Privacy Notice

Visitors of Foodli digital menus (end users)

Version 1.0 — March 2026 · Pursuant to Art. 13 EU Regulation 2016/679 (GDPR)

Who is this notice for?

This notice is for anyone who opens a public digital menu via link or QR code without registering. If you are a restaurant or food business operator using Foodli, your notice is at foodli.app/privacy.

1. Data Controller

Sicilean S.r.l.

Via Roma no. 95 — 91021 Campobello di Mazara (TP), Italy

VAT and tax code: 02898760810 | REA: TP - 204826

Email: privacy@sicilean.tech · PEC: sicilean@pec.it

Note: The content of the menu (dishes, allergens, prices) is entered by the food business operator (restaurant/bar/etc.), who is responsible for it. For questions about the menu, contact the venue directly.

2. What Happens When You View a Foodli Menu

2.1 View counts (aggregated data)

Legal basis: Art. 6(1)(f) GDPR — legitimate interest (anonymous aggregate statistics)

We record that a menu was viewed in a purely aggregated way (e.g. "menu X viewed 47 times on day Y"). We do not collect your IP or any data that identifies you.

Anti-duplication: your browser stores a temporary key (foodli_menu_view:{id-menu}:{data}) to avoid counting the same visit twice. This stays only in your browser, is not sent to anyone, and resets the next day.

Ref.: Art. 6(1)(f) GDPR

2.2 Infrastructure logs (Vercel)

Legal basis: Art. 6(1)(f) GDPR — legitimate interest (platform security)

Like any website, servers automatically log: device IP, browser, OS, requested URL, HTTP status, timestamp. Purposes: security, anomaly detection, attack prevention. Retention up to 90 days, then automatic deletion.

Infrastructure provider: Vercel Inc. (USA) — transfer safeguarded by SCC Decision 2021/914/EU.

2.3 Technical cookies

Public menus do not require authentication and do not set login cookies. Strictly necessary technical cookies may be used to load the page. They do not require consent (Art. 122(1) Italian Legislative Decree 196/2003).

2.4 Behavioural analytics (PostHog and Google Analytics — only with consent)

Legal basis: Art. 6(1)(a) GDPR + Art. 122 Legislative Decree 196/2003 — explicit consent

If you consent via the cookie banner, the platform may send PostHog and/or Google Analytics an anonymous event (page type, anonymous menu identifier, device/browser, approximate time). If you do not consent, you can still view the menu in full.

  • PostHog Inc. — EU servers (eu.i.posthog.com) — no transfers outside the EEA.
  • Google LLC (Google Analytics) — IP anonymised — certified under the EU-US Data Privacy Framework.

Ref.: Art. 6(1)(a) GDPR · Art. 122 D.Lgs. 196/2003 · Provv. Garante 231/2021

3. What Foodli Does NOT Do

  • ❌ Does not build a profile about you.
  • ❌ Does not use profiling or marketing cookies.
  • ❌ Does not sell your data to third parties for advertising.
  • ❌ Does not link your visits across different Foodli menus.
  • ❌ Does not collect your food preferences or allergies (filtering runs entirely in the browser).
  • ❌ Does not require login to view the menu.

4. Allergen Filter — How It Works

The allergen filter runs entirely in your browser. Your selections are never sent to Foodli, the restaurant, or third parties, and are not stored.

⚠️ Warning: The allergen filter is an informational aid only. Legal responsibility for correct allergen information (EU Regulation 1169/2011) lies with the food business operator. For severe allergies, always speak to venue staff.

5. Transfers Outside the EU

  • Vercel Inc. (USA) — infrastructure logs — SCC Decision 2021/914/EU.
  • PostHog Inc. — EU servers — no transfers outside the EEA.
  • Google Analytics (only with consent) — DPF + SCC.

Ref.: SCC 2021/914/UE · DPF 2023/1795/UE

6. Your Rights

Ref.: Artt. 15-22, 77 GDPR

By writing to privacy@sicilean.tech or via PEC sicilean@pec.it:

  • Art. 15 — Access: Know whether we process data about you.
  • Art. 16 — Rectification: Correct inaccurate data.
  • Art. 17 — Erasure: Request deletion of data.
  • Art. 18 — Restriction: Request suspension of processing.
  • Art. 21 — Objection: Object to processing based on legitimate interests (e.g. view counts).
  • Art. 7(3) — Withdraw consent: Via the "Manage cookie preferences" link in the footer.
  • Art. 77 — Complaint to the supervisory authority: www.garanteprivacy.it

Response within 30 days.

7. Children's Data

We do not knowingly collect personal data of children under 14 for analytics (Art. 8 GDPR; Art. 2-quinquies Legislative Decree 196/2003). If you are a parent or guardian and believe a child's data was processed, write to privacy@sicilean.tech.

8. Updates

This notice may be updated. Planned changes: possible Google Analytics and AI features — the notice will be updated before activation. Check the version date periodically.

9. Contact

Email: privacy@sicilean.tech

PEC: sicilean@pec.it

Controller: Sicilean S.r.l. — Via Roma no. 95 — 91021 Campobello di Mazara (TP), Italy