Privacy Policy

Restaurant operator data

When restaurants use MaxyMenu, we collect business information provided during onboarding: restaurant name, contact details, and login identifiers and account information. We also collect menu content (dishes, prices, descriptions, photos, allergens, and translations) that operators submit through the platform.

WhatsApp interaction data

To enable WhatsApp-based menu updates, we process messages sent by restaurant operators to our system. This includes text instructions and any content shared for menu management purposes. We do not access personal WhatsApp conversations outside of the designated business number.

Usage data

We automatically collect technical data when you interact with MaxyMenu: device type, browser, IP address, pages visited, time spent, and interaction patterns. This data is used exclusively to improve the service and diagnose technical issues.

Customer-facing menu visitors

End customers who view a restaurant's digital menu via QR code or link are not required to create an account. We may collect aggregated or pseudonymized analytics where possible (page views, language preference, scroll behaviour) to help restaurants understand menu engagement.

Service delivery

We use your data to operate and maintain the MaxyMenu platform: processing menu update requests, generating multilingual content, publishing digital menus, and sending confirmation notifications via WhatsApp.

AI-assisted processing

Menu update instructions submitted through WhatsApp are processed by AI models to interpret intent, extract structured data, and prepare validated updates before they are applied. A confirmation step is required before changes are applied to the live menu.

Communications

We may use your contact details to send service notifications, security alerts, and product updates related to your MaxyMenu account. We do not send unsolicited marketing messages without your explicit consent.

Analytics and improvement

Aggregated, anonymised usage data helps us understand how the platform is used and where we can improve reliability, performance, and user experience. Individual data is never sold to third parties.

AI providers

Menu update instructions may be transmitted to third-party AI model providers, such as OpenAI or other AI service providers used to deliver MaxyMenu features, for natural-language processing. We work with providers whose terms include data handling commitments, and we do not knowingly share data with providers that use it for their own model training without consent.

WhatsApp / Meta

MaxyMenu integrates with the WhatsApp Business API, operated by Meta Platforms, Inc. Messages exchanged via this channel are subject to Meta's Business Messaging Terms and Privacy Policy. We recommend reviewing those policies separately.

Infrastructure providers

We use cloud infrastructure providers (such as Vercel and database hosting services) to run the platform. These providers operate as sub-processors and access data only to the extent necessary to deliver their services.

Legal obligations

We may disclose data if required by law, court order, or to protect the rights and safety of users or the public. We will notify affected users where legally permissible.

Active accounts

We retain your data for as long as your MaxyMenu account is active and as needed to provide the service. Menu content and update history are kept to support audit trails and rollback capabilities.

Account deletion

Upon account termination or deletion request, we will remove your personal data within 30 days. Anonymised, aggregated usage statistics may be retained for analytical purposes indefinitely.

Legal retention requirements

Certain data may be retained longer where required by applicable law, such as financial transaction records or regulatory compliance obligations.

Access and portability

You have the right to request a copy of the personal data we hold about you, in a portable format where technically feasible.

Correction

You may request correction of inaccurate or incomplete personal data at any time through your account settings or by contacting us directly.

Erasure

You may request deletion of your personal data ('right to be forgotten'), subject to legal retention obligations. We will confirm the deletion or explain any applicable limitations.

Objection and restriction

You have the right to object to or restrict certain types of processing, including automated decision-making. Contact us to exercise these rights.

Contract performance

Most processing is necessary to provide the MaxyMenu service under our terms of use — for example, processing menu update requests and publishing digital menus for restaurant operators.

Legitimate interests

We process certain data on the basis of our legitimate interests, such as improving platform reliability and security, provided those interests are not overridden by your rights. You may object to this processing at any time.

Consent

Where we rely on consent — for example, for optional analytics cookies or marketing communications — you may withdraw that consent at any time without affecting the lawfulness of prior processing.

Legal obligation

In some cases we are required to process data to comply with applicable law, including tax, accounting, and regulatory requirements.

Supervisory authority

If you are located in Spain or the EU and believe we are processing your data unlawfully, you have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD, aepd.es) or the supervisory authority in your country of residence.

Transfers outside the EU/EEA

Some of our third-party service providers — including AI model providers and cloud infrastructure services — may be based in or process data in countries outside the European Economic Area, including the United States.

Safeguards

Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or we use providers operating under equivalent data protection frameworks. As MaxyMenu is in active development, we continuously review our transfer mechanisms as the platform matures.

Your rights regarding transfers

You have the right to obtain information about the specific safeguards applied to international transfers involving your data. Contact us at the address in Section 10 for details.

Essential cookies

We use strictly necessary cookies to maintain your session and ensure the platform functions correctly. These cannot be disabled without breaking core functionality.

Analytics cookies

With your consent, we may use analytics cookies to understand how users interact with MaxyMenu. These are anonymised and do not track you across other websites.

No advertising cookies

MaxyMenu does not use advertising or cross-site tracking cookies. We do not sell or share data with advertising networks.

Technical safeguards

We implement reasonable security measures including encrypted data transmission (TLS), access controls, and periodic security reviews. Menu content is stored in access-controlled databases. As an early-stage product, we are committed to improving our security posture as the platform grows.

Breach notification

In the event of a data breach that may affect your rights, we will notify you and relevant supervisory authorities within the timeframes required by applicable law.

Data controller

MaxyMenu is a project developed and operated by Daniel Navarro Fernández. For any questions about this Privacy Policy, data requests, or concerns about how we handle your data, please contact us at: maxymenu@gmail.com

Updates to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the 'Last updated' date at the top of this page and, where required by law, notify affected users directly.