Privacy Policy

1. Introduction

DailyMenu LLC ("we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service (DailyMenu).

Effective Date: December 15, 2025

Last Updated: December 17, 2025

This Privacy Policy applies to all users of DailyMenu, regardless of location. We comply with applicable data protection laws, including:

• GDPR - General Data Protection Regulation (European Union)
• CCPA - California Consumer Privacy Act (California, USA)
• LFPDPPP - Ley Federal de Protección de Datos Personales en Posesión de los Particulares (Mexico)

By using our Service, you consent to the data practices described in this Privacy Policy. Please also review our Terms of Service.

Contact for Privacy Inquiries: [email protected]

2. Information We Collect

2.1 Account Information

When you create an account via OAuth, we collect:

• Email address (required)
• Full name (required)
• Profile photo URL (optional, from OAuth provider)
• OAuth provider ID (Google or Facebook user ID)
• Authentication tokens (refresh_token, access_token)

2.2 Business Information

When you set up your business profile, we collect:

• Business name
• Chosen subdomain (e.g., yourname.dailymenu.app)
• Business type (optional)
• Contact information (phone, WhatsApp, address, business hours) - all optional

2.3 Menu Content

Content you create using the Service:

• Product names and descriptions
• Pricing information
• Categories and organization
• Uploaded images (product photos, business logos)
• Template selections and color preferences
• Menu availability schedules

2.4 Payment Information

Payment data processed through Stripe:

• Billing email
• Credit card details (tokenized by Stripe, NOT stored by us)
• Stripe customer ID
• Subscription status and billing history

Important: We do not store your credit card information. All payment processing is handled securely by Stripe, a PCI DSS Level 1 certified provider.

2.5 Analytics Data (Business Plan Only)

If you have a Business plan subscription, we collect:

• Menu view counts
• QR code scan statistics
• Referral sources
• Device types (mobile/desktop)
• Geographic location (city-level, anonymized)
• Browser user agent strings

2.6 Technical and Usage Data

Automatically collected when you use the Service:

• IP addresses
• Browser type and version
• Operating system
• Request timestamps
• URLs accessed
• HTTP response codes
• Session duration
• Last login timestamp

3. How We Collect Information

3.1 Direct Collection

Information you provide directly:

• During account registration via Google or Facebook OAuth
• When setting up your business profile
• When creating and managing menu content
• When uploading images
• When contacting customer support

3.2 Automatic Collection

Information collected automatically:

• Server logs (IP addresses, timestamps, URLs)
• Cookies and session tokens (authentication)
• Analytics data (if Business plan subscriber)
• Error logs and debugging information

3.3 Third-Party Sources

Information from third parties:

• Google/Facebook: Email, name, profile photo (via OAuth)
• Stripe: Payment status, subscription information

4. How We Use Your Information

4.1 Provide the Service

• Create and manage your account
• Enable multi-tenant architecture (your isolated environment)
• Store and display your menu content
• Generate QR codes and public menu URLs
• Process payments and manage subscriptions

4.2 Authentication and Security

• Verify your identity via OAuth
• Maintain secure sessions
• Prevent unauthorized access and fraud
• Detect and respond to security incidents

4.3 Business Operations

• Billing and invoicing
• Customer support and troubleshooting
• Service improvements and feature development
• Platform security and stability

4.4 Analytics and Insights (Business Plan)

• Provide menu performance metrics
• Generate usage reports and insights
• Help you understand customer engagement

4.5 Legal Compliance

• Comply with legal obligations (tax records, court orders)
• Enforce our Terms of Service
• Respond to legal requests

5. Legal Basis for Processing (GDPR)

If you are in the European Union, we process your personal data based on the following legal grounds:

5.1 Contractual Necessity

Processing necessary to provide the Service you signed up for (account creation, menu hosting, payment processing).

5.2 Legitimate Interest

Processing necessary for our legitimate business interests, such as:

• Fraud prevention and security
• Analytics (Business plan features)
• Service improvements
• Customer support

5.3 Legal Obligation

Processing required by law (tax records, court orders, regulatory compliance).

5.4 Consent

For any processing not covered above, we will obtain your explicit consent (e.g., marketing communications if we add them in the future).

6. Sharing and Disclosure

6.1 Third-Party Service Providers

We share data with the following third parties to operate our Service:

6.2 Publicly Accessible Data

6.3 We Do Not Sell Your Data

6.4 Legal Disclosure

We may disclose your information if required by law:

• In response to court orders or subpoenas
• To comply with legal processes
• To protect our rights and property
• To investigate fraud or security incidents
• To protect user safety

7. Data Retention

7.1 Active Accounts

While your account is active, we retain your data indefinitely to provide the Service.

7.2 Canceled Accounts

After you cancel your subscription:

• Grace period: Data retained for 30 days (allows reactivation)
• After 30 days: All data is permanently deleted
• Exceptions: Payment records kept for 7 years (tax compliance)

7.3 Server Logs

• Access logs: 90 days
• Error logs: 90 days
• Security logs: 2 years

7.4 Backups

Data in backups is retained for 30 days and then permanently deleted. Backups are used only for disaster recovery.

7.5 Legal Records

Financial records (invoices, payment history) are retained for 7 years to comply with tax regulations.

8. Your Rights (GDPR/CCPA)

You have the following rights regarding your personal data:

How to Exercise Your Rights

To exercise any of these rights, email us at [email protected] with:

• Subject: "Data Rights Request - [Your Name]"
• Your account email
• Description of your request
• Verification information (for security)

Response time: We will respond within 30 days (GDPR) or 45 days (CCPA).

9. Data Security

We implement industry-standard security measures to protect your data:

9.1 Technical Safeguards

• Encryption: HTTPS/TLS for all data in transit
• Authentication: Secure OAuth with Google/Facebook
• Session Management: JWT tokens with httpOnly cookies
• CSRF Protection: Anti-CSRF tokens
• SQL Injection Prevention: Parameterized queries (Prisma ORM)
• Regular Updates: Security patches applied promptly

9.2 Access Controls

• Multi-tenant data isolation (database level)
• Role-based access control (RBAC)
• API authentication required for all endpoints

9.3 Infrastructure Security

• AWS security groups (firewall rules)
• SSH key-based authentication
• Automated backups (encrypted)
• DDoS protection (Cloudflare)

9.4 Incident Response

In the event of a data breach, we will:

• Notify affected users within 72 hours (GDPR requirement)
• Report to relevant authorities as required by law
• Investigate and remediate the incident
• Provide details about the breach and mitigation steps

Security concerns: Email [email protected]

9.5 Limitations

While we take reasonable precautions, no system is 100% secure. You are responsible for:

• Keeping your OAuth account secure
• Not sharing your login credentials
• Using strong passwords for your OAuth provider
• Reporting suspicious activity immediately

10. International Data Transfers

10.1 Data Location

Our servers are located in the United States (AWS US-East-1, Virginia). If you access the Service from outside the United States, your data will be transferred to and stored in the United States.

10.2 EU/EEA Users

For users in the European Union or European Economic Area, we rely on the following mechanisms for international data transfers:

• Standard Contractual Clauses (SCCs): EU-approved contracts for data transfers
• Adequacy Decisions: Where applicable (e.g., EU-US Data Privacy Framework)

10.3 Third-Party Transfers

Our third-party providers (AWS, Stripe, etc.) also transfer data internationally. They use appropriate safeguards such as SCCs and Privacy Shield certifications (where applicable).

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to improve your experience on DailyMenu. We are committed to GDPR, CCPA, and LFPDPPP compliance and only set non-essential cookies with your consent.

11.1 Essential Cookies

Required for the Service to function (cannot be disabled):

• next-auth.session-token: Authentication session (httpOnly, secure, expires when you log out)
• next-auth.csrf-token: CSRF protection (security)

These cookies are exempt from consent requirements under GDPR Article 5(3) as they are strictly necessary for the Service to function.

11.2 Analytics Cookies (Requires Consent)

We use analytics cookies to understand how visitors interact with menus and provide insights to Business plan subscribers:

• dm_visitor_id: Identifies returning visitors for analytics (1 year expiry)

Important: This cookie is ONLY set if you consent to analytics cookies. If you decline, we track page views anonymously without setting cookies.

11.3 What We Track with Analytics Cookies

If you consent to analytics cookies, we collect:

• Menu view counts (how many times your menu is viewed)
• Returning vs. new visitors
• Traffic sources (QR code, social media, direct link, etc.)
• Device types (mobile, desktop, tablet)
• User agent and browser information

11.4 No Advertising or Third-Party Tracking

11.5 Managing Your Cookie Preferences

You can manage your cookie preferences in three ways:

1. Cookie Banner: When you first visit DailyMenu, you can accept, decline, or customize cookies
2. Cookie Policy Page: Visit our Cookie Policy to manage preferences anytime
3. Browser Settings: Configure cookie settings directly in your browser (note: blocking essential cookies will prevent login)

11.6 Withdrawing Cookie Consent

You can withdraw your consent for analytics cookies at any time:

1. Visit our Cookie Policy
2. Click "Manage Cookie Preferences"
3. Toggle off "Analytics Cookies"
4. Save your preferences

The dm_visitor_id cookie will be immediately deleted from your browser, and we will stop tracking your visits.

11.7 Cookie Data Retention

• Essential cookies: Deleted when you log out or close your browser
• Analytics cookies: Expire after 1 year, or immediately if you decline
• Analytics data: Raw events stored for 30 days, aggregated data retained indefinitely

For complete details about our use of cookies, please see our Cookie Policy.

12. Children's Privacy

DailyMenu is a B2B service intended for business use only. We do not knowingly collect personal data from individuals under 18 years of age.

If you believe we have inadvertently collected data from a minor, please contact us immediately at [email protected], and we will delete it promptly.

13. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

13.1 Right to Know

You have the right to request:

• Categories of personal information we collect
• Specific pieces of personal information we have about you
• Categories of sources from which we collect information
• Business or commercial purposes for collecting information
• Categories of third parties with whom we share information

13.2 Right to Delete

Request deletion of your personal information (subject to legal exceptions like tax records).

13.3 Right to Opt-Out of Sale

13.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights (e.g., denying service or charging different prices).

13.5 How to Exercise CCPA Rights

Email us at [email protected] with subject "CCPA Request - [Your Name]"

Response time: 45 days (extendable by 45 more days if needed)

14. European Privacy Rights (GDPR)

If you are in the European Union or European Economic Area, you have specific rights under GDPR (already covered in Section 8). Additionally:

14.1 Legal Basis for Processing

See Section 5 for details on our legal basis for each type of processing.

14.2 Data Protection Officer

For data protection inquiries, contact: [email protected]

14.3 Supervisory Authority

You have the right to lodge a complaint with your local data protection authority. Find your authority at: https://edpb.europa.eu/about-edpb/board/members_en

14.4 Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or significantly affects you.

15. Changes to This Policy

15.1 Notification of Changes

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. If we make material changes, we will notify you:

• Via email at least 30 days before changes take effect
• Via prominent notice in the Service (banner or modal)
• By updating the "Last Updated" date at the top of this policy

15.2 Your Acceptance

Your continued use of the Service after the changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree, you must stop using the Service and may close your account.

15.3 Version History

Previous versions of this Privacy Policy are available upon request by emailing [email protected].

16. Contact Information

16.1 Privacy Inquiries

16.2 Legal Inquiries

16.3 Data Protection Officer

16.4 General Support

16.5 Company Information