Mealar Privacy Policy

This Policy describes how Mealar collects, uses, shares, protects, and retains personal data. Read it together with the Mealar Terms of Service; in conflicts on data-protection matters this Policy controls.

Effective: May 8, 2026

1. Scope and Who's Who

  • This Policy covers four groups: (1) Restaurant owner (B2B Customer) registering with Mealar; (2) Restaurant staff authorised by the owner; (3) End User (Public Menu visitor) who optionally leaves reviews; (4) Website visitors of mealar.com and its sub-domains.
  • Owner duty. The restaurant owner controls the legal relationship with their own customers (End Users) and must publish their own privacy notice and collect consent where required by applicable data-protection laws. Mealar's role as infrastructure provider does not discharge that duty (Section 10).

2. Our Roles

  • Owner's personal data (name, email, phone, payment, tax ID) — Mealar acts as Controller.
  • Authorised staff data — Processor (owner controls).
  • End User reviews and profile — Processor for the owner; controller to the limited extent we use aggregated data for our own product analytics.
  • Technical, security, anti-abuse logs — Controller.
  • Our marketing communications — Controller.

3. Data We Collect

  • 3.1 Registration: email (verified via one-time code, then deleted), restaurant name, country, language, currency, default menu language; optional phone, business address, business tax ID, restaurant logo.
  • 3.2 Account use: password is hashed by Google Firebase Auth — we never see plaintext; creation and last-login timestamps; IP at sensitive actions.
  • 3.3 Payments — Handled by Stripe, never seen by us: full card number, expiry, CVV, cardholder name. Stored by us as Stripe references: Stripe Customer ID, Subscription ID, plan code, billing cycle, start and renewal dates, currency, Mealar Points balance.
  • 3.4 Content: uploaded dish photos, AI outputs (accepted and rejected), AI-generated videos, 3D models (GLB/USDZ), dish names, descriptions, prices, allergens, tags, multi-language translations.
  • 3.5 End-User data — Anonymous visit: if no review is posted we collect only HTTP-request logs (IP, browser, time) for security and rate limiting. Review posting: display name (may be a pseudonym), email (collected but not verified), avatar (optional), review text (HTML/script stripped), rating (1–5), timestamp, IP, User-Agent. The owner is the controller of this data; we are the processor.
  • 3.6 Automated technical data: IP, HTTP method, path, response status, browser/User-Agent, action codes (e.g., "review_created", "ai_video_submitted", "support_access_granted"), timestamp, and contextual metadata. Retained for security, fraud prevention, abuse mitigation, capacity planning, audit, and dispute defence.
  • 3.7 Phone verification. If you opt in to phone verification, your phone number is sent to Twilio Verify for delivery of one-time codes. SMS / voice delivery may incur carrier fees on the recipient's side that we do not control. We rate-limit code requests and verification attempts to deter brute-force and SIM-swap abuse.
  • 3.8 Support data and review-report snapshots. Support requests, message bodies (text only — file uploads are not supported), and reply history. When a review is reported, we may retain an immutable snapshot of the reported review and the reporter's identifiers for audit and dispute purposes; the reporter's identity is not disclosed to the menu owner.
  • 3.9 Administrative support access logs. When a Mealar administrator uses the controlled support-access mechanism to impersonate an account (Section 13 of the Terms), we log the administrator's identity, the target account, the start/end time, the scope, and the justification. Default scope is one hour; access can be granted only by privileged staff and is subject to internal review.
  • 3.10 Data from third parties: Stripe (payment events, disputes), SendGrid (delivery, open, click, bounce, complaint, unsubscribe), Cloudflare (aggregate traffic analytics, custom-domain DNS resolutions logged at the edge), Firebase Auth (identity events), Google / Apple SSO (email and name where used).
  • We do not knowingly collect data beyond what is necessary for the Service.

4. Purposes and Legal Bases

  • We process personal data only where there is a valid legal basis under applicable data-protection laws.
  • Account creation, authentication — Email, hashed password, OTP — Performance of the contract.
  • Service delivery (panel, menu, AI) — Restaurant + content data — Performance of the contract.
  • Billing and payment collection — Stripe references, billing address, tax ID — Performance of the contract + legal obligation.
  • Tax and bookkeeping retention — Invoice data — Legal obligation.
  • Security, anti-abuse logs — IP, User-Agent, logs — Legitimate interests.
  • AI features — Uploads, AI outputs — Performance of the contract (at owner's request).
  • Content moderation — Uploaded images — Legitimate interests (platform safety).
  • Support — Support tickets — Performance of the contract.
  • Service improvement (anonymous / aggregated) — Usage statistics — Legitimate interests.
  • Marketing communications (Mealar newsletters) — Email, name, country — Consent (opt-in); additional local registration where required.
  • Legal claims and compliance — All data as needed — Legal obligation + legitimate interests.
  • Sensitive data (e.g., health, religion, biometric) is processed only with explicit consent or where another lawful basis specifically permits it.

5. Sub-Processors

  • The following independent third parties process personal data on our behalf or in the course of the Service.
  • Stripe Payments Europe Ltd. + Stripe Inc. — Ireland, USA — Billing identity, address, tax ID, full card data direct to Stripe (we don't see); PCI-DSS Level 1.
  • Microsoft Azure (SQL, Blob, App Service) — EU and global — All Service data (database, files); ISO 27001, SOC 2.
  • Microsoft Azure OpenAI (gpt-image-1) — USA (East US 2) — Dish image and server-side prompt for AI Photo Fix.
  • Google Cloud Vertex AI (Veo 3.1, Imagen 4) — USA (us-central1) — Source image and server-side prompt for AI Video and AI imagery.
  • Meshy AI — USA — Public URL of an uploaded image for 3D model generation.
  • Microsoft Azure AI Vision + Content Safety — EU / global — Uploaded image (base64) for food validation and content moderation.
  • Google Firebase Auth — Global — Email and hashed password (we don't see); identity tokens.
  • Cloudflare (CDN, Turnstile) — Global edge — HTTP traffic and IP; CDN cache up to 30 days; DDoS protection; anti-abuse challenge.
  • Twilio SendGrid — USA — Recipient email, sender, subject, body, delivery events.
  • Twilio Verify — USA / global — Phone number for one-time-code verification (if you opt in).
  • Where required by law, data may also be disclosed to competent tax, regulatory, or law-enforcement authorities, and to our professional advisors under confidentiality obligations.

6. AI Processing — Detailed Notice

  • 6.1 Flow. AI Photo Fix: customer image → Azure OpenAI gpt-image-1 → output; rejected outputs are deleted within 24 hours to 30 days. AI Video: image + fixed server prompt → Vertex AI Veo 3.1 → up to four parallel videos; the customer keeps one, others are deleted. 3D model: uploaded image public URL → Meshy → GLB/USDZ. Moderation: every uploaded image passes Azure Vision (food validation) and Content Safety (sexual / violence / hate / self-harm).
  • 6.2 AI training — explicit disclaimer. Mealar currently develops and trains no AI model of its own; AI is delivered through third-party APIs. Customer data is therefore not used by us for model training. Whether the third-party AI providers (Microsoft Azure OpenAI, Google Cloud Vertex AI, Meshy AI, or any successor) use Customer data for model training, abuse monitoring, telemetry, or other purposes is governed entirely by their own agreements and policies. Mealar assumes no responsibility for monitoring, validating, communicating, warranting, or indemnifying changes in those third-party practices. By using AI features you accept the relevant third party's terms and must review them yourself: Microsoft (microsoft.com/licensing/terms), Google Cloud (cloud.google.com/terms), Meshy (meshy.ai/legal).
  • 6.3 Automated decision-making. We do not make solely-automated decisions producing legal or similarly significant effects on individuals. Content moderation is a quality filter; rejected uploads can be appealed via support.

7. International Data Transfers

  • Our infrastructure providers are largely outside Norway. Where personal data is transferred outside the country in which it is collected, we rely on the lawful transfer mechanisms available under the applicable data-protection law — including adequacy decisions, standard contractual clauses, recognised certifications, binding corporate rules, or the limited statutory derogations (such as the data subject's explicit consent or necessity for performance of the contract). Corporate Customers may request a copy of the relevant transfer-mechanism documentation.

8. Cookies and Tracking

  • Essential cookies (no consent needed): session and authentication, CSRF and security, language and currency preference, UI cache.
  • Analytics / functional cookies: anonymous aggregate page-view metrics.
  • Marketing cookies: Mealar does not currently use third-party advertising or marketing cookies. If this changes, the Policy will be updated with prior notice.
  • We do not use aggressive browser or device fingerprinting (canvas, audio). You may reject cookies in your browser; some Service features may not function.

9. Retention

  • Active account PII — While active + 30 days — Contract.
  • Invoices and payment records — The period required by applicable bookkeeping and tax law (typically 5–10 years) — Legal.
  • Stripe Customer ID and metadata — Same as invoice retention — Legal.
  • Uploaded dish photos — Until you delete, or 30 days post-termination — Contract.
  • AI outputs accepted — Until you delete — Contract.
  • AI outputs rejected — 24 hours – 30 days — Auto-cleanup.
  • AI operation logs — 365 days, then anonymised — Legitimate interests.
  • Technical activity logs — 6 months active + 6 months anonymised — Legitimate interests.
  • Post-deletion anonymised activity — 180 days — Audit trail.
  • Support tickets — 3 years — Legitimate interests.
  • End-User reviews — Until the owner removes them (or the End User self-deletes); review-author identity is anonymised on owner-account deletion, but review text persists — Owner-controlled.
  • One-time-code records — ≤ 1 hour — Contract.
  • Verified phone number — While the account is active + 30 days post-termination — Contract / fraud prevention.
  • Administrative support-access logs — 3 years — Audit, dispute defence.
  • Review-report snapshots — 3 years from report closure — Audit, dispute defence.
  • Custom-domain edge DNS resolution logs (Cloudflare) — Per Cloudflare's own retention policy — Edge provider, not controlled by us.
  • Marketing consent — Until you withdraw, or the account closes — Consent.
  • On account deletion (owner): PII is anonymised (email → [email protected], name → [deleted], phone → +0000000000); uploaded content, menus, support tickets, and authored reviews are deleted; reviews received by the owner's menu (i.e., posted by End Users) are not hard-deleted but the author identifiers are anonymised; technical activity logs are anonymised; invoice records persist for legal-retention duration; the linked Stripe Customer reference is cleared on our side (Stripe retains its own payment history under its own retention policy).

10. Owner's Controller Duties Toward End Users

  • When End Users interact with a Public Menu (read, review, contact), the owner is the controller of their personal data; Mealar is the processor. The owner must publish their own privacy notice, obtain consent where required (notably marketing, sensitive data, data of minors), respond to data-subject requests of End Users, and report breaches on their side. We supply standard sub-processor information; legal sufficiency in the owner's jurisdiction remains the owner's responsibility. A Data Processing Agreement is available on request.

11. Security

  • Encryption in transit (HTTPS/TLS) and at rest (Azure SQL, Blob Storage); Firebase Auth password hashing; API-key rotation; access logging and anomaly detection; rate limits on public media (30 requests / 60 seconds / IP), AI features, and login; content moderation; geo-redundant backup; least-privilege access; staff confidentiality obligations; processor agreements with sub-processors; documented breach response. Full payment-instrument data never reaches our systems; Stripe (PCI-DSS Level 1) handles that layer.

12. Your Rights

  • Under applicable data-protection laws you may have the following rights. Submit requests to [email protected]; we respond within the timeframes required by applicable law (typically between 10 and 30 days, with permitted extensions where the request is complex).
  • Access to your data and information about its processing.
  • Rectification of inaccurate data (most fields are editable in the panel).
  • Erasure ("right to be forgotten"), subject to legal-retention duties.
  • Restriction of processing in certain cases.
  • Objection to processing based on legitimate interests; always for direct marketing.
  • Data portability in a structured, commonly used, machine-readable format. We do not provide a one-click export from the panel; portability requests are fulfilled manually via [email protected].
  • Withdraw consent at any time for consent-based processing; withdrawal does not affect prior lawful processing.
  • Lodge a complaint with the data-protection authority in your jurisdiction.
  • We may verify identity before responding (confirmation from the registered email, supporting documents); unverifiable requests may be refused.
  • End-User requests sent directly to Mealar. Because the restaurant owner is the controller of End-User personal data (Section 10), an End-User request received by Mealar that concerns data controlled by an owner will be acknowledged and, with the End User's awareness, forwarded to the relevant owner without undue delay. Mealar will respond directly only to the limited extent we act as controller for that End User (for example, our own technical, security, or anti-abuse logs).

13. Sensitive Data, Children, Marketing, Breaches

  • Sensitive data. Menu-level allergen and dietary information concerns the dish, not an individual, and is not sensitive personal data. If an End User volunteers health information in a review, that is sensitive data under the owner's control. We do not process biometric data (face, fingerprint, voice).
  • Children. Mealar is a B2B service and is not intended for under-18 registrants as owners. Public Menus may be viewed by minors; in anonymous viewing we collect no personal data. The owner is responsible for any minor-data implications of reviews on their menu. Age-of-consent rules of the owner's jurisdiction apply.
  • Marketing. Locked transactional email categories (Account Security, Critical Billing, Refund Activity) cannot be unsubscribed. Preference-based categories (Subscription Updates, Wallet Updates, Customer Engagement) are managed in Account Settings. Marketing newsletters require opt-in consent and any additional local registration applicable to commercial messaging in the recipient's jurisdiction. Every marketing email contains a one-click unsubscribe link (RFC 8058).
  • Breach notification. We will notify the competent data-protection authority within the timeframes required by applicable law (commonly 72 hours of awareness for notifiable breaches). Affected data subjects will be informed without undue delay where the breach is high-risk. If a breach occurs on your side you must notify us at [email protected] promptly; for breaches affecting your End Users, notification to authorities and data subjects is your duty.
  • Public-menu visibility and search indexing. Public Menus and the pages they contain are publicly reachable by design and may be indexed by search engines. Where you bind a custom domain, public traffic to that hostname resolves via the configured DNS and may be logged by your registrar and by our edge CDN provider. We apply standard non-indexing signals to internal rewrite paths, but we do not undertake to prevent search-engine indexing of your live Public Menu URLs; you are responsible for any robots-directive or noindex preference signalled at your hostname level if you wish to restrict crawling.

14. Local Representatives

  • Where applicable law requires us to appoint a data-controller representative, data-protection officer, privacy officer, or to register with a local authority, we will do so. Current representative or registration details, where appointed or completed, are available on request from [email protected].

15. Changes and Contact

  • We may update this Policy from time to time and will give at least 30 days' notice of material changes by email or panel banner. We will also notify of new sub-processors or of expanded data access by existing processors. Continued use after the effective date constitutes acceptance.
  • Contact: [email protected] · [email protected] · [email protected].
  • Postal: Kalirox AS, Drammen, Norway (full address on request).
  • You always retain the right to complain to the data-protection authority in your jurisdiction.
  • Read together with the Mealar Terms of Service. Review by qualified local counsel is strongly recommended before publication in any jurisdiction.