Last updated: May 17, 2026
This Privacy Policy explains how Checklabs (“we”, “us”, or “our”) collects, uses, and protects information when you use our menu management and publishing platform (the “Service”). By using the Service, you agree to the practices described below.
Account & workspace data you provide when signing up or operating the Service: your name, email address, password (stored as a one-way bcrypt hash), profile image, workspace name, and the role-based permissions you grant to your team.
Content you upload: menus, categories, items, descriptions, prices, allergen and dietary metadata, item imagery, property and venue details, location, and operating hours.
Guest data you (the workspace operator) add about your own customers, including name, email, phone number, dietary notes, birthday and anniversary dates, VIP level, and free-form notes. If you also enable payments, we store Stripe payment-method identifiers and the card brand, last four digits, and expiry date returned by Stripe — never the full card number.
Communications: when you send SMS or email through the Service, we retain the message body and recipient for delivery, audit, and dispute resolution.
Integrations: if you connect Google Drive (or another optional integration), we store the OAuth access and refresh tokens needed to act on your behalf. Tokens are stored in our database and used only for the connected integration.
Technical & analytics data collected automatically: IP address, browser and device type, country derived from IP, pages visited, referrer, UTM campaign parameters, and a per-visit session identifier. We use this for product analytics, debugging, and abuse prevention.
We use collected information to operate and maintain the Service, authenticate users, process payments, publish your menus to the audiences you designate, communicate with you about your account, prevent abuse, and improve product features. We do not sell personal information.
Application data — including account details, workspace content, guest records, communications history, and integration tokens — is stored in a managed PostgreSQL database operated by Neon. Uploaded files (menu images, item photos, logos) are stored in Vercel Blob object storage with public-read URLs so that published menus can render them. Payment data is held by Stripe; we retain only the Stripe payment-method ID plus the card brand, last four digits, and expiry. Email is delivered through Brevo.
We share information with the following sub-processors so we can run the Service. Each is contractually bound to protect your data and to use it only to perform services on our behalf.
We use cookies and similar technologies to keep you signed in, remember preferences, and understand how the Service is used. The specific cookies we set are:
authjs.session-token — authentication session (HttpOnly, Secure in production).
checklabs_locale — preferred language for the public menu.
checklabs_table_id / checklabs_table_code — short-lived (6 hours) identifier set when a guest scans a QR code, so we can associate menu interactions with the table.
You can disable cookies through your browser settings, though some features (notably sign-in and QR-linked ordering) will not function without them.
We retain account and content data for as long as your account is active, and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements. You may request deletion of your account data at any time.
We use industry-standard administrative, technical, and physical safeguards to protect your data, including encryption in transit, access controls, and audit logging. No system is completely secure, and we cannot guarantee absolute protection against unauthorized access.
Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing activities. You can exercise most of these rights directly from your workspace settings.
The Service may be operated from, and your data may be processed in, jurisdictions other than your own. We take appropriate steps to ensure that international transfers comply with applicable data protection law.
The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with information, please contact us so we can remove it.
We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or by other reasonable means. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.