Skip to content
OminaisuudetHinnoitteluKumppanitBlogiOhjeMeistäYhteystiedot
AloitaKirjaudu sisään
This page is available in:English|Türkçe— You are viewing the English version.

Data Processing Agreement

GDPR Art. 28 · UK GDPR · KVKK — processor terms

Last updated1 July 2026Effective1 July 2026

1. Parties, Scope & Precedence

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service between Synaltix LLC ("Thmenu", "Processor", "we") and the customer ("Controller", "you"). It governs our processing of personal data on your behalf when you use the Thmenu platform. Where this DPA conflicts with the Terms on a data-protection matter, this DPA prevails. It takes effect on your acceptance of the Terms and remains in force for as long as we process personal data on your behalf.

2. Definitions

"GDPR" means Regulation (EU) 2016/679 and, as applicable, the UK GDPR and Data Protection Act 2018. "KVKK" means Türkiye's Law No. 6698 on the Protection of Personal Data. "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-processor" and "Personal Data Breach" have the meanings given in the GDPR (and their KVKK equivalents: "veri sorumlusu", "veri işleyen", "ilgili kişi", "kişisel veri"). "Applicable Data Protection Law" means all of the foregoing to the extent they apply to the processing.

3. Roles of the Parties

GDPR / KVKK
For personal data of your end customers and (where applicable) hotel guests processed through the platform, you are the Controller and Thmenu is the Processor. You determine the purposes and means; we process only to provide the service. For our own limited controller activities (billing, account administration, security logging, and product analytics on our own users), we act as an independent Controller under our Privacy Policy.

4. Processing Details (Annex I)

Subject-matter: provision of the Thmenu SaaS platform.
Duration: for the term of the Terms plus the retention/deletion window in §11.
Nature & purpose: hosting, storing, transmitting and displaying menu/order data; taking table and room orders; customer engagement; and — for Diamond hotel accounts — binding an in-room menu to a guest and returning orders for folio posting.
Categories of data subjects: your end customers (diners), your staff, and hotel guests (Diamond).
Categories of personal data: order contents and amounts; table/room identifiers; contact details you or the data subject provide (name, email, phone) for orders, feedback, loyalty or reservations; device/technical data (IP address, user-agent, approximate location signals) processed for fraud prevention and service delivery; and, via the PMS API, hotel guest state (name, room number, language, stay/loyalty identifiers). We do not seek special-category data; you must not push it through free-text fields.

5. Processor Obligations (Art. 28(3))

We will: (a) process personal data only on your documented instructions (the Terms, this DPA, and your use of the platform's configuration), including for international transfers, unless required by law (in which case we inform you unless legally prohibited); (b) ensure persons authorised to process are bound by confidentiality; (c) implement the security measures in §7; (d) respect the sub-processor conditions in §6; (e) assist you, by appropriate technical and organisational measures, to respond to data-subject requests (§8); (f) assist you with security, breach notification, DPIAs and prior consultation (Arts. 32-36); (g) at your choice, delete or return personal data at the end of provision (§11); and (h) make available information necessary to demonstrate compliance and allow for audits (§9). If we consider an instruction infringes Applicable Data Protection Law, we will inform you.

6. Sub-processors

Sub-processors
You grant general authorisation to engage the sub-processors below, each bound by data-protection terms no less protective than this DPA. We remain fully liable for their performance.

Cloudflare, Inc. (USA/global edge) — hosting, CDN, edge compute, R2 storage
Supabase, Inc. (USA) — authentication + primary database
Stripe, Inc. (USA) — subscription payments (and, where enabled, pay-at-table)
Resend, Inc. (USA) — transactional email
PostHog, Inc. (USA) — product analytics (cookie-gated)
Sentry / Functional Software, Inc. (USA) — error monitoring

The current list is maintained on our Compliance page. We will give at least 30 days' notice of any intended addition or replacement of a sub-processor; you may object on reasonable data-protection grounds within that period, and if we cannot accommodate the objection you may terminate the affected service.

7. Security Measures (Art. 32)

We maintain technical and organisational measures appropriate to the risk, including: encryption in transit (TLS) and encryption at rest for sensitive fields (e.g. pgcrypto-encrypted KYC/bank data); strict access controls and least-privilege; row-level security and privileged-field write triggers; CSRF, rate-limiting, brute-force and bot/anonymiser defenses; audit logging; PII minimisation and hashing in logs; encrypted, access-controlled backups with live-secret redaction; and a documented secret-rotation process. Measures are reviewed and improved over the life of the service; we may update them provided the level of protection is not materially reduced.

8. Data-Subject Requests

Taking into account the nature of the processing, we assist you by appropriate technical and organisational measures — including in-product export and deletion tooling and, where needed, support requests to legal@synaltix.io — to fulfil your obligation to respond to requests to exercise data-subject rights (access, rectification, erasure, restriction, portability, objection) under the GDPR and KVKK. If a data subject contacts us directly, we will refer them to you and not respond substantively except on your instruction or as required by law.

9. Personal Data Breach

We will notify you without undue delay after becoming aware of a Personal Data Breach affecting your personal data, and provide information reasonably available to help you meet your notification obligations (Arts. 33-34 / KVKK breach-notice rules), including the nature of the breach, likely consequences, and measures taken or proposed. Notification is not an acknowledgement of fault.

10. International Transfers

Our infrastructure and sub-processors are primarily in the United States. Where personal data of EEA/UK/Türkiye data subjects is transferred to a country without an adequacy decision, the transfer is protected by the applicable safeguard — the EU Standard Contractual Clauses (Module Two: Controller-to-Processor), the UK International Data Transfer Addendum, and, for Türkiye, KVKK Art. 9 mechanisms — together with supplementary technical measures (encryption, access controls). The SCCs are incorporated by reference; where they conflict with this DPA, the SCCs prevail on transfer matters.

11. Deletion & Return

On expiry or termination of the service, and at your choice, we will delete or return all personal data processed on your behalf and delete existing copies, except to the extent Applicable Data Protection Law requires storage (e.g. invoice records: 7 years). Absent a contrary instruction, personal data is retained for a 30-day grace period then permanently erased. Hotel guest data pushed via the PMS API is retained only for the duration of the stay plus this window. Backups age out on their normal rotation.

12. Audit

We make available information necessary to demonstrate compliance with Art. 28 and contribute to audits, including inspections, conducted by you or a mutually agreed independent auditor bound by confidentiality. Audits are on reasonable prior notice (at least 30 days), no more than once per 12 months (unless required by a supervisory authority or following a breach), during business hours, and without disrupting our operations or the confidentiality of other customers. We may satisfy audit requests by providing our then-current security documentation and third-party attestations.

13. Türkiye / KVKK Specifics

KVKK
For Turkish data subjects, KVKK obligations apply regardless of the governing-law clause in the Terms. Thmenu, as veri işleyen (processor), processes kişisel veri only on your instructions as veri sorumlusu, applies the security measures required by KVKK Art. 12, and assists with VERBİS/data-subject obligations. Cross-border transfer relies on KVKK Art. 9 (explicit consent where required, or the applicable safeguards). You remain responsible for your own KVKK registration and lawful-basis determinations.

14. Liability, Term & Contact

Each party's liability under this DPA is subject to the limitations of liability in the Terms. This DPA continues until we cease all processing of personal data on your behalf. It is governed by the same law and forum as the Terms, without prejudice to mandatory data-subject and supervisory-authority rights.

Data-protection contact: legal@synaltix.io. A countersigned copy of this DPA is available on request.