Privacy Policy

Last Updated: 2026-02-19

Introduction

This Privacy Policy explains how [Company Name] ("we", "us", or "our") collects, uses, and protects your personal data when you use MenuGaze, our digital menu platform for restaurants.

Data Controller: [Company Name] is the data controller under the General Data Protection Regulation (GDPR).

For privacy inquiries, contact us at privacy@menugaze.com.


Data We Collect

Restaurant Owners

  • Account information: name, email address, and a securely hashed password
  • Restaurant profile: restaurant name and URL slug
  • Billing data: subscription status, plan tier, and payment processor customer ID (we never store card numbers)
  • Menu content: item names, descriptions, prices, categories, uploaded photos, and AI-generated 3D models
  • Authentication tokens: a session cookie with a 7-day expiry
  • Activity data: login timestamps and feature usage

End Diners

  • Menu engagement: page views, view duration, and 3D model interactions
  • Cart data: selected items and quantities, stored in your browser only and not sent to our servers unless you place an order
  • Order data: table identifier, ordered items, quantities, and order status

How We Use Your Data

We process your data for the following purposes:

  • Account and authentication: creating your account, verifying your identity, and maintaining secure sessions. Legal basis: contract performance.
  • Billing and subscriptions: processing payments, managing plan tiers, and handling cancellations. Legal basis: contract performance.
  • AI photo enhancement: enhancing uploaded menu photos for better visual quality. Legal basis: contract performance.
  • 3D model generation: generating interactive 3D models from menu photos. Legal basis: contract performance.
  • File storage: storing photos, 3D models, and QR code assets. Legal basis: contract performance.
  • Analytics: providing menu engagement insights to restaurant owners. Legal basis: legitimate interest.
  • Ordering: facilitating table-side ordering, cart management, and order tracking. Legal basis: contract performance.
  • Security: rate limiting and fraud prevention. Legal basis: legitimate interest.
  • Legal compliance: complying with applicable laws and regulations. Legal basis: legal obligation.

Third-Party Service Providers

We share data with third-party service providers who process data on our behalf. Each provider is bound by data processing agreements and processes data only as necessary to deliver our services.

  • Payment processor: handles payments and subscription management. We never store full card numbers.
  • Cloud storage provider: stores uploaded photos, 3D models, and other media assets.
  • AI service providers: process menu photos for enhancement and 3D model generation. Photos are sent for processing and results are stored in our cloud storage.
  • Hosting provider: provides application hosting and database infrastructure.

We do not sell, rent, or trade your personal data to any third party for marketing purposes.


International Data Transfers

Your data may be processed in the United States, where our primary infrastructure is located. We implement appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) and compliance with the EU-US Data Privacy Framework where applicable.

If you are located in the EEA, UK, or Switzerland, we will only transfer your data outside these regions when adequate safeguards are in place as required by the GDPR.


Data Retention

We retain your data only as long as necessary:

  • Account data: duration of your account plus 30 days after deletion
  • Restaurant and menu content: duration of account plus 90 days after cancellation
  • Photos and 3D models: duration of account plus 90 days after closure
  • Analytics data: 24-month rolling window
  • Order records: 12 months while active; 90 days after cancellation
  • Payment records: 7 years (legal and tax compliance)
  • Session cookies: 7 days (automatic expiry)

After the applicable retention period, data is permanently deleted or anonymized.


Your Rights

GDPR Rights (EU/EEA/UK Residents)

If you are located in the EU, EEA, or UK, you have the right to:

  • Access your personal data. Restaurant owners can use the built-in data export feature in the dashboard.
  • Rectification of any inaccurate data we hold about you.
  • Erasure of your personal data where there is no compelling reason for continued processing.
  • Data portability in a structured, machine-readable format (JSON) via the data export feature.
  • Restrict processing in certain circumstances.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time without affecting prior processing.

CCPA Rights (California Residents)

  • Right to Know: request disclosure of what personal information we collect and how we use it.
  • Right to Opt-Out of Sale: we do not sell your personal information.
  • Right to Non-Discrimination: we will not discriminate against you for exercising your rights.
  • Right to Correct: request correction of inaccurate information.

How to Exercise Your Rights

Contact us at privacy@menugaze.com. We respond to GDPR requests within one month and CCPA requests within 45 days.


Cookies

We use only essential cookies required for the service to function. We do not use advertising, tracking, or third-party analytics cookies. For full details, see our Cookie Policy.


Children's Privacy

MenuGaze is a business service for restaurant owners and is not directed at children. We do not knowingly collect personal information from children under 13 (COPPA) or under 16 (GDPR). If you believe we have collected data from a child, contact us at privacy@menugaze.com.


Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Passwords are securely hashed and never stored in plaintext
  • Authentication cookies are httpOnly, SameSite, and Secure in production
  • All data in transit is encrypted using TLS
  • Stored files are encrypted at rest
  • Authentication endpoints are rate limited to prevent brute-force attacks
  • All API endpoints enforce authentication and ownership verification

While we take reasonable precautions, no method of electronic transmission or storage is completely secure.


Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes, we will notify restaurant owners via email and update the "Last Updated" date on this page. Continued use of MenuGaze after changes take effect constitutes acceptance of the revised policy.


Contact and Complaints

For questions or complaints about this policy, contact us at privacy@menugaze.com.

EU/EEA/UK residents may lodge a complaint with their local data protection authority. Find yours at edpb.europa.eu.

California residents may contact the California Privacy Protection Agency at cppa.ca.gov.