Privacy Policy
Last updated: April 2026
This Privacy Policy explains what personal data MenuNFC processes, for what purposes and what your rights are, in accordance with the General Data Protection Regulation (GDPR – EU 2016/679).
1. Data controller
Personal data collected through MenuNFC is processed by Lluís Andreu Oliver Obrador, NIF 41536803E, Centre 13, 07670, Felanitx, Illes Balears, Spain, trading under the name MenuNFC. For any privacy-related queries, contact us at info@menu-nfc.com.
2. Data we collect
Restaurant owners (registered users):
- Name and email address.
- Restaurant name and configuration.
- Billing data, processed entirely by Stripe — MenuNFC does not store card details.
- Shipping address for physical NFC tag orders.
- Order history and subscription status.
End customers (diners): MenuNFC does not collect identifying data from users viewing the public menu. We may record anonymous, aggregated metrics (visit count, language) for statistical purposes.
Technical data: IP address, browser type and server access logs, retained for 12 months.
3. Purpose and legal basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Account, menu and order management | Contract performance — art. 6.1.b |
| Billing and payment processing | Contract performance / legal obligation |
| Shipping physical NFC tags | Contract performance — art. 6.1.b |
| Transactional communications | Contract performance — art. 6.1.b |
| Own marketing communications | Legitimate interest / consent — art. 6.1.a/f |
| Usage analysis and service improvement | Legitimate interest — art. 6.1.f |
| Legal and tax obligations | Legal obligation — art. 6.1.c |
4. Data retention
- Account data: for the duration of the contract and up to 5 years after cancellation.
- Billing data: 6 years (Spanish tax obligation).
- NFC tag orders: 5 years.
- Access logs: 12 months.
5. Recipients and data processors
MenuNFC works with the following providers as data processors:
- Stripe, Inc. — payment processing.
- Resend — transactional email delivery.
- Cloud infrastructure provider — data hosting and storage.
- NFC tag manufacturer / distributor — shipping data strictly required for delivery.
MenuNFC does not sell, rent or share personal data with third parties for their own purposes.
6. International transfers
Some providers may process data outside the European Economic Area. MenuNFC ensures adequate safeguards in all cases: Standard Contractual Clauses approved by the European Commission (SCCs) or other recognised legal instruments.
7. Your rights
You have the right to access, rectification, erasure, restriction of processing, data portability and objection. To exercise these rights, write to info@menu-nfc.com with your request and proof of identity.
Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
You may lodge a complaint with the Spanish Data Protection Agency (AEPD) at aepd.es.
8. Cookies
MenuNFC uses first-party and third-party cookies. See our Cookie Policy for details and to manage your preferences.
9. Security
We apply appropriate technical and organisational measures: TLS encryption, role-based access control, regular backups and access auditing.
10. Minors
The service is not directed at persons under 18 years of age. MenuNFC does not knowingly collect data from minors.
11. Changes to this policy
We may update this policy when necessary. Significant changes will be notified by email or via a prominent notice on the platform with reasonable advance notice.