Menumiz Privacy Policy

B2B version (Australia)

About this Privacy Policy

Universal Apps Pty Ltd ACN 622 689 794, trading as menumiz (“menumiz”, “we”, “our” or “us”), respects the privacy of individuals and is committed to handling personal information responsibly, transparently and securely.

This Privacy Policy explains how we collect, hold, use, disclose, secure, retain and provide access to personal information in connection with:

• the menumiz platform;
• menumiz websites and applications;
• menumiz Business applications;
• menumiz Pay;
• customer onboarding and account management;
• identity verification and Know Your Customer checks;
• payment, ordering, point-of-sale and business-management services; and
• related support, marketing and administrative activities.

We are subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”). In relation to the Document Verification Service, we also comply with applicable requirements under the Identity Verification Services Act 2023 (Cth), the Identity Verification Rules, applicable DVS access policies and our DVS participation arrangements.

This Privacy Policy applies to personal information about individuals. Information relating solely to a business may not be personal information unless it identifies, or is reasonably capable of identifying, an individual.

Who this policy applies to

This Privacy Policy applies to personal information about:

• business owners, directors, partners and sole traders;
• authorised representatives and account administrators;
• employees, contractors and personnel of menumiz business customers;
• applicants for menumiz Pay and related payment services;
• beneficial owners and persons who exercise control over a business;
• guarantors and authorised signatories;
• customers of businesses using menumiz services;
• suppliers and professional advisers;
• individuals who contact us or visit our websites, applications or offices; and
• individuals whose identity information is submitted for verification.

menumiz primarily provides business-to-business services. Our business services are not directed to children. We do not knowingly conduct a DVS identity check on a child without appropriate consent and authority.

Our role when processing information for a business

In some circumstances, a business using menumiz determines what customer or employee information is entered into the menumiz platform and how that information is used.

Where we process personal information on behalf of a business customer, that business may have separate privacy obligations and may be responsible for deciding why the information is collected and used.

This Privacy Policy applies to menumiz’s own handling of personal information. It does not replace the privacy policy or privacy obligations of a restaurant, café, merchant, employer, payment provider or other third party.

Types of personal information we collect

Depending on the services used and the person’s relationship with us, we may collect the following categories of information.

Identity and contact information

This may include:

• full name;
• date of birth;
• residential, postal and business address;
• email address;
• telephone and mobile number;
• signature;
• profile photograph;
• job title or occupation;
• nationality or residency information, where lawfully required;
• authorised representative details; and
• information about an individual’s relationship with a business.

Business information

This may include:

• registered and trading names;
• Australian Business Number or Australian Company Number;
• company, partnership, trust or sole-trader details;
• business address and contact details;
• ownership and control information;
• beneficial-owner and director information;
• business licences, permits and registrations;
• tax-related information;
• business bank-account details;
• trading history;
• products, services, menus and pricing;
• suppliers and inventory information;
• sales, transaction and accounting records; and
• information required to establish or manage a menumiz business account.

Identity-document and KYC information

Where identity verification is reasonably necessary or required for menumiz Pay, fraud prevention, legal compliance or another approved function, we may collect:

• driver licence information;
• passport information;
• Medicare card information, where supported and appropriate;
• birth certificate information;
• visa or residency evidence;
• proof-of-age information;
• proof of residential address;
• copies or images of identity documents;
• government-related identifiers contained in those documents;
• verification status and match results;
• records showing when and how consent was obtained; and
• information required by payment providers, financial institutions, card schemes or regulators.

We will only collect government-related identifiers where permitted by law and reasonably necessary for our functions or activities, or where required or authorised by law.

Financial and transaction information

This may include:

• bank-account details;
• payment settlement details;
• payment method;
• partial or tokenised card information;
• transaction history;
• refunds and chargebacks;
• billing and subscription information;
• financial reports;
• credit information, where lawfully obtained;
• fraud-risk indicators; and
• information provided by payment processors and financial institutions.

Full payment-card information may be processed directly by an authorised payment provider and may not be stored by menumiz.

Technical and usage information

This may include:

• IP address;
• device identifiers;
• browser type;
• operating system;
• application version;
• login time and activity;
• pages, features and buttons used;
• system logs;
• cookie and similar-technology data;
• authentication and security events;
• transaction metadata;
• crash and diagnostic data; and
• information about how our systems are accessed and used.

Location information

Where a location-enabled service is used, we may collect approximate or precise location information to:

• support delivery or order fulfilment;
• identify nearby businesses or services;
• provide location-based functionality;
• record an authorised business visit or check-in;
• prevent fraud;
• protect account security; or
• provide a feature requested by the user.

Location permissions can generally be controlled through the device settings. Disabling location services may prevent some features from operating.

Information about customers of menumiz businesses

Where a customer places an order, makes a booking, joins a loyalty program, makes a payment or interacts with a business through menumiz, we may process:

• name and contact details;
• order and transaction details;
• booking information;
• delivery or collection information;
• dietary preferences and allergen information voluntarily supplied;
• loyalty and voucher information;
• feedback and reviews;
• device and technical information; and
• payment-related information.

How we collect personal information

We may collect personal information:

• directly from the individual;
• through menumiz applications, websites, forms and portals;
• when an account is registered or updated;
• during menumiz Pay onboarding;
• when identity documents are submitted;
• through telephone, email, chat or customer support;
• during meetings, demonstrations or office visits;
• from an authorised representative;
• from a business that employs or engages the individual;
• from payment providers, financial institutions and fraud-prevention providers;
• from identity-verification providers and approved DVS intermediaries;
• from credit-reporting bodies where legally permitted;
• from government registers and publicly available records;
• from social-media or business-directory sources;
• from cookies, logs and analytics technologies; and
• where required or authorised by law.

Where practical, we collect personal information directly from the relevant individual.

If personal information is provided to us about another person, the person providing it must be authorised to do so and must ensure that the other person has received any required privacy notice and provided any required consent.

Why we collect and use personal information

We may collect, hold, use and disclose personal information to:

• establish and administer an account;
• provide menumiz products and services;
• process orders, bookings, subscriptions and payments;
• provide menumiz Pay;
• verify identity;
• perform KYC, customer-due-diligence and fraud checks;
• assess whether we can provide a requested service;
• confirm authority to act for a business;
• comply with legal, regulatory, contractual and card-scheme obligations;
• prevent identity crime, fraud, misuse and unauthorised account activity;
• process settlements, refunds and chargebacks;
• provide technical and customer support;
• investigate complaints and disputes;
• manage security incidents;
• operate, maintain and improve our systems;
• perform analytics and service-quality assessments;
• maintain records and audit trails;
• enforce our agreements and protect legal rights;
• communicate service notices and operational updates;
• market our services where permitted by law; and
• perform corporate, risk, insurance, legal and administrative functions.

We will not use DVS identification information or DVS match information for advertising, direct marketing, behavioural profiling or market research.

menumiz Pay, KYC and identity verification

When a person applies for menumiz Pay or another service requiring identity verification, we may conduct KYC, fraud-prevention, eligibility and identity checks.

The information required may include:

• a driver licence, passport or other approved identity document;
• residential-address evidence;
• a business bank statement;
• licences or permits required to operate the business;
• director, beneficial-owner or controlling-person information; and
• other information reasonably required to comply with legal, regulatory, payment-provider or financial-institution requirements.

We will only collect information reasonably necessary for the relevant verification, compliance or payment-service purpose.

Providing false, misleading, incomplete or unauthorised identity information may result in an application being delayed, declined, suspended or reported where required by law.

Document Verification Service

What the DVS is

The Document Verification Service (“DVS”) is a secure Australian identity-verification service that checks whether information provided from an identity document matches information held by the relevant government document issuer or official record holder.

A DVS response generally indicates that the submitted information:

• matched;
• did not match; or
• could not be processed because of an error.

The DVS match result does not provide menumiz with a copy of the government agency’s underlying official record.

When we may use the DVS

We may use the DVS only where:

• identity verification is reasonably necessary for a lawful menumiz function or activity;
• identity verification is reasonably necessary for us to fulfil an obligation to a government agency or authority;
• use is required or authorised by Australian law or a court or tribunal order; or
• DVS access has been approved for the relevant purpose.

Possible approved uses may include verifying the identity of a person applying for menumiz Pay or confirming the identity of a business owner, director, beneficial owner, authorised representative or other person whose identity must be verified.

We do not use the DVS merely because it is convenient. We assess whether identity verification and use of a government-related identifier are reasonably necessary for the relevant function.

Express consent before a DVS check

We will not initiate a DVS identity check unless the individual, or a person lawfully authorised to act for that individual, has first provided informed and express consent.

DVS consent must be:

• adequately informed;
• given voluntarily;
• current;
• specific to the verification;
• provided by a person with capacity to understand the verification; and
• recorded by us.

Before requesting consent, we will explain:

• the identity information being collected;
• the identity document to be checked;
• that the document information will be submitted for matching against the records of the relevant government document issuer or official record holder;
• why we are verifying the person’s identity;
• how menumiz will use the DVS and the result;
• the categories of third parties and intermediaries that may collect, transmit, process, store or receive the information;
• the individual’s relevant privacy rights;
• the consequences of declining consent;
• where to obtain information about the DVS;
• how to make a privacy complaint; and
• any other information required by applicable DVS rules or participation terms.

Consent to a DVS check will be obtained separately from consent to receive marketing communications.

Authority to provide document information

A person submitting identity-document details must confirm that:

• the details relate to them; or
• they are lawfully authorised to provide the details and consent on behalf of the relevant individual.

We may request evidence of that authority.

Capacity to consent

We take reasonable steps to ensure that the person giving consent has the capacity to understand what is proposed.

Where appropriate, this may involve:

• providing information in an accessible format;
• permitting assistance from an interpreter;
• allowing an authorised representative, guardian or other legally authorised person to act; or
• declining to proceed where valid consent cannot be obtained.

Consequences of declining DVS consent

An individual may decline consent to a DVS check.

Where a DVS check is reasonably necessary or required to provide menumiz Pay or another regulated or identity-dependent service, we may be unable to approve, activate or continue that service without completing an acceptable identity-verification process.

Where reasonably practicable and legally permitted, we may offer an alternative verification process. An alternative method may take longer or require additional documentary evidence.

Declining DVS consent will not, by itself, enrol the individual in marketing or result in the individual’s identity information being used for another unrelated purpose.

Parties involved in a DVS check

Depending on the verification arrangement, identification information and related match data may be handled by categories of entities including:

• menumiz and specifically authorised menumiz personnel;
• an approved DVS Gateway Service Provider;
• authorised intermediary service providers or Information Match Agents;
• the Commonwealth Attorney-General’s Department as Framework Administrator;
• the relevant government document issuer or Official Record Holder;
• Austroads in connection with participating driver licence records;
• participating state or territory registries of births, deaths and marriages;
• secure hosting, transmission or technology providers approved for the verification process; and
• regulators, auditors or authorities where required or authorised by law.

The particular document issuer involved will depend on the document selected for verification.

Restrictions on DVS information

Identification information obtained for a DVS check and Information Match Data will not be used for:

• creating a behavioural or marketing profile;
• tracking the individual’s behaviour;
• advertising or promoting goods or services;
• offering unrelated goods or services;
• enabling another party to advertise, promote or offer goods or services;
• market research;
• sale or commercial data brokerage; or
• a purpose unrelated to the approved identity-verification activity.

We will not use a DVS match result as the sole evidence of identity in civil or criminal proceedings to which the individual is a party.

We will not publicly represent that a DVS match guarantees that a person is who they claim to be. A match indicates only that the submitted document information matched the relevant official record.

Government-related identifiers

We do not adopt a government-related identifier as our own customer or account identifier unless permitted by law.

We only use or disclose government-related identifiers where:

• reasonably necessary to verify identity for our lawful functions or activities;
• reasonably necessary to fulfil an obligation to an Australian government agency or authority;
• required or authorised by Australian law or a court or tribunal order; or
• otherwise permitted under APP 9.

Government-related identifiers are not used for general customer matching, advertising or analytics.

Who we may disclose personal information to

We may disclose personal information to the extent reasonably necessary to:

• authorised menumiz personnel;
• related corporate entities providing legitimate operational support;
• payment processors, acquiring banks and financial institutions;
• card schemes and payment networks;
• KYC, identity-verification and fraud-prevention providers;
• approved DVS Gateway Service Providers and intermediaries;
• government document issuers and official record holders;
• cloud-hosting, data-storage and cybersecurity providers;
• communications, email and SMS providers;
• accountants, auditors, insurers and professional advisers;
• debt-recovery and dispute-resolution providers;
• regulators, courts, tribunals, law-enforcement bodies and government authorities;
• a purchaser, investor or adviser involved in a proposed or completed sale, restructure or transfer of our business, subject to appropriate confidentiality protections; and
• another party where the individual has consented or disclosure is otherwise permitted or required by law.

We require service providers handling personal information on our behalf to protect it and use it only for authorised purposes.

We do not sell identity-document details or DVS information.

Information displayed to customers of a menumiz business

To enable a business to advertise, sell and provide its goods or services, information selected by the business may be displayed to its customers, including:

• business or trading name;
• logo;
• public telephone number or messaging contact;
• business address and map location;
• digital menus;
• products, ingredients and pricing;
• business hours and kitchen hours;
• facilities and amenities;
• public social-media details;
• photographs;
• ratings and reviews; and
• tax or registration details required to appear on invoices or receipts.

Business users are responsible for ensuring that information they choose to publish is accurate and appropriate for public disclosure.

Information not ordinarily displayed to restaurant customers

Unless the information is intentionally published by the business, authorised by the relevant individual, or disclosure is required or permitted by law, we do not ordinarily display to restaurant customers:

• a private mobile number;
• a private email address;
• date of birth;
• residential address;
• identity-document information;
• government-related identifiers;
• KYC documents;
• DVS match information;
• banking details;
• payment-card information;
• IP address;
• private supplier information;
• internal business reports; or
• account-security information.

Marketing

We may use business contact information to communicate about menumiz products, services, updates and offers where permitted by law.

An individual may opt out of marketing by:

• using the unsubscribe facility in the communication;
• adjusting available account or notification settings; or
• contacting us at support@menumiz.com.

Opting out of marketing does not prevent us from sending essential service, account, security, payment, legal or compliance communications.

Identity-document information, government-related identifiers, DVS Information Match Data and DVS match results are not used for marketing.

We will not use a business name or logo in a public client list or promotional material without appropriate authority or another lawful basis.

Cookies, analytics and online technologies

Our websites and applications may use cookies, software development kits, pixels and similar technologies to:

• operate login sessions;
• remember preferences;
• maintain security;
• prevent fraud;
• understand system usage;
• diagnose errors;
• improve functionality; and
• measure communications and marketing performance where permitted.

Browser or device settings may allow cookies or similar technologies to be restricted. Some features may not operate correctly when these technologies are disabled.

Information collected through analytics or advertising services is not combined with DVS Information Match Data for advertising, profiling or market research.

Overseas disclosure and access

Some general menumiz service providers or related companies may be located outside Australia, including in jurisdictions in which menumiz related entities, cloud providers, support providers or technology providers operate.

Before disclosing personal information overseas, we take reasonable steps required by applicable privacy law to ensure that the recipient handles it appropriately.

DVS access is subject to stricter controls. We will not permit personnel or entities located outside Australia or New Zealand to access or use the DVS or DVS Information Match Data unless:

• the access is permitted under our DVS participation arrangements;
• any required prior notification or approval has occurred;
• the access is limited to authorised personnel;
• appropriate security controls are in place; and
• the overseas personnel are required to comply with the APPs and applicable DVS requirements.

Security

We take reasonable technical and organisational measures to protect personal information against misuse, interference, loss, unauthorised access, modification and disclosure.

Depending on the information and system involved, controls may include:

• role-based access;
• least-privilege access;
• multi-factor authentication;
• password requirements;
• encryption in transit and at rest where appropriate;
• secure tokens, keys and credentials;
• network and application-security controls;
• monitoring and audit logs;
• access reviews;
• vulnerability and patch management;
• backup and recovery controls;
• staff confidentiality obligations;
• security awareness training;
• incident-response procedures; and
• restrictions on downloading, copying or exporting sensitive information.

Only authorised personnel with a legitimate operational requirement may access identity-document information, DVS data or KYC records.

Users must keep their credentials confidential and notify us immediately of suspected unauthorised access or account compromise.

DVS logging, monitoring and compliance

We maintain records reasonably necessary to demonstrate compliant DVS use, which may include:

• the purpose of the verification;
• the identity of the authorised user initiating the check;
• the date and time of the request;
• the document type;
• the consent notice presented;
• the individual’s express consent;
• confirmation of authority to provide the document information;
• relevant disclosures made to the individual;
• the DVS response or match status;
• access and security logs;
• incidents and remediation actions; and
• records supporting audits and compliance statements.

We may monitor DVS access and use to detect unauthorised activity and verify compliance.

We cooperate with lawful DVS compliance reviews and audits. Our DVS use may be subject to annual audits, compliance reporting and independent audits requested by the Framework Administrator.

Data retention and destruction

We retain personal information only for as long as reasonably necessary for:

• the purpose for which it was collected;
• providing or administering the relevant service;
• fraud prevention and security;
• legal, tax, accounting, payment and regulatory obligations;
• resolving disputes and complaints;
• establishing, exercising or defending legal rights; and
• DVS consent, audit and compliance requirements.

Retention periods vary according to the type of record and applicable legal or contractual requirements.

When personal information is no longer required and we are not legally or contractually required to retain it, we take reasonable steps to securely destroy it or permanently de-identify it.

Where practical, we minimise the amount of identity-document information stored. A DVS verification result may be retained separately from a full copy of the identity document.

Data breaches and security incidents

We maintain procedures for responding to suspected or actual privacy and security incidents.

Where an incident involves DVS access, credentials, Information Match Data, a suspected vulnerability or unauthorised use, we will promptly escalate and notify the relevant Gateway Service Provider, Framework Administrator or other required party in accordance with applicable requirements.

Where the Privacy Act’s Notifiable Data Breaches scheme applies, we will assess the incident and notify the Office of the Australian Information Commissioner and affected individuals where required.

Where we are informed that a DVS-related breach is reasonably likely to result in serious harm, we will take reasonable steps to notify affected individuals as required.

Suspected security incidents may be reported to:

• Email: legal@menumiz.com
• Support: support@menumiz.com

Access and correction

An individual may request:

• access to personal information we hold about them; or
• correction of inaccurate, out-of-date, incomplete, irrelevant or misleading information.

Requests may be sent to legal@menumiz.com.

We may need to verify the requester’s identity before processing a request. We will respond within a reasonable period and, where required, provide written reasons if access or correction is refused.

A DVS match result may indicate only whether submitted information matched an official record. If the official government record appears inaccurate, the individual may need to contact the relevant document issuer directly to request correction.

Anonymity and pseudonyms

Where lawful and practicable, an individual may interact with us anonymously or using a pseudonym.

This may not be practicable where:

• we are required to identify the person by law;
• identity verification is reasonably necessary;
• payment or settlement services require verified identity;
• the person is entering a binding agreement;
• fraud-prevention or security requirements apply; or
• we cannot provide the requested service without knowing the person’s identity.

Privacy and DVS complaints

An individual may complain about:

• our collection, use, holding or disclosure of personal information;
• a DVS identity check;
• consent obtained for a DVS check;
• access to identity information;
• an alleged misuse of a government-related identifier;
• a refusal to provide access or correction; or
• a suspected privacy breach.

Complaints should include sufficient information for us to investigate and should be sent to:

Privacy Officer
Universal Apps Pty Ltd trading as menumiz
Email: legal@menumiz.com
Postal address: 121 King St Melbourne VIC 3000 Australia

We will:

• acknowledge the complaint within a reasonable period;
• investigate it fairly;
• request further information where necessary;
• provide a written response, ordinarily within 30 days; and
• explain available escalation options if the complainant is dissatisfied.

A person may also contact the Office of the Australian Information Commissioner regarding an Australian privacy complaint.

Complaints relating to the accuracy of an official identity record may need to be directed to the government agency or document issuer responsible for that record.

Third-party websites and services

Our applications and websites may link to third-party websites or services.

Those third parties are responsible for their own privacy practices. We recommend reviewing their privacy policies before providing personal information.

This Privacy Policy does not apply to information independently collected or controlled by a third party, except to the extent menumiz remains legally responsible for that information.

Accuracy of information

We take reasonable steps to ensure that personal information we collect, use and disclose is accurate, up to date, complete and relevant.

Individuals and business users should promptly update information through their account or contact us when details change.

We may suspend or delay a service where information required for identity, payment, security or legal compliance is incomplete, inconsistent or appears inaccurate.

Changes to this Privacy Policy

We may update this Privacy Policy to reflect:

• changes to our products or services;
• legal or regulatory developments;
• changes to DVS requirements;
• security or operational improvements; or
• changes to third-party service arrangements.

The current version will be published on our website and will state its effective date.

Where a change materially affects how sensitive, identity or DVS information is handled, we will provide additional notice where reasonably practicable or legally required.

Contact us

Questions about this Privacy Policy or our handling of personal information may be directed to:

Privacy Officer
Universal Apps Pty Ltd trading as menumiz
Email: legal@menumiz.com
Support: support@menumiz.com
Postal address: 121 King St Melbourne VIC 3000 Australia