Websumo Solutions (Co. Reg. No. 201803015504) ("WhatsMenu", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the WhatsMenu platform and services. Please read this policy carefully.
This policy applies to two groups of data subjects:
- Merchants — business owners and staff who register for and operate a WhatsMenu account.
- End-Customers — individuals who interact with a Merchant's WhatsMenu storefront, place orders, or otherwise engage with a Merchant through WhatsMenu (e.g., via WhatsApp, QR code menus, or the online ordering page).
For Merchant data, WhatsMenu acts as the data controller. For End-Customer data collected through a Merchant's WhatsMenu storefront, WhatsMenu acts as a data processor on behalf of the Merchant, who is the data controller. End-Customers with questions about how a specific Merchant handles their data should contact that Merchant directly.
1. INFORMATION WE COLLECT
1.1 Information Provided by Merchants
- Account Information: Name, email address, phone number, and business details
- Payment Information: Billing address, subscription plan, and payment history. WhatsMenu does not store payment card information — card payments are handled securely by Stripe.
- Business Information: Business name, address, operating hours, menu items, product catalogs, images, and business documents
- End-Customer Data uploaded by the Merchant: Any information Merchants input, import, or upload into our platform about their own customers
- Communications: Messages, feedback, and support requests sent to us
1.2 Information Collected from End-Customers (via Merchant Storefronts)
When an End-Customer interacts with a Merchant's WhatsMenu storefront or ordering flow, we may process on the Merchant's behalf:
- Name, phone number, and delivery or pickup address
- Order details, order history, and special instructions
- WhatsApp messages sent to the Merchant's business number through our ordering flow
- Loyalty or points balance, where the Merchant uses the loyalty feature
- Payment confirmation details (actual payment processing is handled by the Merchant's chosen payment provider)
1.3 Information Collected Automatically
- Usage Data: How users interact with our platform, pages visited, features used
- Device Information: IP address, browser type, operating system, device identifiers
- Log Data: Server logs, access times, pages viewed, and other technical information
- Cookies and Similar Technologies: See Section 8
1.4 Information from Third Parties
- Payment Processors: Stripe provides us with payment confirmation and transaction details
- Analytics and Marketing Services: Usage statistics, platform performance data, and advertising attribution data (e.g., Google Analytics, Meta Pixel)
- Business Partners: Information shared through integrations and partnerships
2. HOW WE USE INFORMATION AND LEGAL BASIS
Under applicable data protection law (including the EU General Data Protection Regulation ("GDPR") and the UK GDPR), we process personal data only where we have a valid legal basis. Our processing purposes and corresponding legal bases are:
2.1 Service Provision — Legal basis: performance of a contract
- Process account registration and manage subscriptions
- Provide customer support and technical assistance
- Process payments and manage billing
- Deliver platform features (WhatsApp-based ordering, QR code menus, loyalty, stock tracking, analytics)
- Send service-related notifications
2.2 Business Operations — Legal basis: legitimate interests
- Improve our platform and develop new features
- Analyze usage patterns to enhance user experience
- Ensure platform security and prevent fraud or abuse
- Conduct research and analytics
Where we rely on legitimate interests, we balance those interests against your rights and freedoms. You may object to this processing at any time (see Section 5).
2.3 Legal and Regulatory Compliance — Legal basis: legal obligation
- Comply with tax, accounting, and anti-fraud laws
- Respond to lawful requests from authorities
2.4 Marketing — Legal basis: consent
- Send marketing communications where you have opted in
- Display or measure advertising (subject to cookie consent where required)
You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
2.5 Use of End-Customer Data
End-Customer data processed through a Merchant's storefront is used solely to provide ordering and platform services to that Merchant. We do not use End-Customer data for our own marketing, nor do we sell or rent it to third parties.
3. INFORMATION SHARING
3.1 With Your Consent
We may share your information with third parties when you explicitly consent to such sharing.
3.2 Service Providers (Sub-processors)
We work with trusted third-party service providers who assist us in:
- Payment processing (Stripe)
- Cloud hosting and infrastructure
- Analytics and performance monitoring (e.g., Google Analytics, Meta Pixel)
- Customer support services
- Email and communication services
- WhatsApp Business API providers, where applicable
These providers are bound by contractual obligations consistent with this policy and applicable data protection law. A current list of sub-processors is available on request.
3.3 Between Merchants and End-Customers
Information entered by End-Customers on a Merchant's storefront (e.g., name, phone, address, order details) is shared with that specific Merchant for the purpose of fulfilling the order. WhatsMenu does not share End-Customer data with other Merchants on the platform.
3.4 Legal Requirements
We may disclose information when required by law, including:
- Compliance with applicable laws and regulations
- Response to valid legal process or government requests
- Protection of our rights, property, or safety, or that of our users
- Investigation of potential violations of our Terms of Service
3.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify affected users where required by law.
4. DATA RETENTION AND DELETION
4.1 Retention Periods
We retain information for as long as necessary to fulfill the purposes set out in this policy. Typical retention periods:
- Active account data: for as long as the account is active
- Billing and tax records: up to 7 years after the last transaction, as required by applicable tax and accounting law
- Support communications: up to 3 years after the last interaction
- Marketing data: until consent is withdrawn, or 2 years of inactivity, whichever is sooner
- Server logs: typically 90 days unless needed for security investigations
4.2 Merchant Account Deletion
Upon Merchant account termination, we will delete or anonymize the Merchant's personal data and the End-Customer data stored within that Merchant's account within 90 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, unresolved disputes).
4.3 End-Customer Deletion Requests
End-Customers who wish to have their data removed from a Merchant's WhatsMenu storefront should contact the Merchant directly, as the Merchant is the data controller. Where we receive such requests directly, we will forward them to the relevant Merchant and assist where reasonably possible.
5. YOUR RIGHTS
Depending on your jurisdiction, you may have the following rights in relation to your personal data:
5.1 General Rights
- Access: request a copy of the personal data we hold about you
- Correction: request correction of inaccurate or incomplete data
- Deletion: request deletion of your data ("right to be forgotten" under GDPR)
- Restriction: request that we limit how we process your data
- Objection: object to processing based on legitimate interests, or to direct marketing
- Data Portability: receive your data in a commonly used, machine-readable format, or request transfer to another provider
- Withdraw Consent: where processing is based on consent, withdraw it at any time
- Not Be Subject to Automated Decision-Making: we do not carry out any automated decision-making or profiling that produces legal or similarly significant effects
5.2 How to Exercise Your Rights
To exercise any of these rights, contact us at support@whatsmenu.my. We will respond within 30 days (or a shorter period where required by law). We may ask you to verify your identity before fulfilling the request.
5.3 Right to Lodge a Complaint
If you believe we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with a data protection authority:
- EU residents: your local EU Data Protection Authority
- UK residents: the Information Commissioner's Office (ICO)
- Malaysian residents: the Personal Data Protection Commissioner
- California residents: the California Privacy Protection Agency
- Other jurisdictions: your local supervisory authority
We encourage you to contact us first so we can try to resolve your concern directly.
5.4 Region-Specific Rights
- California (CCPA/CPRA): California residents have additional rights, including the right to know what personal information is collected, the right to delete, the right to opt out of the "sale" or "sharing" of personal information, and the right to non-discrimination. WhatsMenu does not sell personal information.
- Brazil (LGPD): Brazilian data subjects have rights substantially similar to those listed in Section 5.1, as provided by the Lei Geral de Proteção de Dados.
- Australia (Privacy Act): Australian users are protected by the Australian Privacy Principles.
- Malaysia (PDPA): Malaysian users have rights under the Personal Data Protection Act 2010, including access, correction, and withdrawal of consent.
6. SECURITY MEASURES
6.1 Technical and Organizational Measures
We implement appropriate measures to protect information:
- Encryption of data in transit (TLS/HTTPS) and at rest where applicable
- Regular security assessments and updates
- Access controls, role-based permissions, and authentication systems
- Employee training on data protection
- Secure handling of financial and billing documents
6.2 Incident Response
In the event of a personal data breach likely to result in a risk to your rights and freedoms:
- We will notify affected users and the relevant supervisory authorities as required by applicable law. Under GDPR, this notification will be made without undue delay, and where feasible, within 72 hours of becoming aware of the breach.
- We will take immediate steps to contain and remediate the breach
- We will provide guidance on protective measures users can take
7. INTERNATIONAL TRANSFERS
7.1 Cross-Border Transfers
As a global platform, your data may be processed and stored in countries outside your country of residence, including but not limited to Malaysia, Singapore, the United States, and the European Union, depending on the location of our infrastructure and service providers.
7.2 Transfer Mechanisms for EU/UK Data
Where we transfer personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country not recognized as providing an adequate level of protection, we rely on appropriate safeguards, including:
- The European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum
- Binding Corporate Rules, where applicable
- Other lawful transfer mechanisms permitted under GDPR and UK GDPR
You may request a copy of the safeguards in place for data transfers by contacting us at support@whatsmenu.my.
7.3 Third-Party Services
When data is processed by third-party services (e.g., Stripe, Meta, Google), those providers' privacy policies also apply. We encourage you to review them.
8. COOKIES AND TRACKING
8.1 Types of Cookies and Trackers
We use:
- Essential Cookies: required for platform functionality, login sessions, and security
- Analytics Cookies: help us understand platform usage (e.g., Google Analytics)
- Marketing and Advertising Cookies: used for measuring ad performance and retargeting, including the Meta (Facebook) Pixel
8.2 Cookie Consent
Where required by applicable law (including in the EU, UK, and certain other jurisdictions), we will request your consent before placing non-essential cookies. You may manage or withdraw your cookie consent at any time through our cookie settings or your browser preferences. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
9. CHILDREN'S PRIVACY
The WhatsMenu platform is intended for business use by Merchants and adult End-Customers. We do not knowingly collect personal information from children under the age of 16, or the minimum age applicable in their country of residence, without parental or guardian consent. If you believe a child's data has been collected without appropriate consent, please contact us at support@whatsmenu.my and we will take steps to remove it.
10. DATA PROCESSING FOR MERCHANTS
Merchants who use WhatsMenu to collect and process End-Customer data act as data controllers under applicable law. WhatsMenu acts as their data processor. Where required by GDPR Article 28 or equivalent law, a Data Processing Agreement (DPA) is available on request or automatically incorporated into our Terms of Service. Merchants are responsible for ensuring they have a lawful basis to process End-Customer data and for maintaining their own privacy notice to End-Customers.
11. POLICY CHANGES
11.1 Policy Updates
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the updated policy on our platform
- Sending email notifications to registered Merchants
- Updating the "Last updated" date
11.2 Continued Use
Your continued use of our platform after policy changes constitutes acceptance of the updated policy, subject to any consents required by applicable law.
12. CONTACT INFORMATION
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Websumo Solutions (Co. Reg. No. 201803015504)
G-09, Jalan Pandan Prima 1, Dataran Pandan Prima, 55100 Kuala Lumpur, Malaysia
Email: support@whatsmenu.my
Last updated on: 15 March 2026