Privacy Policy

For personal data we collect about you as a visitor to our website, a prospective customer, an employee of a customer, or a job applicant, the data controller is:

PulseMenu ApS
CVR (Danish company registry) on request
Copenhagen, Denmark
privacy@pulse-menu.com

For personal data we process on behalf of our customers (for example, your venue's guest data inside the PulseMenu platform), our customer is the controller and PulseMenu acts as a processor. Our obligations in that role are governed by the Data Processing Agreement (DPA).

Information you give us

• Account data — name, work email address, role, employer, and any phone number you provide.
• Billing data — billing name, address, tax ID, and the last four digits of payment instruments held by our payment processor.
• Support and sales communications — content of emails, chat messages, and call notes.
• Recruitment data — CVs, cover letters, references, and notes from interviews when you apply for a role.

Information collected automatically

• Usage telemetry — pages viewed, actions taken, device and browser metadata, IP address, and approximate location derived from IP.
• Logs — request, application, and security logs that may incidentally contain personal data such as user IDs.
• Cookies and similar technologies — see our Cookie Policy.

Information from third parties

• Identity & authentication providers — name and email from Google or Microsoft when you sign in via single sign-on.
• Integration partners — operational data we receive from connected POS, booking, and inventory systems on the instruction of our customers.
• Public sources — publicly available business contact information used for sales outreach.

We only process personal data when we have a valid legal basis. The matrix below summarises the most common processing activities.

We never sell personal data. We share it only with:

• Our service providers (subprocessors) — cloud hosting, payment processing, support tooling, analytics, and email delivery. A current list of subprocessors is available on request.
• Your authorised collaborators — other users within your venue or group.
• Integration partners you choose to connect — POS, booking, accounting, and similar systems.
• Authorities — when required by law, with appropriate scrutiny and the narrowest possible disclosure.
• Acquirers — in connection with a corporate transaction, subject to equivalent confidentiality and protection commitments.

Personal data is hosted in the European Economic Area (EEA) by default. Where data is transferred outside the EEA — for example, to a subprocessor's support team — we rely on:

• European Commission adequacy decisions, where they apply;
• The 2021 Standard Contractual Clauses with supplementary technical and organisational measures; and/or
• For UK-originated data, the UK International Data Transfer Addendum.

Transfer impact assessments are performed before any new transfer mechanism is relied upon.

We retain personal data for as long as we need it for the purposes set out above. Specifically:

• Active accounts — for the duration of your subscription.
• Closed accounts — up to 90 days after closure to allow reactivation, then deleted or anonymised.
• Customer venue data — retained according to the customer's instructions and the DPA.
• Billing records — minimum 5 years under Danish bookkeeping law.
• Recruitment data — up to 6 months after a decision, or with consent for future opportunities.
• Backups — purged according to a documented backup retention schedule, typically within 35 days.

If you are in the EU, EEA, UK, or Switzerland you have the right to:

• Access the personal data we hold about you;
• Request rectification of inaccurate data;
• Request erasure where one of the grounds in GDPR Art. 17 applies;
• Request restriction of processing;
• Object to processing based on legitimate interests, including direct marketing;
• Data portability for data you provided to us and we process by automated means under contract or consent;
• Withdraw consent at any time, without affecting the lawfulness of previous processing; and
• Lodge a complaint with a supervisory authority — for example, the Danish Data Protection Agency (Datatilsynet).

To exercise any of these rights, email privacy@pulse-menu.com. We respond within 30 days, extendable by 60 days for complex requests.

PulseMenu maintains administrative, technical, and physical safeguards designed to protect personal data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
• Role-based access control with least-privilege principles;
• Multi-factor authentication on all administrative accounts;
• Comprehensive audit logging and anomaly detection;
• Regular vulnerability scanning, third-party penetration testing, and secure SDLC practices;
• An incident response programme with notification within 72 hours of a confirmed breach affecting personal data.

PulseMenu is not directed at children under 16 and we do not knowingly collect their personal data. If you believe a child has provided us with personal data, contact us and we will delete it.

The platform offers AI-assisted recommendations (for example, suggested prices or forecasts). These are recommendations only — every meaningful operational decision in PulseMenu requires a human user to approve it. We do not perform solely automated decision-making with legal or similarly significant effects on individuals.

We may update this Privacy Policy from time to time. When we make material changes, we will notify account administrators by email and update the "Last updated" date above. Continued use of the platform after a change becomes effective constitutes acceptance.

Privacy questions, data subject requests, and compliance enquiries should be directed to privacy@pulse-menu.com. For urgent security issues, write to security@pulse-menu.com.