Privacy Policy
Effective Date: April 2026
Last Updated: April 2026
EGO HERO LTD (trading as BuzzMenu) ("BuzzMenu," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use the BuzzMenu platform as a Merchant (restaurant or cafe owner), or interact with it as an End-User (diner).
This Policy complies with the New Zealand Privacy Act 2020, the Australian Privacy Principles under the Privacy Act 1988 (Cth), and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Who This Applies To
This Policy applies to:
- Merchants — Restaurant owners, managers, and staff who register and use BuzzMenu to operate their venue.
- End-Users / Diners — Customers who scan a QR code and interact with a Merchant's menu through BuzzMenu.
- Website Visitors — Anyone who visits our marketing website.
Note on diner data: For diners, BuzzMenu generally acts as a data processor on behalf of the Merchant. The Merchant is the primary data controller responsible for how diner data is collected and used in their venue.
2. Information We Collect
A. Merchant Data
- Account Information: Name, email address, password (hashed, never stored in plain text), restaurant name, slug, and business details.
- Financial Information: Subscription billing and payment processing data handled by Stripe. We do not store full credit card numbers or bank details on our servers.
- Operational Data: Menu items, pricing, images, operating hours, table configurations, staff roster, and manager PIN (hashed).
- Stripe Connect Data: Stripe account ID, subscription IDs, payout status. Full merchant onboarding data (identity verification, bank details) is held by Stripe under their privacy policy.
- Usage Data: Log data about how you use the Service for analytics and troubleshooting.
B. End-User / Diner Data
- Order Information: Items selected, quantities, dietary requirements, special instructions, table number.
- Payment Information: For cafe-mode upfront payments, card details are collected through Stripe Elements and transmitted directly to Stripe. BuzzMenu never sees or stores your raw card data.
- Technical Data: IP address, browser type, device type, timestamps, and referring page.
- Cookies and Session Data: See Section 6.
C. Children's Privacy
The Service is not intended for children under 13 (NZ) or 13–16 depending on jurisdiction (EU). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the BuzzMenu platform.
- Process subscriptions, transactions, and send receipts.
- Authenticate users and secure accounts.
- Provide Merchant analytics (order volume, popular items, customer wait times).
- Communicate with Merchants about service updates, billing, and support.
- Detect, prevent, and respond to fraud, security incidents, and technical issues.
- Improve and develop new features.
- Comply with legal obligations and resolve disputes.
Legal bases (GDPR): Where GDPR applies, we process data based on (a) contract performance, (b) legitimate interests in operating our business, (c) legal obligations, and (d) consent where required (e.g., marketing communications).
4. Disclosure of Your Information
We do not sell your personal data. We may share information with:
- Service Providers (Sub-processors):
  - Supabase — Database hosting, authentication, and real-time infrastructure. (Privacy Policy)
  - Stripe — Payment processing, Connect onboarding, subscription billing. (Privacy Policy)
  - Vercel — Web hosting and edge infrastructure. (Privacy Policy)
  - Web3Forms — Contact form submission handling.
- Merchants: If you are a diner, your order details and any information you enter (e.g., special instructions) are shared with the specific restaurant you are ordering from.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify affected users before the transfer takes effect.
- Legal Requirements: When required by law, court order, subpoena, or to protect our legal rights.
5. International Data Transfers
BuzzMenu's infrastructure partners (Supabase, Stripe, Vercel) operate globally and may store or process your data in the United States, European Union, Australia, or other countries outside your own.
When we transfer personal data outside of New Zealand, Australia, or the EU/EEA, we rely on appropriate safeguards including:
- Contractual commitments from our sub-processors to protect your data to the standard of your home jurisdiction.
- Standard Contractual Clauses approved by the European Commission where GDPR applies.
- Adequacy decisions or recognised privacy frameworks.
By using the Service, you consent to the transfer of your data to these jurisdictions.
6. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential cookies: Required for authentication, session management, and core Service functionality (e.g., Supabase auth tokens, session storage for manager PIN unlock and table session tokens).
- Functional cookies: Remember user preferences such as cart contents and age-verification status during an ordering session.
- Analytics cookies: Vercel Analytics may collect aggregated traffic data to help us understand how the Service is used. This data is anonymised.
You can configure your browser to refuse cookies, but essential cookies cannot be disabled without breaking the Service.
7. Data Security
We use industry-standard practices to protect your data, including:
- Encryption: Data in transit is protected with TLS/HTTPS. Data at rest is encrypted by our infrastructure providers.
- Row-Level Security (RLS): Database policies enforce strict multi-tenant isolation so Merchants can only access their own data.
- Password Security: Passwords are hashed using industry-standard algorithms. We require strong passwords with uppercase, lowercase, numbers, and symbols.
- Payment Card Data: Handled exclusively by Stripe (PCI-DSS Level 1 certified). BuzzMenu never stores raw card details.
- Access Controls: Administrative access to our systems is limited to authorised personnel.
While we implement these safeguards, no online service is completely secure. You use the Service at your own risk.
8. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy or required by law:
- Account data: Retained while the Merchant account is active. Deleted 30 days after account termination (except where retention is required by law).
- Order and transaction records: Retained for up to 7 years to comply with tax and accounting obligations in NZ and AU.
- Technical logs: Retained for up to 90 days for security and debugging purposes.
- Marketing communications data: Retained until you withdraw consent.
- Support communications: Retained for up to 2 years after resolution.
After the retention period, data is either deleted or anonymised so it can no longer identify you.
9. Your Data Protection Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data (subject to legal retention obligations).
- Objection: Object to certain processing activities.
- Portability: Request a copy of your data in a machine-readable format.
- Withdrawal of Consent: Withdraw consent where processing is based on consent.
- Complaint: Lodge a complaint with the relevant supervisory authority (see below).
To exercise any of these rights, email us at buzzmenu.app@gmail.com. We will respond within 30 days.
10. Complaints and Supervisory Authorities
If you believe we have mishandled your personal data, you have the right to lodge a complaint with the relevant supervisory authority:
- New Zealand: Office of the Privacy Commissioner — privacy.org.nz
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- European Union: Your local Data Protection Authority.
We encourage you to contact us first so we can try to resolve your concerns directly.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in serious harm to affected individuals, we will:
- Notify the Office of the Privacy Commissioner (NZ) or the OAIC (AU) as required by the Notifiable Data Breaches Scheme.
- Notify affected users without undue delay (within 72 hours where feasible, in line with GDPR).
- Provide information about the nature of the breach, the data involved, and steps you can take to protect yourself.
12. Third-Party Links
The Service may contain links to third-party websites (e.g., Stripe's hosted onboarding pages). We are not responsible for the privacy practices or content of these third parties. We encourage you to review their privacy policies before providing any personal information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. Material changes will be notified by email or an in-app notice. The "Last Updated" date at the top of this page reflects the most recent revision.
Your continued use of the Service after an update constitutes acceptance of the revised Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
EGO HERO LTD (trading as BuzzMenu)
Email: buzzmenu.app@gmail.com