
GDPR — General Data Protection Regulation

Last updated: May 29, 2026

1. Controller and Representatives

Synaltix LLC (1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110, USA — operating the thMenu platform) acts as the Data Controller for personal data of platform users (restaurant owners, staff, affiliates). For end-customers of restaurants, the restaurant operator acts as the Data Controller and Synaltix LLC acts as the Data Processor under a written DPA (signed at account opening; copy on request from legal@synaltix.io).

EU Representative (GDPR Art. 27): Synaltix LLC processes personal data of EU data subjects and has therefore appointed a written EU Representative:
  Name: [Appointed representative — to be filled before EU launch]
  Address: [EU member state address]
  Email: eu-representative@synaltix.io

UK Representative (UK GDPR Art. 27 + DPA 2018 Sch. 1):
  Name: [Appointed representative — to be filled before UK launch]
  Email: uk-representative@synaltix.io

Data Protection Officer: dpo@synaltix.io.

2. Legal Basis for Processing

Contract (Art. 6(1)(b)): account creation, billing, support, order/reservation processing.
Legal obligation (Art. 6(1)(c)): tax records, IRS 1099, AML.
Legitimate interests (Art. 6(1)(f)): platform security, fraud prevention, aggregate analytics — balancing test on file.
Consent (Art. 6(1)(a)): non-essential cookies + marketing emails + newsletter (double opt-in).

AI-assisted processing (Art. 13(2)(f) + Art. 22): Cloudflare Workers AI (LLaMA 3.1 8B + @cf/baai/bge embedding) generates product descriptions, computes blog embeddings, surfaces menu recommendations, and produces business insights. Inference is stateless; we do NOT train third-party AI models on your data. AI-generated outputs are flagged in admin (ai_generated=1). You may request human review of any AI-assisted decision (see §3).

3. Data Subject Rights

EU/EEA residents have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), not to be subject to automated decision-making (Art. 22), withdraw consent (Art. 7(3)), lodge a complaint (Art. 77 — directory at edpb.europa.eu). Send requests to dpo@synaltix.io; we reply within 30 days (Art. 12(3)), extendable by two months.

4. International Data Transfers (Chapter V)

Sub-processors located outside the EEA receive personal data under EU Standard Contractual Clauses 2021/914 (Module 2/3) plus supplementary measures per EDPB Recommendations 01/2020 (encryption in transit + at rest, network access controls, RBAC). The EU–US Data Privacy Framework is relied on where the provider is self-certified.

• Cloudflare Inc. — infrastructure, CDN, R2, D1, KV, Vectorize, Workers AI
• Supabase Inc. — auth + Postgres (EU Frankfurt)
• Stripe Inc. — payments (DPA + SCCs)
• Resend Inc. — transactional email
• PostHog Inc. — analytics (cookie-gated)
• Sentry — error monitoring (PII-scrubbed)
• Wise Payments Ltd. — affiliate payouts (opt-in)

Updates: at least 30 days' notice; full list on the Compliance page.

5. Retention

Category | Retention | Basis
Account profile | Lifetime + 30 days | Art. 6(1)(b)
Invoices & payments | 7y US IRS / 10y EU VAT / 10y TR TTK — longest applicable | Art. 6(1)(c)
Order/transaction (end-customer) | 6m active + anonymised aggregates | Legitimate interest
Cookie consent | 13 months | Art. 7(1)
Support / email | 3 years | Statute of limitations
Push subscription token | 90d inactive or invalidated | Storage limitation
Audit logs (hot) | 1 year | Art. 32
Audit logs (cold, hashed) | 7 years | SOC 2
Affiliate KYC (pgcrypto) | 7y post closure | IRS 1099 + AML
AI inference cache | 7 days | Storage limitation

6. Data Breach Notification

On detection of a personal data breach (Art. 4(12)) we will: notify the lead supervisory authority within 72 hours (Art. 33); notify affected data subjects without undue delay where the breach is likely to result in high risk (Art. 34); document every breach for at least 5 years (Art. 33(5)); coordinate with Cloudflare, Supabase, Stripe and other sub-processors.

7. DPO and Complaints

DPO: dpo@synaltix.io. EU Representative: eu-representative@synaltix.io. You may complain to your member-state DPA (ICO, CNIL, BfDI, Garante, Datatilsynet etc.). Full directory: edpb.europa.eu/about-edpb/about-edpb/members_en.