Trust & Security

Your business data is safe here.

We have built MenuList from the ground up with security and data integrity as non-negotiable foundations — not features. Here is exactly how we protect your business.

Security at a glance

For technical owners and their teams — the facts, plainly stated.

Password breaches possibleZero — we store no passwords

Data sold to third partiesNever

Cross-account data accessImpossible by design

Customer identities in analyticsNot collected

Infrastructure providerGoogle Cloud / Firebase

Transit encryptionTLS/HTTPS everywhere

Webhook verificationHMAC-SHA256 signed

How we protect your business

Eight layers of security and data integrity built into the platform.

Your data, your ownership

Your menu, your business information, and your customer-facing content belong to you. MenuList does not sell, share, or monetise your business data.

You can export your data at any time
Deleting your account removes your data from our systems
We do not sell data to third parties — ever

Isolated by design

Every business on MenuList operates in a completely isolated environment. Your data is logically separated from every other business on the platform — at the database level.

Tenant ID and Store ID enforced on every database query
No shared data between businesses
Firestore security rules prevent cross-account access

Authentication without passwords

MenuList uses industry-standard OAuth via Google Sign-In. We never store passwords — there are no passwords to breach.

Powered by NextAuth.js — industry standard
Google OAuth — the same login billions of people trust daily
Session tokens expire automatically

HTTPS everywhere

Every connection to MenuList — your dashboard, your public menu pages, your official page — is encrypted in transit.

TLS/SSL on all endpoints
Customer-facing menu pages served over HTTPS
No unencrypted data in transit

Built on Google Cloud

MenuList runs on Firebase and Google Cloud infrastructure — the same foundation trusted by millions of production applications worldwide.

Firebase Firestore for real-time, secure data storage
Google Cloud infrastructure with 99.95% SLA
Automated backups handled by Google infrastructure

Webhook security

If you use integrations like POS Webhook Sync, every request is signed with HMAC-SHA256. Your endpoint can verify the request is genuinely from MenuList.

HMAC-SHA256 signatures on all outbound webhooks
Secret keys stored securely, never exposed in UI
Replay attack prevention built in

Privacy-conscious analytics

MenuList keeps menu and official-page activity visible without turning customers into profiles. The system records business signals, not personal identity.

No customer names, emails, payment details, scroll heatmaps, hover tracking, or per-keystroke tracking
Menu sessions, category interest, searches, unavailable-item attention, source quality, and final actions remain visible
Approximate location is optional and never stored as exact GPS coordinates in this analytics flow

Menu data integrity

Every menu save goes through automatic validation. Incomplete data, missing prices, or broken items are caught before they can reach your customers.

Client-side validation on every save
Menu Correctness Engine runs automatically
Published surfaces always reflect validated data

Found a security issue?

We take security reports seriously. If you discover a vulnerability, please contact us directly before public disclosure so we can address it promptly.

Reach us at security@menulist.ai

Built to be trusted.

Security is not a feature we added — it is the foundation we built on.

Create your MenuList →