
Privacy Policy

How MenuHall collects, uses, and protects your personal data.

Last updated: March 25, 2026
Jurisdiction: EU / GDPR

1. Who We Are

MenuHall is operated by LeapLane Lda, based in Porto, Portugal. We are the data controller for the personal data processed through our platform.

2. What Data We Collect

Establishment Owners

  • Account data: Email address, name (if provided), authentication credentials.
  • Establishment data: Restaurant name, description, logo, cover image, menu content (categories, items, prices, images).
  • Billing data: Processed by Stripe. We do not store credit card numbers.

End Users (Customers)

Minimal data collection

  • No account required. We do not collect names, emails, or phone numbers from customers.
  • Order data (items, table number, notes) is associated with a table, not a person.
  • Technical data (IP address, browser type, device) is collected automatically via server logs.

4. How We Use Your Data

  • To provide and operate the MenuHall platform (displaying menus, processing orders).
  • To manage Establishment accounts and subscriptions.
  • To communicate with Establishment owners about their account and service updates.
  • To improve and maintain the quality and security of our Service.

5. Data Sharing and Sub-Processors

We share data with the following third-party services:

Service | Purpose | Data Location | DPA
Supabase Inc. | Database, auth, file storage | EU (eu-west-1) | Link
Vercel Inc. | Hosting and deployment | Global CDN | Link
Stripe Inc. | Payment processing (Establishments only) | EU / US | Link
OpenAI Inc. | AI menu extraction (menu text/images only) | US | Link
Google LLC | Gemini API (item names/descriptions only) | US | Link

We do not

  • Sell personal data to third parties.
  • Share data with advertisers.
  • Send personal data (names, emails) to AI providers — only menu content.

6. International Data Transfers

Our primary data storage is in the EU (Supabase eu-west-1). Some sub-processors (OpenAI, Google, Stripe, Vercel) may process data in the United States. These transfers are protected by:

  • EU-U.S. Data Privacy Framework certifications where applicable.
  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Data Processing Agreements with each sub-processor (linked above).

7. Data Storage and Security

Security measures

  • All data encrypted in transit (TLS) and at rest.
  • Row Level Security (RLS) policies isolate each Establishment's data.
  • Authentication via secure, HTTP-only session tokens.
  • Primary data storage in EU region (Supabase eu-west-1).

8. Data Retention

Data Type | Retention Period
Account data | While account is active. Deleted within 30 days of account deletion.
Order data | 90 days, then automatically deleted.
Menu content | While account is active. Images deleted within 30 days of removal.
Server logs | 30 days for security and debugging.

9. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

Right | Description
Access (Art. 15) | Obtain a copy of your personal data.
Rectification (Art. 16) | Correct inaccurate data.
Erasure (Art. 17) | Request deletion of your data.
Portability (Art. 20) | Receive your data in a structured, machine-readable format.
Restrict processing (Art. 18) | Request limitation of processing.
Object (Art. 21) | Object to processing based on legitimate interest.
Withdraw consent (Art. 7(3)) | Withdraw consent at any time without affecting prior processing.

To exercise these rights, contact us at privacy@menuhall.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Portuguese data protection authority (CNPD — www.cnpd.pt) or your local supervisory authority.

10. Cookies

MenuHall uses only strictly necessary cookies required for authentication and session management. These cookies are exempt from consent requirements under the ePrivacy Directive as they are essential for the service to function. We do not use tracking cookies, analytics cookies, or advertising cookies.

11. Children

MenuHall is not directed at children under 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

12. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33). If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (GDPR Art. 34).

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify Establishment owners of material changes via email at least 30 days before they take effect. Continued use of the Service after changes constitutes acceptance.

14. Contact

For privacy-related questions, data requests, or complaints, contact us at:

privacy@menuhall.com
LeapLane Lda
Porto, Portugal