Privacy Policy — MenuPulse

Overview

MenuPulse ("we," "us," or "our") operates the MenuPulse restaurant operations platform and the Sage AI engine. This Privacy Policy explains what data we collect, how we use it, who we share it with, and the choices you have.

We take data privacy seriously. Your restaurant's operational data is yours — we use it to power the Service, not to sell to third parties or build advertising profiles.

By using MenuPulse, you agree to the data practices described in this policy.

1. Data We Collect

Account data — your email address, used to authenticate you via magic link. We do not store passwords.

Restaurant profile data — restaurant name, location names and addresses, concept type, and the operational preferences you configure during onboarding.

Operational data you upload — invoices and line items, menu and recipe data, inventory counts, staff schedules, labor entries, vendor information, and sales history imported from a POS system.

AI interaction data — queries you send to Sage, the briefings Sage generates, and actions you take in response (e.g., marking an item actioned or dismissed). This data is used to improve Sage's recommendations for your account.

Usage data — page visits, feature usage events, and error logs. We use this to understand how the product is used and to fix bugs.

Billing data — if you subscribe to a paid plan, Stripe processes your payment. We receive and store a Stripe customer ID, subscription ID, and subscription status. We never store your full card number or CVV.

Communications — if you contact us by email or submit feedback, we retain that correspondence.

2. How We Use Your Data

To provide the Service — storing your data, generating Sage briefings, running costing and forecasting calculations, and displaying your dashboards.
To improve Sage — your data, in aggregated and de-identified form, may be used to improve the accuracy of AI recommendations across the platform. We do not use individually identifiable data to train models shared outside your account.
To process payments — we pass your billing details to Stripe and record subscription status.
To send transactional communications — account confirmation, magic link sign-in emails, billing receipts, and important service announcements. We do not send marketing emails without your consent.
To detect and prevent fraud and abuse — monitoring for unusual activity or Terms of Service violations.
To comply with legal obligations — responding to lawful requests from government authorities or satisfying legal requirements.

3. Third-Party Services

We use the following third-party services to operate MenuPulse. Each has its own privacy policy governing how they handle data.

Supabase

Database, authentication, and file storage. Your data is stored in Supabase's hosted Postgres infrastructure. Privacy policy ↗

Anthropic (Claude)

Powers the Sage AI engine. Invoice parsing, daily briefings, and recommendations are processed via Anthropic's API. Privacy policy ↗

Stripe

Payment processing for paid subscriptions. Stripe stores and processes your card data under PCI-DSS compliance. Privacy policy ↗

Railway

Hosts the MenuPulse backend API. API requests and server logs are processed on Railway's infrastructure. Privacy policy ↗

Vercel

Hosts the MenuPulse frontend. Page loads and static assets are served via Vercel's CDN. Privacy policy ↗

Formspree

Processes email addresses submitted via our landing page beta signup form. Privacy policy ↗

4. Data Sharing

We do not sell, rent, or trade your personal data or your restaurant's operational data to any third party for marketing or advertising purposes.

We share data only in the following limited circumstances:

With service providers — the third-party services listed above, only to the extent necessary to operate the platform.
With your team — other users you authorize to access your MenuPulse account.
Legal requirements — if required by law, court order, or to protect the rights, property, or safety of MenuPulse, our users, or the public.
Business transfers — if MenuPulse is acquired or merges with another company, your data may be transferred as part of that transaction. You will be notified before any such transfer occurs.

5. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

Account data — retained until you delete your account.
Operational data — retained for 3 years from the date of creation, or until you delete your account, whichever comes first.
Usage and error logs — retained for 90 days.
Billing records — retained for 7 years to comply with financial record-keeping requirements.

After account termination, you have 30 days to request an export of your data. After that window, we will delete or anonymize your data unless retention is required by law.

6. Security

We implement industry-standard security measures including encrypted data transmission (TLS), encrypted data storage, and access controls that limit who can view your data.

Authentication uses Supabase's magic link system — no passwords are stored. Payment data is handled entirely by Stripe and never touches our servers.

No system is perfectly secure. If you discover a security vulnerability, please report it to hello@menupulse.io before disclosing it publicly.

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you.
Correction — request correction of inaccurate data.
Deletion — request deletion of your personal data. Some data may be retained to comply with legal obligations.
Export / portability — request a machine-readable export of your restaurant data.
Objection — object to certain uses of your data, including use for AI model improvement.

To exercise any of these rights, email hello@menupulse.io. We will respond within 30 days.

8. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you additional rights:

The right to know what personal information we collect, use, and share.
The right to delete personal information we have collected from you.
The right to opt out of the sale of your personal information. We do not sell personal information.
The right to non-discrimination for exercising your CCPA rights.

To submit a CCPA request, email hello@menupulse.io with "CCPA Request" in the subject line.

9. Cookies and Tracking

MenuPulse uses browser localStorage to store your session, location preferences, and cached restaurant data. We do not use third-party advertising cookies or cross-site tracking technologies.

Supabase sets a session cookie for authentication. You can clear localStorage and cookies at any time through your browser settings, though this will sign you out.

10. Children's Privacy

The Service is intended for business use by adults. We do not knowingly collect personal data from anyone under 18. If we learn we have inadvertently collected data from a minor, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or a prominent in-app notice at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.

Continued use of the Service after a revision takes effect means you accept the updated policy.

12. Contact

Questions or concerns about this Privacy Policy or how we handle your data? Email us at hello@menupulse.io. We respond within 5 business days.