
Privacy Compliance

GDPR · KVKK · CCPA/CPRA · Global Standards

Last updated: June 4, 2026

Overview

Global
thMenu is committed to protecting your personal data in compliance with all applicable privacy laws worldwide — including the EU General Data Protection Regulation (GDPR), the Turkish Personal Data Protection Law (KVKK), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and equivalent legislation in the United States, Canada, Australia, Japan, Brazil, and other jurisdictions.

Data Controller

All Regions
Synaltix LLC (Albuquerque, NM, USA — operating the thMenu platform) acts as the Data Controller for personal data of platform users (restaurant owners and staff).

For end-customers of restaurants using thMenu, the restaurant operator acts as the Data Controller and Synaltix LLC acts as the Data Processor under a DPA.

Contact for privacy requests: thmenu@synaltix.io · Legal & formal correspondence: legal@synaltix.io

Personal Data We Collect

All Regions
Identity & Contact: Name, email address, phone number
Business Data: Restaurant name, address, tax information
Usage Data: Platform interactions, preferences, analytics
Payment Data: Subscription tier, transaction history (card details processed by Stripe — never stored by thMenu)
Technical Data: IP address, browser type, device identifiers

Legal Basis for Processing

GDPR / KVKK
Contract Performance (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)): Processing necessary to provide our Services.

Legitimate Interests (GDPR Art. 6(1)(f)): Analytics, security, fraud prevention.

Legal Obligation (GDPR Art. 6(1)(c) / KVKK Art. 5(2)(ç)): Tax records, regulatory compliance.

Consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1)): Marketing communications (opt-in only).

Your Rights

All Regions
🇪🇺 EEA Residents (GDPR):
Right of Access (Art. 15) · Right to Rectification (Art. 16) · Right to Erasure (Art. 17) · Right to Restriction (Art. 18) · Right to Portability (Art. 20) · Right to Object (Art. 21)

🇹🇷 Türkiye (KVKK Art. 11):
Learn whether your personal data is processed · Request information · Request correction · Request erasure · Request notification of the parties to whom the data was transferred · Object to harm

🇺🇸 California Residents (CCPA/CPRA):
Right to Know · Right to Delete · Right to Correct · Right to Opt-Out of Sale · Right to Non-Discrimination · Right to Limit Sensitive Data Use

🌐 Other Jurisdictions:
Residents of Canada (PIPEDA), Australia (Privacy Act), Brazil (LGPD), Japan (APPI), and other countries enjoy equivalent rights under applicable local law.

International Data Transfers

GDPR / KVKK
We transfer personal data outside the EEA and Turkey to the following sub-processors under EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), and — where the provider is self-certified — the EU–US Data Privacy Framework:

Cloudflare, Inc. (USA) — edge compute, R2 object storage, DNS
Supabase, Inc. (USA) — authentication, primary database
Stripe, Inc. (USA) — payment processing
Resend, Inc. (USA) — transactional email
PostHog, Inc. (USA) — product analytics (opt-in via cookie banner)
Sentry / Functional Software, Inc. (USA) — error monitoring
Wise Payments Ltd. (UK/USA) — affiliate payouts (used only when affiliate enables Wise payouts; opt-in)

All transfers are designed to comply with GDPR Chapter V, the UK GDPR, and KVKK Article 9. A copy of the SCCs / IDTA is available on request at legal@synaltix.io.

Sub-processor change notification (LEGAL-25): We will publish updates to this list at least 30 days before a new sub-processor begins processing your data. Notification channels: this page (canonical), email to all account admins, and a banner on the admin dashboard. Customers may object in writing within the 30-day window; sustained objection is grounds for contract termination with a pro-rata refund.

We Do Not Sell Your Data

CCPA/CPRA
thMenu does not sell personal information as defined by the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising.

Data Retention

All Regions
Account data: Duration of account + 30 days after deletion request
Transaction records: 7 years (legal obligation)
Analytics data: 12 months (anonymized thereafter)
Support communications: 3 years

Data Breach Notification

GDPR / Global
In the event of a personal data breach we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33), notify affected users without undue delay, and comply with KVKK, CCPA/CPRA, and other applicable breach notification requirements.

How to Exercise Your Rights

All Regions
Submit a request to: thmenu@synaltix.io

Response times: GDPR: 30 days · KVKK: 30 days · CCPA/CPRA: 45 days

You may also lodge a complaint with your local supervisory authority — ICO (UK), CNIL (France), BfDI (Germany), Kişisel Verileri Koruma Kurumu (Turkey), or the California Privacy Protection Agency (USA).