Privacy Policy
Last updated: 12 June 2026
Who we are
INDIEMENU LTD ("IndieMenu", "we", "us") is a company registered in England and Wales under company number 17270377, with our registered office at The Copper Room, Deva City Office Park, Trinity Way, Manchester, M3 7BG, England. You can reach us about anything in this policy at [email protected].
1. Our two roles
IndieMenu handles personal data in two different capacities, and your rights work slightly differently depending on which applies to you.
If you run a restaurant or food business and hold an IndieMenu account, we are the data controller for your personal data - your name, email address, business details, and billing information. This policy describes how we handle that data.
If you are a customer placing an order through a restaurant's IndieMenu page, the restaurant you are ordering from is the data controller for your order data, and IndieMenu acts as their data processor. We process your order details only to provide the ordering service to that restaurant and on their instructions. For questions about how your data is used, or to exercise your data rights over your order data, contact the restaurant directly - their own privacy information applies. If you contact us instead, we will pass your request to the restaurant and assist them in responding.
We are also the data controller for limited purposes that apply across the platform regardless of which restaurant you order from: keeping the platform secure, preventing fraud and abuse, and meeting our own legal obligations.
2. What we collect
Account holders: your name, email address, restaurant or business details, and subscription billing information. Subscription payments are processed by Stripe - we never see or store your card details.
Customers placing orders (processed on behalf of the restaurant): your name, email address, phone number if provided, collection or delivery details, order contents, and payment information. Payments are processed by Stripe and paid directly to the restaurant's own Stripe account - IndieMenu never sees or stores card details.
Everyone visiting the site: standard technical data such as IP address, browser type, and pages visited, collected through server logs and our security provider for the purposes of keeping the service running and secure. If you enable push notifications, your browser generates a subscription token that we store to deliver order notifications; you can withdraw this at any time in your browser or device settings.
3. Why we use it, and our legal grounds
We rely on the following lawful bases under UK GDPR:
Performance of a contract - operating your account, processing orders, taking subscription payments, and sending transactional emails such as order confirmations and account notices.
Legitimate interests - securing the platform, preventing fraud and abuse, improving the service, and contacting prospective business customers about IndieMenu. You can object to processing based on legitimate interests at any time.
Legal obligation - keeping financial and tax records we are required to retain.
Consent - where we ask for it, for example browser push notifications. You can withdraw consent at any time.
We do not sell personal data, and we do not use it for third-party advertising.
4. Marketing by restaurants
One of the benefits of IndieMenu is that restaurants keep their own customer relationships. If a restaurant uses customer details collected through their IndieMenu page to send marketing, the restaurant is the data controller for that marketing and is responsible for complying with UK GDPR and the Privacy and Electronic Communications Regulations, including obtaining any required consents. IndieMenu does not send marketing to restaurant customers on its own behalf.
5. Who we share data with
We share personal data only with the service providers (sub-processors) we need to run IndieMenu - for example Stripe for payments and Resend for transactional email. The current list, what each provider does, and where they process data is published on our Sub-processors page. We also share data where the law requires it, or with professional advisers under confidentiality obligations.
6. International transfers
Some of our providers process data outside the UK, including in the United States. Where that happens, we make sure an appropriate safeguard recognised under UK law is in place - such as the UK Extension to the EU-US Data Privacy Framework, or the UK International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses. Details for each provider are on our Sub-processors page.
7. How long we keep it
Account data: for as long as your account is open, then deleted or anonymised within 90 days of closure, giving you a window to export your data.
Order data: processed on the restaurant's instructions and deleted or anonymised when the restaurant's account closes, or earlier on their instruction, except where we must keep records to meet a legal obligation.
Financial records: kept for 6 years as required by UK tax law.
Server and security logs: kept for 30 days.
8. Your rights
Under UK GDPR you have the right to access a copy of your personal data, to have it corrected, to have it erased, to restrict or object to our processing of it, and to data portability. Where we rely on consent, you can withdraw it at any time. To exercise any of these rights, email [email protected] - we will respond within one month. If you are a restaurant customer and your request concerns order data, we may need to refer it to the restaurant as controller, but we will help make that seamless.
You also have the right to complain to the UK's data protection regulator, the Information Commissioner's Office, at ico.org.uk - though we would appreciate the chance to resolve any concern first.
9. Cookies
We use essential cookies only: to keep you logged in, to secure your session, and cookies set by Stripe and our security provider for fraud prevention and bot protection. These are strictly necessary for the service to work, so no consent banner is required. We do not use analytics, tracking, or advertising cookies.
10. Security
We use encryption in transit, access controls, and reputable infrastructure providers to protect personal data. Card details never touch our systems - they go directly to Stripe. No system is perfectly secure, but if a breach occurs that risks your rights, we will notify you and the ICO as required by law.
11. Changes to this policy
If we make material changes we will update this page and, where appropriate, notify account holders by email. The date at the top shows when it was last revised.
12. Contact
Questions about this policy or your data? Email [email protected].