Privacy
PRIVACY POLICY
LAST UPDATED: February 12, 2026
1. IDENTIFICATION OF THE DATA CONTROLLER
In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data (GDPR), and Spanish Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights (LOPDGDD), the user is informed of the following:
• Data Controller: MENNU DIGITAL SOLUTIONS, S.L.
• Tax ID (NIF): B26719690
• Address: Paseo de la Castellana, 194, Bajo B, 28046, Madrid, Spain
• Contact email: info@mennuqr.com
• Phone: +34 694 212 713
• Website: https://mennuqr.com
2. PERSONAL DATA WE COLLECT
Depending on the user's interaction with the Platform, we may collect the following categories of personal data:
a) Identification and contact data: name, surname, email address, phone number (optional), name of the hospitality establishment.
b) Authentication data: login credentials (email and encrypted password), session tokens, Google OAuth authentication data.
c) Billing and payment data: subscription-related information, Stripe customer and transaction identifiers. Mennu does NOT store complete credit card data; this is managed directly by Stripe.
d) Content data: menus, dish descriptions, images, logos, restaurant information, and any other content uploaded or generated by the user on the Platform.
e) Technical and usage data: IP address, browser type and version, operating system, pages visited, access date and time, session duration, unique device identifiers, performance data, and technical errors.
f) Communication data: messages sent to our support or customer service team.
3. PURPOSES AND LEGAL BASIS FOR PROCESSING
Personal data is processed for the following purposes, with their respective legal bases under Article 6 of the GDPR:
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Management of user registration and account | Performance of a contract (Art. 6.1.b) |
| Provision of the Service (creation, editing, and publication of digital menus) | Performance of a contract (Art. 6.1.b) |
| Payment processing and subscription management | Performance of a contract (Art. 6.1.b) |
| Invoice issuance and delivery | Legal obligation (Art. 6.1.c) |
| Artificial intelligence features (scanning, translation, brand extraction) | Performance of a contract (Art. 6.1.b) |
| Service communications (updates, technical notifications) | Legitimate interest (Art. 6.1.f) |
| Sending marketing and promotional communications | Consent (Art. 6.1.a) |
| Usage analysis and Platform improvement | Legitimate interest (Art. 6.1.f) |
| Fraud and abuse detection and prevention | Legitimate interest (Art. 6.1.f) |
| Compliance with legal and tax obligations | Legal obligation (Art. 6.1.c) |
| User support and complaint management | Legitimate interest (Art. 6.1.f) |
4. RECIPIENTS AND DATA PROCESSORS
Mennu may share or grant access to personal data to the following third parties, all in accordance with GDPR-compliant data processing agreements (DPA):
| Provider | Function | Data location | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, and storage | European Union (Frankfurt, Germany) | GDPR-compliant DPA |
| Stripe, Inc. | Payment processing and billing | USA / EU | Standard Contractual Clauses (SCC), PCI-DSS certification |
| Vercel, Inc. | Web hosting, deployment, and analytics | USA / Global (CDN) | Standard Contractual Clauses (SCC), DPA |
| Google LLC | Authentication (OAuth), AI services (Gemini API) | USA / Global | Standard Contractual Clauses (SCC), DPA |
| Brevo (Sendinblue) | Transactional email delivery | European Union (France) | GDPR-compliant DPA |
| CookieYes | Cookie consent management | European Union | GDPR-compliant DPA |
Mennu does not sell, rent, or transfer users' personal data to third parties for their own commercial purposes.
5. INTERNATIONAL DATA TRANSFERS
Some of our data processors are located outside the European Economic Area (EEA), specifically in the United States. Such transfers are made in accordance with the safeguards provided for in the GDPR, including:
• Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914).
• European Commission adequacy decisions, where available (e.g., the EU-US Data Privacy Framework).
• Supplementary technical and organizational measures to ensure an adequate level of protection.
6. DATA RETENTION
Personal data will be retained for the time strictly necessary to fulfill the purpose for which it was collected:
• Account and profile data: for as long as the user's account remains active. After cancellation, data will be retained in a blocked state for the applicable legal period (up to 5 years under Article 1964 of the Spanish Civil Code).
• Billing data: 4 years under the General Tax Law.
• Cookie consent data: 5 years or until the user revokes consent.
• Marketing communication data: until the user revokes consent or unsubscribes.
• Technical and analytics data: maximum 26 months, unless previously anonymized.
After the applicable legal periods, data will be deleted or irreversibly anonymized.
7. USER RIGHTS
In accordance with the GDPR and the LOPDGDD, the user has the following rights:
a) Right of access: to obtain confirmation of whether their personal data is being processed and, if so, to access it.
b) Right to rectification: to request the correction of inaccurate or incomplete data.
c) Right to erasure ("right to be forgotten"): to request the deletion of personal data when it is no longer necessary for the purpose for which it was collected, among other circumstances.
d) Right to restriction of processing: to request that the processing of data be limited in certain circumstances.
e) Right to data portability: to receive personal data provided in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
f) Right to object: to object to the processing of personal data on grounds relating to their particular situation.
g) Right not to be subject to automated decisions: not to be subject to a decision based solely on automated processing that produces legal effects or significantly affects them.
h) Right to withdraw consent: where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, the user may contact:
• Email: info@mennuqr.com
• Postal address: MENNU DIGITAL SOLUTIONS, S.L., Paseo de la Castellana, 194, Bajo B, 28046, Madrid, Spain
The request must include a copy of the applicant's identification document. Mennu will respond within a maximum of one (1) month from receipt of the request, which may be extended by up to two (2) additional months depending on the complexity of the request.
8. RIGHT TO LODGE A COMPLAINT
If the user considers that their data protection rights have been violated, they may lodge a complaint with the Spanish Data Protection Agency (AEPD):
• Website: https://www.aepd.es
• Address: C/ Jorge Juan, 6, 28001, Madrid, Spain
9. DATA SECURITY
Mennu implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or accidental destruction, including:
• Data encryption in transit using TLS/SSL.
• Password encryption using secure hash algorithms (bcrypt).
• Two-factor authentication available for users.
• Role-based access control and Row Level Security (RLS) policies in the database.
• Regular and automated backups.
• Access monitoring and auditing.
10. CHILDREN'S PRIVACY
The Platform is not intended for children under 16. Mennu does not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us so that we can proceed with its deletion.
11. CHANGES TO THIS POLICY
Mennu reserves the right to update this Privacy Policy to adapt it to legislative changes or changes to the Service. Any substantial modifications will be notified to the user through the Platform or by email. We recommend that you review this page periodically.
12. CONTACT
For any inquiries related to the processing of your personal data, please contact:
MENNU DIGITAL SOLUTIONS, S.L.
Paseo de la Castellana, 194, Bajo B, 28046, Madrid, Spain
Email: info@mennuqr.com
Phone: +34 694 212 713