Legal

Privacy Policy

Last updated: 07 June 2026

1. Who We Are

TheMenu - Product of Byon Media (Pty) Ltd ("TheMenu", "we", "us", "our") is the responsible party as defined under the Protection of Personal Information Act 4 of 2013 (POPIA). We operate the TheMenu platform, which provides digital menu management, QR code generation, analytics, and an advertising network to South African restaurants and hospitality businesses.

Our Information Officer can be contacted at: info@byonmedia.com

2. Information We Collect

We collect and process the following categories of personal information:

2.1 Restaurant Account Holders

  • Name and surname of the account holder
  • Business name, address, and province
  • Email address and phone number
  • Billing information (processed via our payment provider — we do not store card details)
  • Login credentials (passwords are hashed and never stored in plain text)
  • Menu content you create and upload, including images

2.2 Visitors to Public Menu Pages

  • Device type, operating system, and browser type
  • IP address (used only for geo-targeting of ads and aggregate analytics — not stored against a personal identity)
  • Pages and menu items viewed, and time spent on each
  • QR code scan events (timestamp and approximate location by city)
  • Clicks on social media links embedded on the menu page

2.3 Advertisers

  • Contact details of the advertising representative
  • Business information and billing details
  • Ad creative content and targeting preferences

3. How We Use Your Information

We process personal information only for the purposes for which it was collected or for a compatible purpose. Specifically:

  • Service delivery: To create and manage your restaurant account, host your menu page, generate QR codes, and provide your analytics dashboard.
  • Billing and payments: To process your subscription and issue invoices.
  • Analytics: To provide you with menu view statistics, QR scan data, and social click tracking in your dashboard.
  • Advertising: On the Standard (Ads Enabled) plan, anonymous visitor location data (city/province) is used to serve geo-targeted advertisements from our South African ad network. We do not sell or share identifiable visitor data with advertisers.
  • Service communications: To send you account notices, security alerts, and updates about the platform. These are not optional while you hold an active account.
  • Marketing: To send you news and promotional materials — only with your consent. You may opt out at any time by clicking "Unsubscribe" in any marketing email.
  • Legal compliance: To comply with applicable South African law, respond to lawful requests from public authorities, and enforce our Terms of Service.

4. Legal Basis for Processing

Under POPIA, we process your personal information on the following grounds:

  • Contract: Processing is necessary to perform our services under our subscription agreement with you.
  • Consent: For marketing communications and the placement of non-essential cookies.
  • Legitimate interest: For analytics, fraud prevention, and platform security, where your interests and fundamental rights do not override ours.
  • Legal obligation: Where processing is required by South African law.

5. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Essential cookies: Required for the platform to function (e.g., session management, login state). These cannot be disabled.
  • Analytics cookies: Used to count menu page views and QR scan events. Data is aggregated and not linked to identifiable individuals.
  • Advertising cookies: Used on Standard plan menu pages to serve geo-targeted ads. These may be set by our advertising partners and are subject to their own privacy policies.

You may control non-essential cookies through your browser settings. Disabling cookies may affect the functionality of the public menu pages.

6. Sharing of Personal Information

We do not sell your personal information. We share it only in the following circumstances:

  • Service providers (operators): Hosting providers, payment processors, and email delivery services who process data on our behalf under written data processing agreements.
  • Advertisers: Only aggregated, non-identifiable audience data (e.g., "1 240 views in Cape Town this week") is shared with advertising partners. No personal details of menu visitors are disclosed.
  • Legal requirements: Where we are required to disclose information by a court order, law, or regulatory authority.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you via email before this occurs.

7. International Transfers

Our platform is hosted in South Africa. Where we use third-party services that process data outside of South Africa (such as cloud infrastructure or email services), we ensure that adequate safeguards are in place as required by POPIA, including contractual protections with those parties.

8. Data Retention

  • Active accounts: We retain your personal information for the duration of your subscription plus 5 years for tax and accounting purposes.
  • Cancelled accounts: Account data is deleted or anonymised within 90 days of cancellation, except where retention is required by law.
  • Menu visitor analytics: Aggregated analytics data is retained for up to 24 months. Raw event logs are retained for 90 days.
  • Marketing data: Retained until you opt out or withdraw consent.

9. Security

We implement appropriate technical and organisational measures to protect your personal information against loss, unauthorised access, disclosure, or destruction. These include password hashing, encrypted data transmission (HTTPS), restricted access controls, and regular security reviews. However, no system is completely secure — please use a strong, unique password for your TheMenu account.

10. Your Rights Under POPIA

As a data subject under POPIA, you have the right to:

  • Access: Request confirmation of whether we hold your personal information and receive a copy of it.
  • Correction: Request that we correct or update inaccurate or incomplete personal information.
  • Deletion: Request the deletion of your personal information where it is no longer necessary for the purpose it was collected, subject to our legal obligations.
  • Objection: Object to processing based on our legitimate interests.
  • Withdrawal of consent: Withdraw consent for processing at any time where consent is the legal basis, without affecting the lawfulness of prior processing.
  • Complaints: Lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za if you believe we have violated your rights.

To exercise any of these rights, email our Information Officer at info@byonmedia.com. We will respond within 30 days.

11. Children's Privacy

Our platform is intended for use by businesses and persons aged 18 and over. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected such information, please contact us immediately.

12. Third-Party Links

Public menu pages may include links to restaurants' social media profiles and third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies before providing any personal information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top and, where changes are material, notify registered account holders by email at least 14 days before the changes take effect.

14. Contact Us

For any privacy-related queries, requests, or complaints: