Privacy Policy

Last updated: 14 May 2026

1. Who we are

Menu Mastermind is operated by Dimitris Taktikos & Elena K. Tsiavasili, based in Greece. We act as the data controller for personal data we collect about restaurant operators using the Service. We process menu-viewer data (anonymous QR-menu visitors) on behalf of those restaurant operators.

Contact: dimitristakt@gmail.com

2. What we collect

From you (the operator):

  • Account: email, display name, restaurant name, password hash.
  • Menu content: dishes, sections, photos, logos, brand settings, sales CSVs you upload.
  • AI request logs: which AI feature you called, timestamp, token usage. Used to monitor abuse and bill usage.
  • Support clicks: when you open WhatsApp support, we record the route you came from.

From your menu visitors (anonymous):

  • One row in menu_views per page load: timestamp, referrer, user-agent. No cookies, no IP, no profile.

3. Why we use it

  • To provide the Service (host menus, run AI features, deliver QR pages).
  • To prevent abuse and bill AI usage fairly.
  • To send transactional emails (verification, password resets, billing receipts).
  • To give operators view analytics for their own menus.

We do not sell your data, do not use it to train third-party advertising models, and do not share menu content with other operators.

4. Legal basis (GDPR)

  • Contract: operating your account and the Service.
  • Legitimate interest: abuse prevention, security logs, basic analytics.
  • Legal obligation: keeping invoices for tax purposes.
  • Consent: marketing emails, when you opt in.

5. Sub-processors

We use these services to run Menu Mastermind:

  • Supabase (database, auth, storage) — EU region.
  • Cloudflare (hosting, edge runtime).
  • Lovable AI Gateway (Google Gemini, OpenAI GPT) for AI features.
  • Google Search Console for SEO measurement.
  • Payment processor (added when paid plans launch; will be Paddle, the merchant of record).

All sub-processors are GDPR-compliant. AI prompts may contain dish names and descriptions you choose to send; do not send personal data through AI features.

6. Cookies and tracking

We use only essential cookies: a session cookie to keep you signed in. The public QR menu does not set tracking cookies and does not load analytics scripts. We do not use advertising cookies.

7. Retention

  • Account & menu data: until you delete it or close your account.
  • AI request logs: 90 days.
  • Menu view records: 24 months.
  • Invoices and tax records: as required by Greek law (typically 5 years).

8. Your rights

Under GDPR you can:

  • Access the personal data we hold about you.
  • Correct or delete it.
  • Export your menus and data.
  • Object to processing or withdraw consent.
  • Lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr).

Email dimitristakt@gmail.com and we will respond within 30 days.

9. International transfers

Most processing happens in the EU. Where data is processed outside the EU (e.g. AI providers in the US), Standard Contractual Clauses or equivalent safeguards are in place.

10. Security

We use TLS in transit, encrypted storage at rest, row-level security in the database, and least-privilege access. No system is perfectly secure; if we ever experience a breach affecting your data, we will notify you within 72 hours.

11. Changes

We will email account owners about material changes to this policy and update the "Last updated" date above.