Privacy Policy
Last Updated: May 29, 2026
IMPORTANT DISCLAIMER: This document is a template for informational purposes only. It provides a foundation for a comprehensive privacy policy but does not constitute legal advice. You should consult with a qualified attorney to ensure compliance with all applicable laws and regulations in your target jurisdictions before using this document.
1. Introduction
About MenyoTap
MenyoTap ("we," "us," or "our") operates the digital menu platform accessible at menyotap.com and related subdomains (collectively, the "Service"). We are committed to protecting your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant regulations.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you:
- Create an account as a restaurant owner or administrator
- Use our dashboard to manage your restaurant's digital menu
- Visit or interact with public restaurant menus
- Place orders through our WhatsApp integration
- Contact our support team
- Subscribe to our paid plans
Controller Information
Data Controller: MenyoTap
Email: hi@menyotap.com
Website: menyotap.com
2. Data We Collect
2.1 Personal Data You Provide
We collect the following personal data when you create an account or use our Service:
| Data Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, password | Account creation, authentication |
| Profile Data | Restaurant name, phone number, business details | Service delivery, identification |
| Restaurant Content | Menu items, categories, descriptions, images, prices | Service delivery |
| Payment Data | Order history, payment proof images, billing address | Subscription management |
| Communication Data | Support inquiries, feedback, chat messages | Customer support |
| Branch Information | Branch addresses, phone numbers, working hours | Service delivery |
2.2 Automatically Collected Data
When you use our Service, we automatically collect:
| Data Type | Examples | Purpose |
|---|---|---|
| Device Data | IP address, browser type, operating system, device type | Analytics, security |
| Usage Data | Pages visited, time spent, features used | Service improvement |
| Analytics Data | Menu views, QR scans, item clicks, WhatsApp clicks | Business analytics |
| Location Data | Approximate location from IP address | Analytics, language preferences |
2.3 Data From Third Parties
- Authentication Providers: If you sign up using Google OAuth, we receive your name and email from Google
- Payment Processors: Transaction data from Instapay (payment confirmations)
3. How We Use Your Data
We use your personal data for the following purposes:
3.1 Service Delivery
- Provide, maintain, and improve our digital menu platform
- Create and manage your restaurant account
- Generate and deliver QR codes for your menus
- Process subscription payments and orders
- Enable WhatsApp ordering functionality
3.2 Communication
- Send account-related notifications and updates
- Respond to your support inquiries
- Send marketing communications (only with your consent)
- Provide service announcements and security alerts
3.3 Business Operations
- Analyze usage patterns to improve our Service
- Generate anonymized analytics for restaurant owners
- Conduct research and development
- Detect and prevent fraud, abuse, and security incidents
3.4 Legal Compliance
- Comply with legal obligations (tax reporting, fraud prevention)
- Enforce our Terms of Service
- Protect our rights and property
4. Legal Basis for Processing
We process your personal data under the following legal bases:
For Restaurant Owners (Controllers):
- Contract Performance: Processing necessary to provide the Service under our Terms of Service
- Legitimate Interest: Analytics, security, fraud prevention, and business improvement
- Legal Obligation: Tax compliance, law enforcement requests
For End Users (Visitors):
- Legitimate Interest: Analytics, improving user experience
- Consent: Marketing communications, non-essential cookies
For All Users:
- Vital Interests: Protecting safety in emergencies
- Public Task: Responding to legal requests from authorities
5. Data Sharing and Transfers
5.1 Service Providers
We share data with the following categories of service providers:
| Provider | Data Shared | Purpose |
|---|---|---|
| Supabase | All user data, content, analytics | Database, authentication, storage |
| Payment Processors | Payment details | Payment processing |
| Hosting Provider | All data | Website hosting |
| Analytics Tools | Anonymous usage data | Service analytics |
5.2 Third-Party Integrations
- WhatsApp: Order details shared with restaurant WhatsApp number
- Google OAuth: Basic profile information for authentication
5.3 Legal Disclosures
We may disclose your data when:
- Required by law or government request
- Necessary to enforce our Terms of Service
- Necessary to protect our rights, safety, or property
- In connection with a merger, acquisition, or sale of company assets
5.4 No Sale of Data
We do not sell your personal data to third parties. We never have and never will.
6. Your Rights
6.1 GDPR Rights (EU/EEA Residents)
If you are located in the EU/EEA, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Correct inaccurate personal data |
| Erasure | Request deletion of your personal data |
| Restriction | Limit how we process your data |
| Portability | Receive your data in a machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdrawal | Withdraw consent at any time |
6.2 CCPA Rights (California Residents)
- Know what personal information we collect and how we use it
- Request deletion of your personal information
- Opt out of the sale of your personal information (we don't sell)
- Non-discrimination for exercising your rights
6.3 How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: hi@menyotap.com
Subject: Privacy Rights Request
We will respond to your request within 30 days. For complex requests, we may need additional time.
7. Data Security
7.1 Security Measures
We implement appropriate technical and organizational measures to protect your data:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access, MFA for admin accounts
- Monitoring: Regular security audits and vulnerability assessments
- Firewalls: Web Application Firewall (WAF) protection
- Backup: Automated encrypted backups with disaster recovery
7.2 Security Incident Response
In the event of a data breach, we will:
- Notify affected users within 72 hours
- Report to relevant supervisory authorities as required
- Take immediate steps to contain and remediate the breach
- Provide guidance on protective measures
8. Data Retention
8.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Account Data | Duration of account + 30 days after deletion |
| Menu Content | Duration of account + 30 days after deletion |
| Payment Records | 7 years (legal requirement) |
| Analytics Data | 2 years (anonymized) |
| Support Tickets | 2 years after resolution |
| Login Records | 1 year |
8.2 Deletion
When you request account deletion:
- Personal data deleted within 30 days
- Menu content and associated data permanently removed
- Payment records retained as required by law
9. Cookies and Tracking Technologies
9.1 Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, session management, language preference | Session + 1 year |
| Analytics | Anonymous usage statistics, page performance | 2 years |
| Functional | UI preferences, saved settings | 1 year |
9.2 Cookie Management
You can manage cookies through your browser settings:
- Block all cookies: May limit functionality
- Delete existing cookies: Clears stored preferences
- Opt out of analytics: Use browser add-ons
10. Children's Privacy
Age Restrictions
The following age restrictions apply to our Service:
- Restaurant Owners: Must be 18+ years old
- Menu Visitors: Our Service does not target children under 13
We do not knowingly collect personal data from children under 13. If we become aware of such collection, we will delete the data immediately.
11. Third-Party Links
Our Service may contain links to third-party websites, services, or applications that are not operated by us:
- We are not responsible for the privacy practices of these third parties
- We recommend reviewing their privacy policies before providing any personal data
- Restaurant menus may include links to social media profiles (controlled by restaurants)
12. International Data Transfers
Data Processing Location
Our servers are located in the United States (Supabase). Your data may be processed in countries outside your country of residence.
Transfer Mechanisms
For international transfers, we ensure:
- Adequacy Decisions: Transfer to countries with adequate data protection
- Standard Contractual Clauses: EU-approved contract terms with processors
- Binding Corporate Rules: For intra-group transfers
13. Changes to This Policy
Updates
We may update this Privacy Policy periodically. When we make material changes, we will:
- Update the Last Updated date at the top
- Post the new policy on our website
- Send email notification for significant changes (30+ days notice)
Your Rights
If you disagree with changes, you may:
- Stop using our Service
- Request deletion of your data
- Contact us with concerns
14. Complaints and Contact
Questions
For privacy-related questions, contact:
Email: hi@menyotap.com
Subject: Privacy Inquiry
Complaints
If you believe your data protection rights have been violated:
- Contact us first — we'll try to resolve the issue
- File a complaint with your local data protection authority
Appendix: Data Processing Details
Data Controller
Name: MenyoTap
Email: hi@menyotap.com
Data Processor
Supabase, Inc. (our backend service provider). We have a Data Processing Agreement with Supabase that meets GDPR requirements.
Document Version: 1.0
This privacy policy is provided as a template and should be reviewed by a qualified attorney before implementation.