Placeholder document — not legal advice. This page contains template content only. Review every section marked [PLACEHOLDER] and replace with accurate, legally reviewed text before launch. Last updated: 25 April 2026.

Privacy Policy

Effective date: [PLACEHOLDER: insert final date]

1. About This Policy

Local Menu Ltd ("Local Menu", "we", "us", "our") is committed to protecting the privacy of everyone who uses our Platform. This Privacy Policy explains how we collect, use, store, and share personal information in connection with the Local Menu service at localmenu.co.nz.

This policy is written in compliance with the New Zealand Privacy Act 2020 and its Information Privacy Principles (IPPs). Where our customers are in the European Economic Area, the UK, or Australia, additional obligations may apply — [PLACEHOLDER: review GDPR / Australian Privacy Act requirements if serving those jurisdictions].

2. Who We Are

Local Menu Ltd is the data controller for personal information collected through the Platform.

  • Company: Local Menu Ltd
  • NZBN: [PLACEHOLDER: verify 9429 0512 7724]
  • Address: [PLACEHOLDER: registered address]
  • Email: hello@localmenu.co.nz

3. Information We Collect

We collect information in the following categories:

Restaurant account holders

  • Name and email address (registration)
  • Business name, address, phone number, and slug
  • Logo and menu item photos you upload
  • Stripe Connect account details (held by Stripe, not Local Menu)
  • Account activity, login history, and settings changes

Customers placing orders

  • Name, email address, and phone number (required to place an order)
  • Order contents and special instructions
  • Payment card details (processed by Stripe; we do not store card numbers)
  • Order history associated with your contact details

All visitors

  • IP address and approximate location
  • Browser type, device type, and operating system
  • Pages visited and time spent on the Platform
  • Referral source

4. How We Use Your Information

We use personal information to:

  • Operate and maintain your account and ordering pages
  • Process and fulfil orders, including sending order confirmation and status emails
  • Calculate and collect platform commission via Stripe Connect
  • Send transactional emails (order confirmations, status updates, receipts)
  • Provide customer support and respond to enquiries
  • Detect and prevent fraud, abuse, and security incidents
  • Monitor platform performance and fix bugs (including via Sentry error reporting)
  • Comply with legal obligations

We do not use personal information for advertising, sell it to third parties, or use it for any purpose incompatible with the purpose for which it was collected.

5. Disclosure to Third Parties

We share personal information with the following service providers, each of whom is bound by appropriate data processing agreements:

  • Stripe — payment processing and Restaurant payouts. Stripe processes payment card data and manages Connected Accounts. Stripe's privacy policy applies to information they hold: stripe.com/nz/privacy.
  • Supabase — database and file storage, hosted in AWS Sydney (ap-southeast-2). Personal data is stored in New Zealand's geographic region. [PLACEHOLDER: confirm Supabase data residency and DPA status for NZ Privacy Act purposes.]
  • Resend — transactional email delivery (order confirmations, status notifications). Email content including recipient addresses passes through Resend's infrastructure. [PLACEHOLDER: link Resend privacy policy and confirm DPA.]
  • Sentry — application error monitoring. Error reports may contain request metadata and, in some cases, anonymised stack traces. We configure Sentry to scrub sensitive fields where possible. [PLACEHOLDER: review Sentry data scrubbing configuration before launch.]
  • Upstash Redis — rate limiting counters. IP addresses are used as rate-limiting keys and are not stored beyond the expiration of the rate-limit window.
  • Vercel — platform hosting and edge delivery. Request logs including IP addresses are retained per Vercel's data retention policy.

We do not disclose personal information to any other third party except where required by law (e.g., a court order or lawful request from a New Zealand government agency).

6. Cookies and Tracking

Local Menu uses cookies and similar technologies to operate the Platform. We use:

  • Session cookies — to keep you logged in to your Restaurant dashboard. These are essential and cannot be disabled without breaking the service.
  • Supabase auth cookies — to maintain authentication state across requests. These are first-party cookies set on localmenu.co.nz.
  • [PLACEHOLDER: If you add analytics (e.g., Vercel Analytics, PostHog, Google Analytics), list them here with opt-out mechanism.]

We do not currently use advertising or tracking cookies. If this changes, we will update this policy and obtain any required consent before setting such cookies.

7. Data Security

We take reasonable technical and organisational measures to protect personal information from unauthorised access, disclosure, or destruction, including:

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Row-level security (RLS) enforced at the database level so each Restaurant can only access its own data
  • Regular dependency updates and security monitoring via Sentry
  • Access controls limiting which staff can view production data

No system is completely secure. If you believe there has been a security incident involving your data, please contact us immediately at hello@localmenu.co.nz.

8. Data Retention

We retain personal information for as long as necessary to fulfil the purposes described in this policy, or as required by law.

  • Active accounts: retained indefinitely while the account is open.
  • Closed accounts: account data is deleted within [PLACEHOLDER: e.g., 90 days] of account closure, except where retention is required for legal, tax, or dispute resolution purposes.
  • Order records: retained for [PLACEHOLDER: e.g., 7 years] for accounting and tax purposes consistent with the Tax Administration Act 1994.
  • Server logs: retained for [PLACEHOLDER: e.g., 30 days] and then deleted.

9. International Data Transfers

Some of our service providers (Resend, Sentry, Upstash) may process data outside New Zealand. Where this occurs, we take steps to ensure adequate protection is in place, consistent with Privacy Act 2020 Principle 12. [PLACEHOLDER: detail specific transfer mechanisms, e.g., standard contractual clauses, adequacy decisions, or DPAs with each provider.]

10. Your Rights

Under the New Zealand Privacy Act 2020, you have the right to:

  • Access — request a copy of the personal information we hold about you.
  • Correction — request correction of inaccurate information.
  • Deletion — request deletion of your personal information (subject to legal retention requirements).
  • Portability — [PLACEHOLDER: describe how data can be exported if this is implemented].

To exercise any of these rights, email hello@localmenu.co.nz with the subject line "Privacy Request". We will respond within 20 working days as required by the Privacy Act.

11. Privacy Complaints

If you believe we have breached the Privacy Act 2020, please contact us first at hello@localmenu.co.nz so we can attempt to resolve the issue. If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner (privacy.org.nz).

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address at least [PLACEHOLDER: e.g., 14] days before the changes take effect. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.

13. Contact

Privacy enquiries: hello@localmenu.co.nz

[PLACEHOLDER: Add registered business address once confirmed.]