How to Tell If a Restaurant Tool Is Safe (Before You Type a Real Number)

Leer este artículo en español →

Most “free margin audit” tools have a price tag. It's just paid in data. The pattern is well-worn: you type your real ticket, your real food cost, your real labor — and the tool returns a number. It also tends to return sales reps in your inbox by morning, each with a proposal built on numbers that were never supposed to leave your office. The tool was the funnel. Your numbers were the qualifier.

The pattern hides because nobody asks the obvious question: where do my inputs go the moment I type them? In a working browser, you can answer that question in under a minute. This article is the framework — five tests, four data tiers, one worked example — and at the end, a checklist you can run on any tool you encounter.

The tools that pass these tests will tell you so, plainly. The tools that fail are about to explain why the tests don't apply to them. That's the tell.

1. The five tests — run before you type

Open DevTools ↗ on whatever tool you're evaluating (Cmd+Opt+I on Mac, Ctrl+Shift+I on Windows). Five questions:

1. Does typing a number trigger a network request? Open the Network tab. Type. If the request list grows on every keystroke, the tool is silently sending your inputs to a server. Walk away.
2. Is the privacy claim at the point of input? A trustworthy tool tells you what it does with your data where you're typing — not in a footer link three clicks deep.
3. Is there an account / newsletter / cookie gate? “Enter your email to see your results” means your numbers are the price of admission. The tool is not free.
4. Are there third-party analytics, session replay, or marketing scripts? Filter the Network tab by JS. If you see Google Analytics, Meta Pixel, HubSpot, FullStory, Hotjar — your inputs are being recorded by surveillance vendors who weren't even part of the deal you thought you were making.
5. Is the source code readable? Right-click → View Source. A small, readable, unminified script is a tool you can audit. A 4-megabyte minified bundle from a SaaS framework is a tool you can't.

Pass all five and the tool is at least honest about its data flow. Fail any of them and the tool either doesn't know or doesn't want you to know — both are reasons to leave.

2. The four-tier model — what to share, where

Most small-business owners carry all their data in the same mental bucket — which means the supplier list and the tax ID get the same protection (often the same low level of it). Four tiers, each with a different audience and a different level of caution:

• Tier 1 — Public. Menu, hours, photos, address, phone, schema.org markup. Optimize aggressively; this is how customers find you.
• Tier 2 — Competitive-sensitive. Cost of goods, supplier list, your actual commission tier (not the public rate), labor schedule template. Share with bookkeeper / consultant / broker — under NDA. Not with platforms, competitors, or “free audit” tools that keep your input.
• Tier 3 — Operational-confidential. Monthly P&L, actual food cost %, customer pipeline, employee schedules. Inside the business only. POS vendor, payroll, accountant — and only under written contract.
• Tier 4 — Regulated. SSN, EIN, customer card data, bank details, food-safety logs, I-9s. Encrypted storage, access logging, contracts with cybersecurity terms. Never email. Never in a shared spreadsheet.

The principle: data never flows up a tier. A Tier 3 vendor doesn't get Tier 4 access just because they asked. A Tier 1 audience (a platform, a listing site) doesn't get Tier 2. The easiest way to reduce your attack surface is to stop volunteering data that wasn't actually required.

3. What “safe” looks like — the worked example

Here's the standard every tool on this site is held to. Nine claims about how every Muntin tool handles your inputs, each one verifiable in your own browser. Tap any claim to see the DevTools step that confirms it.

The full version with each claim's specific DevTools verification step lives at /security/. Four of them (1, 2, 4, 5) are build invariants — the cohesion-check pass that runs on every deploy fails CI if a future tool ships a forbidden pattern. So “verifiable” isn't marketing copy; it's a contract enforced by the build, with a public hash of the production bundle published at /security/integrity.txt.

"Verifiable" should be a build flag, not a marketing claim. If the only proof is the brochure, treat it as the brochure.

4. Run the audit

The 5-test framework is also an interactive checklist at /learn/checklists/audit-any-tool/ — walk through it with DevTools open on any tool you're evaluating. Save the result to your Workshop as a baseline; re-run it whenever a vendor pushes a “new feature.”

And if you find a tool that fails the audit but you can't tell whether it's malicious or just sloppy, write through The Window and tell me about it. I read every one. The pattern of free tools that quietly turn operators into the product is worth naming — out loud, with the tool's name attached.