Data Processing Agreement
Jun 30, 2025
Data Processing Agreement (DPA)
Effective Date: June 30, 2025
Parties
Data Controller: The Customer (restaurant, café, or business entity using MenuMix)
Data Processor: Truezone Inc.
Address: 1111B S Governors Ave STE 20696, Dover, DE, 19904, United States
Email: help@menumix.app
1. Subject Matter
This Agreement governs the processing of personal data by Truezone Inc. (“Processor”) on behalf of the Customer (“Controller”) in connection with the Customer’s use of the MenuMix platform.
2. Duration
This DPA remains in force for as long as the Processor processes personal data on behalf of the Controller and the underlying Terms of Service are valid.
3. Nature and Purpose of Processing
The Processor provides a QR Menu and Order Management system. Processing activities include:
- Account creation and access control
- Order tracking and management
- Table and QR code interaction
- Reporting and analytics
- Subscription billing for the Professional Plan
- Support communications
4. Categories of Data Subjects
- Business users (e.g., restaurant staff, admins, waiters)
- Restaurant customers (if optional personal data such as name or comments is entered)
5. Categories of Personal Data
- User identifiers (name, email, role)
- Order and table data
- Device information, IP address, browser type
- Language and region preferences
- Subscription metadata (e.g., plan, billing events via Stripe)
Note: No payment card numbers or special-category data are stored or processed.
6. Obligations of the Controller
The Controller shall:
- Ensure a legal basis for all personal data processed
- Provide clear and lawful privacy notices to data subjects
- Comply with applicable data protection laws
- Respond to data subject rights requests under GDPR, CCPA, KVKK, etc.
7. Obligations of the Processor
The Processor agrees to:
- Process data only on documented instructions from the Controller
- Maintain confidentiality and restrict internal access
- Implement appropriate technical and organizational security measures
- Notify the Controller without undue delay in case of a data breach
- Assist the Controller with data subject rights requests
- Delete or return all personal data at contract termination unless retention is legally required
- Make available documentation necessary to demonstrate compliance
8. Subprocessors
The Controller authorizes the use of the following subprocessors:
| Purpose | Subprocessor |
|---|---|
| Hosting & Backend | Google Firebase (Firestore, Auth, Functions) |
| Analytics | Google Analytics |
| Tag Management | Google Tag Manager |
| Translation Services | Google Cloud Translation API |
| Messaging/OTP/Calls | Twilio Inc. |
| Subscription Payments | Stripe, Inc. |
All subprocessors are bound by written data protection agreements.
MenuMix will notify the Controller of material subprocessor changes and allow objections within 10 business days.
9. International Data Transfers
Where data is transferred outside the EU/EEA or UK, the Processor shall implement adequate safeguards, including:
- EU Standard Contractual Clauses (SCCs)
- UK International Data Transfer Addendum
- Adequacy decisions or equivalent mechanisms
10. Security Measures
The Processor implements industry-standard measures, including:
- HTTPS encryption for all data in transit
- Encrypted database storage
- Role-based access control and least-privilege design
- Secure user authentication (e.g., Firebase Auth)
- Regular monitoring and vulnerability mitigation
11. Data Subject Requests
The Processor will assist the Controller in responding to:
- Access, rectification, deletion, and portability requests
- Objections or withdrawal of consent
12. Audit and Documentation
The Processor shall make available, upon written request, all information reasonably necessary to demonstrate compliance with this DPA.
Audits may be conducted with at least 30 days’ notice under appropriate confidentiality terms.
13. Termination
Upon termination of the Service:
- All personal data shall be deleted or returned, as requested by the Controller, within 30 days, unless retention is required by law or regulatory compliance
14. Governing Law
This DPA is governed by the laws of the State of Delaware, United States, unless otherwise required by applicable data protection regulations.
15. Miscellaneous
This DPA forms part of the MenuMix Terms of Service. In case of conflict between the Terms of Service and this DPA regarding personal data, this DPA shall prevail.
Binding Agreement
This DPA is binding upon the parties through the Controller’s acceptance of the MenuMix Terms of Service and continued use of the platform.