to exceptions including information necessary to complete a transaction, detect security incidents, comply with a legal obligation, or carry out other internal uses compatible with the context in which you provided the information.
- Right to Correct — Request correction of inaccurate personal information we maintain about you.
- Right to Opt Out of Sale or Sharing — We do not sell personal information. We do not share personal information for cross-context behavioral advertising. No opt-out request is necessary.
- Right to Limit Use of Sensitive Personal Information — We do not use sensitive personal information beyond what is necessary to provide the Platform. No limitation request is necessary.
- Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights. Exercising your rights will not result in denial of services, different pricing, or a different level of service quality.
9.6 How to Submit a Privacy Request
California residents may submit a verifiable consumer request by:
- Email: [email protected] — Subject line: "California Privacy Request"
- Phone: +1 (406) 909-4491
We will acknowledge your request within 10 business days and respond within 45 days of receipt. If we require additional time (up to an additional 45 days), we will notify you in writing within the initial 45-day period and state the reason for the extension.
To protect your privacy, we must verify your identity before processing a request. For Clients, we will verify using the email address on file for your account. For Restaurant Guests, we will verify using your phone number and SMS opt-in record.
You may designate an authorized agent to submit a request on your behalf. Authorized agent requests must be accompanied by written authorization from you or a valid power of attorney. We may still require you to verify your own identity directly with us.
You may submit a Right to Know request up to twice per 12-month period.
9.7 California Shine the Light Law — Cal. Civ. Code §1798.83
California residents who have an established business relationship with us may request information once per year about whether we have shared personal information with third parties for their direct marketing purposes during the preceding calendar year. Elev8ed Media Hub LLC does not share personal information with third parties for their own direct marketing purposes. No disclosure is required under this law, but you may submit a request to [email protected] with the subject line "Shine the Light Request" if you wish to confirm this directly.
10. Global Privacy Control (GPC)
Our website respects the Global Privacy Control (GPC) signal. If your browser transmits a GPC signal, we will treat it as an opt-out of the sale or sharing of your personal information, consistent with CPRA requirements. See our Cookie Policy for full details.
11. Restaurant Guest Rights
If you are a restaurant Guest who received an SMS from a restaurant using Elev8ed Reach:
- The restaurant (our Client) is the data controller responsible for your personal data.
- To stop receiving messages, reply STOP to any SMS at any time.
- To request data deletion or access, contact the restaurant directly or email [email protected] — subject line "Guest Data Request" — and we will forward your request to the appropriate Client within 5 business days.
- If you are a California resident, the rights described in Section 9 apply to you. You may submit a verifiable consumer request directly to us at [email protected].
12. Children's Privacy
The Platform is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the "Last Updated" date at the top of this page. For material changes, we will notify Clients via email or Slack at least 30 days before the changes take effect. Continued use of the Platform after the effective date of any material change constitutes acceptance of the updated Policy.
14. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the State of California, without regard to its conflict of law principles. Any dispute arising out of or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the state and federal courts located in California.
Notwithstanding the foregoing, California residents' rights under CCPA/CPRA are governed by California law regardless of the Company's state of organization. Any claim by a California resident arising under CCPA/CPRA may be brought in a court of competent jurisdiction in California.
15. Limitation of Liability — Privacy and Data
To the maximum extent permitted by applicable law, Elev8ed Media Hub LLC's total liability arising out of or related to this Privacy Policy, any data breach, or any privacy claim shall not exceed the total fees paid by the applicable Client to Elev8ed Media Hub LLC in the twelve (12) months immediately preceding the event giving rise to the claim.
In no event will Elev8ed Media Hub LLC be liable for any indirect, incidental, consequential, special, or punitive damages arising from any privacy or data-related claim, including but not limited to loss of business, loss of revenue, or loss of data, even if advised of the possibility of such damages.
With respect to Restaurant Guest data, Elev8ed Media Hub LLC's liability is further limited to its role as a data processor. Restaurant Clients, as data controllers, bear primary responsibility for the lawfulness of personal data processing performed at their direction. Our liability as processor does not exceed the liability cap set forth above.
Nothing in this section limits any rights you may have under applicable California or federal law that cannot be waived by contract, including rights under CCPA/CPRA.
16. Severability
If any provision of this Privacy Policy is found by a court of competent jurisdiction to be invalid, unlawful, void, or unenforceable — including but not limited to any provision that a California court determines is inconsistent with CCPA/CPRA — that provision will be deemed severed from this Privacy Policy to the minimum extent necessary. The remaining provisions of this Privacy Policy will continue in full force and effect and will be interpreted to give the maximum legal effect consistent with the intent of the original provision.
The invalidity or unenforceability of any provision in one jurisdiction will not affect the validity or enforceability of that provision in any other jurisdiction.
17. Contact
Cookie Policy
Effective Date: May 5, 2026 · Last Updated: May 5, 2026
1. Overview
This Cookie Policy explains how Elev8ed Media Hub LLC uses cookies and similar tracking technologies on elev8edmediahub.com ("Website"). By using the Website, you consent to the use of cookies as described in this Policy.
2. What Is a Cookie
A cookie is a small text file stored on your browser or device when you visit a website. Cookies serve various functions including remembering your preferences, analyzing how you navigate the site, and attributing your visit to the correct marketing source.
3. The Cookies We Use
3.1 elev8ed_utm — First-Party Attribution Cookie
- Name: elev8ed_utm
- Type: First-party, functional/analytics
- Duration: 30 days
- Data stored: utm_source, utm_medium, utm_campaign, utm_content, utm_term — URL parameter values from your first visit. No personally identifiable information stored (no name, email, phone, or IP address).
- SameSite: Lax — not transmitted on cross-site requests, reducing CSRF risk.
- Purpose: First-touch attribution — records which marketing channel first brought you to the Website. First-touch source is preserved across multiple visits.
- Who reads it: Our checkout script reads this cookie at checkout and passes attribution values into order metadata. No third party has access to this cookie.
3.2 Google Analytics 4 Cookies
- Cookies: _ga, _ga_[container-id]
- Type: Analytics, third-party (Google)
- Duration: Up to 2 years
- Purpose: Diagnostic website analytics — page views, session duration, geographic distribution, device types. GA4 data is not linked to individual identity.
- Google's privacy policy: policies.google.com/privacy
3.3 Stripe Cookies (Checkout Pages Only)
When you navigate to a Stripe-hosted checkout page, Stripe may set cookies for fraud prevention and checkout session management. These are governed by Stripe's cookie policy at stripe.com/cookie-settings.
4. Cookies We Do Not Use
- We do not use advertising cookies or third-party behavioral tracking cookies.
- We do not use cross-site tracking technologies.
- We do not share cookie data with advertising networks or data brokers.
5. Your Cookie Choices
5.1 Browser Controls
You may control and delete cookies through your browser settings. Disabling the elev8ed_utm cookie will not affect your ability to browse the Website or complete a purchase, but may affect the accuracy of our internal analytics.
5.2 Opt Out of Google Analytics
You may opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Add-on at: tools.google.com/dlpage/gaoptout
5.3 Global Privacy Control (GPC)
We respect the Global Privacy Control (GPC) browser signal. If your browser transmits a GPC signal, we will: (a) not deploy any non-essential third-party tracking cookies; and (b) treat your session as an opt-out of the sale or sharing of your personal information, consistent with CPRA.
6. CPRA Compliance
Under the California Privacy Rights Act (CPRA), California residents have the right to opt out of the sale or sharing of their personal information. We do not sell personal information collected via cookies and do not share cookie data for cross-context behavioral advertising. No opt-out action is required for the cookies we use.
7. Changes to This Cookie Policy
We may update this Cookie Policy from time to time. Updates will be posted on this page with a revised "Last Updated" date.
8. Contact