CCPA / CPRA — California Consumer Privacy Notice
Last updated: May 29, 2026
1. Applicability
This notice applies to California residents under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). The business covered is Synaltix LLC (1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110, USA), operating the thMenu platform. Inquiries: dpo@synaltix.io.
2. Categories of Personal Information Collected
Categories collected in the preceding 12 months (retention mirrors Privacy §5 and GDPR §5):
| Category | Examples | Retention |
|---|---|---|
| Identifiers | Name, email, IP, account ID | Account lifetime + 30 days |
| Commercial information | Subscription tier, invoices, payouts | 7 years (US IRS) |
| Internet / network activity | Page views, app interaction, error reports | 12 months (anonymised after) |
| Professional / employment | Business name, role, address | Account lifetime + 30 days |
| Inferences | Usage patterns informing recommendations | 12 months |
| Audio (affiliate support tickets) | Voice recordings | 3 years |
Sensitive Personal Information (Cal. Civ. Code §1798.140(ae)): thMenu does not knowingly collect government IDs, financial credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, immigration status, contents of communications, genetic data, biometric data for unique identification, health data, or sex-life / sexual-orientation data. Payment-card details are tokenised and processed directly by Stripe. Affiliate KYC fields (Tax ID, IBAN, ACH) are encrypted at rest with pgcrypto AES; CPRA "Limit Use of Sensitive PI" applies to that field set.
3. Sources of Personal Information
Directly from you, automatically from your interactions (logs, strictly-necessary cookies, consent-gated analytics), and from sub-processors (Stripe, Sumsub, Sentry, Cloudflare).
4. Business Purposes for Use and Disclosure (Cal. Code Reg. §7012)
Service provision; payment + subscription management; legal compliance (tax, AML, sanctions, IRS 1099); customer support; fraud and abuse prevention; product analytics and quality improvement; AI-assisted features (Cloudflare Workers AI; no third-party model training).
5. Sale and Sharing of Personal Information
thMenu does not sell personal information (§1798.140(ad)) and does not share for cross-context behavioural advertising (§1798.140(ah)).
Global Privacy Control (GPC). In accordance with Cal. Code Reg. §7025, when our servers receive a valid GPC signal (the Sec-GPC: 1 HTTP header), we treat it as a legally binding opt-out of sale and sharing. The signal binds to the browser profile; no separate confirmation required. Signed-in users have the opt-out propagated to their account for 12 months. If our practices ever change so a sale or sharing would occur, the cookie banner, this notice and account settings will be updated and a meaningful opt-out provided before any sale or sharing.
6. California Consumer Rights
• Know · Access · Delete · Correct · Opt out of sale/sharing · Limit use of Sensitive PI · Non-discrimination.
7. How to Submit a Request
Two channels per Cal. Code Reg. §7026:
• Email dpo@synaltix.io
• Web form at https://thmenu.com/legal/ccpa-request.
We respond within 45 days and may extend by 45 days with prior notice (§1798.130(a)(2)). Verification: access/know — registered email + one-time code; deletion/correction — sign-in with 2FA; Sensitive PI requests — notarised statement.
8. Authorized Agent (Cal. Code Reg. §7063)
You may designate an authorised agent. We verify:
1. Written and signed authorisation specifying agent and scope;
2. Direct confirmation from you (we email/text the registered contact);
3. Agent identity — government photo ID for sensitive requests; business registration for corporate agents.
Deletion requests require notarised power of attorney or direct online verification. Access / know / correct requests need only written authorisation plus your confirmation. Agents must not retain personal information beyond what is necessary to complete the request.
9. Non-Discrimination and Financial Incentives
We do not deny services, charge different prices or provide a different level of service based on you exercising your CCPA/CPRA rights. We do not currently offer financial incentives for personal information.
10. Contact
DPO: dpo@synaltix.io · Privacy: thmenu@synaltix.io · California Privacy Protection Agency: cppa.ca.gov.