Privacy Policy

Who this policy covers

This policy applies to visitors to our marketing sites, venue owners and staff who use vendor tools, guests who browse menus or use menu features we host, and individuals who contact us for support or sales.

Rumizi generally acts as a service provider for venues when processing guest personal information on their instructions; venues may be separate controllers or organizations responsible for their own privacy compliance. Where we determine the purposes and means of processing for a given activity, we act as responsible for that processing as described here.

Personal information we collect

We may collect the following categories of information, depending on how you use the Service:

• Account and contact details: name, email address, phone number, business name, role, and similar identifiers you provide when you register, complete onboarding, or communicate with us.

• Authentication and security: session tokens, login timestamps, device or browser identifiers used to protect accounts, and records of verification or magic-link flows.

• Menu and operational content: files and text you upload for menu extraction or publishing (which may incidentally contain personal information if present in a document), menu structure, images, and configuration you save in the product.

• Order and usage data: cart or draft selections, interactions with menu items where the product logs them, approximate location inferred from IP address or browser settings (for example, language or timezone), and feature usage needed to operate and improve the Service.

• Support and communications: messages you send to us, call or chat transcripts if you use supported channels, and metadata such as timestamps.

• Technical and cookies: IP address, user agent, diagnostic logs, and data from cookies or similar technologies as described in the “Cookies” section below.

• Payment information: billing contact details and payment status; card or bank details are typically collected directly by our payment processor, not stored on our servers.

Purposes for which we use personal information

We use personal information to:

• provide, maintain, secure, and improve the Service;

• authenticate users, prevent fraud and abuse, and enforce our terms;

• process subscriptions and payments;

• operate optional features you or a venue enable (for example, AI-assisted menu tools or in-product assistants), using prompts and context only as needed for those features;

• communicate with you about the Service, including transactional messages, service announcements, and (where permitted) marketing—see “Commercial electronic messages” below;

• comply with legal obligations and respond to lawful requests from public authorities;

• analyze usage in aggregate or de-identified form to understand product performance; and

• exercise or defend legal claims.

Consent and legal bases

We collect, use, and disclose personal information with meaningful consent where required, including for collections that are not obvious from context. You may withdraw consent subject to legal or contractual restrictions and reasonable notice; withdrawing consent may limit your ability to use some features.

For certain processing (for example, security logging, fraud prevention, or legal compliance), we may rely on purposes that do not require consent under applicable law, provided use is reasonable and proportionate.

Where venues instruct us to process guest data on their behalf, they are responsible for obtaining any required consent from guests and for the lawfulness of their own marketing.

Service providers and disclosure

We use trusted service providers to host infrastructure, send email or SMS, process payments, analyze reliability, provide customer support tooling, or offer optional integrations. They may access personal information only as needed to perform services for us and are subject to contractual obligations consistent with this policy and applicable law.

We may disclose personal information if required by law, court order, or legal process, or to protect the rights, property, or safety of Rumizi, our users, or others. We may disclose information in connection with a merger, acquisition, or financing, subject to confidentiality obligations.

We do not sell your personal information in the conventional sense of selling lists to data brokers.

International transfers

Your personal information may be processed and stored in Canada and in other countries where we or our service providers operate. Those countries may have different data protection rules. Where we transfer personal information across borders, we take steps that are appropriate in the circumstances, such as contractual clauses or reliance on adequacy mechanisms recognized under Canadian law, to protect the information.

Retention

We retain personal information only as long as necessary for the purposes described in this policy, including to meet legal, accounting, or reporting requirements. Retention periods vary: for example, account data is kept while your account is active and for a reasonable period afterward; backups may persist for a limited additional period; and aggregated or de-identified information may be retained longer where it no longer identifies you.

Venues may have their own retention settings for certain records; we process according to product configuration and lawful instructions.

Security

We implement reasonable physical, organizational, and technical safeguards appropriate to the sensitivity of the information we handle, including access controls, encryption in transit where standard for the Service, and monitoring. No method of transmission or storage is completely secure; you should protect your credentials and devices.

Your privacy rights in Canada

Subject to applicable exceptions, you may have the right to request access to personal information we hold about you, to ask for correction of inaccuracies, and in some circumstances to challenge our compliance with applicable privacy laws.

To exercise these rights, contact us using the contact section below. We may need to verify your identity. We will respond within the time frames required by law, which may vary by province.

If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner of Canada (OPC) or, where applicable, a provincial privacy commissioner or ombudsman (for example, in Alberta, British Columbia, or Quebec).

Cookies and similar technologies

We use cookies, local storage, and similar technologies to remember preferences, keep you signed in, measure performance, and protect the Service. You can control cookies through your browser settings; blocking some cookies may affect functionality.

Where we use analytics or advertising partners, their use is subject to their policies and your choices where offered.

Children

The Service is not directed at children under the age of majority. We do not knowingly collect personal information from children without appropriate parental or guardian consent. If you believe we have collected information from a child in error, contact us and we will take steps to delete it where required.

Changes, contact, and commercial electronic messages

We may update this Privacy Policy from time to time. We will post the revised policy and change the “Last updated” date. For material changes, we will provide additional notice where appropriate.

For privacy questions or requests, contact us using the contact options published on our website, or through your vendor workspace if you are a customer.

Canada’s Anti-Spam Legislation (“CASL”) restricts commercial electronic messages without consent. We send commercial emails or texts only where permitted—typically because you have an existing relationship with us, you have expressly consented, or an exemption applies. You can unsubscribe from marketing messages using the link in those messages or by contacting us, without affecting transactional or legal notices we must send.