Privacy Policy

2.1 User data (restaurant owners)

• Identification data: surname, first name, email address, password (encrypted)
• Professional data: restaurant name, slug, logo, address, currency, timezone, opening hours
• Menu data: categories, products (name, description, price, photo, allergens), option groups
• Billing data: Stripe customer ID, subscribed plan, subscription status, payment history (via Stripe)
• Connection data: IP address, browser type, login timestamps
• Preferences: preferred language (FR/EN)

2.2 Diner data (end customers)

• Order data: order contents, table number, type (dine-in/takeaway), notes, total
• Optional data: name, phone number (only if voluntarily provided for takeaway orders)
• Technical data: IP address (for rate limiting only), browser language

No user account is created for Diners. No banking data is collected by Menyko for Diners (meal payment is made directly at the restaurant).

• User account data: retained for the duration of the subscription, then ninety (90) days after cancellation or end of the trial period
• Order data: retained for the duration of the User's subscription, then archived for the legal retention period of commercial documents (10 years under French law)
• Billing data: retained for the legal retention period of accounting records (10 years)
• Diner data: retained for the duration of the User's subscription. Optional data (name, phone) is deleted along with the rest of the restaurant's data
• Connection logs: retained for twelve (12) months in accordance with applicable legislation
• Cookies: see section 9 below

Your data may be shared with the following sub-processors, strictly for the purposes described above:

No data is sold or transferred to third parties for commercial or advertising purposes.

Some sub-processors (Vercel, Stripe, Resend, Sentry, Upstash) are located in the United States. The database (Supabase) is hosted in the European Union (Frankfurt, Germany). Transfers outside the EU are governed by:

• The EU-US Data Privacy Framework (DPF) for certified providers;
• Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable;
• Additional technical measures (encryption of data in transit and at rest).

You can obtain a copy of the applicable safeguards by contacting contact@menyko.com.

In accordance with the GDPR and the French Data Protection Act, you have the following rights:

• Right of access: obtain confirmation that your data is being processed and receive a copy
• Right to rectification: have your inaccurate or incomplete data corrected
• Right to erasure: request the deletion of your data within the limits provided by law
• Right to restriction: obtain restriction of processing in certain cases
• Right to data portability: receive your data in a structured and commonly used format (JSON)
• Right to object: object to the processing of your data on legitimate grounds
• Right to withdraw consent: at any time, when the processing is based on consent

To exercise these rights, contact us at contact@menyko.com with proof of identity. We will respond within a maximum of one (1) month.

If you are unsatisfied with our response, you may lodge a complaint with the French Data Protection Authority (CNIL): www.cnil.fr.

Menyko processes Diner data as a data processor within the meaning of the GDPR, on behalf of the restaurant owner (data controller). Diners may exercise their rights directly with the restaurant concerned or by contacting Menyko, who will forward the request.

Reminder: no account is created for Diners. The only data collected is strictly necessary for processing the order (contents, table, notes). Name and phone number are only collected if the Diner voluntarily provides them for a takeaway order.

9.1 Strictly necessary cookies

These cookies are essential for the operation of the Service and cannot be disabled:

• Supabase authentication session: identification of the logged-in User
• Language preferences: storage of the chosen language (FR/EN)

9.2 Local storage (localStorage)

The Service uses the browser's local storage for:

• Diner cart: temporary storage of the cart contents (expires after 2 hours)
• Menu language preference: remembering the language choice

No sensitive data is stored in localStorage.

9.3 Analytical cookies (optional)

With your consent, we use Vercel Analytics to measure audience and improve the Service. These cookies are only set after your explicit agreement via the consent banner.

You can withdraw your consent at any time by changing your cookie preferences from the link at the bottom of the page.

Menyko implements appropriate technical and organizational measures to protect your data against unauthorized access, modification, disclosure or destruction:

• Encryption of data in transit (TLS/HTTPS) and at rest
• Secure authentication via Supabase Auth with bcrypt password hashing
• Row Level Security (RLS) at the database level for data isolation between organizations
• Rate limiting to prevent brute force attacks and abuse
• Production data access restricted to authorized personnel only
• Error and anomaly monitoring via Sentry
• HTTP security headers (CSP, X-Frame-Options, X-Content-Type-Options)

Menyko reserves the right to modify this privacy policy at any time. In the event of a substantial change, the User will be informed by email or by notification in the dashboard at least fifteen (15) days before it takes effect.

The current version is the one available at menyko.com/legal/confidentialite.

For any question regarding the protection of your personal data or to exercise your rights, you can contact our data protection officer: