Privacy Policy

Last Updated: February 2026

1. Introduction and Scope

Techstack sp. z o.o. ("Techstack," "we," "us," or "our") operates the Menu-Ready service (available at menu-ready.com). We are committed to protecting your privacy and handling all personal information responsibly and in accordance with the law – in particular with the EU General Data Protection Regulation (GDPR). This Privacy Policy explains what data we collect from users worldwide, how we use and protect that data, and the rights you have. It applies to all users of the Menu-Ready website and image enhancement services globally, regardless of your location. By using our service, you agree to the practices described in this Policy. If anything in this Policy seems unclear, please contact us using the information in the Contact Information section below.

2. What Data We Collect

We only collect personal data that is necessary to provide our one-time image processing services and to operate our platform. This includes:

  • Account/Contact Information: If you create an account or place an order, we may collect personal details such as your name, email address, and any contact details you provide. This information is used to identify you, communicate with you (for example, to send order confirmations or deliver enhanced images), and provide customer support.
  • Payment Information: When you make a purchase, your payment is processed by a trusted third-party payment processor (e.g. Stripe or a similar provider). We do not receive or store your full credit card details. For instance, our payment processor will collect your payment card number, billing address, and transaction amount to process the payment, but we only retain records of the transaction (such as an order ID and payment status). All payment transactions are transmitted securely and handled in accordance with the payment processor's privacy policy.
  • Uploaded Images: When you use Menu-Ready, you will upload images of food (or other graphics) to be enhanced. We temporarily store and process these images and the resulting enhanced images to fulfill your request. The images you upload may be considered personal data if they contain information about an identifiable individual (for example, if a person appears in a photo). We treat all uploaded content as private and confidential.
  • Usage Data and Logs: Like most online services, we automatically collect certain technical information about your device and how you interact with our site. This includes your IP address, browser type, operating system, referring URL, pages viewed, date/time of visits, and other usage details. We also use cookies or similar technologies to remember your preferences and enhance user experience (for example, to keep you logged in or to understand how you use our site). You can control cookies through your browser settings; however, disabling cookies may affect some functionality of our service.
  • Customer Support Communications: If you contact us for support or with inquiries, we will collect the information you choose to give us (such as your email address and the content of your message) in order to respond to you and resolve any issues.

We do not collect any sensitive personal data that is not necessary for providing our service. In particular, we do not intentionally collect information about your race, religion, health, or other special categories through this service. We also do not knowingly collect any personal information from children (see Children's Privacy below).

3. How We Use Your Data

We use the collected data strictly for the following purposes, in line with international privacy standards and only as necessary to serve you:

  • Providing and Improving the Service: We process your personal data (such as your uploaded images and account info) to generate enhanced images as requested and to deliver the final results to you. This includes using your images and associated data to run the enhancement algorithms and return the processed images back to you. We may also analyze usage patterns (e.g. which features are used most) and feedback to improve our service, develop new features, and enhance the quality of our image processing algorithms. Any analysis for improvement is typically done on an aggregated or de-identified basis without identifying individual users.
  • Order Processing and Payment: We use your contact and payment information to process transactions and fulfill your one-time purchase. For example, we use your payment details to charge you for the service requested, and your email address to send you an order confirmation or receipt. Payment processing is performed by our third-party payment provider, which also uses the data to prevent fraud and ensure secure payment (e.g. verifying that the transaction is not fraudulent).
  • Communication and Customer Support: We use your email or other contact info to communicate with you about your order and our services. This includes sending you status updates (such as notification when your enhanced images are ready for download), answering your questions, responding to support requests, and sending necessary technical or administrative messages (for example, if we update our terms or privacy policy). We will not send you promotional or marketing emails unless you have explicitly agreed to them. If you do opt in to receive marketing communications, you can opt out at any time.
  • Legal Compliance and Security: We may process and retain certain data to comply with our legal obligations and to ensure the security and integrity of our platform. For instance, we keep transaction records for accounting/tax purposes and to meet financial record-keeping laws. We also may use log and device information to detect, prevent, and address fraud, abuse, or security issues (for example, to identify and block malicious activity on our site). This is part of our legitimate interest in maintaining a safe and lawful service. If necessary, we could use personal data to enforce our terms of service or to defend against legal claims.

We will not use your personal data for any purposes incompatible with those described above without first obtaining your consent. In particular, we do not sell your personal information to third parties, and we do not use your data for any automated decision-making or profiling that has legal or similarly significant effects on you.

4. Legal Bases for Processing (GDPR Compliance)

For users in the European Economic Area (EEA) or where GDPR or similar laws apply, we process personal data only when we have a valid legal basis. The legal grounds on which we rely include:

  • Performance of a Contract (Article 6(1)(b) GDPR): Most of our data processing is necessary to provide the service that you request. When you upload images and pay for our service, a contract is formed for us to enhance those images. We must process your images, payment information, and contact details to fulfill our obligations under that contract (i.e. deliver the service and processed images to you). Without this data, we cannot perform the service.
  • Your Consent (Article 6(1)(a) GDPR): We will ask for your consent in situations where it's required. For example, if we ever wish to use your email to send you marketing materials, or if we wanted to retain your uploaded images for a purpose beyond the original service (such as featuring before/after examples on our site), we would only do so with your explicit consent (and you are free to decline). Where consent is the legal basis, you have the right to withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of any processing that occurred before your withdrawal.
  • Legal Obligation (Article 6(1)(c) GDPR): In some cases we need to process certain data to comply with laws. For instance, we retain transaction records and related personal data as required by tax laws, accounting rules, or other regulations. We may also be legally obliged to provide information to authorities if properly required (e.g., for law enforcement investigations), in which case we will only disclose data to the extent required by law.
  • Legitimate Interests (Article 6(1)(f) GDPR): We may process your data as necessary for our legitimate interests, provided those interests are not overridden by your data protection rights. Our legitimate interests include: maintaining and improving our service (e.g. using aggregated usage data to troubleshoot and optimize features), ensuring IT and network security, preventing fraud/abuse, and communicating with you to support your experience. When we rely on legitimate interests, we apply appropriate safeguards to protect your privacy, and you have the right to object to such processing as described in the Your Rights and Choices section.

We will clearly inform you of the legal basis for processing your data where required. If more than one legal basis applies, we rely on all relevant bases to the extent applicable. For example, the act of processing an order involves contract necessity, but retaining the record afterward might be both a legal obligation and in our legitimate interest for business record-keeping.

5. Data Sharing and Disclosure

We treat your personal data with care and confidentiality. We do not sell or rent your personal information to third parties for their own marketing or other purposes. However, we do share certain information with trusted third parties in the following scenarios, but always under strict safeguards and only to the extent necessary:

  • Service Providers: We use third-party companies to help us operate the Menu-Ready service and fulfill your requests. This includes:
    • Payment Processors: As noted, a payment processing company (e.g. Stripe) handles credit card transactions on our behalf. They receive the necessary payment details to process your payment securely. These processors are PCI-DSS compliant and are responsible for safeguarding your payment information according to industry standards.
    • Cloud Hosting and Storage: We may store data (including your images and account data) on third-party cloud servers or use cloud computing services to process images. These hosting providers have access to the data stored on their infrastructure but only for the purpose of storage and retrieval; they are not allowed to use your data for any other purpose. We choose reputable providers with strong security practices (for example, data centers that are ISO 27001 certified or similar).
    • Image Processing Tools: In some cases, we might utilize third-party algorithms or AI services to enhance images. If so, we would send the image data to those processing services only for the purpose of fulfilling your requested enhancement.
    • Analytics and Performance Monitoring: We may use third-party analytics services (such as Google Analytics or similar) to collect usage data and analyze how users interact with our website. This helps us understand traffic patterns and improve the user experience. These analytics providers might set cookies or use similar identifiers to gather information on our behalf (e.g., page views, click events). Any data shared with analytics partners is aggregated or pseudonymized; we do not share personally identifying information for analytics purposes.
    • Email/Communication Tools: If we send emails or support communications, we might use an email delivery service or customer support platform that processes your contact info and correspondence. They only use this data under our instructions to send emails or manage support tickets.

All our service providers are bound by confidentiality and data protection obligations. They are only permitted to process your data for the purposes we specify, and they must protect it in line with this Privacy Policy and applicable law. We aim to have data processing agreements in place with all processors as required by GDPR, ensuring they provide equivalent protection for personal data.

  • Business Transfers: If Techstack (or the Menu-Ready service) is involved in a merger, acquisition, bankruptcy, or sale of all or part of its assets, your data may be transferred to the successor or acquiring entity as part of that transaction. If such a transfer occurs, we will ensure the new owner understands that they must honor the commitments we have made in this Privacy Policy. We will notify you (for example, via email or a prominent notice on our site) of any change in ownership or use of your personal data, as well as any choices you may have regarding your personal data in such an event.
  • Legal Compliance and Protection: We may disclose personal information to courts, law enforcement or regulatory authorities, or other competent bodies when we believe disclosure is necessary to comply with a legal obligation or valid legal process (such as a subpoena or court order). We may also disclose data if we believe it is necessary to prevent fraud or abuse, to enforce our terms of service, or to protect the rights, property, or safety of Techstack, our users, or the public. This includes exchanging information with other companies and organizations for fraud prevention or investigating security threats. We will only disclose the minimum data necessary in such cases and will, where legally possible, inform you of such disclosures.

Aside from the scenarios above, we will not share your personal data with third parties unless you give us specific permission to do so. If we ever propose to share your data for any new purpose not covered in this Policy, we will notify you and obtain your consent when required.

6. Data Retention Policy

We will retain your personal data only for as long as necessary to fulfill the purposes outlined in this Policy, and to comply with legal or business obligations. In practice, this means:

  • Uploaded Images: We understand that the images you upload may be sensitive to you or your business. Our policy is to retain uploaded images and the enhanced results for as long as they remain stored in your account. We do not automatically delete uploaded or processed images after any fixed period. Instead, you are given full control over your image storage: you may choose to delete any uploaded or enhanced images at any time directly from your account interface. If you request deletion of an image (or your account) via our platform or support, we will promptly remove those images from our active systems. Backups or cached copies might persist for a short additional period, but will be purged according to our regular cleanup cycles and policies. We do not use your uploaded images for any purpose other than providing the service, unless you explicitly allow us (e.g., for testimonials or demos, with your consent).
  • Account and Contact Information: If you create an account, we retain your account data (such as your name, email, and password) for as long as your account remains active. You can delete your account at any time, which will remove or anonymize personal information associated with your profile (though data like transaction records may be retained if required for legal reasons). If you do not have an account and only provided contact information for an order, we retain that information as long as needed to provide services and handle any post-order support, and for a reasonable period thereafter in case you return or have follow-up inquiries.
  • Payment and Transaction Records: We retain records of transactions (e.g., invoices, payment confirmation, and related billing details) to fulfill legal and financial obligations. These records are kept for the period required by applicable law (for example, tax and accounting laws may require us to keep invoices and payment records for a number of years, such as 5–7 years in many jurisdictions). Note that these records may include personal data such as your name, email, billing address, and purchase history. We safeguard this information and limit its use to compliance and financial record-keeping purposes.
  • Usage Data and Logs: Usage data (like server logs or analytics data) is typically retained for a shorter period, generally for internal analysis and security monitoring. We may keep logs for 12 months (or another reasonable duration) to analyze site performance and investigate any technical issues or security incidents. If such data is used for analytics, we may retain aggregate (non-identifiable) information longer to identify long-term trends, but this will not include anything that personally identifies you.
  • Backups: Our systems may keep backup copies of data (including personal data) for disaster recovery purposes. These backups are securely stored and are retained only for a limited time according to our backup retention schedule. When backups expire, they are deleted or overwritten. If we restore data from a backup due to a system issue, we will make sure that any data previously deleted (per your request or our policy) is not unexpectedly restored.

When we no longer need personal data for the purposes for which it was collected, we will either delete it or anonymize it so it can no longer be associated with an identifiable individual. We periodically review the data we hold and erase or anonymize personal data that is no longer necessary. If there is any data that we are unable to completely delete from our systems (for example, data stored in long-term backups), we will continue to protect that data and isolate it from active use until deletion is possible.

7. Data Security Measures

We take the security of your personal data very seriously. Techstack has implemented a variety of technical and organizational measures to protect your information from unauthorized access, disclosure, alteration, or destruction. These measures include:

  • Encryption: All data transmitted between your browser and our service is protected using encryption protocols such as SSL/TLS. This means that when you upload images or enter personal details on our site, the information is encrypted in transit to prevent eavesdropping. We also encrypt sensitive data at rest in our databases or storage systems whenever feasible (for example, hashed passwords, encrypted keys, and, in some cases, encrypted stored files).
  • Access Controls: We limit access to personal data to only those employees, contractors, and service providers who need it to operate or improve our service. Access to internal systems is protected by strong authentication (e.g., passwords, two-factor authentication) and is logged and monitored. All personnel who handle personal data are bound by confidentiality obligations.
  • Infrastructure Security: Our servers are hosted in secure data centers which employ industry-standard security practices including firewalls, intrusion detection systems, and regular monitoring. We keep our software and infrastructure updated with the latest security patches to guard against vulnerabilities. Regular data backups are performed to ensure data integrity and business continuity.
  • Testing and Assessments: We periodically test and evaluate the effectiveness of our security measures. This may include routine security scans, penetration testing by security experts, and internal reviews of our practices. We also maintain an incident response plan to address any security breaches swiftly and effectively, should one occur.
  • Payment Security: For financial transactions, our integrated payment processor handles sensitive payment information and is fully PCI DSS compliant. We never store your full credit card details on our systems to reduce risk.

While we strive to protect your data with a high standard of care, please be aware that no method of transmission over the Internet or method of electronic storage is 100% secure. Thus, we cannot guarantee absolute security of your information. However, we continuously work to improve our safeguards and will promptly notify you (in accordance with applicable laws) if we discover any reportable security breach that compromises your personal data. We also encourage you to use a strong, unique password for any account and to contact us immediately if you suspect any unauthorized access to your account or information.

8. Your Rights and Choices

You have significant rights regarding your personal data. Techstack is committed to honoring these rights and providing you with control over your information, regardless of where you are located. In particular, if you are in the EU or a region with similar data protection laws, you have the following data subject rights (as outlined in GDPR Chapter 3):

  • Right to Access: You have the right to request a copy of the personal data we hold about you. Upon verification of your identity, we will provide you with a summary of your information, and an explanation of how we use it, within the timeframe required by law (usually within one month).
  • Right to Rectification: If any of your personal information is incorrect or incomplete, you have the right to request that we correct or update it. For example, if you change your email address or notice an error in your profile information, you can ask us to fix it. We encourage you to keep your information up-to-date and will promptly make requested corrections.
  • Right to Erasure: You have the right to request deletion of your personal data in certain circumstances. This "right to be forgotten" means we will erase personal data at your request if it is no longer needed for the purpose it was collected, or if you have withdrawn consent (where consent was the basis) or successfully objected to processing, or if we are required to delete it to comply with a legal obligation. Please note that we might retain certain information if we have a compelling legal reason to do so (for example, we cannot immediately delete data that is required for an ongoing contractual obligation or legal compliance; in such cases we will inform you). When we delete data, it will be removed from our active systems and backups will be updated in the next scheduled cycle.
  • Right to Restrict Processing: You have the right to ask us to limit or "pause" the processing of your data in certain scenarios (for instance, while a data accuracy issue or an objection request is being resolved). If you exercise this right, we will mark the affected data and ensure it is only processed for specific purposes (such as storage or to comply with legal requirements) unless you consent or the restriction is lifted.
  • Right to Data Portability: For data that you have provided to us and which we process by automated means on the basis of your consent or contract, you have the right to request a copy in a structured, commonly used, machine-readable format (for example, a JSON or CSV file). You also have the right to request that we transmit this data directly to another service provider, where technically feasible. Data portability supports your ability to move to other services if you choose.
  • Right to Object: You have the right to object to our processing of your personal data when that processing is based on our legitimate interests (or those of a third party) and you feel it impacts your rights and freedoms. If you lodge an objection, we will evaluate whether our legitimate grounds for using your data override your rights, and if not, we will cease the processing in question. Where your personal data is used for direct marketing purposes, you have an absolute right to object at any time and we will stop using your data for that purpose upon request. (Note: As of now, we do not use your data for direct marketing without consent.)
  • Right to Withdraw Consent: If we are processing any of your personal data based on your consent, you have the right to withdraw that consent at any time. For example, if you consented to receive promotional emails, you can opt out later by clicking "unsubscribe" or contacting us. If you consented to a particular use of your images or data, you can change your mind and we will stop that use. Withdrawing consent will not affect the legality of processing we conducted prior to your withdrawal.
  • Right to be Informed: You have the right to clear and transparent information about how we use your data – which is exactly the purpose of this Privacy Policy. We aim to provide all required details about our data practices here. If you have any questions about how we handle your data, please reach out to us and we will be happy to provide more information.

To exercise any of your rights, please contact us at our privacy contact email provided below. We will respond to your request as soon as possible and within any timeframe mandated by applicable law. Please note that for security, we may need to verify your identity before fulfilling certain requests (such as access or deletion requests) to ensure that your data is not disclosed to someone impersonating you.

We will not charge you for making a request or exercising your rights, unless the requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse the request, as permitted by law). We will inform you of the outcome of your request or if any exemptions apply that allow us to retain or continue processing certain data (for example, if fulfilling your erasure request is not possible because of a legal obligation to keep records).

In addition to the rights above, please note: We do not engage in "selling" personal information as defined under laws like the California Consumer Privacy Act (CCPA), and we do not share personal data with third parties for their direct marketing purposes without your consent. If you are a California resident, you may have additional rights (such as the right to know specific details of data we hold, or rights under the "Shine the Light" law), but any such rights are essentially covered by the broader rights already described above. We also affirm that we will not discriminate against you for exercising any privacy rights (for example, we will not deny you service or charge different prices simply because you made a data request, in accordance with applicable laws).

Right to Lodge a Complaint: If you believe your privacy rights have been violated or you are dissatisfied with our handling of your personal data, you have the right to lodge a complaint with a supervisory data protection authority. If you are in the European Union, this would be the Data Protection Authority in the country of your residence or where Techstack is established (in Poland, the supervisory authority is the President of the Personal Data Protection Office). We would, however, appreciate the chance to address your concerns before you approach a regulator, so please consider reaching out to us first. We will do our best to resolve any issue to your satisfaction. (European users are reminded that they can also contact their local Data Protection Authority for advice or to file a complaint.)

9. International Data Transfers

Menu-Ready is a global service – users can access it from anywhere in the world. Data you provide will likely be transferred to, and stored on, servers located in countries different from your own. Primarily, your data will be processed in the European Union (EU) (since Techstack is based in the EU), but it may also be processed or stored in other countries where we or our service providers maintain facilities. For example, if we use a U.S.-based cloud provider or if you're accessing the service from outside the EU, your data might transit through or be stored in the United States or other jurisdictions. Some of these countries may have data protection laws that are different from (and in some cases less protective than) the laws of your country of residence.

However, we take steps to ensure that your personal data remains protected according to the standards of this Privacy Policy wherever it is processed. If you are located in the EU or United Kingdom, for instance, and your personal data is transferred to a country that the European Commission (or UK authorities) has not deemed to have "adequate" data protection laws, we will safeguard the information by one of the following legally recognized mechanisms:

  • Standard Contractual Clauses: We may incorporate the European Commission's Standard Contractual Clauses (SCCs) into our contracts with service providers who process or access EU personal data in a non-EU country. These SCCs are standardized contractual commitments approved by the EU to ensure that personal data continues to receive a level of protection essentially equivalent to EU law when transferred abroad. In other words, the SCCs require the recipient of the data to protect it in line with European privacy standards.
  • Additional Safeguards: In some cases, we may implement supplementary measures on top of SCCs, such as encryption of data in transit and at rest (so even if data were intercepted, it would be unintelligible) and strict access controls. We also carefully assess any government access laws in the destination country to ensure they do not unduly compromise privacy, and if needed, we can adjust our practices or challenge unlawful access requests.
  • Adequacy Decisions: Where applicable, we might rely on an "adequacy decision" by the European Commission, which is a determination that a non-EU country's laws offer adequate protection. For instance, if data is transferred to a country that the EU has recognized as adequate, or if transferred under frameworks like the EU-U.S. Data Privacy Framework (should we utilize services participating in that framework), such transfers are permitted.
  • Consent or Necessary Transfers: In rare cases, we may rely on your explicit consent for a transfer, or transfer data as necessary to perform a contract with you (for example, if you are located in a country and we need to route data there to provide the service you requested). However, we will generally use this only as a last resort when other safeguards are not available, given our commitment to robust data protection.

By using our service or submitting your information, you acknowledge that your data may be transferred to other jurisdictions as described. Rest assured, these transfers are only done in compliance with applicable data protection laws and with appropriate safeguards in place. If you would like more information about our international data transfer practices, or copies of the relevant safeguards (such as SCCs), please contact us.

10. Children's Privacy

Our service is not intended for children under the age of 13, and we do not knowingly collect personal information from children under 13 years old. If you are under 13, you should not use Menu-Ready or provide any information about yourself to us. If we learn that we have inadvertently collected personal data from a child under 13 (or under the applicable minimum age in your jurisdiction, which may be 16 in some regions), we will take prompt steps to delete such information from our records.

Parents or guardians: if you become aware that your child has provided us with personal information without your consent, please contact us immediately so that we can remove the information and terminate any associated account. We encourage parents to be involved in their children's internet usage and to help enforce this Privacy Policy by instructing their children never to provide personal data on this service without permission.

(Note: We also do not specifically market our services to minors. The nature of the Menu-Ready service – professional image enhancement for food/menu images – is generally not of interest to children. However, these provisions are in place to protect minors who may still access the site.)

11. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please do not hesitate to contact us. We are here to help and will respond as promptly as possible.

  • Data Controller: Techstack sp. z o.o. – This is the company responsible for the processing of your personal data in connection with the Menu-Ready service.
  • Contact Email: privacy@menu-ready.com – You can email us here for any privacy-related inquiries or to exercise your rights. (Please include "Privacy Request" in the subject line for faster handling.)

We will do our best to address and resolve any issues brought to our attention. If you contact us by email or mail, please provide sufficient information for us to verify your identity (if you're making a rights request) and to understand the nature of your question or request.

12. Changes to This Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make material changes, we will notify users by posting the updated Policy on this page and updating the "Last updated" date at the top, and/or by providing a more prominent notice (such as a banner or an email notification, if appropriate). We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

Your continued use of Menu-Ready after any changes to this Policy constitutes your acceptance of the updated terms (to the extent permitted by law). If you do not agree with any changes, you should discontinue use of the service and can request that your data be deleted.

We keep prior versions of this Privacy Policy available for review (upon request) so you can see how our privacy practices have evolved over time. If you have any questions or concerns about changes, please contact us using the information provided above.