Legal Document

Data Processing Addendum

This Data Processing Addendum (DPA) forms part of the agreement between Magia Menu and venues using our platform.

Last updated: February 2026

This DPA establishes the terms under which Magia Menu processes personal data on behalf of venues (Data Controllers) in connection with the provision of our ordering and venue management services. This addendum is designed to ensure compliance with GDPR and other applicable data protection regulations.

Controlling Language

This English version of the Data Processing Addendum is the controlling version. Translations into other languages are provided for convenience only. In case of any discrepancy between the English version and a translation, the English version shall prevail.

1. Parties

Data Controller (Venue)

The venue that has entered into an agreement with Magia Menu for the use of our platform services. The venue determines the purposes and means of processing customer data related to their operations.

Data Processor (Magia Menu)

Magia Menu Limited, operating the Magia Menu platform, processes personal data on behalf of the venue in accordance with this DPA and documented instructions.

2. Subject Matter & Duration

Subject Matter

Processing of personal data to provide ordering, venue operations, customer experience features, and related services through the Magia Menu platform.

Duration

For the term of the service agreement between Magia Menu and the venue, plus any retention periods required by law or as specified in our Data Retention Policy.

3. Nature and Purpose of Processing

  • Authentication and session management for guests and staff
  • Order processing and fulfillment
  • Real-time order status notifications
  • Customer support and issue resolution
  • Security monitoring and abuse prevention
  • Analytics and reporting (aggregated/anonymized where possible)

4. Categories of Data Subjects

  • Guests and customers of the venue
  • Venue staff with platform accounts
  • Delivery personnel (if applicable)

5. Categories of Personal Data

  • Identifiers: phone number, email address (if provided), optional name
  • Order details: items ordered, special requests, preferences
  • Technical data: device type, browser, IP address, usage logs
  • Location data: only for venue search feature, with user permission
  • Payment references: transaction IDs only (no card data stored)

6. Controller Obligations

  • Provide appropriate notices to customers regarding data processing
  • Ensure lawful basis exists for all processing activities
  • Handle customer-facing consent collection where required
  • Respond to data subject requests with processor assistance
  • Notify processor of any changes affecting data processing

7. Processor Obligations (GDPR Article 28)

In accordance with GDPR Article 28

  • Process data only on documented instructions from the controller
  • Ensure confidentiality commitments from all personnel
  • Implement appropriate technical and organisational security measures
  • Assist with data subject access requests (DSAR)
  • Notify controller of personal data breaches without undue delay
  • Delete or return all personal data after end of services (subject to legal retention requirements)
  • Make available information necessary to demonstrate compliance

8. Technical and Organisational Measures (TOMs)

Magia Menu implements comprehensive security measures as detailed on our Security page. Key measures include:

  • TLS 1.3 encryption in transit
  • AES-256 encryption at rest
  • Role-based access control (RBAC)
  • Continuous monitoring and audit logging
  • Encrypted backups (daily/weekly/monthly)
  • Documented incident response procedures

9. Sub-processors

Current Sub-processors

  • Iyzico: Payment processing (per provider PCI DSS policy)
  • Mapbox: Map and location services (anonymized, per provider policy)

Controller will receive prior notice of any new sub-processors with the right to object within 14 days.

10. International Transfers

Where personal data is transferred outside the EEA, Magia Menu ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where applicable. Primary data processing occurs within the EEA (Netherlands).

11. DSAR Assistance

  • Processor assists Controller in responding to data subject requests
  • Response time target: 30 days (extendable to 60 for complex requests)
  • Secure identity verification procedures in place
  • Automated tools available for data export and deletion requests

12. Audit & Compliance

  • Provide reasonable information to demonstrate compliance upon request
  • Allow audits under agreed scope and frequency (typically annually)
  • Maintain records of processing activities as required by GDPR Article 30

13. Security Incident / Breach Notification

Notification without undue delay (within 72 hours of becoming aware)

Notification content includes:

  • Nature and scope of the breach
  • Categories and approximate number of affected data subjects
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

14. Return/Deletion of Data

Upon termination of services, Magia Menu will delete or anonymize all personal data processed on behalf of the venue, except where retention is required by law or as specified in our Data Retention Policy.

15. Liability & Governing Law

Liability for data protection breaches shall be determined in accordance with GDPR provisions and the main service agreement between the parties.

This DPA is governed by the laws of the Republic of Turkey. For processing of personal data of EEA residents, GDPR applies to the extent required by law.

Questions About This DPA?

Contact us for clarification or to request a signed copy for your records.

magiamenu@gmail.com