Legal

Privacy Policy

Effective date: 11 March 2026 · Last updated: 11 March 2026

This Privacy Policy describes how TATOS Technologies Private Limited (“we”, “us”, or “our”), the company behind tapmenu.me, collects, uses, stores, and protects information about you when you use our platform. By using tapmenu, you agree to the practices described here.

This policy applies to all users worldwide, including users in India (covered under the Digital Personal Data Protection Act, 2023 and the IT Act, 2000), the European Union/UK (covered under GDPR / UK GDPR), and California, USA (covered under CCPA/CPRA).

1. Who We Are

TATOS Technologies Private Limited is a company incorporated in India that operates the digital menu and restaurant management platform available at tapmenu.me. We act as the Data Controller (GDPR) and Data Fiduciary (DPDP Act, 2023) with respect to the personal data described in this policy.

For any privacy-related queries, contact our Grievance Officer / Data Protection contact at: [email protected]

2. Data We Collect

We collect data in the following categories:

2.1 Account Information

  • Full name / display name
  • Email address (primary identifier for your account)
  • Password (stored using a one-way cryptographic hash — we cannot read or recover your password)
  • Profile avatar URL (if you sign in via Google OAuth)
  • Google account ID (if you use Sign in with Google)
  • Account creation date and status

2.2 Restaurant / Organization Data

When you create a restaurant profile, you provide:

  • Restaurant name, description, and unique handle (URL slug)
  • Business address
  • Contact phone number and email
  • Food license number (if provided — for display on your menu)
  • Logo image
  • Operating hours and open/closed settings
  • Social media links (Instagram, WhatsApp, Facebook, etc.)
  • Theme and display preferences
  • Currency setting

This data is published publicly on your restaurant’s menu page. Only share contact details you wish customers to see.

2.3 Menu Content

  • Menu item names, descriptions, and prices
  • Dish images (thumbnails and gallery photos — stored on Cloudflare R2)
  • Category names and sort orders
  • Availability settings (status, schedules, offer prices)
  • Tags (e.g., “Popular”, “Chef’s Special”)
  • Dietary indicators (vegetarian / egg)
  • Pricing variants

This content is published publicly on your menu page and accessible by anyone with your menu link.

2.4 Team Member Data

  • Email addresses of staff you invite to your organization
  • Role and permission assignments
  • Invitation status and timestamps

You are responsible for obtaining the consent of your team members before entering their email addresses on our platform.

2.5 Subscription & Billing Data

  • Subscription plan details (plan name, billing interval, status)
  • Subscription period start and end dates
  • Payment status (succeeded, failed, refunded)
  • Transaction identifiers (from Dodo Payments)
  • Subscription history (plan changes, upgrades, cancellations)

We do not store card numbers, CVVs, or full payment details. All payment processing is handled exclusively by Dodo Payments. See Section 5 for third-party details.

2.6 AI Feature Data

  • Photos of physical menus you upload for AI scanning (sent to Google Gemini for processing)
  • Text prompts used for AI dish description generation

Images uploaded for menu scanning are transmitted to Google Gemini API for extraction and are governed by Google’s Privacy Policy. We do not store these images after the scanning session.

2.7 Technical & Usage Data

  • IP address (logged by servers on API requests)
  • Browser type and device information (from HTTP headers)
  • Pages visited and features used within the dashboard
  • API request logs and error logs
  • Webhook event logs (from Dodo Payments)
  • Session tokens stored in secure cookies that are not accessible to client-side scripts

3. How We Use Your Data

Purpose | Legal Basis
Provide and operate the tapmenu platform | Contract performance
Authenticate your identity and secure your account | Contract / Legitimate interest
Process subscription payments and manage billing | Contract performance
Send transactional emails (account, payment, invitation) | Contract performance
Publish your restaurant menu publicly | Contract performance (user consent)
Provide AI menu scanning and description generation | Contract performance (user consent)
Prevent fraud, abuse, and unauthorized access | Legitimate interest / Legal obligation
Respond to support requests | Contract / Legitimate interest
Improve and debug the platform | Legitimate interest
Comply with legal and regulatory obligations | Legal obligation

We do not sell your personal data. We do not use your data for behavioural advertising or share it with data brokers.

4. Cookies & Session Tokens

We use secure cookies to maintain your login session. These cookies:

  • Are not accessible to client-side scripts running on the page
  • Are only transmitted over encrypted HTTPS connections
  • Are scoped to the tapmenu.me domain
  • Expire automatically after a short period of inactivity; you are re-authenticated seamlessly in the background

We do not use third-party tracking cookies, advertising cookies, or analytics cookies at this time.

5. Third-Party Service Providers

We share data with the following sub-processors to operate the platform. Each has agreed to handle data securely and in compliance with applicable laws:

MongoDB, Inc.

Cloud database hosting — stores all application data including account, organization, and product records

Location: USA / EU (region-dependent)

Privacy policy

Cloudflare, Inc.

Cloud storage and CDN — stores all uploaded images (logos, product photos) and serves static platform assets

Location: Global

Privacy policy

Dodo Payments

Payment processing — handles subscription checkout and billing. Card data is processed under PCI-DSS compliance.

Location: As per Dodo Payments policy

Privacy policy

Google LLC

Authentication (Sign in with Google) and AI-powered features (menu scanning and description generation)

Location: USA

Privacy policy

ImageKit Inc.

Media delivery — CDN for static platform assets

Location: Global

Privacy policy

6. Data Storage & Security

Your data is stored on servers operated by MongoDB Atlas and Cloudflare, which may be located outside India. By using tapmenu, you consent to the transfer and processing of your data internationally, subject to the safeguards described in this policy.

We implement the following security measures:

  • Passwords are stored using a strong, one-way cryptographic hash — they cannot be recovered or read by anyone, including us
  • All data in transit is encrypted using TLS
  • Session tokens are stored in secure cookies that cannot be accessed by client-side scripts
  • Role-based access controls limit what data each user and team member can access within the platform
  • Payment webhook payloads are cryptographically verified before being processed

No security system is 100% impenetrable. In the event of a data breach, we will notify affected users and the appropriate authorities as required by applicable law.

7. Data Retention

Data Type | Retention Period
Account data | Until you delete your account, then 30 days
Restaurant & menu data | Until you delete the organization, then 30 days
Uploaded images | Until removed from the product/organization, then deleted from R2
Payment & subscription records | 7 years (statutory financial record obligation under Indian law)
Webhook & transaction logs | 2 years for audit purposes
Server access logs (IP, etc.) | 90 days
AI scan uploads (photos) | Not retained — discarded after processing
Inactive accounts (no login) | Account data may be deleted after 24 months of inactivity with prior notice

8. Your Rights

Depending on your location, you have the following rights over your personal data. To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

Right to Access

Request a copy of all personal data we hold about you.

Right to Correction

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your account and personal data (subject to legal retention obligations).

Right to Withdraw Consent

Withdraw consent at any time for processing based on consent. This does not affect prior processing.

Right to Data Portability

Receive your data in a structured, machine-readable format (EU/UK users).

Right to Object

Object to processing based on legitimate interests (EU/UK users).

Right to Restrict Processing

Request restriction of certain processing activities (EU/UK users).

Right to Nominate

Nominate another individual to exercise your rights on your behalf in the event of your death or incapacity (India — DPDP Act 2023).

Right to Grievance Redressal

Lodge a complaint with our Grievance Officer. India-based users may also escalate to the Data Protection Board of India.

California Privacy Rights (CCPA/CPRA)

California residents may request disclosure and deletion of personal information. We do not sell personal data.

9. Children’s Privacy

tapmenu is a business platform intended for adults operating restaurants and food service businesses. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has created an account, contact us immediately at [email protected] and we will promptly delete the account and associated data.

10. Public Menu Data

Your restaurant’s public menu page (accessible at tapmenu.me/your-handle or via your custom subdomain) is publicly accessible on the internet. Menu items, pricing, and the restaurant contact details you choose to display are visible to anyone. Search engines and web crawlers may index this content. Do not include sensitive personal information in public-facing fields.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (at the address associated with your account) or by posting a prominent notice on the platform at least 7 days before the changes take effect. Your continued use of tapmenu after the effective date constitutes acceptance of the updated policy.

12. Grievance Officer (India)

In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, we have designated a Grievance Officer to address privacy-related complaints:

Data Fiduciary / Grievance Officer

TATOS Technologies Private Limited

Email: [email protected]

Response time: Within 30 days of receipt of complaint

India-based users may escalate unresolved complaints to the Data Protection Board of India once it becomes operational.

13. Contact Us

For general privacy questions, data requests, or concerns, contact us at:

TATOS Technologies Private Limited

Privacy enquiries: [email protected]

General support: [email protected]