This Privacy Policy (the “Policy”) describes the personal data that 3D Menu Studio collects, the purposes and legal bases on which we process it, the recipients to whom it may be disclosed, and the rights available to data subjects. It applies to the website 3dmenustudio.com and related services. 3D Menu Studio acts as the data controller that determines the purposes and means of processing. In respect of the materials a restaurant Client provides to us to build the menu, we act as a processor on the Client’s behalf; on request we enter into a data processing agreement (DPA).
1. Categories of data we process
We process the following categories of personal data:
- identification and contact data — name, venue name, email address, telephone number, and other contact details provided when you contact us, register, or correspond with us;
- materials submitted for the provision of the service — images, texts, logo, and other brand materials;
- payment information — processed by our payment services provider; we do not store or have access to full card details and receive only the status and amount of a transaction;
- technical data — anonymized information about site visits and technical identifiers necessary for the operation of the site;
- menu visitor data (restaurant guests) — when a guest opens the AR menu via a QR code, we process device and browser technical data, IP address, and anonymized menu-interaction analytics.
2. Purposes of processing
We process personal data for the following purposes:
- to provide the service and perform our contract with you;
- to communicate with you, agree terms, and provide support;
- to receive and record payments;
- to ensure security and prevent fraud and abuse;
- to improve the site and services;
- to comply with applicable legal obligations.
3. Legal bases for processing
Processing is carried out on the following bases: performance of a contract; the data subject’s consent (in particular for marketing communications); our legitimate interests (security, fraud prevention, and improvement of the services); and compliance with legal obligations.
4. Disclosure to third parties
We do not sell personal data or disclose it to third parties in exchange for consideration. Data may be disclosed to the following categories of recipients acting on our behalf under appropriate agreements:
- Stripe — payment processing (US, EU);
- Vercel — website and application hosting (US);
- Supabase — database, authentication and storage (EU/US depending on project region);
- Cloudflare R2 and BunnyCDN — storage and delivery of images and 3D models;
- Resend — transactional email (signup confirmation, password reset);
- a web-analytics provider — anonymized visit statistics.
Data may also be disclosed to competent authorities where required by applicable law.
5. Retention
We retain personal data no longer than necessary for the purposes of processing and legal requirements. Indicative periods: contact data and Client materials — for the term of the contract and up to 10 years after it ends (tax and accounting records); payment statuses — for the periods set by our payment provider and tax law; technical data and anonymized analytics — typically up to 26 months; marketing data — until you withdraw consent. After these periods the data is deleted or anonymized.
6. Security
We maintain organizational, technical, and administrative measures designed to protect personal data against unauthorized access, loss, alteration, and misuse. Data is transmitted to and from the site over a secure protocol (HTTPS), and payment processing is performed by a PCI-DSS-compliant provider.
7. Cookies and similar technologies
The site uses strictly necessary files and browser local storage, together with anonymized analytics. Where required by applicable law, such processing is carried out with your consent. You can accept or decline anonymized analytics via the consent banner shown on your first visit. You may restrict these technologies in your browser settings; certain features of the site may then become unavailable.
8. Rights of the data subject
You have the right to request access to your personal data, its rectification or deletion, to restrict or object to its processing, to receive a copy of your data in a structured, machine-readable format, and to withdraw any consent previously given. You also have the right to lodge a complaint with the competent supervisory authority (for example, the PDPC in Thailand, the ICO in the UK, or the relevant EU data-protection authority). To exercise these rights, send a request to 3dmenustudio@gmail.com. We address such requests within a reasonable time, normally within 30 days.
9. International transfers
Personal data may be processed outside your country of residence, including in the US and the EU (our providers include Stripe, Vercel, Supabase, Cloudflare, Resend). For transfers from the EEA and the UK we rely on Standard Contractual Clauses (SCC) and, for the UK, the UK IDTA/Addendum; for transfers from Thailand and other jurisdictions we apply appropriate safeguards under the applicable data-protection law (including the PDPA).
10. Minors
The service is intended for businesses and sole proprietors and is not directed to minors. We do not knowingly collect the data of minors.
11. Changes to this Policy
We may update this Policy from time to time. The current version is published on this page with the date of the last update. We will notify you of material changes where required by applicable law.
12. Contact
For matters concerning the processing of personal data: 3dmenustudio@gmail.com.
See also our Terms of Service and Refund & Cancellation Policy.