Legal

Privacy Policy

Effective date: January 1, 2026  ·  Last updated: April 14, 2026

Linglong Inc. ("Linglong," "we," "us," or "our") operates the Linglong digital menu and ordering platform, accessible at menu.linglong.mom and through our operator dashboard. This Privacy Policy explains how we collect, use, disclose, and safeguard information about restaurant operators ("Operators") who subscribe to our platform and the guests ("Guests") who access digital menus via QR code.

By using our Services, you agree to the collection and use of information in accordance with this policy. If you are an Operator, your use is also governed by our Terms of Service.

1. Information We Collect

From Operators (restaurant accounts)

  • Account registration data: name, business name, email address, phone number, billing address.
  • Payment information: credit or debit card details processed and tokenized by Stripe. Linglong never stores raw card numbers.
  • Menu content you upload: item names, descriptions, prices, photos, and categories.
  • Order and transaction records generated through the platform.
  • Usage data: dashboard interactions, feature usage frequency, session duration, and browser/device identifiers.
  • Support communications: emails, chat logs, and call recordings (where permitted by law).

From Guests (QR code menu visitors)

  • Order data: items selected, quantities, special instructions, and table identifier.
  • Payment data when paying via Linglong Checkout: processed by Stripe; we receive only a tokenized reference and the last four digits of the card used.
  • Device and browser data: IP address, user agent string, operating system, screen resolution, and the referring URL that directed the Guest to the menu.
  • Location data: approximate city/country derived from IP address only. We do not request GPS location from Guest devices.
  • If a Guest opts into loyalty notifications: email address or phone number, consent timestamp, and engagement history (opens, redemptions).

Automatically collected data (all users)

  • Cookies and similar tracking technologies — see Section 6 (Cookies) below.
  • Log data: server access logs including timestamps, request paths, response codes, and data volumes.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Service delivery: to publish digital menus, route orders to kitchen displays, process payments, and generate QR codes.
  • Account management: to create and maintain Operator accounts, process billing, and send transactional emails (receipts, password resets, subscription renewals).
  • Analytics and reporting: to generate the revenue and menu performance dashboards Operators use to run their businesses. Operator-facing analytics aggregate Guest behavior — they are not shared with third parties in identifiable form.
  • Platform improvement: to understand how features are used, identify bugs, and prioritize product development.
  • Safety and fraud prevention: to detect and prevent fraudulent transactions, chargebacks, and abuse of the platform.
  • Legal compliance: to respond to valid legal process and comply with applicable law.
  • Marketing (Operators only, with consent): to send product updates, case studies, and promotional offers. Operators may opt out at any time via the unsubscribe link in any marketing email or by emailing privacy@linglong.mom.

We do not sell Guest personal data to third parties. We do not use Guest data to serve behavioral advertising.

3. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases:

  • Contract performance: processing necessary to deliver the Services under our Terms of Service with Operators, and to fulfill orders placed by Guests.
  • Legitimate interests: fraud prevention, platform security, product analytics, and improving Service quality — where these interests are not overridden by your rights.
  • Consent: for optional loyalty program participation, marketing emails, and any non-essential cookies (per our Cookie Policy).
  • Legal obligation: where we are required to retain or disclose data by law.

4. Sharing of Information

We share personal data only in the following circumstances:

  • Service providers: we share data with sub-processors who help us deliver the platform — including Stripe (payment processing), Amazon Web Services (cloud hosting), Postmark (transactional email), and Datadog (infrastructure monitoring). All sub-processors are bound by data processing agreements that prohibit them from using your data for any purpose other than providing services to Linglong.
  • POS integrations: when an Operator enables a POS integration (e.g., Square, Toast), order data is transmitted to that third-party POS system in accordance with the Operator's own agreement with that provider.
  • Business transfers: if Linglong is acquired by or merges with another company, your data may be transferred as part of that transaction. We will notify affected users via email and in-product notice before any such transfer.
  • Legal process: we may disclose data to law enforcement or courts when required by valid legal process (subpoena, court order, etc.). We will notify affected Operators where legally permitted to do so.

5. Data Retention

We retain Operator account data for the duration of the subscription plus 30 days after cancellation (to allow data export). After that window, account data is permanently deleted from production systems within 90 days and from backups within 180 days.

Guest order data is retained for 13 months in identifiable form (to support the analytics features Operators rely on for year-over-year comparison), then aggregated and anonymized. Guest loyalty data is retained until the Guest opts out or the Operator disables the loyalty program.

Server logs containing IP addresses are retained for 30 days for security and debugging purposes.

6. Cookies

The Linglong platform uses the following categories of cookies:

  • Strictly necessary: session authentication cookies for logged-in Operator dashboard users. These cannot be disabled without breaking the service.
  • Functional: cookies that remember Operator preferences (language, timezone, dashboard layout). These are enabled by default and can be disabled in your browser without affecting core functionality.
  • Analytics: first-party analytics cookies (based on Plausible Analytics) that track aggregate page views on the Operator dashboard — privacy-preserving, no cross-site tracking, no fingerprinting. Guests accessing QR menus are not subject to analytics cookies.

We do not use third-party advertising or tracking cookies. You can manage cookie preferences via your browser settings or the cookie banner displayed on first visit to our marketing site.

7. Security

We implement industry-standard technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and encryption at rest (AES-256) for all personal data.
  • PCI-DSS Level 1 compliance for payment processing (via Stripe).
  • SOC 2 Type II audit completed annually; report available to Operators on request under NDA.
  • Role-based access controls limiting employee access to personal data to those with a documented need.
  • Regular penetration testing by an independent third-party security firm.

Despite these measures, no system is 100% secure. In the event of a data breach affecting your personal information, we will notify affected parties in accordance with applicable law (within 72 hours to supervisory authorities where required by GDPR, and without undue delay to individuals).

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request that inaccurate data be corrected.
  • Deletion: request that your personal data be deleted ("right to be forgotten"), subject to legal retention requirements.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Restriction: request that processing be restricted while a dispute is resolved.
  • Withdrawal of consent: where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, email privacy@linglong.mom. We will respond within 30 days (or 45 days where permitted by law). We may request identity verification before fulfilling any request.

If you are in the EEA or UK and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or the relevant DPA in your EU country).

California residents may exercise rights under the California Consumer Privacy Act (CCPA) using the same contact address. We do not sell personal information as defined by the CCPA.

9. International Transfers

Linglong is headquartered in the United States. If you access our Services from outside the US, your data will be transferred to and processed in the United States. For transfers from the EEA and UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO, respectively, to provide appropriate safeguards.

10. Children's Privacy

Our Services are not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@linglong.mom and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify active Operators by email at least 14 days before the change takes effect. Your continued use of the Services after the effective date constitutes acceptance of the revised policy.

12. Contact Us

For any questions, concerns, or data requests related to this Privacy Policy, please contact:

  • Email: privacy@linglong.mom
  • Post: Linglong Inc., Attn: Privacy Team, 222 W Merchandise Mart Plaza, Suite 1212, Chicago, IL 60654, USA
  • EEA/UK Representative: Linglong EU Ltd., c/o Prighter Group, Sophienstraße 10, 10178 Berlin, Germany