Privacy Policy

 

Dear Customer,

We are pleased that you are interested in data protection. We would like to give you an easily understandable overview of the data processing practices and our privacy compliance measures in relation to our delivery websites, applications and related services (we’ll call all of these together simply the “platform” below). Our goal is to provide you with an amazing customer experience while keeping your personal data secure. Trust, transparency and honesty are our leading principles. Your trust in our product is the reason why we can provide you with an amazing customer experience.

 

1. Who We Are

We are Delivery Hero Innovations Hub GmbH, but usually we just use the name foodpanda. You can always contact us via the following methods:

 

Oranienburger Straße 70

10117 Berlin, Germany

E-mail address: [email protected]

 

As regards the processing activities conducted on our platform, foodpanda will be the data controller responsible for what happens with your personal data. “Data controller” is a legal term and simply means that we are the party determining how your personal data is processed, for what purposes this is done and by what means. While we are required by law to provide you with all of the following information, we do so also out of the belief that a partnership should always be honest. 

 

If you have any questions about data protection at foodpanda, you can also contact our data protection officer at any time by sending an email to [email protected]

 

We are also a member of the large and fascinating family of the international Delivery Hero Group. As a family, we make certain decisions together. Both our parent company, Delivery Hero SE, Oranienburger Straße 70, 10117 Berlin and foodpanda, to some extent, jointly decide which means we will use to process your personal data and which purposes we consider to be appropriate. Legally, this means that foodpanda and Delivery Hero SE are also jointly responsible for these joint data processing activities and you are free to assert your rights against both parties in relation to the processing activities listed in this Privacy Policy.

 

2. Privacy Is Your Right and the Choice Is Yours

As a customer, you have the choice which information you would like to share with us. Please be aware, however, that when signing up to our platform you are required to accept our terms of use. Legally speaking, this means you will enter into a contract with us under which you are entitled to use the platform, in accordance with the terms of use. Of course, we need some information from you to be able to perform our obligation under this contract. However, it is entirely up to you to choose whether you would like to provide such information or would rather not use our platform.

 

Basically, you can take the following steps to control and manage how much personal data you share with us:

 

Cookies & web-tracking: You can set your device or web browser to decline cookies and other web-tracking technologies (which is also possible through our consent manager). If you deactivate web-tracking, you will no longer see any personalized contents, offers or ads.

 

Direct marketing: If you do not want to receive newsletters or offers from us, you can unsubscribe at any time. In this case, we will not be able to send you any cool offers any more.

 

No data sharing: If you don’t want to share any information with us at all, that’s a shame. Of course, you are free to decline the creation of a user account, or to delete it at any time.

3. Your Legal Rights

Under the EU General Data Protection Regulation (GDPR) and other data protection laws, you can assert the following legal rights against us:

 

Right to access

You have the right to be informed which data we store about you and how we process this data. This also includes receiving a copy of your data.

Right to rectification

If you notice that processed data is incorrect, you can always ask us to correct it.

Right to erasure

You can ask us at any time to delete the data we have stored about you.

Right to restriction of processing

If you do not wish to delete your data, but do not want us to process it further, you can ask us to restrict the processing of your personal data. In this case, we will archive your data and only reintegrate it into our operative systems if you so wish. However, during this time you will not be able to use our platform, otherwise we will process your data again. We will also restrict the processing of your data if you have requested us to delete it but we are not able to comply with your request due to the applicability of statutory retention periods.

Right to data portability

You can ask us to transmit the data stored about you in a machine-readable format to you or to another responsible person. In this context, we will make the data available to you in JSON or another customary format.

Right to withdraw consent

You can withdraw your given consent at any time, with future effect.

Right to object

You are free to object to receiving newsletters or any other direct marketing communications, as well as associated processing activities, at any time and free of charge.

You also have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is processed on the basis of Art. 6 (1) f) GDPR (data processing on the basis of a balance of interests); this also applies to any associated profiling for the purposes of Art. 4 (4) GDPR. If you object, we will no longer process your personal data in the future unless we can prove compelling grounds for the processing that outweigh your interests, rights and freedoms.

Automated decision-making

On the platform, we do not subject you to any decisions based solely on automated processing, including profiling, producing a legal effect for you or similarly significantly affecting you. One notable exception to this are our fraud detection and prevention systems; these will determine in an automated way, based on your behaviour on our platform, whether you might be a fraudulent actor.

We also provide you with a personalized user experience on our platform so you will see contents based on your previous orders or meal preferences. You are free to ask us to provide you with a non-customized experience instead of tailoring the platform to your needs.

In any case, you always have the right to contact us and challenge a decision made by our automated systems. To do this, just get in touch with us.

Right of complaint

If you believe that we have done something wrong with your personal data or your rights, you can complain to a supervisory authority at any time. You can raise a complaint about our processing of your personal data with the data protection authority in the EU Member State of your habitual residence, at our seat of business, your place of work or the place where you think a violation of the GDPR has occurred. You can also lodge a complaint with our international lead supervisory authority in Berlin, Germany.

 

To exercise your rights, you can use the functions provided in your user account at any time. For example, if you would like to delete your data, or receive a copy of it, you can do so directly by logging in to your profile to delete it or be granted access to your data. Alternatively, you can also contact [email protected] and request our customer support to assist you.

 

Please note that we usually receive a large number of requests, so self-service deletion or access to your personal data will always be the fastest way to exercise your rights.

4. An Overview of The Personal Data We Process

In this section you can find general information about the categories of personal data we process about you. For your understanding, personal data is information that directly identifies you (such as your name or photo) or enables us to indirectly identify you (for example, on the basis of a user ID linked with the personal information in your profile).

 

You will find more detailed information on our processing activities below, in the next section. But our data processing activities on the platform can be summarized by reference to the main categories of personal data:

a. Profile data (master data)

This includes your name, email address, password, telephone number, country, and your age.

 

Why do we process this category?

This data is your master data, which we absolutely need for you to use our platform. Without an email address / telephone number and a password, you cannot create a profile. Together with your name, this is your master data. We need your age to ensure that you are not a minor. 

b. Delivery data

This includes your name, delivery address, phone number, order details and order ID.

 

Why do we process this category?

In accordance with the principle of data minimization, we only provide our riders and restaurants with the information that they need from you to prepare and deliver your order. 

c. Order history data

 

This includes your order history, selected restaurants, invoices, order ID, comments on orders, information on payment method, delivery address, successful orders and cancelled orders. 

 

Why do we process this category?

Each time you place an order, this information will be added to your profile. You can view all this information in your profile at any time. We will use this information to improve our services and optimize the platform for your interests. 

d. Location data

 

This includes your address, postcode, city, country, as well as your device’s longitude and latitude.

 

Why do we process this category?

We need this data to be able to deliver your orders (or enable the restaurant you have ordered from to deliver it to you). We create the longitude and latitude automatically in order to be able to process your delivery address in our other linked systems, such as our Rider app, and to display your address to our riders.

e. Device information and access data

This includes your device ID or other device identification, operating system and corresponding version, time of access, configuration settings, and your IP address. 

 

Why do we process this category?

Each time you access our platform this information is stored by us for technical reasons. We also use parts of this information to detect suspicious behaviour at an early stage and to protect our platform.

f. Customer care data

 

This includes your name, address, telephone number, email address, or your ID from any social media.

 

Why do we process this category?

If you contact us, we collect this data because we need to know who we are talking to and what we have been talking about so that we can help you with your reason for contacting us. This also applies if you leave comments on social media on our fan pages. We do not combine this data with your profile data on our platform, but we can still identify you by your social media ID. 

g. Marketing contact and communications data

 

This includes your name, email address, telephone number, and device ID.

 

Why do we process this category?

If you would like to receive an email, an SMS or an in-app push notification from us, we need certain information to send you the messages. Instead of addressing you with “Hey You”, we find it more customer friendly to address you with your name. This category of personal data is also used by us to contact you, for example, if a product cannot be delivered and we want to offer you an alternative instead. 

h. Payment data

 

This includes your payment method, and encrypted, pseudonymized credit card information.

 

Why do we process this category?

We need this information to initiate your payments and assign them to the orders you have placed. We also need this data to store your payment information for future orders (if you give us your consent to do so).

5. Our Detailed Processing Activities, Processing Purposes & The Applicable Legal Basis

We respect the legal limits of data protection laws such as the GDPR when processing your personal data. We pay particular attention to the fact that all legally required principles for the processing of personal data are taken into account. Therefore, we only process your data if this is lawful and you can reasonably expect it to be processed. Still, in order to be able to offer you our online platform, the processing of your personal data is essential. You provide us with some of this data proactively by entering it on your device. Other data we collect automatically when you are using our platforms.

 

We process your personal data as follows:

a. Creating and operating your account, delivering your orders


  • Account creation

 

When creating a customer account you will be asked to enter your master data. This is absolutely necessary, as we cannot create a customer profile without this data. Your email address and telephone number are particularly important, as we can use this information to identify you in our system the next time you want to log in again. Furthermore, we would like to ask you to choose your password carefully. Do not use the same password on multiple websites. Your password should also be at least 12 characters long and contain at least one lowercase letter, one uppercase letter, one special character (!?#,%& etc.) and one digit.

 

Categories of personal data:

Profile data (master data)

Device information and access data

 

Legal basis: 

Art. 6 (1) b) GDPR, performance of contract.

  • Log-in to an existing account 

 

If you already have an existing customer account, you will need to enter your email address and password to log in. If we detect irregularities during registration, such as entering the wrong password several times, we will take appropriate measures to prevent damage to you and us.  

 

Categories of personal data:

Profile data (master data)

 

Legal basis: 

Art. 6 (1) b) GDPR, performance of contract;

Art. 6 (1) f) GDPR, for the security measures.

  • Single-Sign-On with Facebook

 

If you have a Facebook profile, you can create a customer account or register on our platform using the “Facebook Connect” function provided by the social network Facebook, operated by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin, Ireland (“Facebook”), within the framework of the so-called single sign-on technology. You can recognize the social plugins of “Facebook Connect” on our website by the blue button with the Facebook logo and the label “Login with Facebook” or “Connect with Facebook” or “Log in with Facebook” or “Sign in with Facebook”.

 

By using this “Facebook Connect” button on our website, you can log in or register on our website using your Facebook user data. Only if you give your express consent prior to the registration process, on the basis of a corresponding note on the exchange of data with Facebook, will we receive the general and publicly accessible information stored in your Facebook profile when you use the “Facebook Connect” button, depending on your personal data protection settings on Facebook. This information includes user ID, name, profile picture and age.

 

Further information on the Facebook Login can be found at: https://www.facebook.com/privacy/explanation

 

Categories of personal data:

Profile data (master data)

Facebook profile data

 

Legal basis: 

Art. 6 (1) a) GDPR, consent.

  • Single-Sign-On with Google

If you have an account with Google, you can use this account to log in to our service. Google accounts for European users are provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (“Google Ireland”), a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 (“Google”).

By using the “Continue with Google” button on our website, you can log in or register on our website using your Google user data. Only if you give your express consent in accordance with Art. 6 Para. 1 (a) GDPR prior to the registration process on the basis of a corresponding note on the exchange of data with Google, will we receive your Google user ID, user name and email address. We will never receive your Google password and cannot log in to your Google account. You can learn more about data sharing with Google when logging in to our service with Google by reviewing Google’s explanations here: https://support.google.com/accounts/answer/112802

The data transmitted by Google is stored and processed by us solely for the creation of a user account with the necessary data. 

Categories of personal data:

Profile data (master data)

Contact Information

Google ID and associated account data

 

Legal basis:

Art. 6 (1) (a) GDPR, Consent

  • Single-Sign-On with Apple

If you have an account with Apple, you can use this account to log in to our service. Apple accounts for European users are provided by Apple Computer Limited, Hollyhill Industrial Estate, Cork, Ireland (“Apple Ireland”), a subsidiary of Apple Inc., One Apple Park Way, Cupertino, CA 95014, United States.

By using the “Continue with Apple” button on our website, you can log in or register on our website using your Apple user data. Only if you give your express consent in accordance with Art. 6 Para. 1 (a) GDPR prior to the registration process on the basis of a corresponding note on the exchange of data with Apple, will we receive your Apple user ID, user name and email address. We will never receive your Apple password and cannot log in to your Apple account. You can learn more about data sharing with Apple when logging in to our service with Apple by reviewing Apple’s explanations here: https://support.apple.com/en-us/HT204053

The data transmitted by Apple is stored and processed by us solely for the creation of a user account with the necessary data. 

Categories of personal data:

Profile data (master data)

Contact Information

Apple ID and associated email address

 

Legal basis:

Art. 6 (1) (a) GDPR, Consent

  • Managing your profile

 

You can log in to your profile at any time and change your personal data, such as name, email address or telephone number. You can also view your previous orders.

 

Categories of personal data:

Profile data (master data)

Location data 

Order history data

Device information and access data

Marketing contact and communications data

Payment data

 

Legal basis: 

Art. 6 (1) b) GDPR, performance of contract.

  • Order processing

 

Once you have successfully registered and decided to place your order, we will store this information in your profile and process it in further processes so that you can submit your order to us. When you submit your order, your personal data is transferred to our backend where it is transferred to other systems for further processing.

 

Categories of personal data:

Profile data (master data)

Order data

Delivery data

Location data

Device information and access data

 

Legal basis: 

Art. 6 (1) b) GDPR, performance of contract.

  • Storing your cart for later

 

After you have logged in to your profile and made your selection, the products will be saved in your profile. If you accidentally close your browser or app, you can continue from the last point of your order. We store this data to provide you with a better ordering experience, so that you can conveniently continue your order if your browser or app is accidentally closed.

 

Categories of personal data:

Profile data (master data)

Device information and access data

Order data

 

Legal basis: 

Art. 6 (1) f) GDPR, legitimate interests.

  • Delivering your order

 

Once you have successfully placed your order, a number of processes run in the background to ensure that your order is delivered quickly. This includes sharing your order data with the restaurant preparing your meal as well as with the rider delivering your order. In this context, please be informed that we use different types of riders for delivery. These can be permanent employees, freelancers or riders employed by third-party logistics companies.

 

Categories of personal data:

Delivery data

 

Legal basis: 

Art. 6 (1) b) GDPR, performance of contract.

  • Enabling calls from riders or restaurants to check on your order

 

If a product of your choice is not available for delivery or our riders cannot reach you at the delivery address you provided, they have received instructions from us to call you so that the problem can be solved easily. Both the restaurants as well as the riders have no claim whatsoever to your personal data and under no circumstances may they use it for their own purposes. If you should nevertheless be contacted by a restaurant without your prior consent, we ask you to report this to us by e-mail to [email protected].

Categories of personal data:

Delivery data

 

Legal basis:

Art. 6 (1) b) GDPR, performance of contract.

  • Saving your payment methods

 

In order to make the ordering process even more convenient for you, we offer to save your preferred payment method. This means that you don’t have to enter your payment details again the next time you place an order. Your payment data will be stored securely and we’ll make sure it stays encrypted at all times. Restaurants will never receive your payment data.

 

Categories of personal data:

Payment data

 

Legal basis:

Art. 6 (1) a) GDPR, consent.

b. Fraud detection, prevention and security of our platform

 

In order to protect our customers and our platform from possible attacks, we continuously monitor the activities on our websites and mobile applications. To keep the platform secure and guarantee you a safe ordering experience, we use various technical measures to ensure that suspicious behavior patterns are detected at an early stage and prevented as early as possible. To achieve this goal, several software-based monitoring mechanisms run in parallel and prevent potential attackers from accessing our platform at all. 

 

The decision-making process is automated and could potentially have an impact on the use of your registered account on our platform. If any such decision leads to a negative result for you and you do not agree with this, you can contact us at [email protected]. In this case, we will individually assess the circumstances of your case. All of our fraud detection and prevention algorithms are always open to human review. If you think that a mistake has been made we are happy to look into it and make corrections, if necessary.

 

Categories of personal data:

Profile data (master data)

Device information and access data

Payment data

Order data

Voucher information

 

Legal basis:

Art. 6 (1) f) GDPR, legitimate interests.

c. Direct marketing


  • Newsletters and user surveys by email and/or text message

 

If you have provided us with your contact data when signing up for our platform, we will send you by email, SMS or other text message regular offers of goods or services similar to those offered on our platform. We are constantly striving to improve our services. Your constructive feedback is very important to us. Therefore, our direct marketing newsletters might also include surveys where we ask for your honest feedback. So we will occasionally also send you customer surveys and ask you to give us your opinion.

 

If you have objected to receiving such communications when registering your account, or at a later point in time, you will not receive any direct marketing emails. You are of course always free to opt out of such emails. In this case, we will store your contact details in a list of customers who have objected to receiving direct marketing, to make sure we can continuously comply with your objection.

 

Not only do the contents of our newsletters and surveys vary, but so do the technologies and criteria we use to design our newsletters and segment customer groups. For example, a group of customers may receive a special newsletter promoting special deals from restaurants where customers have ordered. Other newsletters may refer to specific products that relate to a particular flavour, such as sushi, Indian cuisine or pizza. We use different information from your order history and delivery addresses to create these tailor-made offerings for you. Please also be aware that we record, in a pseudonymous manner, key performance indicators to assess the effectiveness of our direct marketing campaigns. This includes aggregated information about the opening and click-through rate for our direct marketing messages.

 

This is a profiling process in which we automatically process your data. The specific customer segmentation will not have a legal effect on you, nor will it similarly significantly affect you. The only effect you will notice is interesting offers on our platforms, bespoke to your interests and meal preferences.

 

Nonetheless, if this automated decision-making leads to a negative result for you and you do not agree with this, you can contact us at [email protected]. In this case, we will opt you out of customized newsletter communications and you will no longer receive any such messages going forward. 

 

Categories of personal data:

Profile data (master data)

Location data

Order data

Device information and access data

 

Legal basis: 

Art. 6 (1) f) GDPR, legitimate interests.

 

ATTENTION: As already mentioned, you are entitled to object to the use of your email address for the aforementioned advertising purposes at any time, and free of charge, with effect for the future by changing your message preferences, using the “unsubscribe” button at the end of a newsletter, or by contacting us at the email address already mentioned. For this purpose you only incur transmission costs according to the basic tariffs.

  • App notifications

 

We have a strong interest in informing you about new restaurants or deals when using our app. We are always working to give you an amazing customer experience. To achieve this, we negotiate very good deals for you with our restaurant partners. To inform you about these deals, we send you in-app notifications or push notifications. It is imperative that you have activated these on your end devices.

 

Categories of personal data:

Location data

Profile data (master data)

Order information

 

Legal basis: 

Art. 6 (1) a) GDPR, consent. 

d. Online marketing

 

Convincing potential customers that we offer an amazing customer experience, and that every visit to our platform is worthwhile, is one of our key business priorities. In order to reach as many potential customers as possible, we are very active in the field of online marketing. As a consequence, we conduct the following online marketing activities to attract new customers to our platform:

  • Targeting

 

In principle, targeting means simply showing online advertisements (e.g. by showing banners on websites, or delivering ads on social media service timelines) tailored to specific target groups. We strive to deliver to you only advertisements that are in fact relevant for your interests and bring added value to your online experience. 

 

In our targeting process, as a first step, we define a target group based on certain criteria such as location, age or meal preferences and, secondly, we commission our service providers to show our advertising to the defined target group, both on our own websites as well as on online properties owned and operated by third-party publishers. To better define the intended target groups, we segment customer types and place different ads on different portals. We will use pseudonymous data for this purpose only. That means we will not be able to identify individual persons within the defined target groups.

  • Retargeting

 

As soon as you have visited our platform and, for example, have already placed an order in your shopping cart, we record this information through cookies and other web-tracking technologies. If you continue to surf other websites, our advertising partners will remind you on our behalf that you have not yet completed your order. We don’t want you to miss out on our amazing customer experience.

 

Categories of personal data:

Device information and access data

Location data

 

Legal basis:

Art. 6 (1) a) GDPR, consent. 

  • Cookies and web-tracking

 

In the context of our online marketing activities we also use cookies and other web-tracking technologies. As stated above, these technologies help us to recognize your device and deliver to you only the type of advertisements relevant to your interests. As a matter of principle, our web-tracking technologies will process your device information and access data in pseudonymous form only. This means that we will not be able to identify you as a person on the basis of this data and we will not be able to attribute your interactions outside of our platform to your user account with us.

 

To give you all the information you need, we have prepared a comprehensive Cookies, SDKs and Web-Tracking Policy explaining not only the details of our web-tracking technologies but also explaining how exactly you can opt-in or opt-out of the use of web-tracking technologies on our website.

 

Categories of personal data:

Device information and access data

 

Legal basis:

Art. 6 (1) a) GDPR, consent.

  • Bonus programs

 

We want to reward our customers’ loyalty with attractive deals and points. For this reason, we offer our customers the opportunity to participate in bonus and customer loyalty programs. Participation in a bonus program requires your consent. You can revoke your consent at any time for the future. Please send us an email to [email protected] for this purpose, or log into your account and change your settings. 

 

Categories of personal data:

Profile data (master data)

 

Legal basis: 

Art. 6 (1) a) GDPR, consent.

  • Sweepstakes

 

We sometimes run sweepstakes to provide our customers with the chance of winning prizes in relation to our platform (this might be a voucher, special offer or other cash-value award). Before you participate, we will ask you to grant us your consent to process your personal data for the purpose of signing you up for the campaign. If you refuse to grant your consent, we cannot offer you the opportunity to take part in the sweepstake.

 

If you have already given your consent and would like to revoke it for the future, you can do so at any time by sending an email to [email protected]. In this case, we will exclude you from participating in our sweepstakes and you will not receive any further invitations to sweepstakes. 

 

Categories of personal data:

Profile data (master data)

 

Legal basis: 

Art. 6 (1) a) GDPR, consent.

  • User interviews for market research purposes

 

We always develop new products and try to adapt our platform to the wishes of our customers. In order to measure the effectiveness of these changes, we regularly offer interviews with our User Experience team. In these interviews we record your usage behaviour and ask you for possible improvements.

 

Participation in the interviews requires your consent. If you have already given your consent and would like to revoke it for the future, you can do so at any time by sending an email to [email protected]. In this case we will exclude you from participating in our interviews and you will not receive any further invitations for them. 

 

Categories of personal data:

Profile data (master data)

Order history data

Delivery data

 

Legal basis:

Art. 6 (1) a) GDPR, consent.

  • Vouchers

 

We often offer vouchers for our platforms. The reasons can vary. The purpose of these vouchers is to reward our loyal customers and to encourage them to remain our loyal customers. In order to be able to check the number, the value and the frequency of use of the vouchers, but also to avoid misuse of these vouchers, we collect various personal data.

 

Categories of personal data:

Profile data (master data)

Voucher information

 

Legal basis:

Art. 6 (1) f) GDPR, legitimate interests.

e. Social Media Sites

 

We have profiles on various social media platforms on which we advertise our products and interact with customers. Since we operate these profiles on third-party platforms, including Facebook and Instagram, each time you visit these social media offerings the operators of these social media platforms collect different personal data from you. The social media platforms Facebook and Instagram are operated by Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”). 

  • Responsibilities

 

We and the respective operators of the social media platforms act as joint controllers with respect to the collection of your personal data on our social media sites, as well as the analysis of the use of our social media sites by social media users. For this purpose, we and Facebook have agreed on a joint controllership agreement in accordance with Art. 26 GDPR. 

 

Also, the operators of the social media platforms themselves are data controllers for the general use of their social media services and interactions outside our profiles and social media sites. This sole responsibility also applies to any processing of your social media profile data for purposes other than analyzing the traffic on our social media sites.

 

The following links will show you exactly which data is collected by the respective social media operators:

Privacy Policy Facebook

Privacy Policy Instagram

  • Data processing

 

Facebook provides page administrators with aggregated statistics and insights that help them understand the types of actions people take on their pages (“Page Insights”). Please be informed that we only receive aggregated user reports from Facebook. At no point can we attribute any page visit or other interaction to individual social media profiles.

 

When you visit or interact with one of our social media sites or its content, information such as the following may be collected and used to create Page Insights:

 

  • Viewing a page, or a post or video from a page
  • Following or unfollowing a page
  • Liking or unliking a page or post
  • Recommending a page in a post or comment
  • Commenting on, sharing or reacting to a page post (including the type of reaction)
  • Hiding a page’s post or reporting it as spam
  • Clicking a link to a page from another page on Facebook or from a website off Facebook
  • Hovering over a page’s name or profile picture to see a preview of the page’s content
  • Clicking on the website, phone number, Get Directions button or other button on a page
  • Whether you’re on a computer or mobile device while visiting or interacting with a page or its content.

  • Your data subject rights

 

As part of our agreement with Facebook, with respect to our social media sites, we have determined that Facebook is primarily responsible for fulfilling its information obligations in connection with the Page Insights data and for ensuring that you can exercise your rights under the GDPR. For more information about your data subject rights on Facebook, please see Facebook’s Page-Insights Privacy Policy.

f. Mergers & Acquisitions, change of ownership

 

We would also like to inform you that in the event of a merger with or acquisition by another company, we will be required to disclose certain limited information to that company. Of course, we will require the company to comply with the legal data protection regulations. We will keep the extent of the data to the absolute minimum required to conduct the transaction.

 

Categories of personal data:

Delivery data

Location data

Profile data (master data)

Device information and access data

Order data

Customer care data

Marketing contact and communications data

Payment data

Voucher information

 

Legal basis:

Art. 6 (1) f) GDPR, legitimate interests.

  6.  Whom We Share Your Personal Data With

We never give your data to unauthorized third parties. However, to run our business efficiently, we obtain the services of selected service providers and give them limited and strictly monitored access to some of our data. Before we forward personal data to these partner companies for processing on our behalf, each individual company undergoes an audit. All data recipients must meet the legal data protection requirements and prove their data protection level with appropriate documentation.

a. Delivery Hero Group companies

 

As we already let you know at the beginning of this Privacy Policy, we are part of an international group of companies with legal entities in many parts of the world. This also includes our group’s headquarters operated by Delivery Hero SE in Berlin, Germany. To use our resources efficiently and ensure that our business processes are functioning properly, we will share personal data with our joint controller Delivery Hero SE on a regular basis. In certain situations, we might also share limited data with other group companies, for example, to assist with customer support requests, conduct legal assessments or implement IT and platform security measures.

 

All Delivery Hero Group Companies are bound by strict intra-group data transfer agreements ascertaining compliance with the GDPR’s data processing principles whenever sharing personal data with affiliated companies.

b. Service providers and data processors

 

We use different service providers for our daily processing activities. Most of these providers process your personal data as so-called “data processors” in accordance with the requirements of Art. 28 GDPR. This means they are permitted to process any personal data only according to our instructions and have no claims whatsoever to process your personal data for their own, independent purposes. We also monitor our processors and include only those who meet our high data protection standards. 

 

You have already learned about some of the parties we use as service providers above and can also find information on data recipients in our Cookies, SDKs and Web-Tracking Policy. Our user platforms and databases run on cloud resources provided by the EU subsidiaries of Google and Amazon Web Services (AWS). Because we use different data processors and change them from time to time, it is not possible for us to identify all individual recipients of personal data in this Privacy Policy. However, if you are interested, we will be happy to disclose the name of the processor(s) in use at that time upon request.

c. Third parties

 

In addition to data processors, we also work with third parties, to whom we also transmit your personal data, but who are not bound by our instructions. These are, for example, our consultants, lawyers or tax consultants who receive your data from us on the basis of a contract and process your personal data for legal reasons or to protect our own interests. We do not sell or rent your personal data to third parties under any circumstances. This will never take place without your explicit, informed consent.

d. Prosecuting authorities, courts and other public bodies

 

Unfortunately, it can happen that a few of our customers and service providers do not behave fairly and want to harm us. In these cases, we are not only obliged to hand over personal data to public authorities due to legal obligations; it is also in our interest to prevent damage, to enforce our claims and to reject unjustified claims.

  7.  International Data Transfers

We process your data mainly within the European Union (EU) and the European Economic Area (EEA). However, some of our service providers or affiliated companies mentioned above are based outside the EEA in so-called “third countries”. The GDPR has high requirements for the transfer of personal data to such third countries. All our data recipients have to measure up to these requirements. 

 

Before we transfer your data to a recipient in a third country, this recipient is first assessed with regard to their data protection level. They will only be chosen if they can demonstrate an adequate level of data protection even outside the territory of the EEA. According to Art. 44 ff. GDPR, personal data may be transferred to service providers meeting at least one of the following requirements:

 

  • The European Commission has decided that the third country ensures an adequate level of protection (e.g. Israel and Canada).
  • Standard contractual clauses (also called “standard data protection clauses”) have been incorporated into our contract with the data recipient (including any supplementary measures, if required to guarantee an adequate level of protection for personal data).
  • Further appropriate safeguards in accordance with Art. 46 GDPR have been provided (for example Binding Corporate Rules).

  8.  How Long We Store Your Data

We generally delete your personal data after the purpose of its processing has been fulfilled. The exact deletion rules are defined in our global policies and supporting local retention schedules. Different deletion rules apply depending on the purpose of the processing. Within our deletion concepts we have defined various data classes and assigned regular maximum retention and deletion periods to them. When the retention period has expired, the stored data will be deleted accordingly. If you have not used your user account on our platform for a period of more than three years, we will delete your account to comply with the principle of storage limitation. Before this happens, you will receive a separate notification from us to the email address registered for your user account.

 

In addition to the deletion rules we have defined ourselves, there are other legal retention periods which we must also observe. For various legal documents, such as invoices or business letters, applicable law defines minimum retention periods. For example, tax data must be kept for a period of between six and ten years or even longer in some cases. These special retention periods vary according to local legal requirements.

 

Furthermore, we will continue to store your data if we have a right to do so in accordance with Art. 17 (3) GDPR. This applies in particular if we need your personal data for the establishment, exercise or defence of legal claims.

  9.  Right of Modification

We reserve the right to change this data protection declaration in compliance with the statutory provisions. We will inform you of any significant changes, such as changes of purpose or new purposes of processing.

 

Date: Mar 16, 2022