Privacy Policy

Last updated: 4 April 2026

1. Who we are

Wonder Things Ltd (trading as "MenuSync"), registered in England and Wales with company number 15197334, is the data controller for the personal data described in this policy.

Registered address: 142-143 Parrock Street, Gravesend, England, DA12 1EY

Contact email: hello@menusync.co.uk

2. What personal data we collect

We collect the following personal data when you sign up for and use our service:

  • Account information: your name, email address, phone number, and business name
  • Restaurant details: your restaurant name, address, and the delivery platforms you use
  • Platform access: team member login credentials for Just Eat, Deliveroo, UberEats, and any other platforms you ask us to manage
  • Payment information: billing details processed by our payment providers (we do not store your full card number)
  • Communications: messages you send us containing menu change instructions

3. Why we collect it

We process your personal data on the following lawful bases:

  • Contract performance (Article 6(1)(b)): we need your data to provide the menu update service you have subscribed to
  • Legitimate interests (Article 6(1)(f)): to improve our service, prevent fraud, and communicate with you about your account
  • Legal obligation (Article 6(1)(c)): to comply with tax, accounting, and regulatory requirements

4. How we store platform credentials

Your platform login credentials are stored using AES-256 encryption at rest. Access is strictly limited to authorised personnel who need it to perform menu updates on your behalf. Credentials are transmitted only over TLS 1.2+ encrypted connections.

When you cancel your subscription, your credentials are permanently deleted within 30 days.

5. Who we share data with

We share your personal data with the following third-party processors, solely to provide and support our service:

  • Stripe (Stripe Payments Europe, Ltd) - payment processing
  • GoCardless (GoCardless Ltd) - Direct Debit payment processing

We do not sell, rent, or share your personal data with any other third parties for marketing purposes.

6. International transfers

Stripe processes some data in the United States. This transfer is protected by the UK-US Data Bridge (the UK extension of the EU-US Data Privacy Framework). Stripe is certified under this framework.

7. How long we keep your data

  • Account and restaurant data: for the duration of your subscription plus 30 days, then deleted
  • Platform credentials: deleted within 30 days of subscription cancellation
  • Payment records: retained for 7 years as required by UK tax law
  • Communications: retained for the duration of your subscription plus 90 days

8. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate personal data
  • Erase your personal data (subject to legal retention requirements)
  • Restrict processing of your personal data
  • Request portability of your personal data
  • Object to processing based on legitimate interests
  • Withdraw consent at any time (where consent is the lawful basis)

To exercise any of these rights, email us at hello@menusync.co.uk.

9. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk

10. Cookies

We use Plausible Analytics, which does not set cookies or collect personal data. See our Cookie Policy for full details.