Enterprise Intelligence Hub

Invisible Intelligence.
Unforgettable Hospitality.

Welcome to the central intelligence layer. Securely access live venue data, manage guest experiences, or review system architecture & compliance.

Experience the System
How It Works
Architecture, data flow & compliance
Experience the System
Select a role and enter the live demo
Guest Consent
The guest-facing POPIA consent form
Project Status
Go-Live Readiness
Blockers, costs & checklist
2 of 15
← Back
Sign out

How It Works

Four steps. Every visit. Invisible to the guest.

1

Guest Books

A reservation comes in through DinePlan or WhatsApp. GuestIQ automatically pulls the booking details and checks if this guest has visited before. If they’re new, a simple consent step captures their preferences. If they’re returning, their profile is already waiting.

2

Staff Get Briefed

Before service, every front-of-house team member sees a short, AI-generated brief for each guest arriving that day. It tells them what matters — preferred table, wine they loved last time, their anniversary is next week, they had a complaint two visits ago that was resolved. No digging through notes. It’s just there.

3

Staff Type Naturally

After the visit, staff type a quick note in plain English: “Loved the lamb, asked for the Cab Sav again, celebrating a promotion, sat at table 12 with four friends.” Claude reads that note and files everything into the right place automatically. No forms. No dropdowns. No training.

4

Guests Feel Known

Next time that guest books, the cycle starts again — but now it’s richer. The system knows their favourite wine, their usual table, their birthday next month. The restaurant reaches out at the right moment with the right gesture, but only if the guest said that’s okay.

The Key: Guest Consent

None of this works without the guest’s permission. South African law requires explicit consent before any preference tracking can begin — and rightly so. When a guest dines for the first time, they’re presented with a simple, friendly consent form on a tablet at the front desk. It takes under 30 seconds.

If they say yes, the system begins learning. If they decline, their name is stored for that visit only and automatically purged after 30 days. No pressure. No dark patterns. The guest is always in control.

The more guests who consent, the smarter the system becomes. At launch, intelligence will be limited — it grows naturally as returning guests opt in over the first 6–12 months. This is by design, not a flaw.

What Makes It Different

It’s invisible. Guests never see a system. Staff never fight with software. It just feels like the restaurant has an incredible memory.

Section 1

System Identity

GuestIQ is not a CRM. It is a private, AI-powered intelligence layer for a group of 4 venues. It solves the “Memory Loss” problem when staff leave and the “Silo Problem” between brands.

System Specs
Type
Private Internal Web App
Venues
4 Restaurants (Single Premises)
Legal Entity
One Company (Single Entity)
Hosting
GCP Cape Town (africa-south1)
Access
Browser via Google IAP
Public Exposure
None — fully private
Maintained By
Remote Admin, United Kingdom
The Solution

Gut Feel vs. Intelligence: Most restaurants rely on staff memory. GuestIQ creates permanent institutional intelligence that survives staff turnover.

Natural Input: Staff type natural notes. Claude AI structures it automatically. No forms, no dropdowns, no training required.

Cross-Venue: A guest known at one venue is no longer a stranger at another. Preferences and safety data travel with the guest.

Section 2 & 3

Privacy by Architecture

Foundational Principle: The AI engine must never have access to personally identifiable information (PII). This is achieved via a strict Two-Database Split.

DATABASE AIdentity Store
DATABASE BPreference Store
Database A — IdentityAES-256
  • Guest Names
  • Phone Numbers
  • Email Addresses
  • Booking History
  • Consent Records
  • Marketing Flags
  • UUID Token Link
Database B — AI PreferencesNo PII
  • Pseudonymous Tokens
  • Dining Preferences
  • Allergy Data
  • Seating Preferences
  • Occasion Dates
  • Relationship Metrics
  • Structured Notes

Claude AI reads exclusively from here

How Data Flows

Guest data enters through four channels, passes through processing, then splits into two permanently separated databases.

DinePlan APILive sync
WhatsAppConsent link
Walk-InTablet form
Phone / EmailVia DinePlan
Processing Layer: Phone dedup • Consent check • PII stripping • Venue tagging • Audit logging
Database AIdentity
Database BPreferences
Claude AI — Server-Side Only • Reads tokens only • Never sees PII
Frontend — React DashboardTwo separate API calls combined on screen only
Technical Stack
Frontend
React
Backend
Node.js on Cloud Run
Database
Two Cloud SQL PostgreSQL
Encryption
AES-256 via pgcrypto
Hosting
GCP Cape Town
Auth
Google IAP + MFA
AI Layer
Claude API, server-side
Secrets
GCP Secret Manager
Section 4

What GuestIQ Captures

Only information genuinely useful for improving future dining experiences. Data minimisation is enforced at the AI layer.

Dining Preferences
  • Favourite table or area
  • Favourite server or bartender
  • Menu items & dish preferences
  • Drink preferences
  • Allergies & dietary restrictions
Behaviour & Service
  • Occasion types (Business, Date, Family)
  • Service expectations
  • VIP status (management flag)
  • Special dates (birthday, anniversary)
  • Celebration style preferences
Relationship Intelligence
  • Full visit timeline
  • Complaint history & resolution
  • Sentiment tracking over time
  • Relationship health score
  • Visit predictions & churn risk
PROHIBITED DATA (POPIA Condition 3)

Subjective personality assessments are explicitly prohibited. Staff notes are limited to observable dining preferences and behaviour. No character judgements, no assumptions about lifestyle, religion (beyond dietary preference), or personal circumstances.

Section 5

AI Intelligence Layer

Claude AI powers the core intelligence. All API calls are server-side only. The AI reads exclusively from Database B — it never sees names, contact details, or any PII.

Note Parsing

Staff type natural notes — AI structures into profile data automatically

Daily Briefings

Pre-service summaries for every guest arriving today

Occasion Alerts

Birthday/anniversary detection with action recommendations

Outreach Drafting

Personalised messages for manager review and approval

Relationship Health

Loyalty, frequency, spend trends, and churn risk scoring

Sentiment Analysis

Track guest experience quality across visit history

Visit Prediction

Pattern analysis, flags overdue guests for follow-up

Complaint Flagging

Unresolved issues surfaced when guest rebooks

Cross-Venue Summary

AI-generated preference summary for other venues (no raw notes)

Recovery Suggestions

Gesture recommendations for guests with poor experiences

Staff Handoff

Intelligence transfer when preferred server leaves

Confidence Decay

Preference scores fade over time. Allergies never below 0.8

Confidence Decay Formula
max(0.3, 1.0 − (months × 0.1))

A preference confirmed last month scores 0.9. A preference from a year ago scores 0.1 (floored at 0.3). Allergies are the exception — they never drop below 0.8 because they are safety-critical.

How Note Parsing Works

When staff type a natural language note — e.g. “Mrs Johnson loved the Cabernet, asked for the corner booth, allergic to shellfish, here for anniversary” — the system strips the name via the PII stripping service. The sanitised note is sent to Claude with only the pseudonymous token. Claude structures it into categories: wine preference, seating preference, allergy (flagged for verification), and occasion. Each preference is stored with a confidence score that decays over time.

Section 6

Cross-Venue Intelligence

One guest, four venues. Preferences and safety data travel with the guest everywhere, but raw notes stay at the creating venue.

Data TypeVisibilityDetail
PreferencesAll VenuesDietary, drink, seating, service style
AllergiesAll Venues — PrioritySafety-critical — verified every visit
Special DatesAll VenuesBirthday, anniversary, celebration style
Visit HistoryOwn Venue FullOther venues see AI summary only
Staff NotesOwn Venue OnlyRaw notes never cross venue boundaries
ComplaintsFlagged Cross-VenueUnresolved issues visible group-wide
Health ScoreAll VenuesCalculated at group level
Section 8

Security Architecture

Defence in depth — seven distinct security layers. Security is the default, never optional, never retrofitted.

1
Google Identity-Aware Proxy
No public IP • No open ports • Browser-only access
2
MFA + Named Accounts
Every staff member identified • No shared logins
3
Role-Based Access Control
5 roles: Operator • Owner • Manager • FOH • IO
4
TLS 1.3 Encryption
All traffic encrypted — even internal network
5
AES-256 Column Encryption
Sensitive fields encrypted at rest via pgcrypto
6
Immutable Audit Log
Every action logged — user, timestamp, device
7
GCP Secret Manager
API keys and encryption keys never in code

GCP Cape Town (africa-south1) • Zero cross-border transfer • South African jurisdiction

Section 9

Roles & Access Control

Every staff member has their own named Google account. No shared logins — ever. MFA mandatory. Instant revocation when staff leave.

GuestIQ Operator

UK Remote Admin

Full system access • GCP management • All venues

Group Owner

Restaurant Owner

Full cross-venue • All notes • All history

Manager

Venue Manager

Own venue full • Cross-venue summary • Outreach approval

Front-of-House

Host / Server

View profiles • Add notes • See phone/email

Section 10

A Day in the Life

Designed for non-technical restaurant staff. Every interaction takes under 30 seconds. No complex forms, no dropdown menus, no training manuals.

Sign In

Browser + Google account + MFA

Dashboard

Today’s reservations with AI briefs

Guest Arrives

Search name — full profile in seconds

During Service

Allergy alerts • VIP flags • Preferences visible

After Visit

Type a natural note — AI structures it

Next Morning

Manager reviews occasions • Drafts outreach

Under 30 seconds from search to screen

Section 11

POPIA Compliance

South African law. Non-compliance carries fines up to R10 million or 10 years imprisonment. Every feature built with POPIA in mind from the start.

1

Accountability

Designated Information Officer. Full compliance dashboard.

2

Processing Limitation

Data collected directly from guest. Lawfully, with consent.

3

Purpose Specification

Every data field has a documented purpose.

4

Further Processing

Data cannot be repurposed beyond stated use.

5

Information Quality

Records reviewed regularly. Guests can correct data.

6

Openness

Plain-language privacy notice at every capture point.

7

Security Safeguards

Encryption, IAP, audit logging. Access control.

8

Data Subject Participation

Access, correction, deletion workflows built in.

Guest Rights — Built In
S.23
Right to Access: One-click PDF report — all data plus 12 months of access logs. 30-day SLA.
S.24
Right to Correction: Apply correction with audit log, or create dispute notation excluded from AI.
S.14
Right to Erasure: Admin-only. Crypto-shredding — encryption key destroyed, data overwritten. Cannot undo.
S.11(3)
Right to Object: do_not_track set immediately. Guest can book but no AI intelligence is built.
Special Category DataS.26–32

Halaal/Kosher dietary requirements, allergy information, and health-related restrictions receive the highest encryption and most restricted access. Separate explicit consent required under Section 27(1)(a).

Applicable Legislation
  • POPIA — Act 4 of 2013
  • POPIA Regulations — amended April 2025
  • Cybercrimes Act 19 of 2020
  • ECTA 25 of 2002
  • Consumer Protection Act 68 of 2008
  • PAIA 2 of 2000
  • Constitution — Sections 9 and 14
  • SA National AI Policy Framework — Aug 2024
Section 12

Launch Requirements

Five launch blockers must be resolved before any guest data is processed. No exceptions.

Launch Blockers
IDBlockerPOPIA
LB-1Information Officer registered with Information RegulatorS.55(2)
LB-2Written Operator Agreement signed (restaurant & UK developer)S.21(1)
LB-3Consent form meets all 8 Section 18(1) requirementsS.18(1)
LB-4Separate explicit consent for special category dataS.27, S.32
LB-5Deletion guarantees non-recoverability via crypto-shreddingS.14(5)
Build Phases — 14 Phases Across 5 Stages
StagePhaseWhat Gets BuiltComplexity
Stage 1: Foundations
1ALegal Foundations — IO registrationLow
1BOperator Agreement — POPIA S.21Low
1CCompliance SpecificationsMedium
Stage 2: Infrastructure
2AGCP Infrastructure + Database SchemaHigh
2BAuthentication + Google IAPHigh
2CBackend API — Node.js on Cloud RunHigh
Stage 3: Core Features
3ADinePlan Integration — live sync, dedupHigh
3BFrontend — profiles, dashboard, notesHigh
3CAI Intelligence Layer — ClaudeHigh
3DConsent + Walk-In CaptureMedium
Stage 4: Compliance
4ACompliance Dashboard + AuditMedium
4BGuest Rights Workflows — SAR, correction, deletionMedium
4COccasion Engine + OutreachMedium
Stage 5: Launch
5APre-Launch Verification ChecklistLow
Post-Launch Obligations
  • Annual: Full POPIA compliance audit — 2–3 hours
  • Annual: Non-abuse analytics policy review — 1–2 hours
  • Quarterly: Guest complaint and data subject request log review — 30 min
  • Bi-annual: Algorithmic fairness audit — 1–2 hours
Section 13

Summary

  • One guest profile across four venues — preferences, allergies, and relationship intelligence travel with the guest
  • AI structures natural staff notes automatically — no training, no forms, no dropdowns
  • The AI never sees who a guest is — two-database split guarantees privacy by architecture
  • Seven layers of security — from Google IAP to AES-256 encryption to immutable audit logs
  • Three separate consent types — AI profiling, email marketing, SMS/WhatsApp — never bundled
  • Full POPIA compliance across all 8 conditions — built in from day one, not retrofitted
  • Five launch blockers verified before any guest data is processed
  • 14 build phases across 5 stages — each with acceptance criteria and compliance gates
  • Guest rights workflows — access, correction, erasure, and objection — all built in
  • Maintained remotely from the UK with zero cross-border data transfer

Invisible intelligence.
Unforgettable hospitality.

← Back
Sign out
TimeGuest

Ready for Service

Select a booking to view the guest intelligence brief.

← Back
Sign out

Are We Ready to Launch?

A visual overview of every item standing between us and going live — compliance, cost, and risk.

2
of 15 ready
Not Ready for Launch
STOP
POPIA Compliance Blockers
6 Critical Items — Must resolve before any guest data is processed
UK Cross-Border Access
Critical
The spec says “zero cross-border data transfer” — but a UK admin remotely accessing guest names, phones, and emails is a transfer under POPIA Section 72, regardless of where the server sits. We need a formal cross-border agreement, or restructure access so the UK role never touches PII.
POPIA S.72 — Fines up to R10 million
Information Officer Registration
Critical
No data processing can legally begin until the IO is registered with the Information Regulator. Is this done? If not, it needs to start immediately — processing can take weeks.
POPIA S.55(2) — Launch Blocker LB-1
30,000 Clients Need Fresh Consent
Critical
DinePlan’s existing consent does not carry over for AI profiling. Every guest needs fresh POPIA-compliant consent. At launch, the system will have very limited intelligence — it could take 6–12 months as guests return and opt in.
Spec: “Fresh consent must be obtained from every guest”
UK Operator Agreement
Critical
A written agreement between the restaurant (responsible party) and the UK developer (operator) is a legal requirement. Must cover: processing scope, confidentiality, cross-border access, breach notification, and liability.
POPIA S.21(1) — Launch Blocker LB-2
Consent Form Legal Review
Critical
The six-step consent flow is well-designed, but has a South African POPIA attorney actually reviewed the wording? It must meet all 8 requirements of Section 18(1).
POPIA S.18(1) — Launch Blocker LB-3
Special Category Data (Allergies / Halaal)
Critical
Allergy and religious dietary data are special category data under POPIA — requiring separate explicit consent and possibly prior authorisation from the Information Regulator.
POPIA S.26–32, S.27 — Launch Blocker LB-4
!
High-Risk Items
Not hard blockers, but serious risks that need attention
Allergy Data Liability
High Risk
The highest-risk functional area. If AI misinterprets a note and misattributes an allergy — or fails to flag one — someone could suffer anaphylaxis. We need mandatory human verification for all AI-detected allergies.
PII Stripping Service
High Risk
The whole two-database architecture depends on PII never leaking into Database B. Has this been tested with South African name patterns? (van der Merwe, Dlamini, Nkosi, colloquial refs like “the Botha table”).
Crypto-Shredding + Backups
Medium
Deletion must be non-recoverable (LB-5). But does crypto-shredding also cover GCP automated backup snapshots? A “deleted” record could persist in backups for weeks.
Monthly Operating Cost
R
What Will This Cost?
Monthly operating cost for 30,000 clients across 4 venues
Recommended Monthly Budget
R12,000 – 14,000
≈ $700 – $800 USD / month
Mid scenario: HA on identity database, Sonnet + Haiku hybrid AI, prompt caching
Where the money goes~R13,000/mo
Databases
Backend
Claude AI
Other
2× Cloud SQL — R5,200
Cloud Run — R2,300
Claude AI API — R3,600
Network, Secrets, Workspace — R1,900
Low — Basic
R8,300 – 9,900
$460 – $550 USD
No HA, Haiku AI only, caching on
Mid — Recommended
R12,000 – 14,400
$650 – $800 USD
HA on identity DB, Sonnet + Haiku, caching
Best Value
High — Full HA
R18,000 – 21,600
$1,000 – $1,200 USD
Full HA on both DBs, Sonnet, no caching
ZAR estimates at ~R18/USD • Google IAP is free • Exchange rate fluctuations apply
Go-Live Checklist
15
Full Go-Live Checklist
15 items — 7 Critical, 4 High, 4 Medium
  • IO registered with Information Regulator — Status unknown. Must confirm.
  • Written UK Operator Agreement — Not yet drafted. Requires SA legal input.
  • Consent form legal review — Needs SA POPIA attorney sign-off.
  • Special category data consent mechanism — Separate consent for allergies/Halaal.
  • Crypto-shredding deletion verified — Must test and document non-recoverability.
  • Cross-border access agreement (UK → SA) — New requirement. Not started.
  • Re-consent strategy for 30,000 clients — No plan exists yet.
  • !
    Allergy data liability + verification protocol — Need human verification step.
  • !
    PII stripping tested with SA names/formats — Status unknown.
  • !
    DinePlan API integration production-tested — Status unknown.
  • !
    PAIA manual prepared — Legal requirement for all SA private bodies.
  • GCP infrastructure (Cape Town region) — Architecture designed. Ready to deploy.
  • Two-database split architecture — Privacy by design. Sound approach.
  • !
    Staff training plan — Not yet documented.
  • !
    Google Workspace accounts for staff — Need to provision named accounts + MFA.
What To Do Next
Recommended Next Steps
In priority order

Engage a South African POPIA Attorney

This is the single most important action. They review the consent form, draft the operator agreement, and advise on cross-border access.

Confirm IO Registration

Check with the Information Regulator. If not registered, begin immediately.

Draft UK Operator Agreement

With explicit POPIA S.72 cross-border provisions. Consider restricting UK access to infrastructure-only.

Design the Re-Consent Strategy

Accept partial intelligence at launch. Plan email/WhatsApp/on-arrival consent capture. Set realistic expectations: 6–12 months for meaningful coverage.

Define Allergy Verification Protocol

Mandatory human verification for all AI-detected allergies. Clear liability in the operator agreement.

Approve Monthly Budget

R12,000–R14,000/month for the recommended setup. Confirm financial commitment before build begins.

Confidential • Feb 2026 • Go-Live Readiness Assessment

← Back