Privacy Policy | MunchHQ

1. Introduction

MunchHQ ("we," "us," or "our") operates a platform that helps independent restaurants launch SEO-optimized online ordering sites. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, whether you are a restaurant owner (merchant) or a customer placing an order.

By using MunchHQ, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use our services.

2. Information We Collect

2.1 Information from Restaurant Owners (Merchants)

When you sign up as a restaurant owner, we collect:

Account Information: Email address, password (encrypted), display name
Business Information: Restaurant name, business address, phone number, tax identification details
Payment Information: Stripe Connect account details (for receiving payments)
Content: Menu items, photos, videos, descriptions, branding (logo, colors, fonts)
Social Media: Links to your Facebook, Instagram, Twitter, TikTok, Yelp pages (optional)
Security: Admin PIN (hashed using bcrypt for employee access control)
Subscription Data: Billing period, subscription status, payment history

2.2 Information from Customers

When you place an order through a restaurant's site, we collect:

Contact Information: Full name, email address, phone number
Delivery Information: Delivery address (for delivery orders)
Order Details: Items ordered, quantities, special instructions, order total
Payment Information: Payment method type (card/cash), Stripe payment intent ID (no card numbers stored)
Order History: Timestamps for order confirmation, preparation, ready, and completion stages

2.3 Delivery Information

When delivery is arranged through DoorDash, we collect:

Dasher Information: Dasher name, phone number, real-time location coordinates
Delivery Status: Pickup time, dropoff time, delivery status updates
Support Information: Tracking URLs, support reference IDs, delivery quotes

2.4 Automatically Collected Information

Log Data: IP address, browser type, pages visited, time spent, referring URLs
Cookies: Session cookies (authentication), analytics cookies (Vercel Analytics)
Device Information: Device type, operating system, unique device identifiers

3. How We Use Your Information

We use the information we collect for the following purposes:

Order Processing: To fulfill customer orders, process payments, and coordinate deliveries
Communication: To send order confirmations, status updates, and customer support responses
Payment Processing: To process transactions via Stripe and distribute funds to restaurant accounts
Delivery Coordination: To arrange deliveries through DoorDash and provide real-time tracking
Platform Operation: To provide, maintain, and improve our services
Authentication: To verify your identity and secure your account via Stack Auth
Analytics: To understand how users interact with our platform and improve user experience
Fraud Prevention: To detect and prevent fraudulent transactions and unauthorized access
Compliance: To comply with legal obligations, including tax reporting and record-keeping
Marketing: To send promotional communications to merchants (opt-out available)

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

4.1 Service Providers (Third-Party Processors)

Stripe: Payment processing, merchant payouts, subscription billing. Stripe receives payment amounts, customer email (for receipts), order metadata, and restaurant business details.
DoorDash: Delivery services. DoorDash receives customer name, phone number, delivery address, order contents, and special instructions for delivery orders.
Stack Auth: Authentication and user management. Stack Auth manages login credentials, session tokens, and user profile information.
Vercel: Hosting, content delivery, blob storage (uploaded images/videos), and analytics. Vercel processes all data transmitted through our platform.
Neon (Neon Database): Database hosting. Neon stores all application data including restaurant information, orders, and customer details.
Upstash: Rate limiting and caching services. Upstash receives IP addresses and request metadata for abuse prevention.

4.2 Restaurant Owners

Customer order information (name, phone, email, address, order details) is shared with the restaurant where the order is placed to fulfill your order.

4.3 Legal Requirements

We may disclose your information if required by law, court order, subpoena, or government request, or to protect our rights, property, or safety, or that of our users.

4.4 Business Transfers

If MunchHQ is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our platform.

5. Data Retention

We retain your information for the following periods:

Order Records: 7 years (for tax, accounting, and legal compliance)
Customer Personal Information: Until deletion is requested, or account closure
Delivery Webhook Data: 30 days (raw webhook payloads from DoorDash)
Analytics Data: Aggregated and anonymized indefinitely
Merchant Account Data: Duration of your subscription plus 7 years for financial records

After the retention period, we will delete or anonymize your personal information, unless required by law to retain it longer.

6. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

6.1 Right to Know

You have the right to request that we disclose what personal information we collect, use, and share about you.

6.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, fraud prevention, order records for tax purposes).

6.3 Right to Opt-Out of Sale

We do not sell your personal information. We only share data with service providers as described in Section 4.

6.4 Right to Non-Discrimination

You have the right to not receive discriminatory treatment for exercising your CCPA privacy rights.

6.5 How to Exercise Your Rights

To submit a data access or deletion request, email us at privacy@munchhq.com. We will verify your identity and respond within 45 days.

7. Cookies and Tracking Technologies

We use the following types of cookies:

Essential Cookies: Session cookies from Stack Auth for authentication (required for platform functionality)
Analytics Cookies: Vercel Analytics to track page views, performance, and user interactions

You can control cookies through your browser settings. However, disabling essential cookies may prevent you from using certain features of our platform. For more details, see our Cookie Policy.

8. Data Security

We implement industry-standard security measures to protect your information:

Encryption: All data transmitted via HTTPS/TLS encryption
Password Security: Passwords hashed using industry-standard algorithms (bcrypt)
Access Controls: Role-based access restrictions, authentication required for sensitive operations
Payment Security: PCI-DSS compliant payment processing via Stripe (we do not store card numbers)
CSRF Protection: Cross-site request forgery protection on all API routes
Rate Limiting: Automated abuse prevention and brute-force attack mitigation
Security Headers: Content Security Policy (CSP), X-Frame-Options, HSTS
Webhook Verification: Cryptographic signature verification for third-party webhooks

Despite our efforts, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. Children's Privacy

Our services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us at privacy@munchhq.com and we will delete it.

10. Third-Party Links

Our platform may contain links to third-party websites (e.g., restaurant social media pages, DoorDash tracking). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

11. International Data Transfers

Our services are based in the United States. If you access our platform from outside the U.S., your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last Updated" date. For significant changes, we may also send an email notification to registered merchants. Your continued use of the platform after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

MunchHQ Privacy Team

Email: privacy@munchhq.com

For California Residents: You may also submit requests through ourCCPA Data Request Form.

This Privacy Policy was last updated on January 17, 2025. By using MunchHQ, you acknowledge that you have read and understood this Privacy Policy.