Privacy Policy
Note: This English text is provided for convenience only. The Turkish version at menuverse.me/privacy.html is the legally binding original; in the event of any conflict, the Turkish text prevails.
As Menuverse, operated by Ömer Bozkurt as a natural person ("Menuverse", "we"), we attach the highest importance to the privacy and security of your personal data. This Privacy Policy (the "Policy") transparently explains, when you use our Platform (website, management panel, mobile interfaces and QR menu infrastructure), what data is collected, how it is processed, with whom it is shared, how long it is retained and the rights you hold.
This Policy is prepared in line with the Turkish Personal Data Protection Law No. 6698 ("KVKK"), the EU General Data Protection Regulation ("GDPR") and related secondary legislation.
1. Identity of the Data Controller
Data Controller: Ömer Bozkurt (natural person)
Brand: Menuverse
Address: Antalya / Türkiye
E-mail: [email protected]
2. Personal Data We Collect
To provide our services, we may collect the following categories of data:
2.1. Identity and Contact Data: Name, surname, e-mail address, phone number, business/restaurant title, tax number, expense-voucher/payment details.
2.2. Account Data: Username, password (stored only as a one-way cryptographic hash — bcrypt/argon2), session tokens, multi-factor authentication data.
2.3. Content and Operational Data: Menu items, categories, prices, product images, 3D modeling data, allergen information, order records, table layouts.
2.4. Technical Data: IP address, browser type and version, operating system, device identifiers, language/time-zone settings, screen resolution, error logs.
2.5. Usage Data: In-platform clicks, page views, session duration, features used, performance metrics.
2.6. Location Data: City/country derived from the business address. GPS-precision location is processed only with your explicit consent.
2.7. Payment Data: Card details are not stored on our servers; payment is made by bank transfer/EFT or via licensed payment institutions. When a payment institution is used, only the transaction reference, amount and status are shared with us.
2.8. Marketing Preferences: Newsletter subscription, communication channel preferences, campaign participation records (consent-based).
3. Collection Methods
- Directly from you: registration forms, contact forms, panel entries.
- Automatically: cookies, web beacons, server logs, analytics scripts (see the Cookie Policy).
- From third parties: payment institutions, e-mail providers, corporate customer references (only where there is a legal basis).
4. Purposes and Legal Bases of Processing
| Purpose | Legal Basis (KVKK art. 5) |
|---|---|
| Service delivery, account creation, subscription management | Performance of a contract |
| Payment documentation (expense voucher) and accounting | Legal obligation (Tax Procedure Law) |
| Customer support, request management | Legitimate interest |
| Platform security, abuse detection | Legitimate interest |
| Performance analytics, product development | Legitimate interest (anonymized) |
| Marketing communication, newsletters | Explicit consent |
| Responding to lawful authority requests | Legal obligation |
5. Data Sharing
Your personal data is not transferred, sold or shared for advertising purposes except in the following cases:
- Service Providers (Data Processors): Cloud hosting, transactional e-mail, analytics, payment, customer support software, under KVKK-compliant data processing agreements.
- Legal Obligation: When responding to lawful requests from judicial and administrative authorities.
- Transfer: In the event of a full or partial transfer of the Menuverse brand or business, to the acquiring party within the scope of the transfer (prior notice is given).
- With Explicit Consent: For any sharing not listed above, your explicit consent is sought.
6. Cross-Border Data Transfers
Some of our service providers (e.g. CDN, e-mail infrastructure) may locate servers abroad. In such cases, under KVKK art. 9, we observe (i) the destination country having adequate protection, (ii) a written undertaking and Board permission where adequate protection is absent, or (iii) your explicit consent. Providers to which transfers are made are disclosed to you upon request.
7. Retention Periods
- Account data: While the account is active + deleted 30 days after termination.
- Expense voucher and accounting records: For the legal retention period under the Tax Procedure Law (generally 5 years).
- Marketing consents and consent logs: Until consent is withdrawn + 3 years for evidentiary purposes.
- Server logs: Maximum 90 days (for security).
- Order and operational data: While the account is active.
Data whose retention period has expired is destroyed by secure deletion, destruction or anonymization.
8. Data Security
We apply technical and administrative measures appropriate to our scale to protect your data:
- Encryption: All traffic is transmitted over TLS 1.2+/HTTPS; sensitive fields are encrypted at the database level.
- Access control: Access to data is restricted on a least-privilege basis.
- Backups: Encrypted, geographically separated backups with regular restore tests.
- Incident management: In case of a data breach, notification to the Authority and affected data subjects within 72 hours under KVKK art. 12/5.
9. Cookies and Similar Technologies
We use cookies to improve the site experience, remember your language/theme preferences and analyze performance. For types, purposes, retention periods and management options, see the Cookie Policy.
10. Data Subject Rights (KVKK Article 11)
As a data subject you have the right to:
- Learn whether your personal data is processed,
- Request information if it has been processed,
- Learn the purpose of processing and whether it is used accordingly,
- Know the third parties to whom it is transferred at home or abroad,
- Request correction of incomplete or inaccurate data,
- Request deletion or destruction,
- Request that correction/deletion be notified to third parties to whom data was transferred,
- Object to a result against you arising from automated analysis,
- Claim compensation for damages due to unlawful processing.
You may submit your requests in writing to [email protected]. Requests are resolved free of charge within 30 days at the latest.
11. Children's Privacy
The Platform is not directed at persons under 18. We do not knowingly collect personal data from children. Account data identified as belonging to a person under 18 is deleted immediately.
12. Policy Changes
We may update this Policy from time to time. Significant changes are announced at least 15 days before they take effect, by e-mail or in-platform notice. The effective date and version are shown at the top of the page.
13. Contact
For any question, request or complaint about privacy: [email protected]