Privacy Policy Order Management

Berlin, 26.06.2024

General information

The following privacy policy explains how we handle your personal data when you use our order management system.
Data is any information relating to an identified or identifiable natural person, in particular information that can be used to identify you personally.
We take the protection of your personal data very seriously. We treat your personal data as confidential and only process it in accordance with the statutory data protection regulations, as explained in this privacy policy.

I. General information

1. Responsible body

The responsible body for data processing within the scope of this online offer is

Name: orderbird GmbH
Street: Ritterstraße 12, Aufg. 3
Postcode, city: 10969 Berlin
Phone: +49 30 208 983 099
Fax: +49 321 214 681 89
E-mail: [email protected]

2. Contact details of our data protection officer

Protectra GmbH
Lerchenweg 3
40789 Monheim on the Rhine
Phone: +49 2173 9930310
E-mail: [email protected]
Website: www.protectra.de

3. Scope of application of this privacy policy

This privacy policy applies to all users who either view the services of restaurants and place orders as end customers via our online offer ("guests") or who make use of our offer as operators of restaurants ("restaurateurs"). This privacy policy does not apply to the services of third parties to which the online offer may refer via so-called links. We assume no responsibility for their content or for compliance with data protection regulations by these third parties, unless otherwise stated in the privacy policy of the linked content. This applies, for example, to links to social networks such as Facebook and X. Information on the handling and protection of the user's personal data on these platforms can be found in the privacy policy of the respective platform.

4. Encryption and encrypted payment processing

This website generally uses TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us. In particular, if your payment data is transmitted in connection with the conclusion of a chargeable contract, this is done exclusively via an encrypted connection. You can recognize an encrypted connection by the fact that the address line of your browser displays "https://" in front of the website address and a closed "lock" symbol. If this TLS encryption is activated, the data that you transmit to us cannot generally be read by unauthorized third parties during transmission.

5. Disclosure of personal data

We generally only pass on personal data to third parties - subject to other provisions in this privacy policy - if this is necessary for the provision of our services, in particular for the provision of the order menu and for payment processing as part of a contract with you. Accordingly, data is transferred to such service providers (such as technical service providers and payment service providers) for the purpose of fulfilling the contract with you on the basis of Art. 6 para. 1 lit. b GDPR. Before passing on your personal data, we will of course ensure that the respective service provider has taken appropriate technical and organizational measures to guarantee the security of the data.
Otherwise, your personal data will not be passed on to third parties unless you have expressly consented to the transfer (Art. 6 para. 1 lit. a GDPR) or we are authorized or obliged to pass it on due to legal provisions or court orders. In the latter case, we carry out the transfer to fulfill a legal obligation in accordance with Art. 6 para. 1 lit. c GDPR.

6. General storage period and deletion

We store your personal data for as long as it is necessary to fulfil the intended purpose (e.g. contract fulfilment) or as long as statutory retention periods make storage necessary. As long as statutory retention obligations, such as tax and commercial law regulations, prevent the deletion of your personal data, we will restrict the processing of your data; your data will then be deleted in accordance with the statutory provisions.

7. Rights of data subjects, in particular of information, blocking and erasure

As a guest, or if you use our online offer for restaurateurs as a natural person, you have the following rights within the framework of the applicable legal provisions.

a. Right to object

You have the right to object at any time, on grounds relating to your particular situation, to data processing based on Article 6(1)(e) or (f) GDPR, unless we can demonstrate compelling legitimate grounds which override your interests or the processing serves the establishment, exercise or defence of legal claims. You can object to data processing for the purpose of direct marketing at any time without any special reasons being required.

b. Right of information

You have the right to obtain information from us free of charge in writing about the personal data concerning you that we have stored, the purposes of the processing, its origin, which recipients or categories of recipients it has been passed on to, the storage period and the rights available to you as a data subject.

c. Right to rectification, erasure and/or restriction of data processing

You also have the right to request the correction of incorrect data, the deletion and/or restriction of the processing of the personal data stored about you at any time, insofar as we are not subject to a statutory retention obligation. Insofar as this includes personal data that is required for the provision of services to you, the erasure or restriction of the processing of this data can only take place if you no longer use our services.

d. Right to data portability

If you provide data that concerns you and we process this data on the basis of your consent or to fulfil a contract, you can request that you receive this data from us in a structured, commonly used and machine-readable format or that we transfer this data to another controller, insofar as this is technically possible (so-called right to data portability).

e. Right to withdraw consent

You can freely revoke any consent you have given for the use of personal data at any time with effect for the future.

f. Right to lodge a complaint with a supervisory authority

You can also lodge a complaint with a supervisory authority against data processing that you consider to be in breach of the statutory provisions. The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

8. Changes to the privacy policy

We reserve the right to amend this privacy policy at any time, in particular to take account of changes in the legal situation and processing procedures, whereby we will of course always comply with the statutory data protection requirements.

We therefore recommend that you regularly take note of the applicable privacy policy. We will inform you in advance about any further use of data.

II. Data entry in the order management menu

1. Registration

You must register in order to use parts of our services such as the order management menu. For this purpose, we collect the data that you enter in the registration form, in particular your name and contact details including your address and, if applicable, data for payment processing. The provision of this information is necessary to complete the registration and thus to conclude a contract for the use of the services in question. We only use the data entered for the purpose of using the respective offer or service for which you have registered.

For important changes, such as changes to the scope of the offer or technically necessary changes, we use the e-mail address provided during registration to inform you about topics that are important for the processing of the contractual relationship with you.

We may collect further data that you voluntarily provide when using the order management menu, e.g. if you send a review to the restaurant as a guest, and process it to provide the corresponding functions of the order management menu.

The data entered during registration and use of the order management menu is processed for the conclusion and fulfilment of the contract with you for the use of the order management menu on the basis of Art. 6 para. 1 lit. b GDPR.

We may verify the address provided during registration using services to prevent errors or misuse, for example for orders for collection or takeaway. The basis for this processing is our legitimate interest in preventing misuse of our services in accordance with Art. 6 para. 1 lit. f GDPR.

You may also be able to register for our online services using a so-called single sign-on function of certain third-party providers, e.g. a social network, which requires a user account with this third-party provider. We offer this function on our website with the help of the service provider Auth0, Inc, 10900 NE 8th Street, Bellevue, WA 98004, USA ("Auth0").

Registration via an account or single sign-on function is supported by the following third-party providers:

Google LLC (more information on data protection at Google at: https://policies.google.com/pr...) and

Facebook, Inc. (for more information on data protection at Facebook, see https://www.facebook.com/priva...).

For this function, you must provide your access data to your user account with the aforementioned third-party provider, which will be sent directly to this third-party provider for verification without us gaining access to this data. After verification, the third-party provider only informs us of the data required for registration with us, such as your name and e-mail address, which we process to create your account with us. By using this single sign-on function, the respective third-party provider receives the information that you have created a profile for our online offering and can link this information to your respective user account with this third-party provider.

As part of registration using the single sign-on function and subsequent logins, the data required for this is sent to Auth0 servers in the USA and processed by Auth0 on our behalf to validate proper registration and login (such as your IP address, login time, login method and information from the third-party provider about the successful verification of your access data with them). All other data in your profile with us, such as the favorites and orders you have created, are stored exclusively on our servers in Germany and are not transmitted to Auth0. You can find more information on data protection at Auth0 at: https://www.okta.com/privacy-p...

We have also concluded an order processing contract with Auth0 that includes the EU standard contractual clauses. The transfer of your data to Auth0 therefore takes place on the basis of Art. 45 and 28 GDPR.

The legal basis for data processing in the context of these single sign-on functions is your consent (Art. 6 para. 1 lit. a GDPR), which you give when you access the individual single sign-on option and then enter your access data for your account with the third-party provider. You have the option to revoke your consent to this data processing at any time. A revocation does not affect the effectiveness of data processing operations carried out in the past.

2. Processing of data for orders via order management (customer and contract data)

For ordering and, if applicable, payment processing via the order management menu as a guest, we collect, process and use the personal data required to fulfil your order, in particular your name, the exact order and the selected means of payment, and transmit this data to the respective restaurateur with whom you have placed the order, insofar as this is necessary for the conclusion of the contract for your order and the processing of your order.

To call up the menu of a restaurant, you can scan a so-called QR code provided in the restaurant using the camera of your smartphone or other device. This requires a corresponding app to be installed on your device to recognize the QR code.

This data processing in the context of orders via the order management menu is carried out on the basis of Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of the contract with you for the use of the order management menu.

3. Payment processing for orders

To process a guest's orders via the order management menu, we collect and process the necessary usage data in accordance with the above sections as well as the payment information provided by you and provide the restaurateur with the payment information required for billing.

We use the Stripe payment service to process payments by credit card. The provider of this payment service is Stripe Payments Europe, Ltd, 61A Nile St, Hoxton, London N1 7RD, United Kingdom. If you select payment by credit card, the payment data you enter will be transmitted to Stripe for the purpose of processing your payment. Stripe may also transmit the data to servers of Stripe, Inc. in the USA for this purpose. You can find more details in Stripe's privacy policy at https://stripe.com/privacy.

We have also concluded an agreement with Stripe on order processing including the EU standard contractual clauses. The transfer of data to Stripe is therefore based on Art. 45 and 28 GDPR.

In the order management menu, we may also offer payment via PayPal. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as "PayPal"). If you select payment via PayPal, you will be redirected to a PayPal website and the payment details you enter there will be transmitted to PayPal. Payment via PayPal requires that you have registered an account with this service. PayPal therefore processes your data independently in accordance with the agreement that you concluded with PayPal when you registered your PayPal account. Further information on data processing by PayPal can be found in the PayPal privacy policy at https://www.paypal.com/en/weba....

PayPal may also transmit the data to servers of PayPal, Inc. in the USA for payment processing. We have concluded the standard contractual clauses approved by the EU Commission with PayPal, Inc. for this forwarding. The transfer of data to PayPal, Inc. is therefore based on Art. 46 para. 2 lit. b GDPR.

The legal basis for data processing for the processing of payments and the involvement of the payment service providers explained above is Art. 6 para. 1 lit. b GDPR, because this is necessary for the processing of the user contract concluded with you via the order management menu, insofar as you use the payment function in the order management menu.

4. SMS notification

Users can be notified by SMS when the order is ready and can be picked up. To carry out the dispatch of the order notification on your mobile phone, we use a service from Vonage (Vonage Holdings Corp., 101 Crawfords Corner Rd Ste 2416 Holmdel, NJ, 07733-1980, USA). We have concluded a contract with this company in accordance with Art. 28 GDPR (data processing agreement). As part of the SMS notification, we process users' phone numbers. The number will only be stored for the purpose of order notification and will be deleted after two weeks. The notification via SMS is part of our offer and the processing is therefore carried out in accordance with Art. 6 para. 2 lit. b GDPR. Regarding data transfer to the United States, we would like to point out that Vonage is a company based in the United States. The European Union has issued an adequacy decision (EU-U.S. Data Privacy Framework) that governs the transfer of personal data to the United States. Vonage is committed to complying with the privacy regulations of the U.S. Data Privacy Framework and is certified accordingly. For more information, please refer to Vonage's Privacy Policy, which can be viewed here: www.vonage.com/legal/privacy-policy/