Privacy Policy
Last updated: May 29, 2026
1. Introduction
thMenu ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services at thmenu.com.
By using thMenu, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
Account Information: When you register, we collect your name, email address, and business information.
Menu & Business Data: Content you upload including menu items, photos, prices, and restaurant details.
Usage Data: We automatically collect information such as browser type, pages visited, time spent, and device information.
Customer Interaction Data: Anonymous analytics on how customers interact with your menus (views, clicks, orders).
3. How We Use Your Information
We use the information we collect for the following purposes; each is tied to a legal basis under GDPR Article 6 (and the corresponding KVKK Article 5/6 basis for Turkish data subjects):
• Provide, operate, and maintain the thMenu platform — contract performance (GDPR Art. 6(1)(b))
• Process transactions and manage subscriptions — contract performance (Art. 6(1)(b)) + legal obligation for tax records (Art. 6(1)(c))
• Send service notifications and administrative messages — contract performance (Art. 6(1)(b))
• Marketing email communications — your consent (Art. 6(1)(a)); you can withdraw at any time via the unsubscribe link in each message
• Analyse usage to improve our services — legitimate interests (Art. 6(1)(f)); for cookie-based analytics, your consent (ePrivacy Art. 5(3))
• Comply with legal obligations — legal obligation (Art. 6(1)(c))
• Prevent fraud and ensure security — legitimate interests (Art. 6(1)(f))
You have the right to object to processing based on legitimate interests — see Section 7.
4. Data Sharing & International Transfers
We do not sell, trade, or rent your personal information to third parties. We may share data with:
Service Providers (sub-processors): Trusted third parties who assist in operating our platform (Cloudflare Inc., Supabase Inc., Stripe Inc., Resend Inc., PostHog Inc., Sentry / Functional Software Inc.). The full and current list is published on our Compliance page.
International transfers: The sub-processors above are based in the United States. Transfers of EEA / UK personal data are covered by EU Standard Contractual Clauses (SCCs) or equivalent UK IDTAs. Transfers of Turkish personal data follow KVKK Article 9 — see our KVKK page for the legal basis.
Legal Requirements: When required by law or to protect our rights.
Business Transfers: In connection with a merger, acquisition, or sale of assets — you will be notified of any change of controller.
5. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected and to comply with applicable legal obligations. The schedule below is canonical and mirrors the GDPR + Account-Deletion pages.
Request deletion at any time at dpo@synaltix.io. See the Account Deletion page for the full procedure.
| Category | Retention | Legal basis |
|---|---|---|
| Account profile | Lifetime + 30-day grace | GDPR Art. 6(1)(b) |
| Invoices & payments | 7y US IRS / 10y EU VAT / 10y TR TTK — longest | Art. 6(1)(c) / KVKK md. 5(2)(ç) |
| Order data (end-customer) | 6m active + anonymised aggregates | Legitimate interest |
| Cookie consent | 13 months | Art. 7(1) |
| Support / email | 3 years | Statute of limitations |
| Push subscription token | 90d inactive | Storage limitation |
| Audit logs (hot) | 1 year | Art. 32 / KVKK md. 12 |
| Audit logs (cold, hashed) | 7 years | SOC 2 |
| Affiliate KYC (pgcrypto) | 7y post closure | IRS 1099 + AML |
| AI inference cache | 7 days | Storage limitation |
6. Data Security
We implement industry-standard security measures including:
• TLS/SSL encryption for all data in transit
• AES-256 encryption for data at rest
• Cloudflare DDoS and WAF protection
• Regular security audits and penetration testing
7. Your Rights
Depending on your location, you may have the right to:
• Access your personal data
• Correct inaccurate data
• Request deletion ("right to be forgotten")
• Object to or restrict processing
• Data portability
• Withdraw consent at any time
To exercise these rights, contact us at thmenu@synaltix.io.
8. Cookies
We use cookies and similar tracking technologies. For details, please see our Cookie Policy.
9. Children's Privacy
thMenu is a B2B platform aimed at restaurant operators (commercial users). Minimum account-holder age is 18 (or local age of majority).
• GDPR Art. 8 (EU/EEA) — default 16, with member-state derogations: DE 16, IE 16, NL 16, FR 15, ES 14, IT 14, BE 13, SE 13. For users below the applicable threshold, processing requires verifiable parental consent.
• UK DPA 2018 §9 + ICO Children's Code — 13.
• USA — COPPA 15 USC §6501-6506 — verifiable parental consent for under-13s; suspended within 7 days of detection without verified consent.
• Türkiye — TMK m. 11 — 18 for full contractual capacity.
End-customers (e.g. a 12-year-old scanning a QR code to view a menu) generate only pseudonymous browser-side data; no account is created. If a minor's admin account is detected, we delete it within 7 days. Report at thmenu@synaltix.io.