Privacy Policy
How Menu Points collects, uses, and protects your personal data across the landing page, dashboard, and all product features.
This document is Menu Points' unified Aydınlatma Metni (KVKK Art. 10 clarification text) and GDPR-compliant privacy notice. The Turkish version is the legally binding version for KVKK purposes.
1. Controller & Contact
Data Controller (Veri Sorumlusu): Menu Points, {{LEGAL_NAME_TBD}}, registered at {{REGISTERED_ADDRESS_TBD}}, Izmir, Turkey. MERSIS: {{MERSIS_TBD}}. Tax Office / Vergi Dairesi: {{TAX_OFFICE_TBD}}.
VERBİS Registration: {{VERBIS_TBD}} (if below the employee/balance-sheet threshold, state exemption basis here before publishing).
Contact for all data-related inquiries: hello@menupoints.com.tr. We recommend switching to a dedicated address (e.g. privacy@menupoints.com.tr) before going live.
Internal application procedure (KVKK Art. 13): Data subjects must submit their request to the controller before escalating to the Kişisel Verileri Koruma Kurulu. Please contact us by email; we will respond within 30 calendar days.
2. Scope & Definitions
This Privacy Policy applies to:
- The landing page at menupoints.com.tr and all subpages
- The Menu Points dashboard used by restaurant staff
- The customer-facing QR menu pages accessed by restaurant guests
- The Reservation, Queue Management, and AI Waiter add-ons when enabled by a restaurant
Key definitions:
- Controller / Veri Sorumlusu: The entity that determines the purposes and means of processing personal data. Menu Points is the controller for staff account data and visitor analytics data.
- Processor / Veri İşleyen: Menu Points acts as a processor for personal data that restaurants collect about their guests (e.g., reservation names, phone numbers). Each restaurant is the controller of such data and must maintain its own privacy disclosures.
- Data Subject / İlgili Kişi: Any identified or identifiable natural person whose personal data is processed.
- Personal Data / Kişisel Veri: Any information relating to an identified or identifiable natural person (KVKK Art. 3, GDPR Art. 4).
3. Categories of Personal Data
We process the following categories of personal data, grouped by data subject:
a) Restaurant staff / account holders
- Name, email address, hashed password
- Restaurant name, address, logo, branding assets, menu content
- Billing details: subscription plan, invoicing address; card data is handled exclusively by {{PAYMENT_PROCESSOR_TBD}} (we store only the last four digits)
- IP address, device type, browser, session activity logs
b) Restaurant guests (QR menu visitors)
- IP address, approximate geolocation derived from IP (country / city)
- Device type, browser, OS, pages viewed, menu items viewed, scan timestamps
- No account or login is required. No name or email is collected from guests unless the reservation add-on is active.
c) Reservation & queue users (add-on — controller: the restaurant)
- Full name, phone number, party size, booking date and time
- Any special requests or notes submitted at booking
- Note: the restaurant that enabled this add-on is the data controller for this data. Menu Points processes it only as a data processor on the restaurant's behalf.
d) Landing page visitors
- IP address, browser type, OS, referral URL
- Cookie data — see the Cookie Policy for details
4. Purposes of Processing
We process personal data for the following purposes:
- Service delivery: creating and managing restaurant accounts, generating QR codes, hosting menu pages, enabling add-ons
- Analytics & improvement: providing aggregated menu-view and engagement statistics to restaurant operators; improving platform features and performance
- Billing & payments: processing subscription payments via {{PAYMENT_PROCESSOR_TBD}}, issuing e-invoices (e-Arşiv/e-Fatura), managing refunds
- Security & fraud prevention: detecting abuse, protecting accounts, rate-limiting, preventing unauthorized access
- Legal compliance: fulfilling obligations under KVKK, GDPR, Turkish commercial law (TCC), tax regulations (VUK), and other applicable laws
- Communications: transactional emails (account confirmation, password reset, billing receipts); marketing communications only with prior opt-in consent and İYS registration ({{IYS_STATUS_TBD}})
- AI Waiter (when active): processing guest-submitted text prompts via {{LLM_PROVIDER_TBD}} to generate automated menu suggestions — see Section 15 for full disclosure
5. Legal Bases (KVKK & GDPR)
We rely on the following legal bases under KVKK Art. 5/6 and the parallel provisions of GDPR Art. 6:
- Contract (KVKK Art. 5/2-c, GDPR Art. 6(1)(b)): processing necessary to enter into or perform the service contract — account management, QR menu delivery, billing
- Legal obligation (KVKK Art. 5/2-ç, GDPR Art. 6(1)(c)): tax record-keeping, anti-fraud obligations, compliance with court orders or regulatory requests
- Legitimate interests (KVKK Art. 5/2-f, GDPR Art. 6(1)(f)): security monitoring, internal platform analytics, fraud prevention — we have balanced this against data subjects' rights and freedoms
- Explicit consent / Açık Rıza (KVKK Art. 5/1, GDPR Art. 6(1)(a)): marketing communications, non-essential cookies, cross-border transfers where required under post-Law 7499 rules, and AI Waiter processing of prompts that may reveal special-category data
Explicit consent (açık rıza) is a separate, granular, and revocable act under KVKK. It is never bundled with acceptance of these terms or any other document. You may withdraw consent at any time without detriment to your lawful use of the service.
6. Collection Methods & Sources
We collect personal data through the following means:
- Directly from you: registration and onboarding forms, account settings pages, the menu editor, billing forms, contact emails, and support requests
- Automatically: server logs, cookies and similar technologies (see Cookie Policy), QR-scan analytics embedded in the menu page, session activity in the dashboard
- From third parties: {{PAYMENT_PROCESSOR_TBD}} for billing confirmation; payment fraud-prevention signals; potentially social login providers if implemented in future
- From restaurant operators (as processor): reservation and queue data that restaurants enter about their guests via the add-on
8. International Transfers
Menu Points is based in Turkey (Izmir). Some sub-processors operate servers outside Turkey and/or the EU/EEA. All international transfers are governed as follows:
KVKK — Law 7499 (in force March 2024): transfers are made on the basis of (a) an adequacy decision issued by the KVKK Board, (b) standard contractual clauses approved by the KVKK Board, or (c) binding corporate rules. Where none of these mechanisms apply, we obtain explicit consent (açık rıza) from the data subject before the transfer takes place.
GDPR Art. 46: for data subjects in the EU/EEA, transfers to processors in third countries rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.
Known transfer destinations:
- {{HOSTING_PROVIDER_TBD}} — servers in {{HOSTING_LOCATION_TBD}}; transfer mechanism: {{HOSTING_TRANSFER_MECHANISM_TBD}}
- {{LLM_PROVIDER_TBD}} (AI Waiter) — servers in {{LLM_LOCATION_TBD}}; transfer mechanism: {{LLM_TRANSFER_MECHANISM_TBD}}
Confirm and complete transfer mechanism details before enabling cross-border features or collecting EU data subjects' personal data.
9. Retention Periods
We retain personal data only as long as necessary for the purpose for which it was collected:
- Account data (restaurant staff): for the duration of the active account plus 3 years after closure (Turkish Commercial Code, TCC Art. 82)
- Billing records & invoices: 10 years (Tax Procedure Law, VUK Art. 253)
- Guest QR analytics: aggregated and anonymized after 12 months; raw IP logs purged after 90 days
- Reservation & queue data: deleted 12 months after the reservation date, unless the restaurant requests deletion earlier or a legal hold applies
- Cookie consent logs: 3 years from the date of consent
- Data subject rights correspondence: 3 years from date of resolution
- Security and access logs: 90 days
- AI Waiter prompt data: not retained beyond the active session; no prompt data is stored after the response is delivered
When a retention period expires, personal data is securely deleted or irreversibly anonymized using industry-standard methods.
10. Your Rights
Under KVKK Art. 11, you have the right to:
- Learn whether your personal data is being processed
- Request information about the processing if it is taking place
- Learn the purpose of processing and whether data is used in accordance with that purpose
- Know the third parties to whom your data is transferred domestically or abroad
- Request correction of incomplete or inaccurate data
- Request deletion or destruction of data where the conditions for processing no longer apply
- Request that any correction or deletion be notified to third parties to whom data was transferred
- Object to a result arising solely from automated processing that works against your interests
- Claim compensation for any damages arising from unlawful processing of your personal data
EU/EEA data subjects additionally have the following rights under GDPR:
- Data portability (Art. 20): receive your data in a structured, machine-readable format
- Restriction of processing (Art. 18): ask us to pause processing under certain circumstances
- Object to processing (Art. 21): object to processing based on legitimate interests or for direct marketing
- Automated decision-making (Art. 22): not be subject to solely automated decisions with legal or similarly significant effects
- Withdraw consent (Art. 7): withdraw consent at any time without affecting the lawfulness of prior processing
11. How to Exercise Your Rights
To exercise any of the rights listed in Section 10, please contact us at hello@menupoints.com.tr and include:
- Your full name and the email address associated with your account (or, for guests, sufficient identifying information to locate the relevant data)
- A clear description of the right you wish to exercise and the specific data concerned
- A copy of a valid identity document if we need to verify your identity before acting on the request
Response timeline: We will acknowledge your request within 5 business days and resolve it within 30 calendar days (KVKK Art. 13 / GDPR Art. 12). Complex requests may be extended by a further 60 days under GDPR (we will inform you of any extension).
KVKK internal procedure (mandatory before escalation): Under KVKK Art. 13, data subjects must submit their request to the controller first. If your request is rejected or not resolved within 30 days, you may file a complaint with the Kişisel Verileri Koruma Kurulu within 30 days of receiving our response (or within 60 days of submitting the request).
There is no fee for standard requests. If a request is manifestly unfounded or excessive, we may charge a reasonable administrative fee (GDPR Art. 12(5)).
13. Security Measures
We implement appropriate technical and organizational security measures to protect personal data against unauthorized access, accidental loss, destruction, or alteration, in compliance with KVKK Art. 12. Our measures include:
- Encryption in transit: TLS 1.2 or higher for all data transmitted between your browser and our servers
- Encryption at rest: sensitive data fields are encrypted at the database level
- Access control: role-based permissions ensure staff access only the data necessary for their function (least privilege principle)
- Password security: passwords are hashed using a recognized algorithm (bcrypt or equivalent) and never stored in plaintext
- Regular security reviews: periodic vulnerability assessments and penetration testing
- Incident response: in the event of a personal data breach, we will notify the KVKK Board within 72 hours of becoming aware and will inform affected data subjects without undue delay where required by law
14. Children's Data
Menu Points is not directed at or intended for use by children under the age of 18. We do not knowingly collect personal data from minors. The platform is designed for restaurant operators and adult consumers.
Under Turkish civil law, processing the personal data of a minor requires parental or legal guardian consent. Under GDPR Art. 8, the minimum age for consent to digital services is 16 years (some EU member states have set a lower age).
If you believe a child has provided personal data to Menu Points without appropriate consent, please contact us immediately at hello@menupoints.com.tr and we will promptly review and delete the data.
15. Automated Decision-Making & AI Waiter
The AI Waiter add-on, when enabled by a restaurant, processes guest-submitted text prompts (e.g., questions about menu items, dietary preferences, allergy queries) using a large language model operated by {{LLM_PROVIDER_TBD}} to generate automated menu recommendations.
In compliance with GDPR Art. 22, this constitutes automated processing. However, the AI Waiter provides suggestions only — the final decision (placing an order, selecting a dish) is always made by the human guest. We do not use AI outputs to make legal decisions or decisions with similarly significant effects on individuals.
Guest prompts may incidentally contain special-category data (dietary restrictions, allergies, religious dietary observance). Where this is possible, we obtain explicit consent (açık rıza) from the guest before enabling AI Waiter processing for that session. Such data is not retained beyond the active session.
A Data Protection Impact Assessment (DPIA / Veri Koruma Etki Değerlendirmesi) is conducted and documented before the AI Waiter add-on is made generally available to customers.
Restaurants that enable AI Waiter must inform their guests of the automated processing feature, consistent with their own obligations as data controllers.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or product features. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify registered restaurant operators by email at least 30 days before the changes take effect
- Display a prominent notice in the Menu Points dashboard for the same period
For non-material changes (corrections, clarifications, updated contact details), we will update the policy without advance notice but will update the "Last Updated" date.
Continued use of Menu Points after the effective date of the updated policy constitutes acceptance of the changes. If you do not agree with the updated policy, please discontinue use of the service and contact us to close your account and request data deletion.
17. Contact & Data Officer
For all privacy-related inquiries, data subject access requests, or complaints, please contact:
- Email: hello@menupoints.com.tr (recommend: privacy@menupoints.com.tr)
- Postal address: Menu Points, {{REGISTERED_ADDRESS_TBD}}, Izmir, Turkey
- Data Officer / Veri Sorumlusu Temsilcisi: {{DATA_OFFICER_TBD}} (designate a named person before VERBİS registration)
We aim to acknowledge all inquiries within 5 business days.
18. Language & Precedence
This Privacy Policy is published in both Turkish (Türkçe) and English. The Turkish version is the legally binding version for the purposes of compliance with KVKK and Turkish law. The English version is provided for convenience and informational purposes only.
In the event of any inconsistency, ambiguity, or conflict between the Turkish and English versions, the Turkish version shall prevail.