Skip to content
FunktionerPriserPartnerBlogHjælpOm osKontakt
Kom i gangLog ind
This page is available in:English|Türkçe— You are viewing the English version.

Privacy Policy

Version 3.0

Last updatedJune 19, 2026Effective15 July 2026

1. Introduction

Thmenu ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services at thmenu.com. By using Thmenu, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

Account Information: When you register, we collect your name, email address, and business information.

Menu & Business Data: Content you upload including menu items, photos, prices, and restaurant details.

Usage Data: We automatically collect information such as browser type, pages visited, time spent, and device information.

Customer Interaction Data: Anonymous analytics on how customers interact with your menus (views, clicks, orders).

3. How We Use Your Information

We use the information we collect for the following purposes; each is tied to a legal basis under GDPR Article 6 (and the corresponding KVKK Article 5/6 basis for Turkish data subjects):

Provide, operate, and maintain the Thmenu platform — contract performance (GDPR Art. 6(1)(b))
Process transactions and manage subscriptions — contract performance (Art. 6(1)(b)) + legal obligation for tax records (Art. 6(1)(c))
Send service notifications and administrative messages — contract performance (Art. 6(1)(b))
Marketing email communications — your consent (Art. 6(1)(a)); you can withdraw at any time via the unsubscribe link in each message
Analyse usage to improve our services — legitimate interests (Art. 6(1)(f)); for cookie-based analytics, your consent (ePrivacy Art. 5(3))
Comply with legal obligations — legal obligation (Art. 6(1)(c))
Prevent fraud and ensure security — legitimate interests (Art. 6(1)(f))

You have the right to object to processing based on legitimate interests — see Section 7.

4. Data Sharing & International Transfers

We do not sell, trade, or rent your personal information to third parties. We may share data with:

Service Providers (sub-processors): Trusted third parties who assist in operating our platform (Cloudflare Inc., Supabase Inc., Stripe Inc., Resend Inc., PostHog Inc., Sentry / Functional Software Inc.). The full and current list is published on our Compliance page.

International transfers: The sub-processors above are based in the United States. Transfers of EEA / UK personal data are covered by EU Standard Contractual Clauses (SCCs) or equivalent UK IDTAs. Transfers of Turkish personal data follow KVKK Article 9 — see our KVKK page for the legal basis.

Legal Requirements: When required by law or to protect our rights.

Business Transfers: In connection with a merger, acquisition, or sale of assets — you will be notified of any change of controller.

5. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected and applicable legal obligations. The schedule below is canonical and mirrors the GDPR + Account-Deletion pages.

CategoryRetentionLegal basis
Account profileLifetime + 30-day graceGDPR Art. 6(1)(b)
Invoices & payments7y US IRS / 10y EU VAT / 10y TR TTK — longestArt. 6(1)(c) / KVKK md. 5(2)(ç)
Order data (end-customer)6m active + anonymised aggregatesLegitimate interest
Cookie consent13 monthsArt. 7(1)
Support / email3 yearsStatute of limitations
Push subscription token90d inactiveStorage limitation
Audit logs (hot)1 yearArt. 32 / KVKK md. 12
Audit logs (cold, hashed)7 yearsSOC 2
Affiliate KYC (pgcrypto)7y post closureIRS 1099 + AML
AI inference cache7 daysStorage limitation

Request deletion at any time at dpo@synaltix.io. See the Account Deletion page for the full procedure.

6. Data Security

We implement industry-standard security measures including:

• TLS/SSL encryption for all data in transit
• AES-256 encryption for data at rest
• Cloudflare DDoS and WAF protection
• Regular security audits and penetration testing

7. AI Usage Data (New in v3)

When you use Thmenu's AI features (AI product descriptions, AI menu chat):

Prompts and responses are not retained beyond the duration of the API call — no AI training on your content, no cross-restaurant caching
AI call counts (timestamp, restaurant_id, kind: ai_desc | ai_chat) are retained for:
  – 7 days for the per-restaurant daily quota counter
  – 90 days for billing reconciliation against Stripe metered usage records
  – Forever in anonymized aggregate form for service capacity planning
Overage billing data is transmitted to Stripe as part of metered usage records

If you delete your account, all AI usage data tied to your restaurant is anonymized within 30 days.

8. Your Rights

Depending on your location, you may have the right to:

Access your personal data
Rectification of inaccurate data
Erasure ("right to be forgotten")
Restriction of processing
Portability (machine-readable export)
Objection to processing for direct marketing or legitimate interests
Withdrawal of consent for consent-based processing

To exercise these rights, use the in-app DSR portal at /dashboard/settings/privacy or email privacy@thmenu.com. We respond within 30 days (GDPR/KVKK) or 45 days (CCPA, extendable to 90 days with notice).

9. Cookies

We use cookies and similar tracking technologies. For details, please see our Cookie Policy.

10. Children's Privacy

Thmenu is a B2B platform aimed at restaurant operators (commercial users). Minimum account-holder age is 18 (or local age of majority).

GDPR Art. 8 (EU/EEA) — default 16, with member-state derogations: DE 16, IE 16, NL 16, FR 15, ES 14, IT 14, BE 13, SE 13. For users below the applicable threshold, processing requires verifiable parental consent.
UK DPA 2018 §9 + ICO Children's Code — 13.
USA — COPPA 15 USC §6501-6506 — verifiable parental consent for under-13s; suspended within 7 days of detection without verified consent.
Türkiye — TMK m. 11 — 18 for full contractual capacity.

End-customers (e.g. a 12-year-old scanning a QR code to view a menu) generate only pseudonymous browser-side data; no account is created. If a minor's admin account is detected, we delete it within 7 days. Report at thmenu@synaltix.io.

11. EU/UK Representative — Art. 27(2)(a) Exemption

Synaltix LLC has assessed its activities under GDPR Article 27(2)(a) (and the equivalent UK GDPR provision) and has determined that a formal EU/UK representative is not required at this time. Our processing of EU/EEA and UK personal data is occasional (restaurant operator accounts and their end-customer order data), does not include large-scale processing of special categories of data, and is unlikely to result in a risk to the rights and freedoms of natural persons.

An internal written assessment supporting this determination is maintained at docs/gdpr-art27-exemption-assessment.md (version-controlled, updated annually or on material change).

EU/EEA and UK data subjects may exercise all rights under GDPR Articles 15–22 and UK GDPR directly via:

Email: privacy@thmenu.com
In-app DSR portal: /dashboard/settings/privacy

We respond to all requests within 30 days (GDPR standard) or 45 days (CCPA standard, extendable to 90 days with notice).

12. Contact Us

For privacy-related questions or requests:

General privacy inquiries: privacy@thmenu.com
DSR requests: /dashboard/settings/privacy or privacy@thmenu.com
Data Protection Officer: dpo@thmenu.com
Security disclosures: security@thmenu.com

Postal: Synaltix LLC, 1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110, USA