Privacy Policy

Last updated: March 10, 2026

MenuHoster values your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our Service.

At a Glance

Here's a quick summary of our privacy practices:

  • We collect account information, menu content, usage data, and device/log information
  • We use your information to provide the Service, improve features, and communicate with you
  • We do not sell your personal information
  • We do not use Google or Facebook user data for advertising purposes
  • You can access, update, and delete your account and data
  • Published menus are publicly visible; you control what information is displayed
  • We use industry-standard security measures to protect your data
  • You can manage cookie preferences at any time via the banner or footer link

Information We Collect

Account Information

When you create an account, we collect:

  • Email address (if registering with email)
  • Name
  • Password (encrypted and not accessible to us)
  • Profile information (optional business name, description, phone number, location)

When you sign in with Google or Facebook (OAuth):

  • Name
  • Email address
  • Profile picture (if available)
  • Unique provider ID (for authentication purposes)

We do NOT:

  • Post to your Facebook timeline or pages
  • Access your Facebook friends list
  • Read your Gmail or access Google Drive
  • Access Facebook pages unless you explicitly connect them (we currently do not offer this feature)

Menu Content and Business Information

We collect and store:

  • Uploaded menu files (PDFs, images)
  • Structured menu data you enter (item names, prices, descriptions, categories)
  • Business name, description, and contact information you choose to display
  • Photos and branding assets
  • Custom QR code designs

Usage Data and Analytics

We collect information about how you and your customers interact with the Service:

  • Menu views and QR code scans
  • Timestamps of visits
  • Page interactions
  • Session duration
  • Referral sources
  • Session recordings — on authenticated pages only, we may record your clicks, scrolls, and page navigation to help us understand how the product is used and fix issues. Recordings never capture passwords, payment details, or hidden form fields. Session recording is only active when you have consented to analytics cookies and is not used on public-facing menu pages.

Device and Log Data

We automatically collect:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Time zone and language preferences
  • Referring URLs
  • Error logs and diagnostic information

Cookies and Tracking Technologies

We use cookies and similar technologies to operate MenuHoster, analyze usage, and serve relevant advertising. When you first visit MenuHoster, you'll see a cookie consent banner that lets you choose which categories of cookies to allow.

Cookie Categories

We organize cookies into three categories:

CategoryPurposeExamplesCan You Opt Out?
EssentialAuthentication, security, consent state, core functionality__mh_cc, __clerk_*, __mh_geoNo — required for MenuHoster to work
AnalyticsUsage statistics, page views, performance monitoring_ga, _gid, __mh_attr, ph_*Yes — via the cookie banner or footer link
MarketingAd measurement, remarketing, conversion tracking_gcl_aw, _fbpYes — via the cookie banner or footer link

Managing Your Cookie Preferences

You can change your cookie preferences at any time by clicking "Cookie Preferences" in the footer of any page, or through your browser's cookie settings. If you withdraw consent for analytics or marketing cookies, we will stop setting those cookies and delete any existing ones from those categories.

Consent by Region

MenuHoster adjusts its cookie consent behavior based on your location:

  • European Union, UK, India, Brazil, Switzerland, South Korea, Japan:We require your explicit consent before setting analytics or marketing cookies. Non-essential cookies are blocked until you click "Accept All" or choose specific categories.
  • United States, Canada, Australia, New Zealand:Analytics and marketing cookies are active by default. You can opt out at any time using the cookie banner or the "Cookie Preferences" link in the footer.
  • All other regions: Same as United States — active by default with opt-out.

Consent Records

When you make a cookie consent choice, we store a record of your decision (a unique consent ID, the categories you accepted, a timestamp, and a hashed version of your IP address) for compliance auditing. We never store your raw IP address in consent records. These records are retained for three years as required by GDPR and DPDPA regulations.

Analytics Providers

We use self-hosted Umami for lightweight website analytics, PostHog for selected product analytics and feature analysis, and internal event logging for operational reporting. When analytics or marketing cookies are denied, optional tracking remains disabled.

Payment Information

If you subscribe to a paid plan, payment information is processed by a third-party payment processor. We do not store your full credit card numbers. We may store:

  • Last four digits of your card (for display purposes)
  • Billing address
  • Transaction history

How We Use Information

We use the information we collect to:

  • Provide and maintain the Service — host your menus, generate QR codes, deliver analytics
  • Authenticate your account — verify your identity and secure your access
  • Process payments — handle subscriptions and billing
  • Communicate with you — send account verification emails, passwordless login links, billing receipts, limit warnings, and important updates
  • Improve the Service — analyze usage patterns, fix bugs, develop new features
  • Ensure security — detect and prevent fraud, abuse, and unauthorized access
  • Provide customer support — respond to your questions and requests
  • Comply with legal obligations — respond to lawful requests and enforce our Terms

We do NOT use your information for:

  • Advertising or marketing purposes without your consent
  • Selling or renting your personal information to third parties
  • Using Google or Facebook user data to serve ads

Legal Bases for Processing

Depending on where you live, we process your personal information based on:

  • Contract performance — to provide the Service you've signed up for
  • Legitimate interests — to improve the Service, ensure security, and communicate with you
  • Consent — where required by law, such as for analytics cookies and marketing communications
  • Legal obligations — to comply with applicable laws and regulations

How We Share Information

We do not sell your personal information.

We may share information in the following circumstances:

Service Providers

We share data with trusted third-party vendors who help us operate the Service:

  • Cloud hosting and storage providers — to store your data
  • Payment processors — to handle billing
  • Analytics services — to understand usage patterns
  • Email service providers — to send transactional emails
  • OAuth providers (Google, Facebook) — for authentication

These providers are contractually obligated to protect your information and use it only for the purposes we specify.

Specific Service Providers

We currently use the following third-party service providers:

  • Self-hosted on Coolify (Hostinger KVM) — application hosting and infrastructure
  • MongoDB, Inc. (MongoDB Atlas) — database hosting for user accounts and menu data
  • Cloudinary Ltd. — image and media storage for uploaded assets
  • Self-hosted Umami — lightweight website analytics
  • Cloudflare, Inc. — CDN, DDoS protection, and privacy region detection via CF-IPCountry header
  • Clerk, Inc. — authentication and user management
  • LemonSqueezy (Lemon Squeezy LLC) — subscription billing and payment processing
  • Postmark (ActiveCampaign LLC) — transactional email delivery
  • PostHog, Inc. — product analytics and session recording on authenticated pages (data hosted in the US)

These providers may process personal data on our behalf solely to provide their services and are contractually obligated to protect your information.

Legal Requirements

We may disclose information if required to:

  • Comply with a subpoena, court order, or other legal process
  • Enforce our Terms of Service
  • Protect the rights, property, or safety of MenuHoster, our users, or the public

We review all requests from public authorities for legality, disclose only the minimum information required by law, and document such requests and our responses.

Business Transfers

If MenuHoster is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

With Your Consent

We may share information for other purposes with your explicit consent.

Public Information

When you publish a menu on MenuHoster, the following information becomes publicly visible to anyone with the URL or QR code:

  • Business name and description
  • Menu items, prices, and descriptions
  • Photos and images
  • Phone number (if you include the "Call Restaurant" button)
  • Any other information you choose to display

Published menus are indexed by search engines and accessible to the public. You control what information appears by choosing what to include on your menu pages. To remove information from public view, unpublish your menu or delete it from your account.

Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specifically:

  • Account information — retained while your account is active
  • Menu content — retained while your menus are published or saved as drafts
  • Analytics data — retained for up to 2 years for reporting purposes
  • Session recordings — automatically deleted after 90 days
  • Consent records — retained for 3 years for GDPR/DPDPA compliance auditing
  • Log data — retained for up to 90 days for security and debugging

After you delete your account, we will delete or anonymize your personal information within 30 days, except where we must retain it for legal, security, or fraud prevention purposes.

Security

We implement industry-standard security measures to protect your information:

  • Data encrypted in transit using HTTPS
  • Data encrypted at rest on our servers
  • Regular security assessments and updates
  • Access controls and authentication requirements
  • Monitoring for suspicious activity
  • IP addresses hashed with SHA-256 before storage (never stored in raw form)

However, no system is completely secure. While we strive to protect your data, we cannot guarantee absolute security.

Your Choices and Rights

Access and Update

You can access and update your account information at any time through your dashboard. If you need assistance, contact us via our contact form.

Delete Your Account and Data

You can delete your account from your dashboard settings. Upon deletion:

  • Your account and personal information will be removed within 30 days
  • Your published menus will be taken offline immediately
  • Analytics data may be retained in anonymized form for reporting

Alternatively, submit a request via our contact form to request account deletion.

Opt Out of Marketing Emails

If we send marketing communications (with your consent), you can opt out by clicking the "unsubscribe" link in any email. Note that you will still receive transactional emails necessary for the Service (e.g., account verification, billing receipts).

Session Recordings

If you'd like your session recordings deleted sooner than the 90-day automatic retention period, contact us via our contact formwith the subject "Delete My Recordings" and we will remove them within 30 days. Opting out of analytics cookies also stops any future recordings from being collected.

Cookie Controls

You can manage cookies through our cookie consent banner (shown on first visit) or by clicking "Cookie Preferences" in the footer of any page. You can also control cookies through your browser settings. If you reject all non-essential cookies, MenuHoster will continue to work — you can still browse menus, sign in, and use all core features.

Do Not Track and Global Privacy Control

MenuHoster respects Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we treat it as a request to opt out of non-essential cookies and will not set analytics or marketing cookies unless you explicitly opt in via our cookie banner.

For the older "Do Not Track" browser signal, note that there is no industry-wide consensus on how to respond to DNT. However, our cookie consent system provides a clear and granular way to control tracking.

Your Privacy Rights by Region

European Economic Area and United Kingdom (GDPR / UK GDPR)

If you are in the EEA or UK, you have the right to:

  • Access a copy of your personal data
  • Rectify inaccurate data
  • Request erasure ("right to be forgotten")
  • Restrict processing
  • Data portability (receive your data in a structured format)
  • Object to processing based on legitimate interests
  • Withdraw consent at any time (without affecting prior lawful processing)
  • Lodge a complaint with your local Data Protection Authority

India (Digital Personal Data Protection Act, 2023)

If you are in India, you have the right to:

  • Access a summary of your personal data and processing activities
  • Correct and update inaccurate or incomplete data
  • Erase your data (subject to legal retention requirements)
  • Nominate another person to exercise your rights on your behalf
  • Grievance redressal — contact us and we will respond within 30 days

Importantly, you can continue to use MenuHoster's core features (viewing published menus) even if you reject all non-essential cookies. We will never deny you access to publicly available menu content based on your cookie preferences.

United States (CCPA / CPRA and State Privacy Laws)

If you are a California resident or covered by other US state privacy laws, you have the right to:

  • Know what personal information we collect and why
  • Request deletion of your personal information
  • Opt out of the "sale" or "sharing" of personal information — we do not sell your data
  • Non-discrimination for exercising your privacy rights

To exercise any of these rights, submit a request via our contact form. We will verify your identity and respond within the timeframe required by applicable law (typically 30–45 days).

Brazil (LGPD)

If you are in Brazil, you have the right to:

  • Confirm whether your data is being processed
  • Access your data
  • Correct incomplete or inaccurate data
  • Anonymize, block, or delete unnecessary data
  • Request data portability
  • Revoke consent at any time

OAuth-Specific Information

What We Receive from Google and Facebook

When you sign in with Google or Facebook, we receive:

  • Your name
  • Your email address
  • Your profile picture (if available)
  • A unique provider ID to authenticate your account

We use this information solely for account creation, authentication, security, and customer support.

What We Do NOT Access

  • Google: We do not access your Gmail, Google Drive, Google Calendar, or any other Google services. We do not read your emails or files.
  • Facebook: We do not post to your timeline, access your friends list, or read your messages. We do not access Facebook pages unless you explicitly connect them (not currently available).

We Do Not Use Google or Facebook Data for Advertising

We do not use data obtained from Google or Facebook to serve you advertisements. We do not sell this data to third parties.

How to Revoke Access

You can revoke MenuHoster's access to your Google or Facebook account at any time:

Google:

  1. Go to your Google Account settings: myaccount.google.com
  2. Navigate to "Security" → "Third-party apps with account access"
  3. Find MenuHoster and click "Remove Access"

Facebook:

  1. Go to Facebook Settings: facebook.com/settings
  2. Navigate to "Apps and Websites"
  3. Find MenuHoster and click "Remove"

After revocation, you will need to sign in using a different method or reconnect your Google/Facebook account.

Data Deletion Instructions

To delete all data associated with your MenuHoster account:

  1. Log in to your MenuHoster dashboard
  2. Go to Account Settings
  3. Click "Delete Account" and confirm

This deletion includes all personal data obtained through Google or Facebook login.

Alternatively, submit a request via our contact formwith the subject "Delete My Account" and we will process your request within 30 days.

Children's Privacy

MenuHoster is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will promptly delete it. If you believe a child has provided us with personal information, contact us via our contact form.

International Data Transfers

MenuHoster is operated from infrastructure hosted by Hostinger (Lithuania, EU) with Cloudflare providing CDN and edge services globally. Your information may be processed in the EU and other countries where our service providers operate.

If you access the Service from a region with specific data transfer requirements (such as the EU under GDPR), we rely on appropriate safeguards including standard contractual clauses and service provider agreements to ensure your data is protected during transfer.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:

  • Posting a notice on menuhoster.com
  • Sending an email to the address associated with your account

The "Last updated" date at the top of this policy reflects the most recent changes. We encourage you to review this policy periodically.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:

Contact: Contact Form

Website: menuhoster.com

We will respond to your inquiry within a reasonable timeframe, typically within 30 days.

← Back to MenuHoster