Privacy notice for https://www.louis-breakfast.com/

Dear users,
Thank you for your interest in our website. In the following, we would like to inform you about the handling of your personal data.
The protection of your privacy is important to us. We use information that we receive and store during your visit to our website exclusively for internal purposes and to improve the design of our website.

I. Who is responsible for data processing and whom can you contact?



Responsible for data processing is
Saint Louis GmbH
Deutzer Freiheit 89
50679 Cologne

Represented by the managing director Sascha Bayer
Phone +49 (0)221 - 16 84 28 10
E-mail: cologne@louis-breakfast.de

II. General information on data processing



1. Scope of data processing
The processing of your personal data, i.e. data that can be traced back to you, is carried out exclusively for the fulfillment of our requested services and for the protection of our own legitimate business interests.

2. Legal basis of the data processing
The legal bases for the processing of your data by us are:
Art. 6 para. 1 lit. a) DSGVO (GDPR), provided that you give us your consent;
Art. 6 para. 1 lit. b) DSGVO (GDPR), if the data processing serves the establishment or implementation of a contract;
Art. 6 para. 1 lit. c) DSGVO (GDPR), if we are legally obliged to collect data;
Art. 6 para. 1 lit. f), if we have a legitimate interest in the data processing and our interests in this respect override your rights and freedoms.

3. Duration of the storage / deletion of the data
As a matter of principle, we delete or block personal data as soon as the purpose for which it was stored no longer applies. If we are required by law to retain data, it will not be blocked or deleted until the statutory retention period has expired, unless there is a need to continue to store the data for the purpose of concluding or fulfilling a contract. Storage and documentation obligations may arise for us from the German Civil Code (BGB), the German Commercial Code (HGB), the German Fiscal Code (AO), among others. The periods specified there for storage and documentation are two to a maximum of ten years. Finally, the storage period is also assessed according to the statutory limitation periods, which are generally three years, for example, according to §§ 195 ff. of the German Civil Code (BGB).

4. Recipients of the collected data
The recipients of the data collected via the website are primarily us. In addition, processors (web hosters, technical support) have access to the data collected via our website. However, compliance with legal regulations is ensured in this respect by order processing contracts that we conclude with our order processors based in the EU. Data is only transferred to third countries to the extent specified below.
In addition, your data will only be transferred to third parties within the scope of our services if the transfer of your data is mandatory and permitted by law.

5. Profiling / automated decision making
We do not perform any profiling / automated decision-making in the sense of the GDPR.

6. Obligation to provide data
When visiting our website, there is no legal or contractual obligation to provide personal data. The purchase of vouchers, the reservation of tables and the booking of events require the release of personal data (e.g. name, e-mail address). If you do not wish to provide us with your data, you will not be able to use these services.

III. Data processing when visiting our website and using our services



1. General

1.1 Scope of data processing
Each time our website is called up, our system automatically collects data and information from the computer system of the calling computer in order to display our website. The following data is collected:
Date and time of retrieval
Transferred amount of data and name of the requested file
Operating system used
The IP address of the user
Requested URL including subpages
Referrer URL
Search phrases and keywords
Error messages (error codes)
Visit duration
The data is also stored in the log files (log files / log of all or certain processes on a computer system) of our system. A storage of this data together with other personal data of the user does not take place.

1.2 Legal basis for data processing
The legal basis for the temporary storage of the data and the log files is Art. 6 para. 1 lit. f) DSGVO (GDPR), our legitimate interest.

1.3 Purpose of the data processing
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.
The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. These purposes are also our legitimate interest in data processing according to Art. 6 para. 1 lit. f) DSGVO (GDPR). Since it is not readily possible for us to draw conclusions from an IP address to a natural person, since an IP address is not sensitive data, since it is deleted no later than seven days after a visit to the website, and since we need it to offer our website, our interest outweighs your interest.

1.4 Duration of storage
The collected data is deleted as soon as it is no longer required to achieve the purpose for which it was collected (provision of the website). In the case of storage of data in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, however, the IP addresses of the users are deleted or rendered anonymous, so that an assignment of the calling client is no longer possible.

1.5 Possibility of objection and elimination
The collection of data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

2. Use of cookies
2.1 Use of Cookiebot
Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user calls up a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.

Cookies may be stored on your computer without your consent if they are absolutely necessary for the operation of the website or if they are required for a service that you have expressly requested and which is associated with an active action on your part (e.g. filling out a form). For other cookies, consent is required.

In order to manage cookies in a privacy-compliant manner, we use the cloud-based software solution Cookiebot from the company Cybot A/S, based in Copenhagen (Denmark). The company Cybot A/S is a processor within the meaning of Art. 28 DSGVO (GDPR). In this respect, we have concluded an order processing agreement with Cybot.

With Cookiebot, we provide you with a so-called cookie banner, through which you can give us your consent to the use of cookies. The cookie banner also informs you about the use of cookies when you first visit our website and asks for your consent to the use of cookies. Until you give your consent, all initial and third-party cookies that we use on our website and that are not technically necessary are automatically blocked. You can only prevent technically necessary cookies via the settings in your browser. In this case, however, you will no longer be able to use our website correctly. You have the possibility to refuse unwanted cookies via the cookie banner and still continue to use the website.

We distinguish the following cookies in the cookie banner:
Technically necessary cookies
Statistical cookies
Marketing cookies
If you give your consent via the cookie banner by setting a check mark, the following data will be logged automatically:
The IP number of the end user in anonymized form (the last three digits are set to '0').
Date and time of consent
User agent of the end user's browser.
The URL from which the consent was sent.
An anonymous, random and encrypted key.
Consent status of the end user, which serves as proof of consent.

The key and consent status are also stored in the end user's browser in the cookie "CookieConsent" so that the website can automatically recognize and follow the end user's consent in all subsequent page requests and future end user sessions for up to 12 months. The key is used for proof of consent and for an option to verify that the consent status stored in the end user's browser is unchanged from the original consent submitted to Cybot.

The user's consent is logged and documented via the registration of the user's anonymized IP address, browser type agent, website URL, date and time of consent, and unique encrypted key stored in the Cybot Cloud vendor's data center, Microsoft Ireland Operations Ltd. in Dublin, Ireland. Microsoft Ireland Operations Ltd. is ISO/IEC 27001 audited and has adopted the international code of conduct for cloud data protection, ISO/IEC 27018. There is no disclosure of data beyond this.

After 12 months, your consent is automatically deleted from the log and, if necessary, used in aggregated and anonymized form for statistical purposes.

You can revoke your consent at any time by clicking on the link. Clicking this link activates the "Renew" function of Cookiebot.


2.2 Technically necessary cookies
Our website uses technically necessary cookies (own and third-party cookies).

We use cookies to make our website more user-friendly and secure. Some elements of our website require that the calling browser can be identified even after a page change (e.g. table reservation). The user data collected through technically necessary cookies are not used to create user profiles.

In the technically necessary cookies are stored:
Language setting
Page identifiers

The cookies are needed for the following applications:
Adopting the language setting
Recognition of the user when changing pages (e.g. reservation tool, voucher purchase)
IT security (protection against misuse by bots)
Cookie banner (consent)

We offer some services where we use the help of third parties. For example, the purchase of vouchers and online reservations are made via an application of Gastronovi GmbH from Bremen, Germany. We have concluded an order processing agreement with Gastronovi, which ensures that Gastronovi processes your data in accordance with data protection regulations. Gastronovi sets the functional cookie "gastronavi" when you want to purchase a voucher or make a table reservation in order to save the state of the application and to securely integrate the application into our website. There is also an exchange with our system to query available tables. This is a session cookie that is deleted after the session ends.

The gastronavi cookie enables basic services and is technically mandatory for the proper functioning of the application used. Therefore, you cannot unselect this cookie, but you are free to use the corresponding services.

We use the payment service provider Stripe, based in Ireland. This sets the HTTP cookies _stripe_mid and _stripe_sid, which are necessary to process payment transactions via our website. The cookie _stripe_mid has a storage period of 1 year, the cookie _stripe_sid is stored for one day. Stripe also sets the HTTP cookie _m, which determines which device you are using to access our website, in order to format the page accordingly. The storage period is 2 years.

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 lit. f) DSGVO (GDPR) and Art. 6 para. 1 lit. a) DSGVO (GDPR) if you give your consent. The legal basis for processing personal data using technically unnecessary cookies is Art. 6 para. 1 lit. a) DSGVO (GDPR), your consent.

Since we only set necessary cookies without consent, you are free to use our website with the functions provided and we inform you about the data processing, our legitimate interests in data processing outweigh your rights and freedoms.

For more information on the individual cookies, please refer to our cookie banner. You can also find more information about individual tools below.

3. Contact form for EVENT bookings
3.1 Description and scope of data processing
If you would like to celebrate an event with us, you can make an inquiry via our contact form. We need the following information: Name, e-mail address, desired date with time and number of people, type of event, the choice between drinks and / or food, the budget. There is also a text field.

At the time of submitting the form, we also store the following data:
Date and time of sending the request

To protect against misuse of our IT systems, we use the service "reCAPTCHA" of the company Google LLC (Google) when using the request form. The query is used to distinguish whether the input is made by a human or misused by automated, machine processing.

The query includes the sending of the IP address and possibly other data required by Google for the reCAPTCHA service to Google. For this purpose, your input is transmitted to Google and used there. By using reCAPTCHA, you agree that the recognition you provide will be used for the digitization of old works. Due to the activation of IP anonymization on this website, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser as part of reCAPTCHA is not merged with other data from Google. The deviating data protection regulations of the Google company apply to this data. You can find more information about Google's privacy policy at: https://www.google.com/intl/de/policies/privacy/.

3.2 Legal basis for data processing
The legal basis for the processing of the data is Art. 6 para. 1 lit. b) DSGVO (GDPR), for the use of Google reCAPTCHA Art. 6 para. 1 lit. f) DSGVO (GDPR).

3.3 Purpose of the data processing
The data processing of the data from the inquiry form is mandatory for the implementation of pre-contractual measures and answering your inquiry.

The reCAPTCHA serves to protect us from misuse (e.g. by bots). Since you are free to make the request via the form, our legitimate interests prevail in this respect. You are free to call us about an event or to send us an email. In this case, Google cannot store any of your data.

3.4 Duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.

For the data collected via the form, this is the case when the data is no longer required for the execution of the contract or your request. Even after the conclusion of a contract, it may be necessary to store personal data of the contractual partner in order to comply with contractual or legal obligations (e.g. from the tax code, the civil code, etc.).

The storage periods to be observed in the event of the conclusion of a contract cannot be determined in a blanket manner, but must be determined on a case-by-case basis for the contracts and contracting parties concluded in each case.

3.5 Possibility of objection and elimination
If the data is required for the fulfillment of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion.

If you wish to delete your data from the request form, please inform us. We will then check the deletion request and delete your data immediately if necessary.

4. Contact by e-mail

4.1 Scope of data processing
On our website, it is possible to contact us via the e-mail address provided. If you write us an e-mail, the personal data transmitted with the e-mail will be stored. The contact data will be used exclusively for the processing of the conversation or request.

4.2 Legal basis for data processing
The legal basis for the processing of data received in the course of sending an e-mail is Art. 6 para. 1 lit. a) and f) DSGVO (GDPR). If the contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b) DSGVO (GDPR).

4.3 Purpose of the data processing
The processing of the personal data of the contact serves us solely to process the contact and your request. This is also our legitimate interest. Since the contact is initiated by you, you are free and we inform you in advance how we handle the transmitted data, our legitimate interest prevails over your privacy rights.

4.4 Duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when it is clear from the circumstances that the matter in question has been conclusively clarified.

4.5 Possibility of objection and elimination
You have the option to object to the storage of your personal data at any time. In such a case, the conversation cannot be continued. The objection can be made by e-mail, by contact form or by mail. All personal data stored in the course of contacting you will be deleted by us in this case.
Insofar as data is collected within the scope of a contractual relationship, the possibility of objection does not exist, as this is absolutely necessary for the execution of the contract.

5. Online reservations

5.1 Description and scope of data processing
We offer the possibility to make a table reservation online. For this purpose, we use the software solution of the company Gastronovi GmbH, based in Bremen (Germany), with whom we have concluded an order processing agreement. You can find more information about Gastronovi at https://www.gastronovi.com/de/datenschutz/ and https://www.gastronovi.com/de/.

If you use our reservation tool, you will need to provide the following information: Desired area, number of people, date and time. We will then check the availability. If availability is given, we need the following data from you: title, first and last name, e-mail address. In addition, there is the possibility to voluntarily make comments and to voluntarily indicate whether you need space for a stroller. You can also indicate if you are bringing a dog or if you need a high chair for children. We cannot reserve a table for you online without your information.

Gastronovi also collects the following data:
▪ IP address
▪ Terminal device
▪ Time of access
▪ Request made to the server
This data is automatically evaluated in order to detect attacks on our system and to be able to initiate countermeasures. The data is regularly deleted automatically by overwriting the log files.

5.2 Legal basis for data processing
The legal basis for the processing of data when making a reservation is your consent (Art. 6 para. 1 lit. a) DSGVO (GDPR)), which you give when you tick the appropriate box. In relation to the mandatory data, however, the legal basis is also Art. 6 para. 1 lit. b) DSGVO (GDPR), as it is a pre-contractual / contractual measure.

5.3 Purpose of the data processing
The collection of data serves to process your request, check availability, reserve the required table and IT security. Since you are free to use the tool, our legitimate interest in the data provided outweighs this, unless it is absolutely necessary for the reservation as a pre-contractual or contractual measure itself.

5.4 Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. This depends, among other things, on the period for which you reserve. The data will also be deleted if you revoke your consent to data processing.

5.5 Possibility of objection and elimination
If you would like us to delete your data, please contact us using our contact details.

6. Newsletter - Mailchimp

6.1 Description and scope of data processing
You can subscribe to a newsletter (in German language) on our website and as part of an online reservation. If you register for our newsletter, we will send you regular information about our offers, services and events for marketing purposes. We use the so-called double opt-in procedure for this purpose. This means that we only send the user an e-mail newsletter if the user has expressly consented to receiving the newsletter and then clicked on an authentication link sent by e-mail. We hereby ensure that the e-mail address provided really belongs to the person giving consent. Within the scope of the consent, we inform the user once again about the data processing.

After extensive research and risk assessment, we have decided to use "MailChimp", a newsletter delivery platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA, to send our newsletter.

We expressly point out the following:

It cannot be ruled out that U.S. authorities may access personal data processed to provide the service. Due to the powers of the U.S. intelligence agencies and the legal situation in the U.S., U.S. government surveillance measures are disproportionate and, from the EU's perspective, there is no adequate level of government data protection for personal data. In particular, Sec. 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) provides no limits on the surveillance activities of the intelligence agencies and no safeguards for non-U.S. citizens. Moreover, Presidential Policy Directive 28 (PPD-28) does not provide data subjects with effective remedies against measures taken by U.S. authorities and does not provide for barriers to ensure proportionate measures. In addition, U.S. authorities can demand that a U.S. company hand over all stored data on the basis of the U.S. Cloud Act, even if this data is located on servers within the EU.

After extensive research and risk assessment, we nevertheless decided to use MailChimp for the following reasons:

Mailchimp has implemented compliance measures for international data transfers. These apply to all global activities where Mailchimp processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). You can find more information here:
https://mailchimp.com/legal/data-processing-addendum/
https://mailchimp.com/de/help/mailchimp-european-data-transfers/
We are of the opinion that knowledge of the receipt of a newsletter on the subject of marketing does not give rise to fears of personal or economic disadvantages and that the probability of knowledge is low, at least based on the number of queries according to the transparency report (https://Mailchimp.com/transparency-report). In addition, Mailchimp uses special security measures, namely encryption among other state-of-the-art technical protection measures, checking of queries for necessity and permissibility, and publication of a transparency report:
https://Mailchimp.com/help/Mailchimp-european-data-transfers
https://Mailchimp.com/transparency-report

After a risk assessment, we have therefore come to the conclusion that an appropriate level of data protection is guaranteed. The newsletters contain a so-called "web beacon", i.e. a pixel-sized file that is retrieved from our server when the newsletter is opened, or, if we use a shipping service provider, from their server.

The following information is collected as part of the retrieval process:

First names, surnames, e-mail addresses, analytic data, i.e. (if consent has been given) profiles with information on opening and link click rates of newsletters as well as registration and confirmation time together with IP address as well as changes to e-mail addresses, classification in segments or similar internal identification, usage data (e.g. Internet pages visited, interest in content, access times).

This analysis information is assigned to the individual newsletter recipients and stored in their profiles until they are deleted. We use the analyses to identify the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

The measurement of the opening rates and the click rates as well as the storage of the measurement results in the profiles of the users and their further processing are based on the consent of the users. Unfortunately, a separate revocation of the performance measurement is not possible; in this case, the entire newsletter subscription must be cancelled or objected to. In this case, the stored profile information will be deleted.

Mailchimp requires this data to ensure the security and reliability of the systems, compliance with the terms of use and the prevention of abuse and to technically improve the newsletter dispatch. This corresponds to the legitimate interest of Mailchimp (according to Art. 6 para. 1 lit. f) DSGVO (GDPR)) and serves the execution of the contract (according to Art. 6 para. 1 lit. b) DSGVO (GDPR)). Furthermore, Mailchimp evaluates performance data, such as the delivery statistics of emails and other communication data. This information is used to create usage and performance statistics of the services.

You can find more information about the data processing and objection options of Mailchimp here:
https://mailchimp.com/legal/privacy/#3._Privacy_for_Contacts

6.2 Legal basis for data processing
The legal basis for the processing of data after registration for the newsletter by the user is your consent pursuant to Art. 6 para. 1 lit. a) DSGVO (GDPR) by placing a check mark in the text field "I would like to receive exclusive offers and information from "St. Louis The Breakfast Company" by e-mail". The legal basis for logging and storage after revocation is Art. 6 para. 1 lit. f) DSGVO (GDPR).

6.3 Purpose of the data processing
The collection of the e-mail address is used to deliver the newsletter and for marketing purposes. The collection of other personal data serves to prevent misuse of the services or the e-mail address used as well as to be able to prove registrations and unsubscriptions. This is also our legitimate interest in data processing.

6.4 Duration of storage
In principle, the data will be deleted three years after the termination of the mail subscription (start is the end of the respective year) on the basis of legitimate interests, namely for proof of revocation and because of the possible assertion of legal claims of the subscriber.

6.5 Possibility of objection and elimination
The subscription to the newsletter can be terminated at any time. For this purpose, you will find a corresponding link in each newsletter. With the cancellation of the newsletter, the consent to the sending of the newsletter and the storage of the associated data is revoked with effect for the future. With regard to further rights concerning data processing when sending newsletters, please read the section "Your rights".

7. Voucher purchase

7.1 Description and scope of data processing

You can purchase a voucher via our website. We also use our service provider Gastronovi for this purpose on the basis of an order processing agreement.

All data collected on our website is processed on Gastronovi's servers.

Via our website, you can first configure from whom and for whom the voucher is and select the value of the voucher. Then we collect the following data from you via Gastronovi:
- First and last name
- E-mail address
- Payment method and voucher value
- Time and date of registration
- Consent to the GTC including time of consent
For IT security reasons, Gastronovi collects the IP address, the end device, the time of access and the request made to the server.

7.2 Legal basis for data processing
The legal basis for the processing of data when purchasing a voucher is Art. 6 para. 1 lit. b), c) and f) DSGVO (GDPR).

7.3 Purpose of the data processing
The purpose of the data processing is the processing of your order, or the technical processing of the concluded purchase contract, in which we also have our own legitimate interest and the legal obligations incumbent upon us. The other technical data serves as proof of consent to the terms and conditions and to protect against misuse of our systems.

7.4 Duration of storage
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected, unless there are statutory retention periods (e.g. from the German Fiscal Code or the German Civil Code).

7.5 Possibility of objection and elimination
Since you are entering into a paid contract with us for the purchase of your voucher, you do not have the option to object or cancel.

7.6 Data transfer / payment procedure
We offer efficient and secure payment options and use other payment service providers in addition to banks and credit institutions. Your payment data (including the voucher amount) will be passed on to the commissioned credit institution in the context of payment processing, provided this is necessary for payment processing and you do not provide the data yourself to the selected payment service provider.

For payment transactions, the terms and conditions and the privacy policy of the respective payment service providers apply, which are available within the respective websites or transaction applications. Please also read the corresponding privacy statements of the providers themselves, as they are responsible for processing your data.

The data processed by the payment service providers includes inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, total and recipient-related information. The information is required to carry out the transactions. However, the data entered is only processed by the payment service providers and stored with them. I.e., we do not receive any account- or credit card-related information, but only information with confirmation or negative information of the payment.

7.6.1 Payment service provider Stripe
We have integrated the external payment service provider Stripe Payments Europe Ltd, a company incorporated in Ireland with its registered office at 1 Grand Canal Street Lower, Grand Canal Dock, Dublin (hereinafter referred to as "Payment Service Provider"). You have the option to complete the payment process via Stripe. The payment service provider offers payment services for the processing of contracts for the purchase of vouchers. Stripe accepts payments on our behalf. Stripe processes the following data in this context with the payment services to be provided, depending on the payment method, which we transmit to Stripe: First and last name of the customer, address, account number, email address, IP address, bank routing number, possibly credit card number, voucher amount, currency and transaction number.

The transfer of your data takes place exclusively for the purpose of payment processing with the payment service provider Stripe Payments Europe Ltd. and only insofar as it is necessary for this purpose. The legal basis for the integration of Stripe is in this respect Art. 6 para. 1 lit. b) DSGVO (GDPR). You can find more information about Stripe's data protection at https://stripe.com/de/privacy.

Payment methods provided by Stripe include payment via credit card (Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; privacy policy: https://www.mastercard.de/de-de/datenschutz.html and Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, UK; privacy policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html) as well as Klarna Sofortüberweisung and PayPal.

In detail:

7.6.1.1. Credit card
If you choose to pay by credit card, your credit card information will be transmitted to Stripe in encrypted form. Stripe processes the following information: Credit card origin, IP address of the order page, expiration date of the card (month / year), type of credit card (credit / debit), name of the credit card company (VISA / Mastercard) and of course the amount of the voucher.

7.6.1.2 Instant bank transfer (Klarna)
Sofortüberweisung is a payment service that enables cashless payment for products and services on the Internet. Sofortüberweisung represents a technical procedure by which Stripe immediately receives a payment confirmation after completion of the payment. The operating company of Sofortüberweisung is SOFORT GmbH, Fußbergstraße 1, 82131 Gauting, Germany. SOFORT GmbH is part of the Klarna Group (Klarna Bank AB (publ), Sveavägen 46, 11134 Stockholm, Sweden).

If you select "Sofortüberweisung", you consent to an automated transmission of personal data required for payment processing. When processing payments via Sofortüberweisung, you transmit the PIN and the TAN to Sofort GmbH. Sofortüberweisung carries out a transfer after technical verification of the account balance and retrieval of further data to check the account coverage. Klarna stores in this case first and last name, account number, bank code, IBAN, BIC, subject and date and the voucher amount. This data can later also be found in the payment confirmation, which we need to process the purchase. PIN and TAN of the credit institution used by the customer are not stored by Klarna at any time. You can also find more information about Klarna here:
https://www.klarna.com/sofort/ and
https://www.klarna.com/de/datenschutz/
The purpose of the data transfer is payment processing and fraud prevention.

7.6.2 Payment service provider PayPal
When paying via PayPal, your payment data will be forwarded to PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal"), as part of the payment processing. The transfer takes place in accordance with Art. 6 para. 1 lit. b) DSGVO (GDPR) and only insofar as this is necessary for the payment processing.
PayPal reserves the right to conduct a credit check for the payment methods credit card via PayPal, direct debit via PayPal or purchase on account or installment payment via PayPal. If these payment methods are offered and you select them, your payment data may be forwarded to credit agencies in accordance with Art. 6 (1) f) DSGVO (GDPR) on the basis of PayPal's legitimate interest in determining your solvency. PayPal uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method. The creditworthiness information may contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, they have their basis in a scientifically recognized mathematical-statistical procedure. The calculation of the score values includes, but is not limited to, address data. For further information on data protection, including information on the credit agencies used, please refer to PayPal's privacy policy:
https://www.paypal.com/de/webapps/mpp/ua/privacy-full
You can object to this processing of your data at any time by sending a message to PayPal. However, PayPal may still be entitled to process your personal data if this is necessary for the contractual payment processing.

8. Food pick-up ("click & collect")

8.1 Description and scope of data processing
You can select food and drinks via our website, order them, pay online and pick them up at our To-Go Hut. We also use our service provider Gastronovi for this service on the basis of a contract processing agreement. All data collected on our website is processed on the servers of Gastronovi.

You can first select via our website which food and beverages you would like to order. We then collect the following data from you via Gastronovi:
- Title, first and last name
- E-mail address
- Payment method, shopping basket content and shopping basket total
- Time and date of the order
- Consent to the GTC including time of consent
- If used: Discount card data
For IT security reasons, Gastronovi collects the IP address, the end device, the time of access and the request made to the server.

8.2 Legal basis for data processing
The legal basis for the processing of the data is Art. 6 para. 1 lit. a), b), c) and f) DSGVO (GDPR).

8.3 Purpose of the data processing
The purpose of the data processing is the processing of your order, or the technical processing of the concluded purchase contract, in which we also have our own legitimate interest and the legal obligations incumbent upon us. The other technical data serves as proof of consent to the terms and conditions and to protect against misuse of our systems.

8.4 Duration of storage
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected, unless there are statutory retention periods (e.g. from the German Fiscal Code or the German Civil Code).

8.5 Possibility of objection and elimination
Since you are entering into a paid contract with us for the purchase of food / beverages, there is no possibility of objection or removal.

8.6 Data transfer / payment procedure
We also use the payment service providers PayPal and Stripe as part of our pick-up service. Please read our information 7.6.1. and 7.6.2., which apply accordingly.

9. Social media links
We provide links to various social media on our website. However, these are merely links to external websites of third-party social media providers and not plugins. Consequently, no connections to the third-party providers are established and no personal data is transmitted to them when you visit our website. When you click on the respective button, which is marked with the provider's symbol, you will be redirected to the website of this provider. You will leave our website at this moment. If you have questions about the data collection of the third-party providers, please read the privacy statements provided by the third-party providers. We refer to the following social media:

9.1. Facebook
Our website links via the "f" button to the social network facebook.com, whose operator for users outside the USA and Canada is Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Information on data protection can be found here: https://de-de.facebook.com/about/privacy/

9.2 Instagram
The operating company of the Instagram services is Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.
https://de-de.facebook.com/help/instagram/519522125107875

9.3. Spotify
"Spotify" is an audio streaming platform operated by Spotify AB, Birger Jarlsgatan 61, 113 56 Stockholm, Sweden. For more information about Spotify's privacy policy, please visit https://www.spotify.com/de/legal/privacy-policy.

10. Google Maps

10.1 Description and scope of data collection
This website uses the Google Maps API, a mapping service for displaying maps and creating directions to help you find our location. Google Maps is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
When you visit our website, Google receives the information that you have accessed our page and, if necessary, other log files. Google stores and uses the data for purposes of advertising, market research and / or design of its own services. This cookie is usually not deleted by closing the browser, but expires after a certain time (up to 24 months), unless you delete it beforehand.

10.2 Legal basis of the processing
The legal basis for the use of Google Maps is Art. 6 para. 1 p. 1 lit. f) DSGVO (GDPR).

10.3 Purpose of the data processing
The purpose of data processing is to optimize the user-friendliness of our website and to make it easier to find our location. This is also our legitimate interest in the use of Google Maps.

10.4 Possibilities of objection and removal
You have the possibility to deactivate the Google Maps service in a simple way and thus prevent the data transfer to Google:
To do this, disable JavaScript in your browser. However, please note that in this case you will not be able to use the map display.
You can find detailed information about Google's data collection here: https://policies.google.com/privacy

11. Job applications

11.1 Description and scope of data processing
You can apply for a position in our company by e-mail or using our application form (in the German-language version of our website). We collect the data requested in the application form or the data that you send us as part of an application. Mandatory data are marked with an asterisk.
If an employment contract is concluded after the application process, we will store your personal data in your personnel file for the purpose of the usual organizational and administrative process - this, of course, in compliance with the more extensive legal obligations.

11.2 Legal basis of the processing
The legal basis is Section 26 BDSG (German federal data protection act) in the version applicable since May 25, 2018. Accordingly, the processing of data required in connection with the decision on the establishment of an employee relationship is permissible.
Should the data be required for legal prosecution after completion of the application process, data processing may take place on the basis of the requirements of Art. 6 DSGVO (GDPR), in particular to safeguard legitimate interests pursuant to Art. 6 (1) f) DSGVO (GDPR). Our interest then consists in the assertion or defense of claims.

11.3 Purpose of the data processing
The purpose of the data processing is to check your suitability for the position (or other open positions in our company, if applicable) and to carry out the application process. If legal claims are asserted after the application process, the purpose is to assert or defend against claims. Your personal data will only be passed on or otherwise transferred to persons involved in the application process.

11.4 Duration of storage
Data of applicants will be deleted after 6 months in case of rejection.
In the event that you have agreed to further storage of your personal data, we will transfer your data to our applicant pool. There, the data will be deleted after two years.
If you are chosen for a position during the application process, the data from our applicant data system will be transferred to our HR information system.
In the event of a rejection on our part, we automatically delete the data provided to us three months after notification of the rejection. However, the deletion does not take place if the data requires a longer storage of up to four months or until the conclusion of legal proceedings due to legal provisions, e.g. due to the obligation to provide evidence according to the AGG (German general anti-discrimination act).
If you expressly consent to a longer storage of your data, e.g. for your inclusion in our internal applicant pool, the data will be processed on the basis of your consent. Of course, you can revoke your consent at any time with effect for the future.

12. Google Fonts
The integration of fonts via Google Fonts takes place in "offline" mode by local storage on our servers. In this case, the IP address is not transmitted to Google.

IV. Your rights



If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights in summary:

- Right to information
- Right to rectification
- Right to limited processing
- Right to deletion
- Right to information
- Right to data portability
- Right to object
- Right to revoke consent given
- Right to complain to a supervisory authority.

Details can be found below:

1. Right to information
You can request confirmation from us as to whether personal data concerning you is being processed by us.
If there is such processing, you can request information from us about the following:

(1) the purposes for which the personal data are processed;
(2) the categories of personal data which are processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the planned duration of the storage of the personal data concerning you or, if concrete information on this is not possible, criteria for determining the storage duration;
(5) the existence of a right to rectify or erase personal data concerning you, a right to have the controller restrict processing or a right to object to such processing;
(6) the existence of a right of appeal to a supervisory authority;
(7) any available information on the origin of the data, if the personal data are not collected from the data subject;
(8) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information about whether the personal data in question is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 DSGVO (GDPR) in connection with the transfer.

2. Right to rectification
You have the right to rectification and/or completion if the personal data processed concerning you is incorrect or incomplete. We shall then carry out the correction without delay.

3. Right to restriction of processing
Under the following conditions, you can request the restriction of the processing of personal data concerning you:

(1) if you dispute the accuracy of the personal data concerning you for a period of time that allows us to verify the accuracy of the personal data;
(2) the processing by us is unlawful, you refuse the erasure of the personal data by us and instead request the restriction of the use of the personal data from us;
(3) we no longer need the personal data for the purposes of processing, but you need it for the assertion, exercise or defense of legal claims; or
(4) if you have objected to the processing pursuant to Art. 21 (1) DSGVO (GDPR) and it has not yet been determined whether our legitimate grounds override your grounds.

If the processing of personal data concerning you has been restricted, this data may - apart from being stored - only be processed by us with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.
If processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction is lifted.

4. Right to deletion
a) Obligation to delete
You may request that we delete your personal data immediately. We are obliged to delete this data immediately if one of the following reasons applies:

(1) Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
(2) You revoke your consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) DSGVO (GDPR) and there is no other legal basis for the processing.
(3) You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
(4) The personal data concerning you have been processed unlawfully.
(5) The deletion of the personal data concerning you is necessary for compliance with a legal obligation under Union law or the law of the Member States to which we are subject.
(6) The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8 (1) DSGVO (GDPR).

b) Information to third parties
If we have made your personal data public and we are obliged to erase it pursuant to Article 17(1) of the GDPR, we will take reasonable measures (including technical measures) to inform controllers who process the personal data that you have requested the erasure of all links to, copies of, or replications of that personal data.

c) Exceptions
The right to erasure does not exist insofar as the processing is necessary

(1) to exercise the right to freedom of expression and information;
(2) to fulfill a legal obligation or to perform a task in the public interest or in the exercise of official authority vested in us, if applicable;
(3) for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) DSGVO (GDPR);
(4) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89(1) of the GDPR, insofar as the right referred to in Section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or
(5) to assert, exercise or defend legal claims.

5. Right to information
If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged to notify all recipients to whom your personal data have been disclosed of the rectification, erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort for us.
You have the right to be informed by us about these recipients.

6. Right to data portability
You have the right to receive the personal data concerning you from us in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another controller without hindrance from us, provided that

(1) the processing is based on consent pursuant to Art. 6 Para. 1 lit. a DSGVO (GDPR) or Art. 9 Para. 2 lit. a DSGVO (GDPR) or on a contract pursuant to Art. 6 Para. 1 lit. b DSGVO (GDPR) and
(2) the processing is carried out with the aid of automated procedures.

In this respect, you also have the right to have us transfer your data to another responsible party, insofar as this is technically feasible. However, the freedoms and rights of other persons must not be affected by this.
This right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

7. Right of objection
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6(1)(e) or (f) DSGVO (GDPR); this also applies to profiling based on these provisions.
We will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

8. Right to revoke the declaration of consent under data protection law
You have the right to revoke declarations of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

9. Right to complain to a supervisory authority
Regardless of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority to which the complaint has been submitted will inform you, as the complainant, about the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

V. IT Security



To protect the security of your data during data transmission, we use TLS encryption (256-bit key, TLS 1.3), which you can recognize by the small lock symbol in the address bar of your browser when you visit our website. In addition, we secure our IT systems with firewalls and virus protection.

VI. Reservation of right of modification



We reserve the right to adapt this data protection declaration so that it complies with the current legal requirements. If you visit our website again, the updated and published data protection declaration will apply.

Status: December 13, 2021