1. Introduction and Acceptance
Menu Malak LLC ("Menu Malak", "the Company", "we", "us", or "our") operates a multi-tenant cloud platform for restaurant management comprising the website at menumalak.com, the Tenant Admin portal, the Point of Sale (POS), the Kitchen Display System (KDS), the QR ordering portal, and the Menu Malak Admin iOS application (collectively, the "Service").
By accessing or using any part of the Service, you acknowledge that you have read, understood, and agreed to this Privacy Policy and our Terms of Service. If you do not agree, you must immediately cease using the Service.
Controlling language: The English version of this Policy is the controlling text. The Arabic version is provided for informational purposes only; in case of conflict, the English text prevails.
2. Our Roles: Controller and Processor
We act in two distinct capacities depending on the data type:
- Data Controller with respect to tenant account data (restaurants and their staff users), telemetry, and marketing data.
- Data Processor with respect to end-customer data that a tenant inputs into the Service (e.g., QR-ordering customers, loyalty / customer databases). The tenant is the controller of such data and bears the primary obligations toward its own customers.
3. Controller Details
Menu Malak LLC, registered in the United Arab Emirates.
Privacy contact: info@menumalak.com
Website: https://menumalak.com
EU / UK Representative: Not currently appointed. We do not systematically target EU or UK data subjects. We will appoint a representative under GDPR Article 27 if and when required.
4. Information We Collect
a. Contact Information
- First and last name, email address (used as login), phone number
- Restaurant name and physical branch addresses
b. Identifiers
- User ID, tenant ID, authentication tokens (JWT)
- IP address, browser type, operating system, device type
c. Usage and Diagnostic Data
- In-app activity logs (audit logs)
- Feature interaction (taps, screen views)
- Crash logs and performance metrics
d. Business and Transactional Data
- Orders, invoices, gift card balances, customer credit balances
- Payment amounts and methods, shift logs, staff performance data
e. User-Uploaded Content
- Photos of menu items, combos, banners, stories, logos
f. Payment Information (PCI)
We never store or process full payment card data. Card details are entered directly with our payment processor Ziina (PCI-DSS Level 1 compliant). Our scope is PCI-DSS SAQ-A; we retain only a transaction reference, amount, and status.
g. Biometric Data
We do not collect biometric data. Any use of Touch ID or Face ID to unlock the app is performed entirely on-device; the biometric data never leaves your device and is never transmitted to us.
5. How We Use Your Data (Article 6 Matrix)
We process your data on the following legal bases:
- Performance of contract: operating the account, processing orders and payments, delivering features.
- Legitimate interest: security, fraud prevention, product improvement, aggregated analytics.
- Legal obligation: retention of tax and accounting records, response to authority requests.
- Consent: marketing communications, non-essential cookies (if any), optional push notifications.
We do not use your data for behavioral advertising and we do not sell or share it with any third party for targeted advertising purposes.
6. Automated Decision-Making and AI
We do not currently engage in automated decision-making within the meaning of GDPR Article 22 (decisions that produce legal or similarly significant effects on you without human involvement). If we introduce any such feature, we will update this Policy and provide an opt-out mechanism.
7. Data Sharing and Sub-Processors
We share data only with the following trusted sub-processors, and only as necessary:
- Supabase Inc.: database hosting and authentication
- Cloudflare, Inc.: CDN, image storage (R2), DDoS protection
- DigitalOcean LLC: API server hosting
- Ziina Payment Services: online payment processing
- Apple Inc.: iOS app distribution and push notifications
New sub-processor notice: we will notify tenants at least 30 days before adding a new sub-processor, via email or in-app notice, allowing time to object.
We may also disclose data to authorities upon lawful request, to protect our rights or user safety, or in connection with a merger or acquisition.
8. Telemetry and Analytics Providers
- Cloudflare Analytics: aggregate, cookie-less site analytics
- Apple App Analytics: aggregate iOS analytics, opt-in at the OS level
- Internal diagnostic logs on our own infrastructure
We do not use Google Analytics, Facebook Pixel, Mixpanel, Sentry, or any analytics provider that tracks users across sites.
9. Data Processing Addendum (DPA)
For tenants subject to GDPR, UK GDPR, or UAE PDPL, we offer a Data Processing Addendum (DPA) incorporating EU Standard Contractual Clauses and the UK International Data Transfer Addendum (IDTA). Email info@menumalak.com to execute one.
10. Data Retention Schedule
- Financial and tax records: 7 years (UAE)
- Audit and security logs: 2 years
- Session tokens: 30 days
- Closed accounts (soft delete): 30 days, then hard delete
- Backups: 90-day rolling windows
- Marketing consent: until withdrawn
11. Data Security
- TLS 1.2+ encryption for all data in transit
- Strict tenant data isolation enforced at the database layer
- JWT signature verification on every request
- Role-based access control and audit logging
- Daily backups and 24/7 monitoring
However, no system is 100% secure and absolute security cannot be guaranteed.
12. Data Breach Notification
If we become aware of a personal data breach:
- We will notify affected tenants without undue delay, and where feasible within 72 hours.
- We will notify competent supervisory authorities as required by applicable law.
- We will provide details on the nature of the breach, affected data, and mitigation measures.
13. User Responsibilities
- You are solely responsible for the confidentiality of your account credentials (password, PIN, tokens).
- You are responsible for all activity that occurs under your account.
- You must notify us immediately of any unauthorized use or suspected security breach.
- You are responsible for the accuracy of data you enter (orders, prices, inventory).
- You are responsible for complying with all applicable laws governing your business.
- You are responsible for maintaining independent backups of critical operational data.
14. Tenant Obligations Toward End-Customers
If you are a tenant (restaurant) and you collect data about your end-customers via the Service (QR orders, reservations, loyalty):
- You are the controller of that data, not us.
- You must publish your own privacy policy covering this collection.
- You must obtain any required consents (marketing, cookies) from your customers.
- You must respond to data-subject requests from your customers directly; we provide tools to help you fulfill them.
15. Disclaimer of Warranties and Limitation of Liability
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" without warranties of any kind, whether express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, or non-infringement.
TO THE MAXIMUM EXTENT PERMITTED BY LAW, MENU MALAK LLC SHALL NOT BE LIABLE FOR:
- Loss of data resulting from your improper use of the Service, accidental deletion, or failure to maintain independent backups.
- Unauthorized access to your account caused by your negligence in protecting credentials or sharing them with others.
- Indirect, incidental, consequential, special, or punitive damages, including loss of profits, goodwill, business opportunity, or data.
- Downtime, malfunction, or delay caused by third-party providers (Supabase, Cloudflare, DigitalOcean, Ziina, Apple).
- Damage caused by malware, viruses, cyberattacks, or intrusions that bypass our reasonable security controls.
- Force majeure events (power outages, natural disasters, war, government action, internet outages).
- Financial loss caused by human error of users on your account (incorrect prices, wrong transactions, misconfiguration).
- Damage resulting from your violation of this Policy, the Terms of Service, or applicable law.
OUR TOTAL AGGREGATE LIABILITY to you shall not exceed the total fees actually paid by you to Menu Malak LLC during the twelve (12) months preceding the event giving rise to the claim.
16. Indemnification
You agree to indemnify, defend, and hold harmless Menu Malak LLC, its officers, employees, and agents from and against any claims, losses, damages, liabilities, and costs (including reasonable attorneys' fees) arising out of or relating to:
- Your use of the Service in violation of this Policy or the Terms of Service
- Your violation of any law or third-party right
- Content you upload or input into the Service
- Your negligence or willful misconduct
17. Force Majeure
We shall not be liable for any failure or delay in performance due to causes beyond our reasonable control, including acts of God, war, terrorism, pandemics, strikes, internet or telecommunications outages, government actions, or failure of third-party infrastructure.
18. Your Rights (UAE PDPL, GDPR, CCPA)
Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the EU General Data Protection Regulation, and the California Consumer Privacy Act, you have the following rights:
- Access your personal data and obtain a copy
- Correct inaccurate data
- Deletion ("right to be forgotten"), subject to our legal obligations
- Restrict or object to processing
- Data portability (structured, machine-readable format)
- Withdraw consent at any time
- Do not sell or share (CCPA); we do not sell or share your data in the first place
- Lodge a complaint with the UAE Data Office or the competent supervisory authority
Data Subject Access Requests (DSARs): contact us at info@menumalak.com. We respond within 30 days (extendable by 60 days for complex requests). The first request is free. We may require identity verification.
Authorized agent: permitted under CCPA; signed authorization required.
Global Privacy Control (GPC) signals: we honor GPC signals from users in applicable U.S. states as a request not to sell or share.
19. App Store Privacy Label
Our App Store privacy disclosures align with this Policy as follows:
- Data Linked to You: Contact Info, Identifiers, Usage Data, Diagnostics, User Content, Transaction data
- Data Used to Track You: None
- Purposes: App Functionality, Authentication, Legal Compliance
20. iOS App: Permissions and Account Deletion
Permissions requested:
- Photo Library: to select images of menu items, combos, banners, and stories for upload.
- Notifications: for new-order alerts and system updates (optional).
Account deletion: in compliance with Apple App Store Review Guideline 5.1.1(v), you may delete your account and all associated data directly from Settings > Account > Delete Account within the app, or by emailing info@menumalak.com. We complete deletion within 30 days (subject to legally required minimum retention).
App Tracking Transparency (ATT): we do not use Apple's ATT framework and we do not track you across other companies' apps or websites.
21. Marketing Communications
We may occasionally send marketing emails (product updates, offers). You can unsubscribe at any time via the "unsubscribe" link in every email, or by contacting info@menumalak.com. You cannot opt out of service-related messages (receipts, security alerts).
22. Cookies
We use only essential cookies for authentication and language preferences. We do not use advertising or cross-site tracking cookies. We honor "Do Not Track" and GPC signals.
23. International Data Transfers
Your data may be processed in India, the United States, and the European Union by our service providers. We ensure appropriate contractual safeguards (EU SCCs and UK IDTA where applicable) for any such transfer, in line with Articles 22–23 of the UAE PDPL.
24. Children's Privacy
The Service is intended for adult business owners (16 years and older) and is not directed at children. We do not knowingly collect children's data. If we discover such data, we delete it immediately. The minimum age in the United States is 13 under COPPA.
25. Aggregated and De-Identified Data
We reserve the right to create and use aggregated, de-identified data derived from platform activity to improve the product, conduct research, measure performance, and produce industry reports. Such data does not identify any individual or business and is not subject to this Policy.
26. Government and Law Enforcement Requests
We respond only to government or law-enforcement requests based on valid legal process (court order, subpoena, search warrant). We notify the affected tenant unless legally prohibited. We aim to publish an annual transparency report.
27. Changes to this Policy and Version History
We will announce material changes via email or in-app notice at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
Version history:
- v3.0 (May 3, 2026): full expansion (PDPL, GDPR, CCPA, DPA, sub-processor publication, account deletion, version history).
- v2.0 (May 3, 2026): added liability cap, indemnification, force majeure.
- v1.0 (March 23, 2026): initial version.
28. Governing Law and Dispute Resolution
This Policy is governed by the laws of the United Arab Emirates. Any dispute shall be subject to the exclusive jurisdiction of the courts of Dubai.
29. Severability and Waiver
If any provision is held invalid or unenforceable, the remaining provisions remain in full force and effect. Failure to enforce a right does not constitute a waiver of that right.
30. Contact
Menu Malak LLC
United Arab Emirates
Email: info@menumalak.com
Website: https://menumalak.com