Menuva Privacy Policy

Effective date: 22 March 2026 · Last updated: 20 April 2026

This Privacy Policy is provided in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). It explains how Menuva handles personal data when you use the Menuva iOS app (the "App") and the Menuva web pages we operate (the "Website") (together, the "Service"). Menuva is designed to be accountless and data-minimising, but some information (especially location data, analytics event data, and online identifiers) can still be personal data under UK GDPR. This policy should be read alongside our Terms & Conditions, Cookie Policy, and Complaints Procedure.

Key points:

  • we do not transmit raw latitude/longitude off-device (both the App and the Website process location on-device only)
  • both the App and the Website use analytics for usage measurement
  • analytics does not log free-text search queries, specific dietary or allergen selections, or allergen severity
  • customization identifiers are hashed so analytics cannot identify specific menu choices
  • ad tracking features (ad storage, ad user data, ad personalization) are disabled by default

1.1 Controller. Duke DJ Saputra (student-led project, "Menuva").

1.2 Email. hello@menuva.co.uk.

1.3 Address. Warwick Business School, University of Warwick, Scarman Rd, Coventry CV4 7AL, United Kingdom.

1.4 If you contact us by email, we process the information you include to respond.

1.5 We have assessed that we are not required to appoint a Data Protection Officer under Article 37 of the UK GDPR. For privacy enquiries, contact hello@menuva.co.uk.

2.1 Menuva is intended for users in the United Kingdom. If you use the Service elsewhere, this policy still applies, and our service providers may process data internationally (see Section 8).

3.0.1 Where a feature is specific to one platform, it is marked "(App only)" or "(Website only)." The main differences are: the App uses device location for venue discovery and the Website uses device location for the optional "Sort by Distance" toggle on the menus page (both on-device only); the App stores dietary preferences on-device; both the App and Website offer analytics opt-out toggles; and the App and Website use different technologies for abuse prevention (see Section 6.A.3).

A. Precise location (App and Website, foreground)

3.A.1 If you grant location permission (iOS "When In Use" in the App, or browser geolocation permission on the Website's menus page), precise location is read on your device to:

  • show nearby venues and determine which venue's menus to load (App), and
  • re-order the menu list by distance when you enable the "Sort by Distance" toggle (Website).

3.A.2 How it works.

  • In the App, location updates may run continuously while the App is in the foreground on relevant screens (for example, home/map).
  • On the Website, the browser geolocation API is called only when you tap "Sort by Distance" (and silently on subsequent visits if you previously enabled the toggle). No continuous updates.
  • Distance calculations happen locally on your device on both platforms.
  • The App may cache your last known location and city on-device only (for example, via iOS local storage) for faster loading and fallback behavior. The Website persists only a single boolean flag (whether "Sort by Distance" is on) in browser localStorage; it does not cache coordinates.

3.A.3 What we do not do.

  • We do not transmit raw latitude/longitude off-device (App or Website).
  • We do not intentionally store your precise location in our databases.
  • In the App, analytics receives only a boolean flag (has_location true/false) and the venue identifier (restaurant slug), never coordinates. On the Website, analytics for the "Sort by Distance" toggle records only the toggle state (on/off) and, on failure, the browser's error code and a short truncated error message; coordinates are never sent.

3.A.4 You can disable location access at any time in iOS settings (App) or in your browser's site permissions (Website). If you deny or revoke location access, manual venue selection and alphabetical ordering remain available on both platforms.

B. Dietary and allergen preferences (on-device)

3.B.1 If you set dietary or allergen preferences in the App, they are stored on-device only and are not synced to our servers. Analytics events for dietary and allergen configuration log only whether the change was made during onboarding or in settings (is_settings_mode). Specific selections are never sent.

C. Analytics (App and Website)

3.C.1 The App uses Firebase Analytics and the Website uses Google Analytics (GA4) to understand usage and improve the Service. Both are provided by Google. The App disables automatic screen reporting and uses manual tracking only.

3.C.2 Categories of events we collect. Analytics events fall into the following categories:

  • Navigation and discovery: opening menus, using the map, enabling location, starting a search, and navigating between screens.
  • Menu browsing: viewing item lists, selecting items, opening item details, scrolling through categories, and toggling subsections.
  • Engagement metrics: time spent on each screen (screen dwell), time spent on each menu category (category dwell), and scroll depth percentages (25/50/75/100%) per category.
  • E-commerce funnel (standard GA4 events): view_item_list, select_item, view_item, add_to_cart, remove_from_cart, and view_cart.
  • Order review: opening the order summary, clearing the basket, and toggling the order language.
  • Settings and preferences: opening settings screens, configuring personalization, and changing language or currency.
  • Onboarding: completion of each onboarding step (App only).

3.C.3 Event parameters. Events include contextual parameters such as:

  • venue identifiers (restaurant slug, location ID),
  • boolean flags (for example, has_location, is_open, is_nearest_venue, has_items_in_basket),
  • counts (for example, basket count, search result count, filter count),
  • currency codes and price values in minor units (for e-commerce funnel analysis),
  • static screen and category names,
  • time values (dwell seconds), and
  • scroll depth percentages.

3.C.4 User properties. The App syncs eight display and locale preferences to analytics as user properties: preferred language, preferred currency, appearance mode, energy unit, and four display toggles (show converted prices, always translate, show menu images, show descriptions). These are preference settings only and do not include dietary or health data.

3.C.5 Screen and page tracking. The App tracks 12 screens with static screen names (for example, "home", "menu", "profile") and dynamic context as custom parameters (for example, restaurant_slug on the menu screen). The Website tracks page views with page path and referrer.

3.C.6 Privacy protections in analytics.

  • Free-text search queries are never logged. Search events send only the result count.
  • Dietary and allergen configuration events log only is_settings_mode (a boolean indicating onboarding vs. settings). Specific dietary or allergen selections are never sent.
  • Allergen subsection interactions log only the subsection identifier and whether it was expanded or collapsed. Severity information is not included.
  • Menu customization identifiers (customization and option IDs) are hashed using Fowler-Noll-Vo 1a (FNV-1a) to opaque values before being sent to analytics. The original names cannot be recovered from analytics data alone.
  • Location data in analytics is limited to a boolean flag (has_location) and venue identifiers (restaurant slug). Coordinates are never sent.
  • No personal identifiers, names, or email addresses are included in analytics events. We do not set a custom user ID in analytics.
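As an added illustration (not Menuva's own code), the JavaScript below shows how the protections listed above can be enforced at the point where events are built: a 32-bit FNV-1a digest replaces customization and option identifiers, the search event carries only a result count and a has_location flag, the dietary event carries only is_settings_mode, and a guard rejects any parameter name or raw value that must stay on-device. The field names on the internal context objects, the event names and the sample data are assumptions. One caveat worth stating: FNV-1a is a fast non-cryptographic hash, so the digests are opaque to a reader of the analytics data who does not also hold the identifier list, which is what "from analytics data alone" means above; anyone holding the list can recompute the same digests.

```javascript
// Added example, not Menuva's code. Internal context field names, event names
// and sample data are assumptions made for the illustration.

const FNV_OFFSET_32 = 0x811c9dc5;
const FNV_PRIME_32 = 0x01000193;

// 32-bit FNV-1a over the UTF-8 bytes of a string, returned as 8 hex digits.
function fnv1a32(str) {
  let hash = FNV_OFFSET_32;
  for (const byte of new TextEncoder().encode(str)) {
    hash ^= byte;                                // xor the octet first (the "1a" variant)
    hash = Math.imul(hash, FNV_PRIME_32) >>> 0;  // multiply modulo 2^32, keep unsigned
  }
  return hash.toString(16).padStart(8, '0');
}

// Parameter names that must never appear in an outgoing event.
const FORBIDDEN_PARAMS = new Set([
  'query', 'search_query', 'lat', 'lng', 'latitude', 'longitude',
  'allergens', 'dietary', 'severity', 'email', 'name',
]);

// Guard applied to every event: rejects forbidden keys and any string value
// equal to a raw value the caller has asked us to keep off the wire.
function sendEvent(name, params, rawValues = []) {
  for (const [key, value] of Object.entries(params)) {
    if (FORBIDDEN_PARAMS.has(key)) {
      throw new Error(`event ${name}: parameter "${key}" is not allowed`);
    }
    if (typeof value === 'string' && rawValues.includes(value)) {
      throw new Error(`event ${name}: raw value leaked in "${key}"`);
    }
  }
  // In a real app this is where gtag() / logEvent() would be called.
  return { name, params };
}

// Search: the free-text query and coordinates stay on-device; only the
// result count, a has_location flag and the venue slug are sent.
function searchEvent(ctx) {
  const params = {
    restaurant_slug: ctx.restaurantSlug,
    has_location: ctx.coords !== null,
    result_count: ctx.results.length,
  };
  return sendEvent('search', params, [ctx.query]);
}

// Customization: identifiers are replaced by their FNV-1a digests.
function customizationEvent(ctx) {
  const params = {
    restaurant_slug: ctx.restaurantSlug,
    customization_id: fnv1a32(ctx.customizationId),
    option_id: fnv1a32(ctx.optionId),
  };
  return sendEvent('select_customization', params, [ctx.customizationId, ctx.optionId]);
}

// Dietary configuration: only where the change was made is recorded.
function dietaryConfigEvent(ctx) {
  return sendEvent('dietary_config', { is_settings_mode: ctx.isSettingsMode }, ctx.selections);
}

// Constructed sample contexts (not real Menuva data).
const sampleSearch = {
  restaurantSlug: 'example-cafe',
  query: 'gluten free pasta',
  results: [{ id: 'm1' }, { id: 'm2' }],
  coords: { lat: 52.38, lng: -1.56 },
};
const sampleCustomization = {
  restaurantSlug: 'example-cafe',
  customizationId: 'spice-level',
  optionId: 'extra-hot',
};
const sampleDietary = { isSettingsMode: false, selections: ['vegan', 'nut-allergy'] };
```

The guard is deliberately the last step before the SDK call, so a future event added elsewhere in the code base still cannot carry a forbidden key without failing loudly in development.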

3.C.7 Device and technical data. Firebase Analytics and Google Analytics process device and app information and identifiers used for measurement (for example, an app-instance identifier), plus technical data that may be processed by the analytics provider to deliver the service securely and reliably (such as IP address and request metadata).

3.C.8 Ad features. Ad storage, ad user data, and ad personalization are all disabled by default in both the App and the Website. We do not collect the advertising identifier (IDFA), do not use tracking based on App Tracking Transparency (ATT), and do not use analytics for cross-app or cross-site advertising.

3.C.9 Outbound link tracking. When you click a link to an external website, the link URL and link text (up to 100 characters) are recorded in analytics to understand which external resources are useful.

D. Feedback (optional, Website)

3.D.1 If you submit feedback at menuva.co.uk/feedback, your submission may include:

  • your responses, and
  • optional contact details (only if you choose to provide them).

3.D.2 If you include contact details, they are personal data.

E. Technical and network data (Service delivery)

3.E.1 When your device or browser connects to Firebase/Google infrastructure to fetch menus and images, technical data such as IP address and request metadata may be processed by service providers to deliver content, maintain security, and prevent abuse.

3.E.2 The App connects to our servers to check for service announcements (such as maintenance notices or new feature alerts). No personal data beyond the technical data described in Section 3.E.1 is sent in these requests.

F. Website analytics (Google Analytics)

3.F.1 The Website runs Google Analytics (GA4) to measure page views and menu interactions. The Website collects a subset of the analytics events described in Section 3.C above. Features that are specific to the App (such as onboarding, map interactions, and on-device preferences) are not collected on the Website.

3.F.2 GitHub Pages (our hosting provider, operated by GitHub, Inc., a subsidiary of Microsoft Corporation) may also process technical log data (IP address and request metadata) to deliver the Website securely.

3.F.3 Website-specific events. On the Website, we additionally track: page views and content views (with referrer URL), redirect page visits for marketing attribution (which QR codes and campaigns drive traffic, including UTM parameters), 404 error page hits, outbound link clicks (as described in Section 3.C.9), menu scroll depth, and the "Sort by Distance" toggle events on the menus page (toggle state on/off; on failure, the browser's error code and a short truncated error message - never coordinates). We do not log search queries, dietary or allergen filter selections, or any personal identifiers.

G. Cookies and similar technologies

3.G.1 We use the following technologies to store or access information on your device:

  • Google Analytics cookies (_ga, _ga_*): set by Google to distinguish unique users and maintain session state. These are analytics cookies and require your consent or opt-out acknowledgement.
  • Google reCAPTCHA cookie (_GRECAPTCHA): set by Google reCAPTCHA v3 on the menus page for bot detection and security. reCAPTCHA also analyses browser behaviour and device signals beyond the cookie itself (see Section 6.A.3). We treat this as strictly necessary for protecting our backend services from abuse. From April 2026, Menuva is the data controller for reCAPTCHA data processed on the Website.
  • Local storage: We store language preference, analytics opt-out choice, cached menu data, and cached page content in your browser's localStorage for performance and functionality. These do not track you and are strictly necessary for the Service to function.

3.G.2 The legal basis for storing analytics cookies on your device is the statistical analysis exception under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), Schedule A1, paragraph 5 (inserted by the Data (Use and Access) Act 2025, s.112). The legal basis for processing the resulting analytics data under the UK GDPR is legitimate interests (Article 6(1)(f)). See Section 5 below.

3.G.3 For a full list of technologies used, see our Cookie Policy.

3.G.4 Under the DUAA 2025 statistical analysis exception, we confirm that: (a) analytics cookies are used solely for statistical measurement to improve the Service; (b) the resulting information is aggregate and cannot be used to identify individuals; (c) analytics data is not shared with third parties except Google as our analytics provider assisting with service improvements; and (d) Google's data sharing for products and services is disabled in our analytics configuration. You may opt out of analytics at any time using the toggle in the website footer.

H. On-device browser storage

3.H.1 We store the following in your browser's local storage for functionality and performance: your language preference, your analytics opt-out choice, cached menu data and page content (to reduce loading times), whether you have dismissed the ordering disclaimer, and whether you have enabled the "Sort by Distance" toggle on the menus page (a single on/off flag, no coordinates). A temporary navigation hint is stored in sessionStorage and is automatically cleared when you close the browser tab.

3.H.2 None of this data is transmitted to our servers or shared with third parties. It is deleted when you clear your browser data.

I. Consent records (App only)

3.I.1 When you accept the Terms & Conditions and this Privacy Policy in the App, we record the date and time of your acceptance, your device model, operating system version, and app version. This record is currently stored only on your device. We may in future transmit consent records to our servers to maintain auditable records of consent as required by data protection law. We will update this policy before doing so.

J. Currency conversion (App only)

3.J.1 The App fetches current exchange rates from ExchangeRate-API (exchangerate-api.com) to display prices in your preferred currency. Only the requested base currency code is sent. Your IP address is transmitted as part of the network request. Responses are cached on your device for up to 7 days to minimise external requests.

4.1 Across both the App and the Website:

  • no account registration, and no sign-in,
  • no names, emails, or phone numbers unless you voluntarily provide them via feedback or email,
  • no free-text search queries in analytics (only result counts),
  • no specific dietary or allergen selections in analytics (only a boolean flag),
  • no allergen severity information in analytics,
  • no advertising identifier (IDFA) collection, and no ATT-based tracking, and
  • no cross-app or cross-site tracking for advertising.

UK GDPR requires a lawful basis for processing.

Purpose | Data | Lawful basis
Provide nearby venue discovery, load correct menus, and optionally sort the menus page by distance | Precise location (on-device; App and Website) | Consent (you enable iOS location permission in the App, or browser geolocation permission on the Website)
Provide the Service reliably and securely | Technical/network data handled by providers | Legitimate interests (operate a secure, reliable service)
Understand usage and improve the Service | Analytics event data (App and Website) | Legitimate interests (product improvement and pilot evaluation)
Measure menu browsing and order patterns | E-commerce funnel events, engagement metrics | Legitimate interests (product improvement)
Receive and respond to feedback | Feedback content; optional contact details | Consent (you choose what to submit) and/or legitimate interests (improving the Service)
Maintain auditable consent records | Consent event data (App only) | Legitimate interests (UK GDPR Art. 7(1) record-keeping)
Display prices in your preferred currency | IP address (transmitted to API), currency code | Legitimate interests (providing the currency conversion feature you request)

5.2 Balancing test. We have assessed that our legitimate interests in understanding usage patterns for product improvement do not override your rights, given that: analytics data is pseudonymous and does not include personal identifiers; IP addresses are anonymised; you can opt out at any time via the website footer toggle; and we have disabled Google's data sharing features. Our full Legitimate Interests Assessment is documented internally and available on request.

You can withdraw consent for location processing at any time by disabling location permissions in iOS settings (App) or in your browser's site permissions (Website), or by turning off the "Sort by Distance" toggle on the menus page.

To opt out of analytics on the website, use the analytics toggle in the footer or visit our Cookie Policy. Once opted out, no analytics data will be collected on future visits.
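For the Website, the two statements that ad features are denied by default (Section 3.C.8) and that the footer opt-out stops collection on future visits correspond to a small amount of page bootstrap logic. The JavaScript below is an added example, not Menuva's code: the Consent Mode keys (ad_storage, ad_user_data, ad_personalization, analytics_storage) and the ga-disable-<MEASUREMENT_ID> window property are Google's documented mechanisms; the measurement ID, the localStorage key name, and the win/storage parameters (passed in so the logic can run outside a browser) are placeholders and assumptions.

```javascript
// Added example, not Menuva's code. Consent Mode key names and the
// "ga-disable-<MEASUREMENT_ID>" property are Google's documented mechanisms;
// MEASUREMENT_ID and OPT_OUT_KEY are placeholders chosen for this illustration.
const MEASUREMENT_ID = 'G-XXXXXXXXXX';   // placeholder, not a real property ID
const OPT_OUT_KEY = 'analytics_opt_out'; // assumed localStorage key name

const AD_KEYS = ['ad_storage', 'ad_user_data', 'ad_personalization'];

// Defaults that keep advertising features off while allowing measurement.
function consentDefaults() {
  return {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'granted',
  };
}

// Check a practitioner can run against any consent object: all three
// advertising signals must be explicitly denied.
function adFeaturesDisabled(consent) {
  return AD_KEYS.every((key) => consent[key] === 'denied');
}

function isOptedOut(storage) {
  return storage.getItem(OPT_OUT_KEY) === 'true';
}

// Called by the footer toggle; the choice persists across visits.
function setOptOut(storage, optedOut) {
  storage.setItem(OPT_OUT_KEY, optedOut ? 'true' : 'false');
}

// Bootstraps GA4 on page load. `win` stands in for window and `storage`
// for localStorage so the logic is testable outside a browser.
function initAnalytics(win, storage) {
  if (isOptedOut(storage)) {
    // Google's documented per-property kill switch: gtag sends nothing.
    win[`ga-disable-${MEASUREMENT_ID}`] = true;
    return { loaded: false };
  }
  win.dataLayer = win.dataLayer || [];
  const gtag = function () { win.dataLayer.push(arguments); };
  // The consent default must be queued before the config call so that
  // no hit is sent with advertising signals still undecided.
  gtag('consent', 'default', consentDefaults());
  gtag('js', new Date());
  gtag('config', MEASUREMENT_ID, { send_page_view: true });
  return { loaded: true, queued: win.dataLayer.length };
}
```

In a real page the script tag that loads gtag.js would be inserted only after initAnalytics reports loaded: true, which keeps the opted-out path free of any request to Google at all.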

6.1 We share data only as needed to run the Service.

A. Google Firebase / Google Cloud / Google Analytics

6.A.1 We use Google services:

  • Firebase Storage (menus and images delivery),
  • Firebase Firestore (read-only menu metadata),
  • Firebase Analytics (App usage analytics),
  • Google Analytics / GA4 (Website usage analytics),
  • Firebase App Check (abuse prevention; see Section 6.A.3).

6.A.2 Google processes data as needed to provide and secure these services.

6.A.3 Firebase App Check. We use Firebase App Check to verify that requests to our backend come from genuine instances of the Menuva app or website, preventing automated abuse.

  • On iOS: App Check uses Apple's App Attest, which generates cryptographic device attestation tokens verified by Firebase. These tokens are unique per app installation (not backed up, not synced across devices) and contain no hardware identifiers. Tokens may be retained by Firebase for up to 30 days when replay protection is used.
  • On the Website: App Check uses Google reCAPTCHA v3. reCAPTCHA analyses browser behaviour and device signals (including mouse movement, scroll behaviour, keystroke dynamics, browser fingerprint, and IP address reputation) to verify that requests come from genuine users. See Google's Privacy Policy and reCAPTCHA Terms of Service.

B. Google Forms (feedback)

6.B.1 If you submit feedback via Google Forms, Google processes that submission as the form provider.

C. Apple

6.C.1 Apple processes App Store distribution and provides developers with aggregated App Store metrics.

D. Participating venues (aggregated only)

6.D.1 We may share aggregated pilot reporting with participating venues. We do not share precise location data or per-device analytics.

6.D.2 As of the "Last updated" date, venue partners do not have access to our analytics dashboards. If we enable partner access in the future, we will update this policy first (see Section 12).

6.D.3 We do not sell personal data.

6.2 Sub-processors. Google LLC (Google Analytics / GA4, Firebase Firestore, Firebase Storage, Firebase App Check, Google reCAPTCHA v3, Google Forms), Apple Inc. (App Store Connect analytics), GitHub, Inc. (Microsoft Corporation) (Website hosting via GitHub Pages), ExchangeRate-API (exchangerate-api.com - currency conversion rates). We will update this list if we add or change sub-processors.

7.1 We keep data only as long as needed:

  • Precise location: used on-device on both the App and Website; not stored in our databases. The App may cache the last known location/city on-device until you delete the App or reset preferences. The Website stores only a "Sort by Distance" on/off preference flag in browser localStorage, and no coordinates.
  • On-device preferences and caches: stored locally until you delete the App or clear browser data
  • Analytics (Firebase/GA4): retained for 14 months (per our current analytics retention configuration)
  • Feedback submissions (Google Forms): we periodically review feedback and delete or anonymize it when no longer needed, typically within 24 months, unless we need to keep it longer to resolve issues or for legitimate record-keeping
  • Service-provider logs: may exist within third-party infrastructure for security and operational reasons and are retained per provider configuration

8.1 Our service providers may process data outside the UK, primarily in the United States:

  • Google LLC (Analytics, Firebase, reCAPTCHA, Google Forms): Google is certified under the UK Extension to the EU-US Data Privacy Framework. Google's Data Processing Terms also include UK Standard Contractual Clauses as a fallback mechanism.
  • Apple Inc. (App Store distribution, aggregated metrics): transfers are protected by Standard Contractual Clauses.
  • GitHub, Inc. (Microsoft Corporation) (Website hosting via GitHub Pages): GitHub participates in the UK Extension to the EU-US Data Privacy Framework. GitHub's Data Protection Agreement also includes Standard Contractual Clauses.
  • ExchangeRate-API (exchangerate-api.com): currency conversion rates.

9.1 We use reasonable technical and organizational measures to protect data, including encryption in transit and at rest where supported, and restricted administrative access.

10.1 The Service is intended for users aged 13+. We do not knowingly collect personal data from children under 13. The App does not currently implement age verification.

10.2 For young users and parents. Menuva is designed to be used by anyone aged 13 and over. If you are under 18, please ask a parent or guardian to read this policy with you. In simple terms: we count how many people use Menuva to help us improve it, but we don't know who you are, we don't store your name or email, and we don't share your information with advertisers. You can stop analytics at any time by using the analytics toggle in the footer.

11.1 Depending on your circumstances, you may have the following rights under the UK GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): website ico.org.uk, phone 0303 123 1113, address Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

11.2 Article 11: identification not required. Because the Service does not require identification of data subjects, we may be unable to identify your personal data in our analytics systems. Under UK GDPR Article 11, we are not required to process additional information solely to identify you. If you contact us to exercise your rights, please provide any information that could help us locate your data (for example, the email address you used to submit feedback or the approximate date of your correspondence). Where we cannot identify your data, we will explain why and what steps you can take.

11.3 Exercising your rights. To exercise any right, email hello@menuva.co.uk with the subject line "Data Request." We will respond within one calendar month.

11.4 Objecting to analytics. You can object to analytics processing at any time. On the Website, use the analytics toggle in the footer or visit our Cookie Policy. On the App, use the Analytics toggle in Settings to disable analytics collection. Because analytics is not tied to an account identity, we generally cannot locate or delete past analytics records associated with a specific person.

11.5 Automated decision-making. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

11.6 Provision of data. Providing personal data is not a statutory or contractual requirement. The Service functions fully without analytics. You may opt out at any time.

11.7 Data breach notification. In the event of a personal data breach, we will notify the ICO within 72 hours where required under UK GDPR Article 33 and inform affected individuals without undue delay where there is a high risk to their rights and freedoms (Article 34). Where a breach involves data subject to the Privacy and Electronic Communications Regulations 2003 (PECR), we will also comply with the PECR breach notification requirements.

12.1 If we change how we process data (for example, adding new analytics events or SDKs, introducing user accounts, changing analytics retention settings, or expanding who can access analytics dashboards), we will update this policy and, where appropriate, provide in-app or Website notice. Apple also requires keeping App Privacy disclosures accurate.

12.2 Version history.

Date | Summary
20 April 2026 | Disclosed the new Website "Sort by Distance" toggle on the menus page: location is read via browser geolocation, processed on-device only, never transmitted off-device; only an on/off preference flag is stored in browser localStorage; analytics records toggle state and (on failure) error code and short error message, never coordinates.
22 March 2026 | Added cookie/tracking disclosures, sub-processor list, international transfer details, DUAA statistical exception conditions, expanded children's section, data breach notification, automated decision-making statement, data subject rights reframed under Art. 11, analytics opt-out mechanism, PECR breach notification reference, platform differences summary.
12 January 2026 | Initial version.

14.1 For complaints about how we handle your data, see our Complaints Procedure, which also explains how to escalate to the ICO under UK GDPR Article 77.