Privacy Policy

Last updated: June 30, 2026

GetFreeMenu ("we", "us", or "our") operates the GetFreeMenu website and digital menu platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Service. By using the Service, you agree to this policy. Please also read our Terms of Service, including the disclaimers and limitations of liability.

1. Our Role: Controller and Processor

For information about you, the account holder (for example, your registration details and subscription), GetFreeMenu acts as a data controller.

For information that a restaurant collects from its own customers through the Service—such as orders, order notes, queue reservations, GPS location used to verify proximity, and payment metadata—the restaurant is the data controllerand GetFreeMenu acts only as a processor that stores and displays that information on the restaurant's behalf. The restaurant is solely responsible for having a lawful basis to collect this data, for providing required notices and obtaining required consents from its customers, and for responding to those customers' privacy requests. If you are a diner with a question about how a particular restaurant uses your data, please contact that restaurant.

2. Information We Collect

  • Account information: name, email address, and a hashed password when you register. If you sign in with Google, we receive your name, email, and profile picture from Google.
  • Restaurant content: restaurant name, address, location coordinates, contact details, menus, categories, items, prices, descriptions, translations, and images you upload.
  • Order & queue data:items ordered, order notes, table and queue numbers, reference codes, and timestamps generated when a restaurant's customers use table ordering or the virtual queue.
  • Customer contact (takeaway):for a takeaway queue reservation, a restaurant's customer provides a name and phone number so the restaurant can call them when their order is ready. This is stored on the reservation and made available to the relevant restaurant.
  • Payment data:when a restaurant connects its own payment provider (e.g. Toss Payments, KakaoPay, GB Prime Pay, Opn), customers pay that provider through the kiosk or takeaway queue. We store only payment metadata (amount, currency, a provider session/reference, and status) needed to confirm the order. The payment is processed by the restaurant's provider, and we never receive, process, or store card or bank-account numbers.
  • Location data:with the user's permission, the virtual queue uses approximate device GPS location to confirm a customer is near the restaurant. We use IP-based geolocation (via a third-party lookup) to detect an approximate country/region for language selection.
  • Subscription & billing data: if you subscribe to Pro, our payment provider and Merchant of Record (Paddle.com Market Limited) handles your card details and the sale, including any applicable VAT or sales tax. We store only a Paddle customer/subscription identifier and your plan status and renewal date; we never receive or store full card numbers.
  • Usage data: aggregated analytics such as page and menu views, device type, approximate location, and referring URLs.
  • Cookies & similar technologies: session tokens for authentication, language preferences, and analytics and advertising cookies.

3. How We Use Information

  • To provide, maintain, secure, and improve the Service.
  • To authenticate users and protect accounts.
  • To display restaurant menus, ordering, and queue pages to customers via public links and QR codes.
  • To process Pro subscriptions and prevent fraud and abuse, through our payment processor.
  • To measure and improve performance using aggregated analytics.
  • To display advertising on the free Service (see Section 6).
  • To communicate about your account, security notices, and important updates, and to comply with legal obligations.

4. Google User Data

If you sign in with Google, we request access only to your basic profile information (name, email address, and profile picture). We use it solely to create and manage your GetFreeMenu account. We do not use Google user data for advertising, sell it, or share it, except as strictly required to provide the Service or as required by law. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. You can revoke access at any time via your Google Account permissions page.

5. Third-Party Services

We rely on the following third parties, each governed by its own privacy policy:

  • Paddle — payment processing and Merchant of Record for Pro subscriptions (handles billing, invoicing, and tax).
  • Amazon Web Services (AWS) — hosting, database and file storage (DynamoDB, S3), content delivery (CloudFront), and email delivery (SES).
  • Google — sign-in (OAuth), Analytics, AdSense, Google Ads, and Maps links. See the Google Privacy Policy.
  • Geolocation & QR providers — IP-based country/region lookup for language selection and a QR-code image generator for menu/table codes.

6. Advertising & Cookies

The free Service is supported by advertising. We display third-party advertisements (including via Google AdSense) on public menu pages and elsewhere within the Service. Third-party vendors, including Google, use cookies and similar technologies to serve and personalize ads based on prior visits to this and other websites. You can opt out of personalized advertising at Google Ads Settings and learn more at aboutads.info. Upgrading to Pro removes advertisements from your public menu pages. You can control cookies through your browser settings; disabling cookies may affect certain features.

7. Data Retention

We retain account and restaurant content while your account is active. Order and sales data may be retained and archived (including in long-term storage and daily reports) so restaurants can access their own history. You may delete your account at any time, after which we will remove your personal data within a reasonable period unless retention is required for legal, accounting, security, or fraud- prevention purposes.

8. Data Security

We use commercially reasonable safeguards, including TLS encryption in transit, Argon2 password hashing, token-based authentication, restricted storage access, and AWS-managed encryption at rest. However, no method of transmission or storage is completely secure, and we cannot and do not guarantee that the Service or any data will be free from unauthorized access, hacking, breach, loss, or alteration. You use the Service at your own risk. To the maximum extent permitted by law, and as further described in our Terms of Service, GetFreeMenu is not liable for any harm arising from a security incident except to the extent directly caused by our gross negligence or willful misconduct and not excludable by law. You are responsible for safeguarding your credentials, devices, and team access.

9. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or export your personal data, and to object to or restrict certain processing. To exercise these rights regarding the data we control, contact us at the email below. For data a restaurant collects from its own customers, please direct your request to that restaurant (the controller).

10. Children's Privacy

The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from children.

11. International Data Transfers

The Service is operated from Thailand and hosted on Amazon Web Services (AWS) infrastructure located in Singapore (ap-southeast-1), and may be accessed globally. Your information — including order and queue records, payment metadata, and, for takeaway reservations, the name and phone number provided — is transferred to and stored on servers outside your country, including outside the Republic of Korea and the EEA.

  • Recipient of the transfer: Amazon Web Services, Inc. (cloud hosting and storage), Singapore. Some sub-processors (e.g. Google for analytics/sign-in, our email provider) may also process data outside your country.
  • Items transferred:account data; restaurant and menu content; order, queue and payment-metadata records; and, where applicable, a customer's name and phone number.
  • Purpose & retention: hosting, storage, and operation of the Service, retained for as long as your account or the relevant record is kept (see Section 7).
  • How to refuse: you may decline by not using the Service, or contact us at [email protected] to object. We cannot provide the Service without this transfer.

Transfer safeguards:where personal data is transferred from the EEA, the United Kingdom, or another region that restricts international transfers, we rely on an applicable adequacy decision or on Standard Contractual Clauses (SCCs) and equivalent safeguards in our processors' data-processing agreements (for example, the AWS GDPR Data Processing Addendum, which incorporates the EU SCCs), or on your consent or another lawful basis where permitted.

For users in the Republic of Korea: the above is an overseas transfer of personal information under the Personal Information Protection Act (PIPA), disclosed in accordance with Article 28-8 (see also our Korean-language policy).

12. Your Regional Privacy Rights

Wherever you are, you can ask us to access, correct, delete, or export the personal data we control, withdraw consent, or object to processing — contact [email protected]. We honor these requests regardless of your location. In addition, specific regions have specific rights:

  • European Economic Area & United Kingdom (GDPR / UK GDPR): we process personal data on the lawful bases of performance of a contract, your consent, our legitimate interests, and legal obligation. You have the rights of access, rectification, erasure, restriction, portability, objection, and to withdraw consent, and you may lodge a complaint with your local supervisory authority (in the UK, the ICO). International transfers are protected by SCCs / adequacy as described in Section 11. If we are required to designate an EU/UK representative under Article 27, you may reach us at the email above.
  • United States (California CCPA/CPRA, and Virginia, Colorado, Connecticut and other state laws):you may request to know, access, delete, and correct your personal information, and opt out of the "sale" or "sharing" of personal information and of targeted/ cross-context behavioral advertising, without discrimination. We do notsell your personal information for money. We do use analytics and advertising cookies that may constitute "sharing" under California law; you can opt out at any time via the cookie banner, the "Cookie settings" and "Do Not Sell or Share My Info" links in our footer, or by enabling a Global Privacy Control (GPC) browser signal, which we honor as a valid opt-out.
  • Japan (APPI): we use personal information only for the purposes stated in this policy. Where we transfer personal data to a third party overseas, we do so with your consent or another lawful basis and provide the information required by the Act on the Protection of Personal Information.
  • Australia (Privacy Act 1988 / Australian Privacy Principles): you may request access to and correction of your personal information. We disclose personal information overseas (Singapore) as described in Section 11 (APP 8) and will take reasonable steps to protect it. Complaints may be made to the OAIC.
  • Hong Kong (PDPO): this policy serves as our Personal Information Collection Statement. You may request access to and correction of your personal data and complain to the PCPD.
  • Taiwan (Personal Data Protection Act): you may inquire about, review, correct, and request deletion of your personal data, and we collect and use it only for the purposes described here.
  • Canada (PIPEDA) and elsewhere: you have the rights granted by your local law; contact us and we will respond as required, and you may complain to your local data-protection authority (in Canada, the OPC).

13. Changes & Governing Language

We may update this Privacy Policy from time to time and will post the new version on this page with an updated "Last updated" date. This policy is provided in English; any translation is for convenience only, and the English version controls in case of any conflict.

14. Contact Us

Questions about this Privacy Policy or our data practices? Contact us at [email protected] or visit our contact page.