Privacy Policy
Last updated: 21 June 2026
This Privacy Policy explains how [COMPANY LEGAL NAME] ("Menudium", "we", "us") collects and uses personal data when you use our service for creating online restaurant menus and QR codes (the "Service"). We act as the data controller for restaurant owner accounts. For the menu content owners publish, owners are responsible for the information they choose to make public.
Who this applies to
Restaurant owners / managers who create accounts, and diners who view public menu pages. Diners can browse a public menu without an account; we do not require diners to provide personal data to view a menu.
Data we collect
Account data: name (optional) and email address. Restaurant content you provide: restaurant name, description, address, phone, working hours, social links, logo and menu item images, and menu details. Technical data: IP address, browser/device information, and server logs, collected automatically for security and to operate the Service.
We do not currently process payments. If we add paid plans, billing details will be handled by a payment provider and this policy will be updated.
How we use your data
To provide and maintain the Service; to authenticate you and keep your account secure; to display your public menu; to respond to support requests; to detect and prevent abuse; and to comply with legal obligations.
Legal bases (GDPR)
We process personal data on the following bases: to perform our contract with you (providing the Service); for our legitimate interests (security, improving the Service); to comply with legal obligations; and with your consent where required.
Cookies
We use strictly necessary cookies to keep you logged in (session cookies via our authentication provider). We do not use advertising cookies. If we add analytics in future, we will update this policy and request consent where required.
Sharing and processors
We do not sell your personal data. We share it with service providers that help us run the Service: Supabase (database, authentication, file storage) and Vercel (hosting). These providers process data on our behalf under their own terms and data-processing agreements.
International transfers
Our providers may process data outside your country, including outside the EU/EEA. Where this happens, appropriate safeguards (such as Standard Contractual Clauses) are relied upon to protect your data.
Retention
We keep account and content data for as long as your account is active. If you delete your account, we delete or anonymise your personal data within a reasonable period, except where we must retain it for legal reasons.
Your rights
Subject to applicable law, you may request access to, correction of, or deletion of your personal data; restrict or object to processing; request portability; and withdraw consent. You may also lodge a complaint with your local data protection authority. To exercise these rights, contact us at [privacy@yourdomain].
Security
We use industry-standard measures including encryption in transit and access controls. No method of transmission or storage is fully secure, but we work to protect your data.
Children
The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data from children.
Changes
We may update this policy from time to time. We will post the new version here and update the "Last updated" date.
Contact
Questions about this policy or your data? Contact [COMPANY LEGAL NAME] at [privacy@yourdomain]. Governing law: [Serbia / your jurisdiction].
See also our Terms of Service.