1. Data controller

The operator of this website is the data controller within the meaning of the General Data Protection Regulation (GDPR). The technical platform is provided by “Menuella”. The controller pursuant to Article 4(7) GDPR is:

Nuh Kayran / Menuella
NORTHAON
Sulgauer Str. 28, 78713 Schramberg
Phone: +49 170 1234432
Email: [email protected]

2. Collection and processing of personal data

We process personal data when you:

The data collected may include:

• place an order

• create or use a customer account (Menuella One)

• submit a support request

• visit our website

• use interactive components such as maps, reviews or contact forms

• subscribe to our newsletter or receive other communications

• Name, address, telephone number, email address

• Payment data (encrypted via Stripe)

• Order history

• Location data (if required for delivery)

• Log data (IP address, device type, browser information)

• Map data from Mapbox for location-based features

• Interaction data (e.g. button clicks, reviews, navigation)

3. Legal bases for processing (Article 6 GDPR)

• Article 6(1)(b): Contract performance for orders and customer accounts

• Article 6(1)(a): Consent for account creation, data sharing, marketing

• Article 6(1)(f): Legitimate interests (e.g. fraud prevention, IT security, service improvement)

4. Use of Menuella One (single sign-on system)

When you use a Menuella One account, you can sign in to all partner restaurants with the same credentials. On your first visit to a new restaurant, you will be asked whether it may access your profile data for order processing. Data sharing only takes place after you have given explicit consent.

5. Disclosure to third parties

• The restaurant receives personal data required to process orders (name, address, product preferences, etc.)

• Payment data is processed exclusively via the PCI DSS-certified provider Stripe

• Location data may be processed by Mapbox, a US-based provider relying on standard contractual clauses pursuant to Article 46 GDPR

• Technical service providers (e.g. hosting, maintenance) only gain access within the scope of a data processing agreement pursuant to Article 28 GDPR

• No data is passed on to third parties for advertising purposes

6. Storage periods

• Order data: 10 years in accordance with Section 147 AO (tax retention)

• Account data: Until deleted by the user or after 24 months of inactivity at the latest

• Support requests: 2 years

• Log data: up to 12 months for error analysis and security monitoring

• Newsletter data: Until you unsubscribe or, at the latest, 12 months after inactivity

7. Your rights (Articles 15–21 GDPR)

You have the following rights:

Please send your request to the respective restaurant or contact us via [email protected].

• Access to the personal data stored about you

• Rectification of inaccurate data

• Erasure, provided no statutory retention obligations apply

• Restriction of processing

• Data portability

• Objection to processing based on legitimate interests

8. Withdrawal of consent (Article 7(3) GDPR)

You may withdraw consent (e.g. for newsletters or restaurant data sharing) at any time with effect for the future.

9. Data security (Article 32 GDPR)

• SSL-encrypted data transmission

• Access controls including two-factor authentication

• Database-level encryption

• Regular updates and security reviews

10. Use of cookies

This website uses:

For further details, please consult our cookie policy.

• Strictly necessary cookies (e.g. basket, session)

• Optional cookies (e.g. for analytics, if actively consented)

11. Hosting & IT service providers

Hosting is provided by Hetzner Online GmbH (Germany) under a data processing agreement pursuant to Article 28 GDPR.

12. Online payments via Stripe

Payments are processed by Stripe Payments Europe, Ltd., an EU-based provider operating a GDPR-compliant infrastructure. Stripe processes payment information under its own data protection responsibility.

Further information: https://stripe.com/privacy

13. Use of Google Fonts (self-hosted)

We use Google Fonts to style this website. The fonts are delivered directly from our own servers in compliance with the GDPR, so no connection is made to Google servers.

14. Use of Mapbox

We use Mapbox for map functionality. Technical data (e.g. IP address, location, browser data) may be processed. Processing is based on legitimate interests (Article 6(1)(f) GDPR). Mapbox relies on standard contractual clauses pursuant to Article 46 GDPR.

More information: https://www.mapbox.com/legal/privacy

15. Newsletter and email communication

If you have consented to receiving newsletters or information by email, we will use your email address exclusively for that purpose. You can unsubscribe at any time via the link in the newsletter or by contacting us directly.

16. Use of Sentry (error monitoring)

We use the monitoring tool Sentry (Functional Software Inc., USA) to ensure technical stability and monitor errors. Anonymous or pseudonymised usage data may be processed. Processing is based on Article 6(1)(f) GDPR (legitimate interest in functional reliability). Sentry relies on standard contractual clauses pursuant to Article 46 GDPR.

More information: https://sentry.io/privacy/

17. Supervisory authority

You can address complaints to the competent data protection authority:

State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
PO Box 10 29 32, 70025 Stuttgart
Email: [email protected]

18. Changes to this privacy policy

We reserve the right to update this privacy policy. The version published on this page is always the one currently in force.