This Privacy Policy and Cookie Notice applies to all mobile applications published by Marotino CY LTD on the Apple App Store and Google Play under the Menusso platform ("Applications"), as well as to the Menusso website at https://menusso.com.
Each Application is a white-label restaurant ordering app built and deployed by Marotino CY LTD on behalf of a restaurant business client ("Restaurant Partner"). Regardless of the branding displayed in the Application, Marotino CY LTD is the developer of record and the entity responsible for the technology and the data practices described in this Policy.
By using any Application or the Menusso website, you acknowledge the data practices described in this Policy.
Marotino CY LTD operates as the data controller in relation to:
The Restaurant Partner (the restaurant whose menu appears in the Application you are using) acts as a co-controller or independent data controller in relation to:
Where Marotino CY LTD processes personal data on behalf of the Restaurant Partner to deliver the service, it does so as a data processor under a Data Processing Agreement that complies with Article 28 of the GDPR.
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Creating and managing your account | Account and identity data | Contract (Art. 6(1)(b)) |
| Processing and fulfilling your orders | Order, payment, and delivery address data | Contract (Art. 6(1)(b)) |
| Dispatching deliveries via Wolt Drive | Delivery address, order details | Contract (Art. 6(1)(b)) |
| Processing payments via Stripe | Payment token, order value | Contract (Art. 6(1)(b)) |
| Sending order status notifications | Push notification token | Contract (Art. 6(1)(b)) |
| Fraud prevention and security | Device data, IP address, payment signals | Legitimate interest (Art. 6(1)(f)) |
| Platform analytics and performance monitoring | Usage and device data (aggregated) | Legitimate interest (Art. 6(1)(f)) |
| Sending promotional push notifications | Push notification token | Consent (Art. 6(1)(a)) |
| Legal compliance and record-keeping | Order and transaction data | Legal obligation (Art. 6(1)(c)) |
We do not use your personal data for targeted advertising on third-party platforms. We do not sell your personal data.
We share your personal data only with the following parties and only to the extent necessary:
The restaurant whose Application you are using receives your order details (items, delivery address, contact number, order time) in order to prepare and dispatch your order. The Restaurant Partner acts as an independent controller for this data in the context of your customer relationship with them.
Payment processing, fraud detection, and card tokenization. Stripe is an independent data controller for its own fraud prevention activities and a data processor for transaction processing. See https://stripe.com/privacy.
Delivery address and order reference are shared with Wolt to dispatch a courier. Wolt's own privacy policy applies: https://wolt.com/en/privacy.
Menusso uses vetted technical sub-processors (e.g., cloud hosting, error monitoring) to operate the platform. All sub-processors are bound by data processing agreements and may not use your data for their own purposes.
We may disclose data if required to do so by law, court order, or regulatory authority, or to protect our legal rights and the safety of users.
We do not share your data with any other third parties.
The Applications are native mobile apps. They do not use browser cookies. Instead, they use the following equivalent technologies:
Strictly Necessary (cannot be disabled)
| Technology | Purpose |
|---|---|
| Authentication token (local storage) | Maintains your login session |
| Cart and order state (local storage) | Preserves your in-progress order |
| Security tokens | Prevents fraudulent requests |
Functional (disable via device settings)
| Technology | Purpose |
|---|---|
| Saved delivery address (local storage) | Pre-fills delivery address for convenience |
| Language preference (local storage) | Remembers your chosen display language |
| Push notification token | Enables order status and promotional notifications |
Analytics and Performance
| Technology | Provider | Purpose |
|---|---|---|
| App usage analytics | Marotino CY LTD (internal) | Track feature usage, improve UX, detect errors |
Analytics data is aggregated and pseudonymized. It is not used to identify individual users.
Payment Processing and Fraud Prevention
| Technology | Provider | Purpose |
|---|---|---|
| Stripe SDK | Stripe, Inc. | Secure card tokenization, payment authentication, fraud scoring |
The Stripe SDK may collect device signals and behavioral data as part of its fraud prevention mechanisms. This is governed by Stripe's Privacy Policy at https://stripe.com/privacy.
The Menusso website uses standard web cookies:
Strictly Necessary
Analytics
You can manage web cookies through your browser settings. Note that disabling certain cookies may affect website functionality.
If you are located in the European Economic Area, you have the following rights:
| Right | What It Means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your data, subject to legal retention obligations |
| Restriction (Art. 18) | Request that we limit processing of your data |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on our legitimate interest |
| Withdraw Consent (Art. 7(3)) | Withdraw any consent given at any time, without affecting prior processing |
To exercise any of these rights, contact us at: [email protected]
We will respond within 30 days. For complex requests, we may extend this by a further 60 days and will inform you of the extension.
You also have the right to lodge a complaint with your national data protection supervisory authority. In Cyprus, this is the Office of the Commissioner for Personal Data Protection (https://www.dataprotection.gov.cy). You may also contact the supervisory authority in your country of residence.
Push Notifications
Disabling notifications does not affect your ability to use the Application or place orders.
Analytics Opt-Out
Email [email protected] to request an analytics opt-out. We will apply a do-not-track flag to your account within 5 business days.
Device-Level Tracking Controls
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion request |
| Order history | 24 months from order date |
| Payment tokens and transaction records | 5 years (legal/financial compliance) |
| Device and usage analytics | 12 months, then aggregated or deleted |
| Push notification tokens | Until notifications disabled or app uninstalled |
| Security and access logs | 12 months |
| Crash and error reports | 90 days |
After the relevant retention period, data is securely deleted or irreversibly anonymized.
Marotino CY LTD implements industry-standard technical and organizational measures to protect your personal data, including:
In the event of a personal data breach that is likely to result in high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR requirements.
Marotino CY LTD is based in Cyprus, an EU member state. All data is primarily processed within the EU/EEA.
Some sub-processors, including Stripe, may operate outside the EEA. In all such cases, Marotino CY LTD ensures appropriate safeguards are in place, including:
Our Applications are not directed to children under the age of 13 (or 16 in jurisdictions where that threshold applies under GDPR). We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact [email protected] immediately and we will delete it promptly.
We may update this Policy to reflect changes in our practices, technology, or applicable law. We will notify users of material changes via in-app notice or push notification, and will update the "Effective Date" at the top of this Policy. The current version is always available at https://menusso.com/privacy.
Continued use of any Application after notice of changes constitutes your acceptance of the updated Policy.
Marotino CY LTD (Menusso)
Evripidou 9A, Limassol 3031, Cyprus
Email: [email protected]
Web: https://menusso.com
For questions about this Policy, your data rights, or data practices in relation to a specific Restaurant Partner's application, contact us at [email protected] and specify which Application you are referring to.
Last updated: April 28, 2026