MamChef

PRIVACY NOTICE FOR MAMCHEF PARTNERS

Last updated: 04/04/2026

This Privacy Notice explains how MB "MamChef" ("MamChef", "we", "us", "our") collects, uses, shares, and safeguards personal data relating to partners who prepare and sell food or goods via the MamChef platform - including restaurants, dark kitchens, stores, and their authorised staff - through the Partner Portal and related integrations (the "Services"). "You/your" refers to a Partner (sole proprietor or company) and your authorised representatives (owners, managers, chefs, staff). Read this Notice with our Partner Terms, policies, and any country-specific addendum (if applicable).

For details about how to request account deletion, what data will be erased, what may be retained, and expected timelines, please see our Account Deletion Information page.

1. Scope and definitions

This Notice applies to partners who publish menus, receive orders, prepare items, and (where applicable) hand orders to couriers or provide self-delivery using MamChef tools. It covers owners, beneficial owners, authorised contacts, and employees using the Partner Portal/Tablet App or POS/API integrations.

For clarity: this Notice does not cover couriers or end-clients. Separate notices apply to those roles.

2. Controller, roles and how to contact us

Data Controller (for Partner onboarding, operations, payouts, compliance):

MB "MamChef"
Company code: 307277177
Registered office: Krivių g. 5, LT-01204 Vilnius, Lithuania
Email (privacy): info@mamchef.com

Data Protection Officer (DPO): info@mamchef.com ("For the attention of the DPO").

Role clarity: MamChef and the Partner generally act as independent controllers for their respective processing. Where MamChef provides optional tools that process Client data on the Partner's documented instructions (e.g., certain marketing or CRM features), MamChef acts as a processor and a Data Processing Agreement (DPA) applies, listing sub-processors.

3. What personal data we collect

We collect data you provide, data generated when you use Partner tools, and data from third parties (KYB/AML, payments, POS).

A. Data you provide

  • Business identity & KYB: legal name, registration code, VAT/TIN, VMVT registration number, corporate documents, beneficial owner (UBO) declarations (where required).
  • Food-safety & licensing: food business registration, hygiene certificates, permits, allergen handling policies, staff certificates.
  • Operational profile: kitchen and pickup addresses, opening hours, delivery areas (if self-delivery), menus, allergen & nutrition fields, images, availability/stock rules, prep-time targets, substitution rules.
  • Brand assets: logos, trade names, photographs and marketing creatives you authorize us to use.
  • Financials: bank/IBAN, payout preferences, invoicing details, DAC7 or similar tax data where applicable.
  • Contacts & roles: owners/admins/finance/support/tech contacts (names, work emails/phones), role assignments and permissions.
  • Integration credentials: POS/API keys, webhooks, printer details.

B. Data generated by your use of Partner tools

  • Account & status: account creation date, role changes, permission logs, suspensions/blocks (date, reason, expiry).
  • Menu & catalogue logs: item additions/edits, pricing changes, stock toggles, imagery updates, timestamps and user IDs.
  • Orders & fulfilment: order items, timestamps, client notes (e.g., substitutions), acceptance/cancellation and reasons, prep/ready-time metrics, accuracy/missing items, refunds and adjustments.
  • Performance metrics: on-time rate, quality/accuracy indicators, customer ratings/comments, incident flags, remake/recook signals.
  • If applicable, POS/integration telemetry: sync success/failure logs, request/response metadata (excluding raw card PANs), error diagnostics.
  • Communications: chats/calls with clients, couriers and MamChef Support; number masking where available; ticket history. Calls may be recorded where notified.
  • Device & usage: partner tablet model/OS, app version, IP, session activity, push notification tokens, crash/diagnostic logs for reliability and security.
  • Fraud & integrity signals: unusual refund/pricing patterns, fake closures, review manipulation, unauthorised menu swaps.

C. Data from third parties

  • KYB/AML/verification providers: document validity, sanctions/PEP screening (where legally required).
  • Payment acquirers/banks: settlement identifiers, chargeback metadata.
  • Couriers/clients: incident reports relevant to food safety/quality; public reviews collected from third-party sites where you opt-in.

4. Purposes and legal bases for processing

We process personal data only where a legal basis applies under GDPR or relevant law.

Purpose | Legal basis | Main data used
Partner onboarding, KYB/food-licensing checks | Legal obligation; Legitimate interests; Contract | Business identity, KYB/AML, licensing, contacts
Publish menus, brand assets, offers in the app | Contract; Legitimate interests | Operational profile, brand assets, images
Order intake, preparation, substitutions and ready-time flows | Contract | Orders & fulfilment, client notes (limited), performance metrics
Client/courier/MamChef communications (masked where available) | Contract; Legitimate interests | Communication logs, contacts, order context
Payments, settlements, invoicing, taxation (incl. DAC7 where applicable) | Legal obligation; Contract | Financials, payouts, order/adjustment records
Quality, food safety & incident handling (incl. recalls, delisting) | Legitimate interests; Legal obligation | Performance metrics, incident data, communications
Marketplace integrity & fraud prevention (human review for termination) | Legitimate interests | Fraud signals, menu logs, refunds, device/usage
Ranking & discovery (transparency on factors used) | Legitimate interests | Performance metrics, proximity, availability, pricing
Analytics & service/product improvement | Legitimate interests; Consent (for certain analytics/cookies) | Orders, performance, device/usage
Co-marketing and placements using Partner brand assets | Contract; Legitimate interests; Consent where required | Brand assets, operational profile, campaign stats
Security, reliability, debugging, crash reporting | Legitimate interests | Device/usage, diagnostics
Legal claims, audits, regulatory/law-enforcement requests; Business reorganisation (M&A, restructuring) | Legal obligation; Legitimate interests | All necessary; Limited necessary data

Client health data: Partners should not receive clients' medical data. Allergen/nutrition fields are for compliance and transparency. If client allergy notes are received via an order, they are used strictly to fulfil that order and retained only as necessary.

5. Who we disclose data to

  • Clients: Partner name, logo, address, menu, allergens/nutrition, availability, pricing; limited contact where self-delivery or clarification is needed.
  • Couriers: Partner name, pickup address, contact channel during active order only.
  • Payment acquirers/banks and tax/accounting providers: settlements, payouts, chargeback metadata, invoices.
  • POS/integration vendors and IT/cloud providers: catalogue, order and sync data necessary to operate integrations.
  • Marketing/advertising and analytics providers: limited Partner brand/metadata for placements and measurement, subject to law and settings.
  • KYB/AML/compliance providers and public authorities (food safety, tax) as required by law.
  • Law enforcement/regulators/courts where legally required or to protect vital/public interests.
  • Prospective buyers or reorganised entities under confidentiality during M&A or restructuring.

6. International data transfers

Where data is transferred outside your country (including outside the EEA/UK), we rely on adequacy decisions, Standard Contractual Clauses and appropriate safeguards. Limited statutory exceptions may apply (e.g., legal requests). Details available on request.

7. How we protect your data

We implement technical and organizational measures: encryption in transit/at rest, least-privilege access, monitoring, secure development, staff training, incident response, backups/BCDR. Only authorised personnel and vetted processors access data on a need-to-know basis.

8. Retention periods

We retain data only as long as necessary for the purposes above or as required by law, then delete or anonymise it.

Category | Typical retention
Contracts, KYB/AML, tax and settlements | Up to 10 years (or per local law)
Menu/catalogue & change logs | For audit and chargeback windows (e.g., 3-5 years)
Orders & fulfilment metadata (non-tax) | Per limitation periods (e.g., 3-5 years)
Food-safety incidents/recalls | Per regulatory requirements (often several years)
Support tickets and communications | Up to 3 years from last interaction
Fraud/abuse investigations | As long as necessary for investigation and defence
Marketing consent & preference logs | For the life of the preference + proof periods

Uninstalling the App does not delete data. To request account deletion, use the in-app Delete Account flow or visit our Account Deletion Information page.

9. Your rights

  • Access: request a copy of your personal data.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion in certain cases (subject to legal retention duties).
  • Restriction: request limited processing in certain cases.
  • Objection: object to processing based on legitimate interests and to direct B2B marketing at any time.
  • Portability: receive data you provided in a structured, machine-readable format where applicable.
  • Withdraw consent: at any time (e.g., marketing/cookies); prior processing remains lawful.
  • Automated decisions: request human review, an explanation, and contest decisions with legal or similarly significant effects.

How to exercise: email info@mamchef.com. For account deletion, you can also use the in-app Delete Account flow or review our Account Deletion Information page. We may request ID to verify. We aim to respond within one month (extendable for complexity).

You may lodge a complaint with the Lithuanian Data Protection Authority (VDAI) or your local authority; please contact us first so we can help.

10. B2B marketing and preferences

We may contact Partner representatives about features, promotions and seasonal opportunities under legitimate interests (B2B). Where required by local law, we will obtain consent. Manage preferences via the Partner Portal, unsubscribe links, or by contacting Support.

11. Automated decision-making, rankings & human review

We may use automated tools to surface partners to clients (ranking) and to detect fraud/abuse. Ranking signals can include proximity, availability, menu accuracy, prep-time reliability, pricing and client ratings. If a decision produces legal or similarly significant effects (e.g., permanent delisting), you can request human intervention, express your view and contest the outcome.

12. Mobile App Permissions

When you use the MamChef Partner mobile application, the app may request access to certain device permissions to enable core functionality:

  • Camera – to upload profile photos, menu images, and verification documents
  • Photos/Media/Files – to select and upload images for menus and documents
  • Notifications – to receive order alerts and operational updates
  • Internet & Network access – to connect securely to MamChef services
  • Device information & diagnostics – for app performance, crash reporting and security

These permissions are used strictly to operate the partner services and are never used for unrelated purposes.

13. Cookies, SDKs & Partner devices

The Partner Portal/Tablet App and sites use cookies, SDKs, analytics pixels and device identifiers to operate the Services, secure accounts, measure performance, remember preferences and (subject to your settings) personalise placements. See our Cookie Notice and manage choices via the Portal/OS.

14. Children

The Partner Services are for business users and not intended for persons under 16 acting without proper authorisation.

15. Changes to this Notice

We may update this Notice from time to time. Material changes will be communicated via the Partner Portal, email or website before taking effect.

16. Local disclosures

Lead supervisory authority: Valstybinė duomenų apsaugos inspekcija (VDAI), L. Sapiegos g. 17, 10312 Vilnius, Lithuania, ada.lt.

GDPR bases: Articles 6 & 9. Transfers: Chapter V safeguards (SCCs/adequacy). Tax/food-safety reporting as required by law.

Annex A. Data categories

  • Business identity & KYB: legal name, registration, VAT/TIN, UBO details (where required).
  • Food-safety & licensing: registrations, hygiene permits.
  • Operational profile: addresses, hours, menus, allergen/nutrition fields, stock/availability, prep-time targets, substitution rules, imagery.
  • Brand assets: logos, photos and creatives authorised for use.
  • Financials & taxation: IBAN, payout setup, invoices/settlements, DAC7-type data.
  • Contacts & roles: owner/admin/finance/support contacts and permission mappings.
  • Integrations: POS/API keys, webhook endpoints, printer details.
  • Orders & fulfilment: timestamps, items, notes for preparation, acceptance/cancellation, ready times, accuracy/missing items, refunds.
  • Performance metrics: on-time rate, quality indicators, ratings/comments, incident flags.
  • Device & usage: tablet/OS, app version, IP, session activity, push notification tokens, crash/diagnostics.
  • Communications: partner - client/courier/support chats/calls; masked numbers where available; ticket history.
  • Fraud & integrity telemetry: unusual refund/pricing patterns, fake closures, review manipulation.

Annex B. Retention schedule

Data set | Typical retention
KYB/AML and licensing files | Up to 10 years or as required by law
Orders & fulfilment metadata | 3-5 years (local limitation periods)
Menu/catalogue & change history | 3-5 years (audit/chargeback windows)
Settlements, invoices and payouts | Up to 10 years (tax/accounting)
Food-safety incidents/recalls | Per regulator guidance (often several years)
Support/communications | Up to 3 years from last interaction
Fraud/abuse investigations and blocks | As long as necessary for investigation/defence
Consent/preference logs | For the life of the preference + statutory proof periods