Privacy Policy
Last updated: May 18, 2026
This Privacy Policy explains what personal data Menurai (the "Service") collects, how we use it, who we share it with, and the rights you have over it. The Service is operated as a private individual project (the "Operator", "we", "us"), which is the data controller for the purposes of the EU General Data Protection Regulation (GDPR).
1. What we collect
We collect only what we need to run the Service:
- Account data — your email address, authentication tokens, and any name or avatar you provide through our authentication provider (Clerk). We do not ask for or store government ID, full name, or date of birth.
- Menu content — everything you upload to your menu: category names, dish names, descriptions, prices, photos, opening hours, your own custom domain names, branding choices.
- Subscription data — for paid plans, Stripe records (subscription id, the last 4 digits of the card, plan status). We never receive the full card number.
- Guest analytics — when a guest opens your menu we record the visit: a random anonymous visitor id (stored in their browser), timestamp, the UTM source (if any), and which menu was opened. We do not record IP address, precise location, full name or any other personally identifying detail about your guests.
- Technical logs — server-side error logs from Vercel and Railway. These are retained for up to 30 days and contain truncated IP addresses for abuse-prevention only.
2. Why we use it (legal bases under GDPR)
- Performance of a contract (Art. 6(1)(b)) — to provide the Service you signed up for: host your menu, serve it to your guests, generate QR codes, show you analytics.
- Legitimate interest (Art. 6(1)(f)) — to keep the Service secure, prevent abuse, and improve product quality with aggregated usage statistics.
- Legal obligation (Art. 6(1)(c)) — to keep invoice records for tax purposes for as long as local law requires.
3. Who we share it with
We do not sell your data. We share only the minimum needed with the following sub-processors, each contractually bound to handle data lawfully:
- Clerk (Clerk Inc., USA) — authentication and account management
- Stripe (Stripe Payments Europe Limited, Ireland) — subscription billing
- Vercel (Vercel Inc., USA) — front-end hosting and CDN
- Railway (Railway Corp., USA) — back-end hosting and database
- Google Search Console — for crawl reporting only; no user data is shared
Some of these are in the United States. Transfers rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–U.S. Data Privacy Framework.
4. Cookies & similar tech
We use a small number of strictly necessary cookies and local-storage items:
- Clerk authentication cookies — to keep you signed in
- A random visitor id in the guest's browser localStorage — to dedupe repeat visits to your menu within 30 minutes
- A session-storage flag for the same dedupe purpose per tab
We do not use third-party advertising cookies or tracking pixels.
5. How long we keep it
- Active accounts — kept while your account is open.
- After account deletion — your account, menu content and custom-domain records are deleted immediately. Guest analytics tied to your menus are retained in aggregated form for up to 90 days after deletion so we can compute platform-level metrics; after that they are deleted.
- Invoices & tax records — kept for as long as local tax law requires (typically up to 7 years for Stripe receipts).
- Server error logs — up to 30 days.
6. Your rights (GDPR)
If you are in the EU/UK, you have the following rights under GDPR. You can exercise any of them by emailing support@menurai.com from the address tied to your account:
- Access — get a copy of the personal data we hold about you
- Rectification — fix inaccurate data
- Erasure ("right to be forgotten") — delete your data, on the schedule described above
- Portability — get your menu content in a standard machine-readable format
- Restriction & objection — pause certain processing
- Withdraw consent — where processing was based on consent
- Lodge a complaint with your local supervisory authority
We respond to verified requests within 30 days, free of charge for the first request.
7. Children
The Service is not intended for users under 16. If you believe we have collected data from a child, contact us and we will delete it.
8. Security
We use industry-standard measures: HTTPS everywhere, encrypted database connections, scoped access tokens, and the principle of least privilege for our staff and tools. No online service is 100% secure; if a breach occurs that affects your data, we will notify you within 72 hours as GDPR requires.
9. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by email or by a notice in the dashboard at least 30 days before they take effect.
10. Contact & data controller
Data controller: the Operator (a private individual). For any privacy question, data request, or to exercise your GDPR rights, email support@menurai.com. See also our Terms of Service.