1. Introduction & Scope
Welcome to menuws. We are committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your personal data.
This Privacy Policy explains our data practices for the menuws platform, a digital menu service designed for restaurants, cafés, and bars. Our platform allows businesses to create, manage, and share digital menus with their customers.
This policy applies to:
• Restaurant owners, managers, and staff who create accounts and manage menus (Business Users)
• Customers who view public digital menus (Menu Viewers)
• Anyone who visits our website or uses our services
Your Responsibility:
• You are responsible for reading and understanding this Privacy Policy before using menuws
• You must check this policy regularly for updates - we are not obligated to notify you of changes
• By using menuws, you agree to check this policy periodically and accept responsibility for staying informed
• If you do not agree with this policy or any updates, you must stop using our services
By using menuws, you agree to the data practices described in this Privacy Policy. If you do not agree with this policy, please do not use our services.
This Privacy Policy should be read in conjunction with our Terms of Service, which govern your use of menuws.
2. Data Controller Information
The data controller responsible for your personal information is:
321K (operating as menuws)
Luxembourg
For privacy-related inquiries, you can contact us at:
Email: contact@menuws.com
Response time: We aim to respond to all privacy inquiries within 5 business days.
For general support inquiries: contact@menuws.com
For security-related concerns: contact@menuws.com
3. What Data We Collect
We collect different types of information depending on how you interact with menuws. Below is a comprehensive list of the personal data we collect:
3.1 Account Data (Business Users)
When you create an account with menuws, we collect:
• First name and last name
• Email address (used for login and communications)
• Password (securely encrypted - we never store passwords in plain text)
• Account status (active, inactive, or pending)
• Account creation and last update timestamps
Legal basis for processing: Contract performance (GDPR Article 6(1)(b)) - this data is necessary to provide our services to you.
3.2 Session Data
To keep you logged in and maintain your session security, we collect:
• Authentication tokens
• Secure session cookies
• Session duration: 30 days from last login
Legal basis for processing: Legitimate interest (GDPR Article 6(1)(f)) - necessary for authentication and security.
3.3 Language Preference
To remember your language choice, we store:
• Language preference cookie ('lang')
• Supported languages: English, French, German, Portuguese, Italian, Spanish
• Cookie duration: 365 days
• This cookie does not identify you personally
Legal basis for processing: Legitimate interest - enhancing user experience.
3.4 Security & Rate Limiting Data
To protect against unauthorized access and abuse, we temporarily collect:
• IP addresses (for rate limiting purposes)
• Login attempt timestamps
• Email addresses associated with login attempts
• This data is automatically deleted after a short period
• Rate limiting is applied to prevent abuse
Legal basis for processing: Legitimate interest - fraud prevention and security.
3.5 Analytics & Usage Data (Premium Feature)
For premium menu owners, we collect:
• Menu view counts and timestamps
• Category click events
• Item click events
• Anonymous session IDs
• User agent strings (browser and device information)
• Referrer information
• Hashed IP address (one-way hash — raw IP is never stored)
Important: This data is only collected for premium account holders and only for their own menus. We do not track individual menu viewers or collect their personal information.
Legal basis for processing: Legitimate interest AND consent (for cookies) - service improvement and analytics.
3.6 Payment Data (Stripe)
When you subscribe to a premium plan, we collect:
• Stripe Customer ID
• Stripe Subscription ID
• Subscription status (active, canceled, past_due, incomplete)
• Billing period dates
• Plan type (monthly or yearly)
Important: Payment card details are stored and processed by Stripe, our payment processor. We never see or store your full credit card number. Stripe is PCI-DSS Level 1 certified, the highest level of payment security.
Legal basis for processing: Contract performance - necessary to process payments for premium subscriptions.
3.7 Menu Content (User-Created Data)
When you create and manage menus, we store:
• Restaurant information: name, address, phone, WhatsApp, Instagram
• Custom links and social media profiles
• Menu categories: names, ordering
• Menu items: titles, descriptions, prices, images (premium), visibility settings
• Menu customizations: colors, currency settings
Important: You are responsible for ensuring that the content you publish complies with applicable laws and regulations. This includes accurate pricing, allergen information, and any other required disclosures.
Legal basis for processing: Contract performance - this is the core functionality of our service.
3.8 Fidelity Card Data (Premium Feature)
When a customer registers for a fidelity card on a Premium menu, we collect:
• Customer name
• Customer email address
• Communication preference (opt-in/opt-out for receiving communications from the restaurant)
• Fidelity card progress (steps completed, completions, history)
Important: Fidelity card data is associated with the specific menu/restaurant, not with a menuws account. The restaurant owner is the data controller for their customers' fidelity card data. menuws processes this data on behalf of the restaurant owner.
Legal basis for processing: Contract performance (providing the fidelity card service) and consent (where the customer opts in to communications).
4. How We Use Your Data
We use your personal data only for the purposes described below. We will never use your data for purposes you haven't been informed about.
4.1 Service Delivery
We use your data to provide and maintain menuws services:
• Creating and authenticating your account
• Enabling you to create, edit, and publish digital menus
• Processing real-time updates to your menus
• Remembering your language preference
• Managing your session and keeping you logged in
• Providing customer support
4.2 Security & Fraud Prevention
We use your data to protect your account and our platform:
• Preventing unauthorized access attempts through rate limiting
• Detecting and preventing fraudulent account creation
• Monitoring for suspicious activity
• Protecting against unauthorized access
• Maintaining the security and integrity of our systems
4.3 Premium Features (When Applicable)
For premium subscribers, we use data to provide enhanced features:
• Analytics dashboard showing menu performance metrics
• Multi-user collaboration and team access
• Change history and rollback functionality
• Advanced customization options
• Priority customer support
4.4 Service Improvement
We may use aggregated, anonymized data to:
• Understand how users interact with menuws
• Identify and prioritize new features
• Detect and fix bugs
• Optimize performance and user experience
• Conduct research and analysis
Important: When we use data for improvement purposes, it is aggregated and anonymized so that you cannot be individually identified.
4.5 Legal Compliance
We may use or disclose your data when necessary to:
• Comply with applicable laws and regulations
• Respond to valid legal requests from authorities
• Enforce our Terms of Service
• Protect our legal rights and the rights of others
• Prevent fraud or security threats
What We Don't Do With Your Data
We want to be clear about what we don't do with your personal data:
• We do NOT sell your personal data to third parties
• We do NOT use your data for targeted advertising
• We do NOT share your data with advertisers or data brokers
• We do NOT use your data for purposes beyond those stated in this policy
5. Data Storage & Security
5.1 Where We Store Your Data
Your data is stored using the following infrastructure:
• Primary database: Cloud-hosted managed database service
• Application hosting: Serverless hosting platform with global edge network
• Geographic location: European Union (Paris, France)
• Data residency: Your data may be stored and processed in multiple regions for performance and reliability
All of our service providers are contractually obligated to protect your data in accordance with this Privacy Policy and applicable data protection laws.
5.2 How We Protect Your Data
We implement industry-standard security measures to protect your personal data:
Password Security:
• All passwords are securely encrypted using industry-standard methods
• We never store passwords in plain text
• We cannot see or recover your password
Transport Encryption:
• All data transmission is encrypted using HTTPS
• All connections between your browser and our servers are encrypted
Authentication Security:
• Secure session management with protected cookies
• Protection against common web vulnerabilities
Rate Limiting:
• Automated protection against unauthorized access attempts
• Login attempts are monitored and rate-limited to prevent abuse
Database Security:
• Encrypted connections to the database
• Authentication required for all database access
• Regular security updates and patches
Access Controls:
• Sensitive credentials stored securely, not in code
• Authentication required for all protected API endpoints
• Role-based access controls for team features
5.3 How Long We Keep Your Data
We retain your personal data only for as long as necessary to provide our services and comply with legal obligations:
• Active accounts: Data retained while your account is active
• Inactive accounts: Accounts inactive for 2+ years may be deleted. You are responsible for maintaining your account access and checking this policy for retention periods.
• Deleted accounts: 30-day grace period, then permanent deletion
• Session data: 30 days or until you log out, whichever comes first
• Rate limiting data: 15 minutes (automatic cleanup)
• Analytics data (premium): Automatically deleted after 180 days (6 months)
• Backups: Backup data is retained according to our backup policy and is permanently deleted according to our retention schedule
If you delete your account, we will permanently delete your personal data within 30 days, except where we are required by law to retain it longer.
6. Data Sharing & Third Parties
We work with trusted third-party service providers to deliver menuws. Below is a complete list of third parties who may have access to your data:
6.1 Google Analytics
Purpose: Website traffic analysis and user behavior insights
Data shared: Page views, session duration, user flow, device and browser information, geographic location (country level only)
Privacy policy: https://policies.google.com/privacy
Your controls: You can disable Google Analytics through your browser settings or by rejecting analytics cookies in our cookie consent banner
Safeguards: We have configured IP anonymization and limited data retention to 14 months
6.2 Stripe (Payment Processing)
Purpose: Processing payments for premium subscriptions
Data shared: Email address, billing information
Privacy policy: https://stripe.com/privacy
Security: Stripe is PCI-DSS Level 1 certified, the highest level of payment security
Important: Your payment card details are entered directly into Stripe's secure system. We never see or store your full credit card number
Data use: Stripe uses your data solely to process payments and prevent fraud
6.3 Hosting Provider
Purpose: Application hosting, serverless functions, content delivery
Data shared: Technical logs, performance metrics, request data
Security: SOC 2 Type II certified
Data location: Global edge network — your data may be processed in multiple regions for performance
Data retention: Technical logs are retained according to the provider's data retention policy
6.4 Database Provider
Purpose: Primary data storage for all application data
Data shared: All personal data and menu content
Security: Encrypted at rest and in transit, SOC 2 Type II certified
Data location: European Union (Paris, France)
Backups: Automatic continuous backups with point-in-time recovery
6.5 Who We Do NOT Share Your Data With
We want to be absolutely clear about who we do NOT share your data with:
• Advertisers or advertising networks
• Data brokers or data aggregators
• Social media platforms (unless you explicitly choose to share)
• Marketing companies or email marketers
• Any third party for marketing purposes
• Any third party not explicitly listed in this policy
The only exception to this is when we are legally required to disclose data (e.g., valid court orders, law enforcement requests with proper legal process).
6.6 Legal Requests and Law Enforcement
We may disclose your personal data if required by law or in response to valid legal requests, such as:
• Court orders or subpoenas
• Law enforcement requests (with valid legal process)
• Legal obligations under applicable laws
• To protect our legal rights or the rights of others
• To prevent fraud, security threats, or illegal activity
We review all legal requests carefully and only disclose the minimum data necessary to comply with valid legal process. Notification to users is provided only when legally required and permitted. We are often legally prohibited from notifying users about law enforcement requests.
8. Your Privacy Rights
Depending on your location, you have specific rights regarding your personal data. We are committed to honoring these rights.
8.1 Rights Under GDPR (EU/EEA Residents)
Right to Access (Article 15)
You have the right to request a copy of the personal data we hold about you.
What you'll receive: Account information, menu data, analytics (if premium), subscription details
Format: JSON file or PDF report
How to exercise: Email contact@menuws.com with subject 'Data Access Request'
Response time: 30 days (may extend to 60 days for complex requests)
Free of charge: The first request is free; we may charge a reasonable fee for subsequent requests
Right to Rectification (Article 16)
You have the right to correct inaccurate or incomplete personal data.
How to exercise: Update information in account settings, or email contact@menuws.com
Response time: 30 days
We will notify third parties if we correct data we've shared with them
Right to Erasure / 'Right to be Forgotten' (Article 17)
You have the right to request deletion of your personal data.
When it applies: Data no longer necessary, you withdraw consent, you object to processing, data unlawfully processed
Exceptions: Legal obligation to keep data, legal claims, public interest
How to exercise: Account Settings > Delete Account, or email contact@menuws.com
What happens:
• Account marked for deletion (30-day grace period)
• You can cancel deletion within 30 days
• After 30 days: Permanent deletion from all systems including backups
• All menus, analytics, and associated data deleted
What remains: Aggregated, anonymized analytics with no personal identifiers
Right to Data Portability (Article 20)
You have the right to receive your data in a structured, machine-readable format.
What's included: Account data, menus, categories, items, restaurant information, analytics (if premium)
Format: JSON file (menuws-com-data-export-[timestamp].json)
How to exercise: Account Settings > Export Data, or email contact@menuws.com
Response time: 30 days (often immediate for small datasets)
You can transfer this data to another service
Right to Restrict Processing (Article 18)
You have the right to request that we temporarily stop processing your data.
When it applies: You contest data accuracy, processing is unlawful, we no longer need data but you need it for legal claims, you objected to processing
Effect: Data stored but not processed (except with your consent or for legal claims)
How to exercise: Email contact@menuws.com with subject 'Restrict Processing Request'
Response time: 30 days
Right to Object (Article 21)
You have the right to object to processing based on legitimate interest.
Applies to: Analytics processing, marketing (if implemented)
Does NOT apply to: Processing necessary for contract (authentication)
How to exercise: Cookie consent banner (for analytics), or email contact@menuws.com
Effect: We must stop processing unless we have compelling legitimate grounds
Response time: 30 days
Right to Withdraw Consent (Article 7(3))
You have the right to withdraw consent at any time.
Applies to: Analytics cookies, marketing communications (if applicable)
How to exercise: Cookie consent banner > Change preferences, or Account Settings
Effect: Processing stops from withdrawal point forward (doesn't affect past processing)
Easy as giving consent: Withdrawal must be as easy as giving consent
Right to Lodge a Complaint
You have the right to file a complaint with your data protection authority.
We encourage you to contact us first: contact@menuws.com
Find your authority: https://edpb.europa.eu/about-edpb/board/members_en
No retaliation: We will not penalize you for filing a complaint
8.2 Rights Under CCPA (California Residents)
Right to Know
You have the right to know what personal information we collect, use, and share.
You can request:
• Categories of personal information collected
• Categories of sources of personal information
• Business purposes for collecting personal information
• Categories of third parties with whom we share personal information
• Specific pieces of personal information we collected about you
How to exercise: Email contact@menuws.com with subject 'CCPA Right to Know Request'
Response time: 45 days (can extend 45 more days if necessary)
Frequency: You can make up to 2 requests per 12-month period
Right to Delete
You have the right to request deletion of your personal information.
Same process as GDPR right to erasure
Exceptions: Complete transaction, detect security incidents, comply with legal obligations, internal uses reasonably aligned with your expectations
Right to Opt-Out of Sale
Important: menuws does NOT sell your personal information to third parties.
We do not sell, rent, or trade personal information for monetary or other valuable consideration.
No opt-out needed: Since we don't sell data, there's nothing to opt out of.
If our data practices change, the updated privacy policy will be posted here. You are responsible for reviewing this policy regularly to stay informed of any changes.
Right to Non-Discrimination
You have the right to equal service regardless of exercising your privacy rights.
We will NOT:
• Deny you service
• Charge different prices
• Provide different quality of service
• Suggest you'll receive different service for exercising rights
Our commitment: All users receive equal treatment regardless of privacy choices
8.3 How to Exercise Your Rights
Email: contact@menuws.com
• Include: Full name, email address associated with account, specific request
• Subject line: Use a descriptive subject (e.g., 'Data Access Request', 'Delete Account Request')
• Verification: We may require proof of identity to protect your data
Account Settings (when implemented):
• Delete Account button (right to erasure)
• Export Data button (right to access/portability)
• Privacy preferences (right to object/withdraw consent)
Response Time:
• GDPR requests: 30 days (can extend to 60 days if complex)
• CCPA requests: 45 days (can extend 45 more days if necessary)
• We'll acknowledge your request within 1 business day
Verification Process:
• We'll send a confirmation email to your registered email address
• We may require additional verification for sensitive requests (deletion, access)
• This protects your data from unauthorized access
No Cost:
• The first request is free
• We may charge a reasonable fee for subsequent requests (covers administrative costs)
9. Children's Privacy
menuws is not intended for use by children under the age of 16.
We do not knowingly collect personal information from children under 16 years of age. Our service is designed for businesses (restaurants, cafés, bars) and is not targeted at children.
Age Restriction: By using menuws, you represent that you are at least 16 years old.
If we discover: If we learn that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information as quickly as possible.
Parents or guardians: If you believe your child has provided personal information to menuws, please contact us immediately at contact@menuws.com so we can delete it.
Public menu viewing: While children may view public restaurant menus (e.g., with their parents), we do not collect any personal information from menu viewers.
Compliance: This policy complies with GDPR Article 8 (which requires parental consent for children under 16 in the EU) and COPPA (which protects children under 13 in the US).
10. International Data Transfers
menuws is accessible globally, and your personal data may be transferred to, stored in, and processed in countries other than your own.
Why transfers occur:
• Our hosting provider operates a global edge network
• Our database provider stores data in the European Union
• Third-party services (Google Analytics, Stripe) may process data internationally
Protection mechanisms:
For transfers from the EU/EEA to countries without an adequacy decision, we use:
• Standard Contractual Clauses (SCCs): EU-approved contract clauses that ensure adequate data protection
• Data Processing Agreements: Contracts with our service providers that require GDPR-level protection
• Security measures: Encryption, access controls, and other safeguards
Your consent:
By using menuws, you consent to the transfer of your personal data to countries outside your location, subject to the protections described in this policy.
EU-US transfers:
Following the Schrems II decision, we ensure that any transfers to the US are protected by Standard Contractual Clauses and additional security measures.
Your rights:
You have the right to ask about the safeguards we use for international transfers. Contact contact@menuws.com for more information.
Data location:
Our primary database is located in: European Union (Paris, France)
While we store data in specific locations, it may be accessed from other locations for technical support and maintenance purposes.
11. Public Menu Pages
menuws allows businesses to create public digital menus accessible via URLs (e.g., menuws.com/m/[menuname]).
Public nature:
• These menus are intentionally public and can be viewed by anyone without authentication
• They may be indexed by search engines (Google, Bing, etc.) for discoverability
• Anyone with the URL can view the menu content
Restaurant owner responsibility:
• As a restaurant owner, you are responsible for the content you publish
• You must ensure compliance with applicable laws (pricing accuracy, allergen disclosures, etc.)
• You control what information is public (name, address, phone, menu items)
Data controller:
• For menu content: You (the restaurant owner) are the data controller
• For analytics (premium): menuws is the data controller
• For account data: menuws is the data controller
Menu viewer privacy:
• We do not require menu viewers to create accounts
• We do not collect personal information from people viewing public menus
• For premium analytics: Only aggregate, anonymous data is collected (view counts, not individual identities)
Analytics disclosure:
If you have a premium account with analytics enabled:
• Your public menu page will include a privacy notice
• Menu viewers will see a cookie notice on first visit (if analytics cookies are used)
• Analytics data is aggregated and does not identify individual viewers
Search engine indexing:
Public menus may appear in search engine results. This is intentional for business discoverability. You can request removal from search results through the search engine's removal tools.
Removing your menu:
If you delete your menu or account, public menus will be immediately removed and no longer accessible.
12. Data Breach Notification
We take data security seriously and have procedures in place to respond to data breaches.
What is a Data Breach?
A data breach is any security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
Our Response Process
If a data breach occurs, we will:
1. Detection & Containment (immediate):
• Identify the source and scope of the breach
• Contain the breach to prevent further unauthorized access
• Preserve evidence for investigation
2. Assessment (within 24 hours):
• Determine what data was affected
• Assess how many users are impacted
• Evaluate the risk level (high, medium, low)
3. Legal Notification (as required by law):
• Notify supervisory authorities as required by applicable data protection laws (e.g., GDPR requires notification within 72 hours for EU breaches)
• Notify affected individuals only when legally required and when the breach is likely to result in high risk to rights and freedoms
4. Remediation (ongoing):
• Fix the vulnerability that caused the breach
• Implement additional safeguards to prevent future breaches
• Review and improve our security practices
When We'll Notify You
When Required by Law:
We will notify you of a data breach only when legally required, including:
• GDPR (EU): Notification required if the breach is likely to result in high risk to your rights and freedoms
• CCPA (California): Notification required under California Civil Code § 1798.82
• Other applicable data breach notification laws
Our notification will include information required by applicable law, which may include:
• Nature of the breach
• What data was affected
• Steps we've taken to address the breach
• Recommendations for protecting yourself
Exceptions (when we may NOT notify even if breach occurs):
• Data was encrypted or otherwise rendered unreadable
• Subsequent measures ensure high risk is no longer likely
• Applicable law does not require notification
• Notification would require disproportionate effort (public communication may be used instead)
Your Responsibility:
You are responsible for maintaining strong passwords, enabling available security features, and monitoring your account for suspicious activity. We recommend checking this policy and our security advisories regularly.
Reporting Security Vulnerabilities
If you discover a security vulnerability in menuws:
• Do not exploit the vulnerability
• Report it immediately to: contact@menuws.com
• Provide details about the vulnerability and how you discovered it
• We will respond within 24 hours for critical security issues
• We will work with you to understand and fix the issue
Responsible disclosure:
We appreciate security researchers who report vulnerabilities responsibly. We will not take legal action against researchers who follow responsible disclosure practices.
13. Changes to Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service improvements.
How we post updates:
• The updated policy will be posted at this URL with a new effective date at the top
• The effective date shows when the policy was last updated
• Updates take effect immediately upon posting unless otherwise stated
• Continued use of menuws after updates means you accept the changes
Your responsibility:
• You are responsible for reviewing this Privacy Policy regularly
• We recommend checking this page at least monthly or before using new features
• Check the effective date at the top to see if the policy has been updated
• If you do not agree with changes, you must stop using menuws and delete your account
No notification requirement:
• We are NOT obligated to notify you of policy changes by email or other means
• We may choose to notify users at our sole discretion, but this is not guaranteed
• Do not rely on receiving notifications - checking this policy is your responsibility
Version history:
• We maintain internal records of policy changes
• You can request information about previous versions by contacting contact@menuws.com
• Significant changes may be documented in change logs at our discretion
Disagreement with changes:
If you do not agree with changes to this Privacy Policy:
• Stop using menuws immediately
• Delete your account through Account Settings or contact contact@menuws.com
• Request data deletion under your GDPR/CCPA rights if applicable
• Continued use after changes indicates acceptance of the new terms
14. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Privacy Inquiries
Email: contact@menuws.com
Purpose: Privacy questions, rights requests, complaints
Response time: We aim to acknowledge receipt within 5 business days and provide a full response within 30 days
General Support
Email: contact@menuws.com
Purpose: Technical support, account issues, general questions
Response time: 1-2 business days
Security Issues
Email: contact@menuws.com
Purpose: Security vulnerabilities, breach reports
Response time: 24 hours for critical security issues
Mailing Address
321K (operating as menuws)
Luxembourg
Email: contact@menuws.com
Note: For fastest response, please email us. Postal mail is not available.
This privacy policy was last updated on May 31, 2026. You are responsible for checking this policy regularly for updates. We are not obligated to notify you of changes. If you have questions about how we handle your data, contact contact@menuws.com.