This Privacy Notice explains how Hassam Hameed ("we", "us", "our"), operating Hambal Menu (the "Service"), collects and uses personal data. We act as the data controller for personal data about restaurant operators who sign up for the Service. For data uploaded into a restaurant's menu workspace about its own diners and staff, we act as a processor on that restaurant's behalf.
1. What we collect
- Account data — name, email, password hash, language preference.
- Restaurant data — restaurant name, menu content, images, social links and other content you upload.
- Support messages — what you send us when contacting support.
- Usage & telemetry — pages visited, features used, errors and diagnostics.
- Device & log data — IP address, browser, operating system, timestamps.
- Diner feedback — name, email and rating submitted by your diners through your published menu.
Payment card details are collected and processed directly by Paddle. We never see or store your full card number.
2. Why we use it
- Create and operate your account (legal basis: contract).
- Provide the Service, including AI extraction and publishing of your menus (contract).
- Bill subscriptions and prevent fraud (contract, legitimate interests).
- Respond to support requests (contract, legitimate interests).
- Improve product quality and security (legitimate interests).
- Send service announcements and, with your consent where required, marketing (consent / legitimate interests).
- Comply with legal obligations such as tax and accounting (legal obligation).
3. Who we share it with
- Merchant of Record (Paddle) — for sale of the product, subscription management, payments, tax compliance, invoicing and refunds.
- Service providers / subprocessors — hosting, database, email delivery, analytics, error monitoring, and AI inference providers used to power menu extraction and assistant features.
- Professional advisers — legal, accounting and similar advisers, under confidentiality.
- Authorities — where required by law, court order, or to protect rights and safety.
We do not sell personal data.
4. International transfers
Our subprocessors may host or process data outside your country, including in the United States and the European Economic Area. Where personal data is transferred out of the UK or EEA, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.
5. Retention
We keep personal data only as long as needed for the purposes above or as required by law. Account and restaurant content is retained while your account is active and for a reasonable period after closure so you can re-activate or export it; after that we delete or anonymise it. Billing records are kept for the period required by applicable tax law.
6. Your rights
Depending on your country, you may have the right to access, rectify, erase, restrict or object to processing of your personal data, to portability, and to withdraw consent at any time. UK and EEA users additionally have these rights under the UK GDPR / GDPR and the right to lodge a complaint with their supervisory authority. We aim to respond to requests within one month. To exercise your rights, contact us using the details in section 9.
7. Security
We use appropriate technical and organisational measures to protect personal data, including encryption in transit, role-based access controls and audit logging. No system is perfectly secure; if you believe your account has been compromised, please contact us immediately.
8. Cookies
We use strictly necessary cookies and similar technologies to keep you signed in and to remember preferences. We may use a small number of analytics cookies to understand product usage. You can control cookies through your browser settings. Where required by law, we will ask for your consent before setting non-essential cookies.
9. Contact
Data controller: Hassam Hameed, operating Hambal Menu. For privacy questions or to exercise your rights, contact us via the in-app support channel or at the contact address listed on our website. You can also read our Terms of Service and Refund Policy.