Privacy Policy

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection regulations is:

IMOS Print UG (haftungsbeschränkt)
Wilhelmshavener Heerstr. 63
26125 Oldenburg, Germany
Email: info@imos-print.de
Phone: +49 441 / 21 23 39 80

2. General Information on Data Processing

We process personal data of our users only to the extent necessary to provide a functional platform and our content and services. Personal data is regularly processed only with the consent of the user. An exception applies in cases where prior consent is not possible for factual reasons and the processing of the data is permitted by law.

3. Registration and User Account

Using Menu Mage requires registration. We collect the following data:

  • First and last name
  • Email address
  • Password (stored encrypted with BCRYPT; not for Google Sign-In)
  • Company name
  • Billing address (street, postal code, city, country)
  • VAT ID (optional, for EU business customers)
  • Language preference (German/English)

The processing of this data is based on Art. 6 para. 1 lit. b GDPR for the performance of the user contract and Art. 6 para. 1 lit. c GDPR for compliance with tax obligations.

4. Google Sign-In

We offer the option of logging in via Google Sign-In (Google Identity Services) by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you log in with your Google account, Google transmits your name and email address to us. No further Google profile data is linked. The legal basis for processing is Art. 6 para. 1 lit. b GDPR. For more information on Google privacy, please visit: https://policies.google.com/privacy

5. User-Entered Content (Restaurant and Menu Data)

As part of the usage, the user stores data about their restaurant or business on the platform. This includes in particular:

  • Restaurant name, address, logo, cover images, colour/design specifications
  • Categories and items with name, description, price, allergen and dietary information (multilingual)
  • Uploaded menu PDFs for parsing (AI-assisted data import)
  • Uploaded or AI-generated product images
  • Created and possibly published menus (PDF and online version)

This data is processed for the performance of the contract pursuant to Art. 6 para. 1 lit. b GDPR. Insofar as the user stores personal data of third parties (e.g., employee names) in the restaurant or item data, the user is responsible for this under data protection law.

6. AI Image Generation (OpenAI)

For the AI-assisted generation of product images, we use services from OpenAI, L.L.C. (1455 3rd Street, San Francisco, CA 94158, USA) or OpenAI Ireland Ltd. During image generation, the texts entered by the user (prompts, e.g., dish descriptions) and any control parameters are transmitted to OpenAI. No direct personal data (such as the user's name or email address) is passed on to OpenAI.

A transfer to the USA cannot be ruled out. It takes place on the basis of appropriate safeguards pursuant to Art. 46 GDPR (in particular standard contractual clauses) or under the EU-US Data Privacy Framework, where applicable. The legal basis for processing is Art. 6 para. 1 lit. b GDPR (performance of contract) and Art. 6 para. 1 lit. f GDPR (legitimate interest in providing modern AI functions). Further information can be found in OpenAI's privacy policy: https://openai.com/policies/privacy-policy

7. Published Menus and Anonymous View Statistics

When a user publishes a menu as "public", it is accessible under an individual URL and can be accessed by restaurant guests without registration. For such accesses, we only collect anonymous statistical data:

  • Access date (without time at second-level precision)
  • Number of views per day
  • Information on whether the access took place via a QR code scan (technical marker)

Specifically, NO IP addresses are stored in plain text, NO tracking cookies are set, NO personal data of guests is collected, and NO device profiles are created. The access data is used exclusively for aggregated statistical analysis for the respective restaurant operator. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest of the restaurant operator in a simple anonymous reach measurement of their own menu).

8. Cookies and Sessions

In the logged-in area, Menu Mage uses technically necessary session cookies to maintain the user's logged-in status, language preference, and theme (light/dark). These cookies are deleted after the browser is closed or after logging out. No tracking cookies or advertising cookies are set. In the public area (e.g., menus for guests), no personal cookies are set. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in the secure operation of the platform) and § 25 para. 2 no. 2 TTDSG (technically strictly necessary cookies).

9. Server Log Files

The hosting provider (IONOS SE) automatically collects and stores information in server log files that your browser automatically transmits. These include: IP address, date and time of request, accessed URL, browser and operating system used, and HTTP status code. This data is not merged with other data sources by us. The data serves to maintain functionality, IT security, and error analysis. The legal basis is Art. 6 para. 1 lit. f GDPR.

10. Usage Logging in the Logged-In Area

For quality assurance, error analysis, quota management, and improvement of our services, we log certain activities of logged-in users within the platform:

  • Number and times of AI image generations (for quota management)
  • Number and times of menu generations as well as page count
  • Status history of uploaded PDFs (uploaded/parsed/imported/failed)
  • Payment and invoice history

Sensitive data such as passwords or complete payment information is not recorded. These logs are stored on our servers and not shared with third parties. The legal basis is Art. 6 para. 1 lit. b GDPR (performance of contract, especially quota calculation) and Art. 6 para. 1 lit. f GDPR (legitimate interest in the security and quality assurance of the platform).

11. Payment Processing (Stripe, PayPal)

Paid plans and pay-per-use purchases are processed via external payment service providers – currently Stripe Payments Europe Ltd. (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland), to be supplemented by PayPal (Europe) S.à r.l. et Cie, S.C.A. (22-24 Boulevard Royal, 2449 Luxembourg). The data required for payment (e.g., name, billing address, payment details) is transmitted directly to the payment service provider and processed there in accordance with their privacy policy.

We do not store complete payment details (e.g., card numbers) on our servers. Only transaction IDs, amounts, status, and invoice metadata are stored on our side in order to fulfil invoices, receipts, and legal retention obligations. The legal basis is Art. 6 para. 1 lit. b GDPR (performance of contract) and Art. 6 para. 1 lit. c GDPR (compliance with tax obligations).

https://stripe.com/de/privacy
https://www.paypal.com/de/legalhub/privacy-full

12. Email Delivery

For communication with our users (e.g., confirmation, invoice, reminder, and service emails), we send transactional emails to the email address stored in the account. Sending is done via the SMTP infrastructure of our hosting provider IONOS. The processing serves the performance of the contract (Art. 6 para. 1 lit. b GDPR) and the fulfilment of legal obligations (Art. 6 para. 1 lit. c GDPR – e.g., sending the invoice PDF).

13. Retention Period

Personal data is stored only for as long as necessary for the respective processing purpose. After the contract ends, the account first goes through a grace period; thereafter, restaurant, item, menu, PDF upload, AI image, QR code, and tracking data are permanently deleted. Tax-relevant data – in particular invoices, payment and subscription records, and associated master data – continue to be retained in accordance with statutory retention obligations (in particular § 147 AO, up to 10 years). In this case, the user account is deactivated and the password removed; a new login is no longer possible.

14. Your Rights as a Data Subject

You have the following rights with regard to the personal data concerning you:

  • Right of access – Art. 15 GDPR
  • Right to rectification – Art. 16 GDPR
  • Right to erasure – Art. 17 GDPR (limited by statutory retention obligations)
  • Right to restriction of processing – Art. 18 GDPR
  • Right to data portability – Art. 20 GDPR
  • Right to object – Art. 21 GDPR
  • Right to withdraw consent – Art. 7 para. 3 GDPR

To exercise your rights, please contact: info@imos-print.de. You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority for Lower Saxony is the State Commissioner for Data Protection of Lower Saxony (LfD Niedersachsen).

15. Data Security

Menu Mage uses technical and organisational security measures to protect your data against manipulation, loss, destruction, or unauthorised access. Data is transmitted between your browser and our server in encrypted form via HTTPS/TLS. Passwords are hashed using BCRYPT (not stored in plain text). Forms and API calls are protected against cross-site request forgery using CSRF tokens and against SQL injection using prepared statements. Our security measures are continuously improved in line with technological development.

16. Processors and Recipients of Data

In the course of providing the service, we use the following processors and external service providers:

  • IONOS SE, Elgendorfer Str. 57, 56410 Montabaur (hosting, email delivery)
  • OpenAI, L.L.C. / OpenAI Ireland Ltd. (AI-assisted image and text processing)
  • Stripe Payments Europe Ltd., Dublin, Ireland (payment processing)
  • Google Ireland Limited (optional login via "Sign in with Google")

Data processing agreements pursuant to Art. 28 GDPR exist or will be concluded with all processors, where legally required. Your data will not be passed on to third parties beyond this, unless we are legally obliged to do so (e.g., to tax authorities) or you have expressly consented.

17. Changes to this Privacy Policy

We reserve the right to adjust this privacy policy to adapt it to changed legal situations or in the event of changes to the service and data processing. The current version is available at this URL. Please check the content of the privacy policy regularly.

Last updated: May 2026