Legal

Privacy Policy

Last updated: 11 June 2026

1. Who we are

OUF (“we”, “us”) provides digital menu tools for restaurants: a management app for restaurant owners and a public web menu for their guests. OUF is operated from Malmö, Sweden, and is the data controller for the personal data described here. Contact: ouf.design.studio@gmail.com.

2. Data we collect from restaurant accounts

  • Account data — username, email address, and a hashed password.
  • Restaurant content — restaurant details, dish photos you upload, menus, and the images and text our AI generates from them.
  • Usage data — counts of feature use (e.g. AI images generated, menu views) to enforce plan limits, plus login timestamps, IP address, and device type for account security.
  • Push tokens — if you enable notifications in the app.

3. Data we collect from menu guests (diners)

Guests who scan a restaurant’s QR code view the menu in their browser — no account, no app. For these visits we process: the visitor’s IP address and browser type (to count visits, prevent abuse, and de-duplicate analytics — visits are aggregated per day), the language and currency the guest selects, and — if the guest uses the menu assistant — the chat messages, which are processed to generate an answer about the menu. If a guest chooses to subscribe to a restaurant’s updates, we store the name/email/phone they submit, on behalf of that restaurant.

4. How we use AI

Dish photos and menu text are processed by Google’s Gemini models (Google Cloud) to generate menu images, descriptions, translations, and assistant answers. We do not use your content to train our own models. Generated content belongs to your restaurant account.

5. Service providers

We use a small set of processors to run the service: Google Firebase (database, file storage, Google Cloud / Gemini AI processing), Railway (API hosting), Vercel (website hosting), and an email delivery provider for transactional emails. Some providers process data in the United States; transfers rely on the EU–US Data Privacy Framework and/or standard contractual clauses.

6. Cookies

We use only functional cookies: a session cookie when you sign in to your dashboard. No advertising or cross-site tracking cookies.

7. Retention & deletion

Account data is kept while your account is active. You can delete your account in the app (Settings → Delete account) or by emailing us; deletion takes effect after a 30-day grace window, after which personal data is removed or anonymized. Diner visit logs are kept in aggregate form for restaurant analytics.

8. Your rights (GDPR)

You have the right to access, correct, export, and erase your personal data, and to object to or restrict processing. Email us to exercise any of these. You may also lodge a complaint with the Swedish data protection authority (IMY, imy.se) or your local supervisory authority.

9. Changes

We’ll update this page when our practices change and revise the date above. Material changes will be announced to account holders by email or in-app.