Speak Your Menu Privacy Policy

Effective Date: September 16, 2025

1. Information We Collect

1.1 Account Information

When an owner, manager, director, or employee account is created we collect:

  • uuid (system-generated)
  • first & last name
  • business e-mail address (required, unique)
  • hashed password
  • optional profile image (avatar URL)
  • role (super_admin, director, manager, employee)
  • assigned_restaurants (array of restaurant UUIDs)
  • permissions & lessons_required flags
  • assignedLessons, lesson_progress & badges
  • account status (active flag) and last_login timestamp

1.2 Restaurant & Menu Data

Managers upload menu items, wine SKUs, ingredients, and food images so the platform can generate training lessons.

1.3 Employee Lesson Metrics

For each employee we store lesson assignment, completion status, scores, badges, and timestamps. No HR, payroll, or phone data is collected.

1.4 Operational Logs

Our Log collection records user UUID, action type, context details, role, restaurant UUID, and timestamp. We do not log IP addresses, browser/OS, device type, or geolocation.

1.5 Analytics and Advertising Technologies

We use analytics and advertising technologies on our public marketing site, including Google Analytics 4 and Meta Pixel, to understand website usage, measure marketing performance, and improve how visitors find and use Speak Your Menu. These technologies may collect information such as page views, browser information, approximate location derived from IP address, referral source, and interaction events.

We do not use these tools to power employee lesson scoring or restaurant training operations inside the product itself. If our use of tracking technologies changes materially, we will update this Policy before or at the time the change takes effect.

1.6 Assessment Responses

When you complete a Speak Your Menu assessment, we collect your responses, baseline scores, and the business e-mail address you provide in order to generate your Results and deliver them to you. These responses may include operational details about your restaurant’s training practices. We use this data only to calculate your Results, to improve our assessment methodology, and to provide you with a one-time results e-mail (unless you separately opt in to marketing communications).

2. How We Use Information

  • Operate & deliver the Services and personalise the training experience.
  • Improve & develop new features, analytics dashboards, and lesson algorithms.
  • Communicate with account owners and managers about updates, security alerts, and service messages.
  • Marketing emails to owners and managers (never to employees) – each message includes an unsubscribe link.
  • Generate and deliver assessment Results, provide follow-up insights, and improve our lift-calculation models.
  • With your consent, send ongoing marketing communications (e.g., product tips, promotions, research updates) after you complete an assessment. You may withdraw consent at any time by clicking “unsubscribe” in any marketing email.
  • Research & insights – we may aggregate and anonymise usage data to create industry reports.

3. Legal Bases (GDPR)

Where the GDPR applies we process personal data under these bases:

  • Performance of a contract (providing the platform)
  • Legitimate interests (security, product improvement)
  • Consent (marketing emails, including ongoing communications after assessments)

4. Sharing & Sub-processors

We share data only with the service providers necessary to run the platform:

Provider                  | Purpose                                            | Location
Amazon Web Services (AWS) | EC2 hosting, S3 encrypted backups                  | USA (us-east-1)
MongoDB Atlas             | Managed database clusters                          | USA (us-east-1)
Stripe                    | Subscription billing                               | USA
Google (Gmail SMTP)       | Transactional & onboarding email (via NodeMailer)  | USA
MailerLite                | Marketing email campaigns                          | EU / USA

We require each Sub-processor to sign data-processing agreements with protections equal to this Policy. An up-to-date list is maintained at our Subprocessors page.

5. International Transfers

The primary data centre is in the United States (AWS us-east-1). Authorised personnel may access production data from outside the U.S. (e.g., a freelance engineer in Pakistan) under strict role-based access controls and confidentiality agreements. We rely on Standard Contractual Clauses and equivalent safeguards for such transfers.

6. Data Retention

Data category                         | Retention period
Active account data                   | Stored until the customer deletes the data or cancels the subscription
Menu & lesson data after cancellation | 90 days (customer grace period)
Encrypted daily backups               | 30 days rolling window, then automatically deleted
Operational & security logs           | 180 days, then de-identified or deleted
Aggregate / anonymised analytics      | Retained indefinitely (no personal data)
Assessment responses & results        | Retained as long as necessary to provide the Services and improve our models

You may request early deletion at any time (see § 7).

7. Your Rights & Choices

  • Access / deletion / correction: You may email support@speakyourmenu.com to request a copy, deletion, or correction of your personal data. We respond within 30 days.
  • Marketing opt-out: Every marketing email contains an unsubscribe link that instantly removes you from future campaigns.
  • California “Do Not Sell/Share” (future): We currently sell only aggregated, de-identified statistics. If we begin selling identifiable restaurant data we will add a “Do Not Sell or Share My Personal Information” link and update this Policy 30 days in advance.

8. Security

  • TLS 1.2/1.3 encryption in transit & AES-256 at rest
  • Least-privilege IAM and MFA required for all manager and admin logins
  • Annual third-party penetration testing and continuous vulnerability scanning
  • Encrypted backups with tight S3 bucket policies
  • Logged access to production systems and rapid incident-response procedures

9. Children’s Privacy

The Services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted at https://speakyourmenu.com/privacy with a revised “Effective Date.” If changes are material, we will provide 30 days’ notice via e-mail or in-app banner.

11. Contact Us

Speak Your Menu, Inc.
Attn: Privacy Officer
89 Vanderbilt Ave, Apt. 1
Brooklyn, NY 11205 USA
Email: support@speakyourmenu.com

By using our Services you acknowledge that you have read and understood this Privacy Policy.