Privacy Policy
Effective Date: March 7, 2026
Supa.menu ("Supa," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at https://supa.menu and any related services (collectively, the "Service").
1. Data Controller
The data controller responsible for your personal data is:
Supa.menu
Email: support@supa.menu
2. Information We Collect
Information You Provide
- Account Information: Name, email address, and password when you create an account
- Menu Content: Photos, menu item names, descriptions, prices, and other data you upload
- Payment Information: Billing details processed securely through our payment provider (Polar.sh). We do not store your full payment card details.
- Communications: Any messages or feedback you send us
Information Collected Automatically
- Usage Data: Pages visited, features used, and interactions with the Service
- Device Information: Browser type, operating system, and device identifiers
- Log Data: IP address, access times, and referring URLs
3. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service you requested (Article 6(1)(b) GDPR)
- Legitimate Interests: Analytics and service improvement, fraud prevention, and security (Article 6(1)(f) GDPR)
- Consent: Where you have given explicit consent, such as for marketing communications (Article 6(1)(a) GDPR)
- Legal Obligation: Where processing is required to comply with applicable laws (Article 6(1)(c) GDPR)
4. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve the Service
- Process your menu uploads using AI to extract menu data
- Process payments and manage subscriptions
- Send transactional emails (account verification, password resets, billing)
- Respond to your inquiries and support requests
- Monitor and analyze usage trends to improve the Service
- Detect, prevent, and address fraud and security issues
5. AI Processing
We use third-party AI services (OpenAI) to process your uploaded menu images and extract menu data. Images are sent to OpenAI's API for processing and are handled in accordance with OpenAI's data usage policies. We do not use your menu data to train AI models.
6. Data Sharing
We do not sell your personal data. We may share your information with:
- Service Providers: Third-party vendors who help us operate the Service (hosting, payment processing, AI processing, analytics)
- Legal Requirements: When required by law, regulation, or legal process
- Business Transfers: In connection with a merger, acquisition, or sale of assets
Third-Party Services We Use
- Convex: Database and backend services
- OpenAI: AI-powered menu extraction
- Polar.sh: Payment processing
- Vercel: Hosting and deployment
7. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion, we will delete or anonymize your data within 30 days, unless retention is required by law.
9. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Restriction: Request restriction of processing
- Data Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at support@supa.menu. We will respond within 30 days.
10. Cookies
We use essential cookies necessary for the Service to function (authentication, session management). We do not use advertising or tracking cookies.
11. Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit and at rest, access controls, and regular security assessments. However, no method of transmission over the Internet is 100% secure.
12. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Effective Date." Your continued use of the Service after changes constitutes acceptance of the updated policy.
14. Supervisory Authority
If you are located in the EU/EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Email: support@supa.menu