Privacy Policy (Mealzy)
Last updated: 29 November 2025
This Privacy Policy explains how Atomic Labs Ltd (company no. 16867188) ("we", "us", "our"), trading as Mealzy, collects, uses, shares and protects personal data in connection with our digital menu, AI digital waiter, loyalty, and admin dashboard services (the Services). It also explains choices and rights. This Policy is designed for restaurants who use our platform (Restaurant Customers), their staff (Admins), and people who scan a menu QR code, chat with the AI waiter, or join a loyalty program (Guests).
We operate globally. If local law requires different disclosures, we include them below. If you have questions, contact mealzyapp@gmail.com.
1. Who we are & how to contact us
- Controller: For our website, platform accounts, Google Sign‑In, Apple Sign-In, support, billing, and our own analytics/marketing, Atomic Labs Ltd (company no. 16867188), 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ, is the data controller.
- Processor for Restaurants: For data that Restaurants load into the platform (e.g., menus, customer/loyalty records) we act as a processor on the Restaurant’s instructions. Each Restaurant is the controller of its Guest and loyalty data.
- EU representative: Not currently appointed; we are established in the UK and do not target the EEA at this time. If this changes, we will appoint an EU representative and update this Policy.
- UK representative: Not applicable (Atomic Labs Ltd is established in the UK).
- Data Protection Lead: Alfin Jose — mealzyapp@gmail.com. We have not appointed a Data Protection Officer (DPO).
- Contact: mealzyapp@gmail.com.
2. What this Policy covers (scope)
This Policy applies to:
- our website and web/app experiences used by Admins and Guests;
- the AI Digital Waiter chat interface;
- the Loyalty Card System and enrollment flows;
- the Admin Dashboard used by Restaurants; and
- integrations such as Sign in with Google and Sign in with Apple.
A separate Data Processing Addendum (DPA) applies to our processor role toward Restaurants (available on request). A live list of our sub‑processors is available on request.
3. Personal data we collect
A) Guests (scanning a QR / viewing the menu)
- Device and interaction data: IP address, device/browser type, language, the page(s) viewed, timestamp, approximate location (derived from IP), and diagnostic logs.
- Cookie/SDK data: strictly necessary cookies to provide the service; optional analytics/experience cookies (only with consent). See Cookie Notice.
B) AI Digital Waiter (chat)
- Chat messages you type and the system’s responses.
- Optional preference information you choose to share (e.g., cuisine likes, spicy level, favorite dishes).
- Allergy/dietary details (special category data): We do not require you to share health-related information. If you choose to save allergies or dietary restrictions to your profile or loyalty account, we will ask for explicit consent and you can remove them at any time. If you use the chat without signing in or saving preferences, we process messages transiently to respond and then delete or de‑identify them as described in Retention.
C) Loyalty Program (Guest accounts)
- Enrollment data: name, email, phone number; Restaurant join date; account credentials if you create a password; linked social/SSO identifier if you use Google Sign‑In or Apple Sign‑In.
- Activity & rewards: points earned and redeemed, visit history metadata (time, location/restaurant), rewards selected, tier status.
- Preferences: saved favorites, dietary tags or allergies only if you choose to store them (explicit consent required).
D) Restaurant Admin users
- Account profile (name, email, role), authentication logs, support tickets.
- Content created in the platform (menus, images, allergen/nutrition data) and actions (edits, toggling availability).
E) Images and menu content
- Restaurants may upload photos of dishes and add allergen/nutrition fields. We process this as a processor for the Restaurant.
F) Sign in with Google or Sign in with Apple (optional)
- If you choose Google to sign in, we receive your Google account basic profile (name, email, profile photo) and an identifier. We do not request access to your Gmail/Drive or other Google data.
- If you choose Apple to sign in, we receive your Apple account basic profile (name, email, profile photo) and an identifier. We do not request access to your iCloud or other Apple data.
G) Support & communications
- Emails, chat transcripts, and call recordings (where lawful and notified) when you contact support or participate in product research.
4. Why we process personal data & legal bases (UK/EU)
We only process personal data when we have a lawful basis:
Contract (Art. 6(1)(b))
- Provide the Services you request (create/manage Restaurant accounts; let Guests join and use loyalty; show menus and availability; respond to chat; deliver rewards).
- Authenticate users (including Google Sign‑In and Apple Sign‑In) and secure access.
Legitimate interests (Art. 6(1)(f))
- Keep our services secure (fraud/abuse detection, incident response).
- Service improvement (debugging, analytics with privacy safeguards, product usage metrics) – balanced against your rights and choices.
- Business operations (reporting, forecasting). You can object to processing based on our legitimate interests.
Consent (Art. 6(1)(a))
- Marketing emails or SMS (where required).
- Non‑essential cookies/SDKs (analytics/experience; see Cookie Notice).
- Special category data (allergies/dietary) saved to a profile or loyalty account – we ask for explicit consent (Art. 9(2)(a)); you may withdraw it anytime in‑app or via mealzyapp@gmail.com.
Legal obligation (Art. 6(1)(c))
- Comply with accounting, tax, and regulatory requests; respond to lawful orders.
5. How we use personal data
- To operate the Digital Menu System (menu pages, images, allergens, tags, availability).
- To power the AI Digital Waiter (answer questions, highlight allergen/dietary matches, make recommendations, surface sold‑out items). We apply data minimisation and technical safeguards; we do not make automated decisions with legal or similarly significant effects.
- To operate the Loyalty Card System (enrolment, points accrual, redemption, tiers, reward catalog).
- To provide the Admin Dashboard (menu builder, allergen and nutrition editor, loyalty management, analytics, AI settings).
- To communicate with you (service messages, security alerts, product updates; marketing only with consent where required).
- To monitor, detect, and prevent fraud and misuse; to secure and debug.
- Aggregated, de-identified insights. We may create and share industry statistics about how Mealzy is used. These insights never identify a person or a specific restaurant. We apply safeguards (minimum group sizes, suppression of small counts, and rounding/noise) to prevent re-identification.
6. AI model providers & automated processing
We may use third‑party AI infrastructure to process chat messages for the sole purpose of returning responses and improving safety and quality. Where we act as a controller (e.g., for our website or platform accounts), we contract with such providers as processors under appropriate data protection terms and international transfer safeguards. We do not rely on automated decision‑making that produces legal or similarly significant effects. Loyalty tiers reflect your points and activity; they do not affect your legal rights. You may contact us if you believe an automated result is incorrect.
7. Sharing & disclosure
We share personal data only as described below:
- With Restaurants (controllers): If you join a Restaurant’s loyalty program or interact with its menu/chat, that Restaurant receives relevant data about your enrolment, personal details, points, redemptions, preferences you choose to save, and basic analytics about menu engagement.
- Service providers (processors): hosting, storage/backup, content delivery, email/SMS, analytics (with consent where required), payment/billing (for Restaurants), security, and AI infrastructure. We require contracts and security measures and only permit processing on our instructions.
- Business transfers: in a merger, acquisition, or asset sale, data may transfer to a new owner under this Policy’s protections.
- Legal: where required to comply with law or respond to lawful requests; to enforce our terms, protect safety, security, and rights.
We may create and share or license aggregated or de‑identified statistics and trends about menu usage, loyalty activity and product performance. These outputs do not identify any individual or restaurant and we apply technical and organisational measures (e.g., cohort thresholds, suppression and noise) to prevent re‑identification.
8. International data transfers
If data is transferred outside the UK/EEA (e.g., to cloud or AI providers), we use lawful transfer mechanisms such as the UK International Data Transfer Addendum (IDTA), the EU Standard Contractual Clauses (SCCs), and additional safeguards where appropriate. Details, including our sub‑processors list, are available on request.
9. Data retention
We keep personal data only as long as necessary for the purposes described in this Policy. We decide retention based on factors like: the type of data, legal/contractual obligations, security and fraud-prevention needs, and limitation periods for claims. For example, we keep account and loyalty data while the account is active, security logs for a limited period, and backups on rolling cycles, after which we delete or de-identify the data.
10. Your rights (UK/EU)
You have the right to: access; rectify; erase; restrict; object to processing based on legitimate interests; data portability; and withdraw consent at any time (this does not affect processing before withdrawal). You also have the right to lodge a complaint with a supervisory authority—see ICO (UK) or your local EEA authority.
- UK ICO:
- EEA authorities list:
To exercise rights, email mealzyapp@gmail.com. For Restaurant‑controlled data (e.g., loyalty accounts), contact the Restaurant directly; we will assist as their processor.
11. Cookies and similar technologies
We use cookies and similar technologies to:
- provide core functionality and security (strictly necessary);
- remember choices; and
- measure usage and improve the Service (analytics) with your consent.
12. Sign in with Google and Apple
Sign in with Google
You may choose to create or access your account using Sign in with Google. When you do, we receive your Google account name, email address, profile photo and an identifier to authenticate you. We use this solely to create and manage your account, secure the Service, and pre‑populate your profile.
- Scopes we request: openid, email, profile.
- Limited Use: We comply with the Google API Services User Data Policy, including the Limited Use requirements.
- Revoking access: You can revoke our access at any time in your Google Account settings:
- We do not request access to Gmail, Drive or other Google data. If we later introduce features that need additional Google scopes, we will ask for your permission and update this Policy.
Sign in with Apple
- You may choose to create or access your account using Sign in with Apple. When you do, we receive your Apple account name, email address (which may be an Apple private relay address if you use Hide My Email) and a persistent Apple user identifier to authenticate you.
- We use this only to create and manage your account, secure the Service, and pre-populate your profile.
- What we don’t access: We do not request or access your iCloud data or other Apple services.
13. Children
Our Services are not directed to children under 13 and we do not knowingly collect personal data from them. Guests may view menus without creating an account. Creating a loyalty account or signing in requires that you are at least the digital age of consent in your country (13 in the UK; up to 16 in some EEA countries). If you believe a child provided personal data to us, contact mealzyapp@gmail.com and we will delete it.
14. Security
We use administrative, technical, and organisational measures appropriate to the risk, including encryption in transit, access controls, logging and monitoring, secure software development practices, and vendor due diligence. No system is perfectly secure; if we detect a breach impacting your data, we will notify you and regulators as required by law. If you detect any issues, including security or privacy concerns, please contact us at mealzyapp@gmail.com so we can investigate and address them.
15. Restaurant–Guest relationship and our role
- When a Guest joins a specific Restaurant’s loyalty program, that Restaurant is the controller for the Guest’s loyalty data. We process that data on the Restaurant’s instructions and terms (see our DPA).
- When a Guest interacts with a Restaurant’s menu or AI chat without logging in or saving preferences, we aim to process such data in a way that does not identify the Guest; where identification occurs (e.g., IP address), we minimise retention and apply security safeguards.
- We may provide the Restaurant with aggregated, de‑identified analytics (e.g., popular dishes, allergen tag views).
16. International users
If you access the Services from outside your home country, your data may be processed in other countries where we or our service providers operate. We use appropriate transfer mechanisms and safeguards (see International data transfers).
17. Changes to this Policy
We may update this Policy to reflect changes to our practices, technologies, or legal requirements. We will post the updated Policy with a new "Last updated" date and, where appropriate, notify you by email or in‑app. Material changes will take effect no sooner than 2 days after notice unless required sooner by law.
18. Contact
- Controller: Atomic Labs Ltd (company no. 16867188), 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
- Email: mealzyapp@gmail.com
- Data Protection Lead: Alfin Jose — mealzyapp@gmail.com
- EU representative: Not currently appointed; we are established in the UK and do not target the EEA at this time. If this changes, we will appoint an EU representative and update this Policy.
- UK representative: Not applicable (Atomic Labs Ltd is established in the UK).
- For Restaurant‑controlled data, please contact the Restaurant directly; we will assist them in responding to your request.