PRIVACY POLICY
Dear Customer,
We are pleased that you are interested in data protection. We would like to give you an easily understandable overview of the data processing practices and our privacy compliance measures in relation to our delivery websites, applications and related services (collectively referred to as “platform” below). Our goal is to provide you with an amazing customer experience while keeping your personal data secure. Trust, transparency and honesty are our leading principles. Your trust in our product is the reason why we can provide you with an amazing customer experience.
1. Who we are
We are Mmenu Vietnam (MMENU TECHNOLOGY COMPANY LIMITED), Mmenu Singapore (MMENU PT2. LTD), Mmenu Thailand (Mmenu (Thailand) Co., Ltd) (“we”, “us” or “our”), but usually we just use the name Mmenu.
As regards the processing activities conducted on our platform, we will be the data controller responsible for what happens with your personal data. “Data controller” is a legal term and simply means that we are the party determining how your personal data is processed, for what purposes this is done and by what means. While we are required by law to provide you with all of the following information, we do so also out of the belief that a partnership should always be honest.
If you have any questions about data protection, you can contact our data protection officer at any time by sending an email to contact@mmenu.vn.
While visiting our platform, registering, doing business, or contacting us, you agree to this privacy policy. This privacy policy applies to all personal data obtained by us through your use of our platform. It does not apply to any websites controlled by third parties not affiliated with us that our platform may link to (“Third Party Sites”). The relevant privacy policies set out in the respective Third Party Sites shall apply in those cases.
2. Privacy is your right and the choice is yours
As a customer you have the choice which information you would like to share with us. Please be aware, however, that when signing up to our platform, you are required to accept our terms of use. Legally speaking, this means you will enter into a contract with us under which you are entitled to use the platform, in accordance with the terms of use. Of course, we need some information from you to be able to perform our obligations under this contract. However, it is entirely up to you to choose whether you would like to provide such information or would rather not use our platform.
You can take the following steps to control and manage how much personal data you share with us:
Cookies & web-tracking: You can set your device or web browser to decline cookies and other web-tracking technologies (which is also possible through our consent manager). If you deactivate web-tracking, you will no longer see any personalized contents, offers or ads.
Direct marketing: If you do not want to receive newsletters from us, you can unsubscribe at any time. In this case, we will not be able to send you any cool offers.
You may also withdraw your consent for the processing of your personal data for certain Purposes (e.g. marketing) by submitting your request via email to contact@mmenu.vn.
3. Your Legal Rights
Right to be informed
We will inform you, prior to or at the time of the collection of your personal data, together with clarify required details (e.g., the purpose of collection, the retention period, and the data subject rights).
Right to access
You have the right to be informed which data we store about you and how we process this data.
We will respond to your access request as soon as practicable, in any case within thirty (30) days upon receiving your access request. We will also inform you within the timeframe if we are unable to adhere to your request (with reasons) or require additional time to effect the request.
Right to rectification
If you notice that stored data is incorrect, you can always ask us to correct it.
We will respond to your correction request as soon as practicable, in any case within thirty (30) days upon receiving your correction request. We will also inform you within the timeframe if we are unable to adhere to your request (with reasons) or require additional time to effect the request.
Right to erasure
You can ask us at any time to delete, destroy, or de-identify the personal data we have stored about you.
Right to restriction of processing
If you do not wish to delete your personal data, but do not want us to process it further, you can ask us to restrict the processing of your personal data. In this case, we will archive your personal data and only reintegrate it into our operative systems if you so wish and you will not be able to use our services during this time. However, if you change your mind to use our services again, we will process your personal data accordingly.
Right to object to the processing of your personal data
You can object to the further processing of your personal data. This also includes objecting to our processing, which we process without your consent but based on our legitimate interest. This applies, for example, to direct marketing. You can object to receiving further newsletters at any time.
Right to withdraw your consent to the processing of your personal data
You can withdraw your consent to our collection, use and disclosure of your personal data at any time for any or all of the Purposes. Upon receiving your withdrawal request, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be Processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. However, it will not affect any actions and processing of the personal data, which has been conducted legally before the withdrawal of such consent. Please note that depending on the nature and scope of your request, we may not be in a position to continue providing our services to you and we shall, in such circumstances, notify you before completing the processing of your request.
Right to personal data portability
You can ask us to transmit the personal data stored about you in generally readable or usable – with automatic tools or equipment format to you or an authorized representative, or another data controller. In this context, we will make the personal data available to you in JSON, PDF or similar format.
We will endeavour to process your request within thirty (30) days upon receipt, and will notify you accordingly if we require additional time.
To exercise your rights, you may send in your request via email to contact@mmenu.vn at any time and we will process such requests in accordance with this Privacy Policy and our obligations under applicable laws.
We may charge you a reasonable fee for the handling and processing of your requests to access your personal data, and will inform you of the amount charged in advance.
You may also delete your account through your user profile on our platform.
Right of complaint
If you believe that we have done something wrong with your personal data or your rights, we encourage you to contact us in order to resolve the issue, prior to lodging any complaint to the supervisory authority. However, you can complain to the appropriate supervisory authority at any time. The contact details of the supervisory authority are as written below.
You are free to lodge the complaint with a supervisory authority at the place of your habitual residence or place of the alleged infringement.
4. An overview of the personal data we process
In this section you can find general information about the categories of personal data we process about you. For your understanding, personal data is information that directly identifies you (such as your name or photo picture) or enables us to indirectly identify you (for example, on the basis of a user ID linked with the personal information in your profile).
You will find more detailed information on our processing activities below, in the next section. But our data processing activities on the platform can be summarized by reference the main categories of personal data:
a. Profile data (master data)
This includes your name, email address, password, telephone number, addresses, interests, age, order data, device information and access data, payment data, and other information and personal data, which we may receive in the ordinary course of our business.
Why do we process this category?
This data is your master data, which we absolutely need for our services. Without an email address / telephone number and a password, you cannot create a profile. Together with your name, this is your master data. We need your age to ensure that you are not a minor.
b. Delivery data
This includes your name, delivery address, phone number, order details and order ID. If you are using our delivery service, this will also include the sender’s and recipient’s (if not yourself) names, pickup / delivery address and contact details.
Why do we process this category?
In accordance with the principle of data minimization, we only provide our riders, shops and restaurants (as the case may be) with the information that they need from you to prepare and deliver your order and otherwise provide services requested to you.
c. Order history data
This includes your order history, selected shops or restaurants (as the case may be), invoices, order ID, comments on orders, information on payment method, delivery address, successful orders and cancelled orders
Why do we process this category?
Each time you place an order, this information will be added to your profile. You can view all this information in your profile at any time. We will use this information to improve our services and optimize the platform for your interests.
d. Location data
This includes your address, postcode, city, country and your device’s longitude and latitude.
Why do we process this category?
We need these data to be able to deliver your orders (or enable the restaurant or shop you have ordered from to deliver it to you). We create the longitude and latitude automatically in order to be able to process your delivery address in our other linked systems, and to display your address to riders of restaurants.
e. Device information and access data
This includes your device ID, device identification, operating system and corresponding version, time of access, configuration settings, and your IP address.
Why do we process this category?
Each time you access our platform, this information is stored by us for technical reasons. We also use parts of this information to detect suspicious behaviour at an early stage and to protect our platform.
f. Customer care data
This includes your name, address, telephone number, email address, and your ID from any social media (if applicable).
Why do we process this category?
If you contact us, we collect this data because we need to know who we are talking to and what we have been talking about so that we can help you with your reason for contacting us. This also applies if you leave comments on social media on our fan pages. We do not combine this data with your profile data on our platform, but we can still identify you by your social media ID.
g. Marketing contact and communications data
This includes your name, email address, telephone number, and device ID.
Why do we process this category?
If you would like to receive an email newsletter, an SMS or an in-app push notification from us, we need certain information to send you the messages. Instead of addressing you with “Hey You”, we find it more customer friendly to address you with your name. This category of personal data is also used by us to contact you, for example, if a product cannot be delivered and we want to offer you an alternative instead.
h. Payment data
This includes your payment method, and encrypted, pseudonymized credit card information
Why do we process this category?
We need this information to initiate your payments and assign them to the orders you have placed. We also need this data to store your payment information for future orders (if you give us your consent to do so).
5. Our detailed processing activities and processing purposes
We process your personal data only in accordance with relevant data protection laws. We pay particular attention to the fact that all principles for the processing of personal data are taken into account. Therefore, we only process your data if this is lawful and you can reasonably expect it to be processed.
In order to be able to offer you our services, the processing of your personal data is essential. You do provide us with some of this data proactively by entering them on your device. Other data we collect automatically when you are using our platforms.
We process your personal data for the following purposes (“Purposes”):
I. Creating and operating your account; delivering your orders
a. Account Creation
When creating a customer account you will be asked to enter your master data. This is absolutely necessary, as we cannot create a customer profile without this data. Your email address and telephone number are particularly important, as we can use this information to identify you in our system the next time you want to log in again. Furthermore, we would like to ask you to choose your password carefully. Do not use the same password on multiple websites. Your password should also be at least 12 characters long, at least one lowercase letter, one uppercase letter, one special character (!?#,%& etc.) and one digit.
Categories of personal data:
Profile data (master data)
Device information and access data
b. Login to an existing account
If you already have an existing customer account, you will need to enter your email address and password to log in. If we detect irregularities during registration, such as entering the wrong password several times, we will take appropriate measures to prevent damage to you and us.
Categories of personal data:
Profile data (master data)
c. Managing Your Profile
You can log in to your profile at any time and change your personal data, such as name, email address or telephone number. You can also view your previous orders.
Categories of personal data:
Profile data (master data)
Location data
Order history data
Device information and access data
Marketing contact and communication data
Payment data
f. Order Processing
Once you have successfully registered and decided to place your order, we will store this information in your profile and process it in further processes so that you can submit your order to us. When you submit your order, your personal data is transferred to our backend where it is transferred to other systems for further processing.
Categories of personal data:
Profile data (master data)
Order data
Delivery data
Location data
Device information and access data
g. Delivering your order
Once you have successfully placed your order, a number of processes are running in the background to ensure that your order is delivered quickly. This includes sharing your order data with the restaurant preparing your meal or shops preparing your items as well as with the rider delivering your order.
Categories of personal data:
Delivery data
h. Enabling calls from riders, restaurants or shops to check on your order
If a product of your choice is not available for delivery or our riders cannot reach you at the delivery address you provided, they have received instructions from us to call you so that the problem can be solved easily. Both the restaurants as well as the riders have no claim whatsoever to your personal data and under no circumstances may they use it for their own purposes. If you should nevertheless be contacted by a restaurant, shop or rider without your prior consent, we ask you to report this to us by e-mail to contact@mmenu.vn.
Categories of personal data:
Delivery data
i. Saving your payment methods
In order to make the ordering process even more convenient for you, we offer to save your preferred payment method. This means that you do not have to enter your payment details again the next time you place an order. Your payment data will be stored securely and we’ll make sure it stays encrypted at all times. Restaurants and shops will never receive your payment data.
Categories of personal data:
Payment data
II. Fraud detection, prevention and security of our platform
In order to protect our customers and our platform from possible attacks, we continuously monitor the activities on our websites and mobile applications. To keep the platform secure and guarantee you a safe ordering experience, we use various technical measures to ensure that suspicious behavior patterns are detected at an early stage and prevented as early as possible. To achieve this goal, several software-based monitoring mechanisms run in parallel and prevent potential attackers from damaging our platform.
The decision-making process is automated and could potentially have an impact on the use of your registered account on our platform. If any such decision leads to a negative result for you and you do not agree with the outcome, you can contact us at contact@mmenu.vn. In this case, we will individually assess the circumstances of your case. All of our fraud detection and prevention algorithms are always open to human review. If you think that a mistake has been made we are happy to look into it and make corrections, if necessary.
Categories of personal data:
Profile data (master data)
Device information and access data
Payment data
Order data
Voucher information
III. Direct Marketing
a. Newsletters and user surveys by email and/or text message
If you have consented to receiving marketing materials from us when signing up for our platform, we may occasionally send you by email, SMS or other text message regular offers of goods or services similar to those offered on our platform. We are constantly striving to improve our services. Your constructive feedback is very important to us. Therefore, our direct marketing newsletters might also include surveys where we ask for your honest feedback. So we will occasionally also send you customer surveys and ask you to give us your opinion.
If you did not consent to receiving marketing materials from us when registering your account, you will not receive any direct marketing emails.
You are of course always free to opt out of such emails. In this case, we will store your contact details in a list of customers who have objected to receiving direct marketing, to make sure we can continuously comply with your objection.
You may withdraw your consent for us to send you all marketing materials by submitting your request via email to contact@mmenu.vn at any time, and we will endeavour to effect your request within 30 days. Your withdrawal of consent for marketing purposes will not affect your ability to use our services provided on our website and app.
You may also unsubscribe to our marketing newsletter sent via emails by clicking on the “unsubscribe” button at the end of our emails.
Not only do the contents of our newsletters and surveys vary, but so do the technologies and criteria we use to design our newsletters and segment customer groups. For example, a group of customers may receive a special newsletter promoting special deals from restaurants where customers have ordered. Other newsletters may refer to specific products that relate to a particular flavour, such as sushi, Indian cuisine or pizza. We use different information from your history and delivery addresses to create these tailor-made offerings for you. Please be also aware that we are recording, in a pseudonymous manner, key performance indicators to assess the effectiveness of our direct marketing campaigns. This includes aggregated information about the opening and click-through rate for our direct marketing messages.
This is a profiling process in which we automatically process your data. The specific customer segmentation will not have a legal effect on you, nor will it similarly significantly affect you. The only effect you will notice are interesting offers on our platforms, bespoke to your interests and meal preferences.
Nonetheless, if this automated decision-making leads to a negative result for you and you do not agree with this, you can contact us at contact@mmenu.vn. In this case, we will opt you out of customized newsletter communications and you will no longer receive any such messages going forward.
Categories of personal data:
Profile data (master data)
Location data
Order data
Device information and access data
ATTENTION: As already mentioned, you are entitled to object to the use of your email address for the aforementioned advertising purposes at any time, and free of charge, with effect for the future by changing your message preferences, using the “unsubscribe” button at the end of a newsletter, or by contacting us at contact@mmenu.vn.
IV.Online Marketing
Convincing potential customers that we offer an amazing customer experience and that every visit to our platform is worthwhile, is one of our key business priorities. In order to reach as many potential customers as possible, we are very active in the field of online marketing and conduct the following online marketing activities to attract new customers to our platform:
a. Targeting
In principle, targeting means simply showing online advertisements (e.g. by showing banners on websites, or delivering ads on social media service timelines) tailored to specific target groups. We strive to deliver to you only advertisements that are in fact relevant for your interests and bring added value to your online experience.
In our targeting process, as a first step, we define a target group based on certain criteria such as location, age or meal preferences and, secondly, we commission our service providers to show our advertising to the defined target group, both on our own websites/apps as well as on online properties owned and operated by third-party publishers. To better define the intended target groups, we segment customer types and place different ads on different portals. We will use pseudonymous data for this purpose only. That means we will not be able to identify individual persons within the defined target groups.
b. Retargeting
As soon as you have visited our platform and, for example, have already placed an order in your shopping cart, we store this information through cookies and other web-tracking technologies. If you continue to surf other websites, our advertising partners will remind you on our behalf that you have not yet completed your order. We don’t want you to miss out on our amazing customer experience.
Categories of personal data:
Device information and access data
Location data
c. Cookies and web-tracking
In the context of our online marketing activities we also use cookies and other web-tracking technologies. As stated above, these technologies help us to recognize your device and deliver to you only the type of advertisements relevant to your interests. As a matter of principle, our web-tracking technologies will process your device information and access data in pseudonymous form only. This means that we will not be able to identify you as a person on the basis of this data and we will not be able to attribute your interactions outside of our platform to your user account with us.
To give you all the information you need, we have prepared a comprehensive Cookies, SDKs and Web-Tracking Policy explaining not only the details of our web-tracking technologies but also explaining how exactly you can opt-in or opt-out of the use of web-tracking technologies on our website.
Categories of personal data:
Device information and access data
d. Bonus programs
We want to reward our customers’ loyalty with attractive deals and points. For this reason, we offer our customers the opportunity to participate in such bonus programs. Participation in a bonus program requires consent. You can revoke your consent at any time for the future. Please send us an email to contact@mmenu.vn for this purpose.
Categories of personal data:
Profile data (master data)
e. Sweepstakes
We sometimes run sweepstakes to provide our customers with the chance of winning prizes in relation to our platform (this might be a voucher, special offer or other cash-value award). Before you participate, we will ask you to grant us your consent to process your personal data for the purpose of signing you up for the campaign. If you refuse to grant your consent we cannot offer you to take part in the sweepstake.
If you have already given your consent and would like to revoke it for the future, you can do so at any time by sending an email to contact@mmenu.vn. In this case, we will exclude you from participating in our sweepstakes and you will not receive any further invitations to sweepstakes.
Categories of personal data:
Profile data (master data)
f. User interviews for market research purposes
We always develop new products and try to adapt our services to the wishes of our customers. In order to measure the effectiveness of these changes, we regularly offer interviews with our User Experience team. In these interviews we record your usage behaviour and ask you for possible optimisation possibilities.
Participation in the interviews requires your consent. If you have already given your consent and would like to revoke it for the future, you can do so at any time by sending an email to contact@mmenu.vn. In this case we will exclude you from participating in our interviews and you will not receive any further invitations for them.
Categories of personal data:
Profile data (master data)
Delivery data
Order history data
g. Vouchers
We often offer vouchers for our platforms. The reasons can vary. The purpose of these vouchers is to reward our loyal customers and to encourage them to continue to lead our loyal customers. In order to be able to check the number, the value and the frequency of use of the vouchers, but also to avoid misuse of these vouchers, we collect various personal data.
Categories of personal data:
Profile data (master data)
Voucher information
V. Social Media Sites
We have profiles on various social media platforms on which we advertise our products and interact with customers. Since we operate these profiles on third-party platforms, including Facebook, Instagram, Youtube, Tiktok, Zalo and Line, each time you visit these social media offerings the operators of these social media platforms collect different personal data from you. The social media platforms Facebook and Instagram are operated by Facebook.
a. Responsibilities
We and the respective operators of the social media platforms act as joint controllers with respect to the collection of your personal data on our social media sites, as well as the analysis of the use of our social media sites by social media users. For this purpose, we and Facebook have agreed on a joint controllership agreement in accordance with Art. 26 GDPR.
Also, the operators of the social media platforms themselves are data controllers for the general use of their social media services and interactions outside our profiles and social media sites. This sole responsibility also applies to any processing of your social media profile data for purposes other than analyzing the traffic on our social media sites.
The following links will show you exactly which data is collected by the respective social media operators:
b. Data processing
Facebook provides page administrators with aggregated statistics and insights that help them understand the types of actions people take on their pages (“Page Insights”). Please be informed that we only receive aggregated user reports from Facebook. At no point can we attribute any page visit or other interaction to individual social media profiles.
When you visit or interact with one of our social media sites or its content, information such as the following may be collected and used to create Page Insights:
c. Your data subject rights
As part of our agreement with Facebook, with respect to our social media sites, we have determined that Facebook is primarily responsible for fulfilling its information obligations in connection with the Page Insight data. For more information about your data subject rights on Facebook, please see Facebook’s Page-Insights Privacy Policy.
VI. Customer Relationship Management
(a) Your requests
Your satisfaction is our biggest goal. Therefore we are very keen to be available for all your questions and to answer them. In order to be able to answer these questions and understand the overall problem, we store the conversation content in our Customer Relationship Management System when you contact us.
The content of the information we store depends on the information you provide to us as part of our communications.
Categories of personal data:
Contact information
Order history and information
(b) Call Center
If you contact us by phone, we store the conversation for quality assurance purposes. In individual cases, we also use the recordings for quality improvement in customer service, i.e. for training purposes (coaching) with our employees. The content of the information we store depends on the information you provide to us as part of our communications.
Categories of personal data:
Contact information
Order history and information
VII. Mergers & acquisitions, change of ownership
In the event of a merger with or acquisition by another company, we will disclose certain limited information to that company. Prior to disclosure, we will ensure that the recipient company undertakes to protect your personal data to a comparable standard to that under this privacy policy, and also that the company complies with applicable data protection laws and regulations. We will endeavour to keep the extent of the data shared with the other company to the absolute minimum required in order to conclude the transaction.
Categories of personal data:
Delivery data
Location data
Profile data (master data)
Device information and access data
Order data
Customer care data
Marketing contact and communications data
Payment data
Voucher information
6. Who we share your personal data with
We never give your data to unauthorized third parties. However, in order to run our business efficiently, we obtain the services of selected service providers and give them limited and strictly monitored access to some of our data, in order to fulfil the Purposes. Before we forward personal data to these partner companies for processing on our behalf, each individual company undergoes an audit. All data recipients must meet the legal data protection requirements and undertake to protect your personal data to a comparable standard as required under other relevant data protection laws.
a. Service Providers and data processors
We use different service providers and data processors for our daily processing activities. These service providers and data processors process your personal data in accordance with the applicable local data protection laws and requirements and are permitted to process personal data only according to our instructions. Our services providers and data processors have no claims whatsoever to process your personal data for their own, independent purposes. We also monitor our processors and include only those who meet our data protection standards.
You have already learned about some of the parties we use as service providers above and can also find information on data recipients in our Cookies, SDKs and Web-Tracking Policy. Our user platforms and databases run on cloud resources provided by the EU subsidiaries of Google and Amazon Web Services (AWS). Because we use different data processors and change them from time to time, it is not possible for us to identify all individual recipients of personal data in this Privacy Policy. However, if you are interested, we will be happy to disclose the name of the processor(s) in use at that time upon request.
c. Third parties
In addition to data processors, we also work with third parties, to whom we also transmit your personal data, but who are not bound by our instructions. These are, for example, our consultants, lawyers or tax consultants who receive your data from us on the basis of a contract and process your personal data for legal reasons or to protect our own interests. We do not sell or rent your personal data to third parties under any circumstances. This will never take place without your explicit, informed consent.
d. Prosecuting authorities, courts and other public bodies
Unfortunately, it can happen that a few of our customers and service providers do not behave fairly and want to harm us. In these cases, we are not only obliged to hand over personal data to public authorities due to legal obligations, it is also in our interest to prevent damage and to enforce our claims and to reject unjustified claims.
We may also share your personal data with law enforcement agencies, government and regulatory bodies to meet applicable legal or regulatory obligations.
e. Restaurants/Merchants
Your personal data will be disclosed to our restaurants and merchants involved in providing the services to you, including fulfilling your operations and managing complaints. Nevertheless, we recognize your privacy, and thus, we will minimize the data sharing with said persons to the extent required for them and us to provide the services to you.
7. How long we store your data
We generally delete your data after the Purposes have been fulfilled. The exact deletion rules are defined in our global policies and supporting local retention schedules. Different deletion rules apply depending on the purpose of the processing. Within our deletion concepts we have defined various data classes and assigned regular maximum retention and deletion periods to them. When the retention period has expired, the stored data will be deleted accordingly. If you have not used your user account on our platform for a period of more than three years, we will delete your account to make sure to comply with the principle of storage limitation. Before this happens, you will receive a separate notification from us to the email address registered for your user account.
In addition to the deletion rules we have defined ourselves, there are other legal retention periods which we must also observe. For various legal documents, such as invoices or business letters, applicable laws define minimum retention periods. For example, tax data must be kept for a period of between six and ten years or even longer in some cases. These special retention periods vary according to local legal requirements.
Furthermore, we will continue to store your data if we have a right to do so in accordance with applicable local laws. This applies in particular if we need your personal data for the establishment, exercise or defence of legal claims.
8. Right of modification
We reserve the right to change this privacy notice to ensure compliance with relevant legal and statutory provisions. We will inform you of any significant changes, such as changes of purpose or new purposes of processing.
Last update: October 2024