This Privacy Policy explains how DineEasy collects and processes personal data of restaurant Owners and diners who interact with menus published on our platform. It applies to the website, dashboard, and public menu URLs operated under dineeasy.app and its subdomains.
1. Controller
DineEasy is operated by Maxapp GmbH, Birkenstrasse 49, 6343 Rotkreuz, Switzerland – the data controller for personal data processed through the service. For privacy questions, contact legal@dineeasy.app.
DineEasy serves Owners in Switzerland, Liechtenstein, Germany, France, Italy, and Austria. We comply with the Swiss Federal Act on Data Protection (revFADP, in force since 1 September 2023) and, where applicable, the EU General Data Protection Regulation (GDPR).
2. Scope
We process personal data of two groups:
- Owners – restaurant operators who register an account.
- Diners – visitors to a published public menu.
Owners are responsible, as separate controllers, for any personal data of their own customers that they choose to upload or process via the service.
3. What we collect and why
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account data | Email, hashed password, locale preference | Operate the service, authenticate you | Contract (Art 6(1)(b) GDPR; Art 31(1) revFADP) |
| Restaurant data | Restaurant name, address, phone, opening hours, menu items, photos | Render the public menu and dashboard | Contract |
| Usage data | Login events, menu changes, page views, errors, device/browser info | Improve the service, debug issues | Legitimate interest (Art 6(1)(f) GDPR) |
| Session recordings | Mouse movement, click events, page navigation in the dashboard. Password, email, and phone fields are masked at the source and never recorded. | Diagnose UX issues. Never used for individual surveillance. Opt-out available. | Legitimate interest, opt-out on request |
| Communications | Emails to support, contact-form submissions | Reply to your request | Legitimate interest |
| Newsletter & waitlist | Email address, name (if provided), locale, signup source | Send you launch updates and product news. Contact and demo form submissions are also added so we can follow up when DineEasy goes live. | Consent (affirmative signup action) |
We do not sell personal data and do not use it for advertising profiling.
4. Cookies and tracking
We use:
- Strictly necessary cookies – Supabase Auth session token, your locale preference, sidebar layout state. Required for the service to work; no consent needed under Art 5(3) ePrivacy / Art 31 revFADP.
- Product analytics & session replay – PostHog (EU Cloud), used to understand how Owners interact with the dashboard and to debug errors. We will introduce a consent banner before any consumer-facing public marketing site or in-app payment flow goes live to EU residents. Until then you can opt out at any time by writing to legal@dineeasy.app.
5. Sub-processors
We use the following service providers to operate DineEasy. All process personal data under written instructions from us. The list may change; the current list is always available on this page.
| Provider | Purpose | Data region |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) |
| Vercel | Application hosting and edge network | Global edge; data at rest in the EU/US |
| Upstash | Cache and background-job queue | EU |
| PostHog | Product analytics, session replay, error tracking | EU (Frankfurt) |
| Resend | Transactional email | EU |
| DeepL | Automated translation of menu content | EU (Germany) |
| Google Maps Platform | Address autocomplete | Global (Google) |
| Stripe | Payment processing for diner orders. We use Stripe Connect with direct charges, so the restaurant’s Stripe account is the merchant of record; the platform never holds diner funds. | EU (Ireland) |
6. International transfers
Personal data is stored in the European Union or in Switzerland – recognised by the EU as offering an adequate level of data protection. We do not transfer personal data outside this perimeter. If a future sub-processor outside the EU/Switzerland is added, this section will be updated and an appropriate transfer mechanism (Standard Contractual Clauses adopted by the European Commission, Decision 2021/914, or an adequacy decision) will be put in place before any transfer begins.
7. Retention
- Account & restaurant data: kept while your account is active and for up to 90 days after deletion to allow reactivation, then permanently deleted (except backups, which expire within 35 days).
- Server logs: 30 days.
- Analytics events & session recordings: 6 months.
- Email correspondence: 24 months.
- Newsletter & waitlist data: kept until you unsubscribe or request deletion. You can unsubscribe at any time by emailing hello@dineeasy.app.
Where Swiss commercial law requires longer retention (for example invoices under Art 958f Swiss Code of Obligations), we retain those documents for the legally required period (typically 10 years).
8. Your rights
Under the revFADP and the GDPR you have the right to:
- access the personal data we hold about you,
- request correction of inaccurate data,
- request deletion (the “right to be forgotten”),
- restrict or object to certain processing,
- request data portability,
- withdraw consent at any time where processing is based on consent,
- lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch) or your local EU supervisory authority.
To exercise any of these rights, write to legal@dineeasy.app. We respond within 30 days.
9. Security
We use industry-standard measures: encryption in transit (TLS 1.2+), encryption at rest, role-based access control, row-level security on the database, and regular dependency audits. No system is perfectly secure, but we take this seriously and notify affected users promptly in the event of a personal-data breach as required by Art 24 revFADP and Art 33–34 GDPR.
10. Children
The dashboard is intended for adults operating businesses. We do not knowingly collect data from anyone under 16. If you believe a minor has provided us with personal data, contact us and we will delete it.
11. Changes
We may update this Policy. Material changes are announced in-app and by email at least 30 days in advance.
12. Contact
Maxapp GmbH
Birkenstrasse 49
6343 Rotkreuz, Switzerland
legal@dineeasy.app