For KITCHEN & CO APPLICATIONS
The KITCHEN & CO and all KITCHEN & CO franchisees (“KITCHEN & CO Franchisee”) undertake to protect the privacy of their visitors and users. The following data protection declaration describes which data KITCHEN & CO processes and how we use the relevant data to help our users and visitors use our customer application for mobile device users, via a web application on a website (e.g. kitchen&co.com) or via an application on a “self-order kiosk” (together, the “Applications”) and our on-demand services (collectively referred to as the “Services“) to offer even greater benefits.
Please read the following provisions carefully so that you become aware of our data protection declaration. Please note that KITCHEN & CO involves MENU Technologies AG (“MENU”) located in Switzerland as data processor as part of data processing and that it also processes your personal data for us as listed in this data protection declaration.
“User” refers to a person who uses the Applications and / or has registered and registered with KITCHEN & CO for the use or potential use of the Services.
KITCHEN & CO never knowingly collects personal information from children under the age of 18. The Applications are only intended for use by adults aged 18 and over. If you believe that a person under 18 years of age used the Applications and thus provided us with personal data, please contact us at [insert]. We will then endeavour to delete the application account and the corresponding personal data.
KITCHEN & CO is the data controller of your personal data. Should you wish to contact KITCHEN & CO, please do so by email at [-] or by telephone on [-].
KITCHEN & CO and other companies (e.g. MENU) may be involved in the processing of data that are related to activities via the Applications and / or in connection with the Services described in the data protection declaration. KITCHEN & CO and any other companies act for the purposes stated in this data protection declaration and comply with the applicable data protection laws.
We collect and process personal data in different ways. The personal data is voluntarily provided by the User in the course of creating and / or changing the user profile, when interacting with or using the Applications and / or the Services and by email communication with support or other employees. For Users of the Applications and / or Services, this includes in particular the following information: name, address, email address, password (encrypted), restaurant orders, user agent when logging in, IP address, credit card information (will not be saved by KITCHEN & CO or MENU; see paragraph 3.4 below), comments on orders, business e-mail address, home and / or delivery address, hosted persons, occasion, signature, possibly collected and / or redeemed points, type of bonus for redeeming points. password (encrypted), telephone number, VAT, currency, tip (if any), contact person and bank details. If you place an order via an Application on a “self-order kiosk” or web-application without having registered or logged in, the orders placed will be processed by us and t we will only receive the data for order processing (including order, payment details and at store location). The receipts are saved on our servers which are hosted by MENU. The payment information is processed by the payment processor. The payment process is authorized by the payment processor and confirmed back to MENU. When ordering from a “self-order kiosk” with a login (if any) – provided that personal data is being processed – no more data is processed than when ordering via the other applications.
In detail, your order triggers a process in the participating restaurant’s system and thereafter KITCHEN & CO and its service provider MENU accordingly, use your personal data, e.g. your contact details, phone number and your order information. When your order is ready to be picked up at the counter, you will be informed either via a push message (for orders placed via the mobile application) or via SMS message (for orders placed via the web application). If the restaurant you are visiting works with guest localization, your table number or your location in the participating restaurant will also be determined by means of table number entry (on the mobile and web application), placed transmitters or antennas (kiosks). In order to receive push messages, you must have push messages activated on your smartphone and to enable the determination of your location via transmitters or antennas you must have Bluetooth activated on your smartphone and give the application permission to determine your location. For orders that you place through the self-order kiosk, a puck may show you when your order is ready for collection at the counter or your order number is displayed on a screen. Your location can also be determined using a puck, which may be distributed to you at the self-order kiosk or at the counter or you may need to enter a number into the screen. You hereby authorize KITCHEN & CO to disclose and process your orders, personal data and in particular your location data to participating restaurants. For delivery orders, your data will be processed for the execution of this delivery to the home or other delivery address you have provided. We can also process your personal data in order to send you coupons, which we generate in the back-end system and which we then send to you, for example, as push messages. You can redeem these coupons on the mobile application, on the web application on a website (e.g. kitchen&co.com) or via an application on a “self-order kiosk”.
KITCHEN & CO is the platform operator of the application and obtains your personal data, such as order data, telephone number, home and / or other delivery address, email address, and can use them for marketing purposes, provided that KITCHEN & CO has obtained your explicit consent to do so. KITCHEN & CO operates the KITCHEN & CO platform in their restaurants and can view their order and payment details for their respective restaurants. As a technology supplier, MENU provides the application platform [Name] and can view your personal data. MENU provides KITCHEN & CO within the application platform with functions that enable KITCHEN & CO to communicate with you in a personalized form and to provide you with relevant information at the appropriate time.
In cases where you provide us with data on other persons within the legally permissible framework (such as when issuing a receipt), it is your responsibility to ensure that the personal data given to us is accurate, correct and up-to-date and you shall ensure to provide these data subjects with this Declaration. Furthermore, if necessary, you must obtain their consent to the processing of their personal data for the purposes described in this data protection declaration.
Your personal data will be processed by MENU and saved by an external provider.
3. FOR WHAT PURPOSES WE PROCESS YOUR PERSONAL DATA?
3.1 TECHNICAL OPERATION AND FUNCTIONALITY OF THE WEBSITE AND APPLICATION
When you visit our website, e.g. to use our web application, our web administrators can store your personal data, including technical data, such as your IP address, the websites you visit, the internet browser you use, the one you used beforehand and subsequently visited websites and the duration of the visit / session, so that we can guarantee the proper functioning of our website. In certain cases, the browser can also query your current location to optimize your user experience. This technical data enables our web administrators to manage the website, for example by solving technical problems or improving access to certain areas of the website. This is how we ensure that you can (still) find the information provided on the website quickly and easily.
If you use our mobile application or web application, we also process your personal data, including technical data, such as for example your IP address and your device type. We use this data to provide the services, to guarantee the functions of the application, to solve technical problems, to provide you with the correct and up-to-date version of the application and to further improve the functionality of the application.
Insofar as GDPR is applicable, the legal basis for the technical operation and functionality of the website and the application is Art. 6 (1)(f) GDPR (balancing interests, based on our legitimate interest in providing you with the functions of the website and the application) and Art. 6(1)(b) GDPR (contract initiation and contract fulfillment).
3.2 CUSTOMER SERVICE
When you register as a user, we collect your name, your email address, your password, your IP address and your device type as well as your credit card number and the expiry date of the card (see above).
As far as GDPR is applicable, the legal basis for customer service is Art. 6(1)(f) GDPR (balancing of interests, based on our legitimate interest in providing you with the services of our customer service) and Art. 6(1)(b) GDPR (contract initiation and contract fulfillment).
3.3 ACTIVATION OF KITCHEN & CO APPLICATION
We collect and process location information, for example in participating restaurants or when you place an order via the applications, provided you have given us your prior consent. We use the relevant data to inform the relevant participating restaurant in which the respective order was placed so that the service staff can process the order accordingly.
Insofar as the GDPR is applicable, the legal basis for processing the location information is Art. 6(1)(a) GDPR (consent).
When you place an order via the application, we process in particular your first and / or last name, your order and your telephone number and forward it to the participating restaurant so that the service staff is able to process your order accordingly and notify you once your order is ready for pick-up. If one of our restaurants serves the orders to the table, the table number or your location is also determined so that the service staff can serve your order accordingly to your table. If you have placed an order for delivery, your home and / or delivery address will also be processed in order to be able to deliver. If you collect points with your order, we will credit it to the points account we hold for you. If you redeem points with an (award) order, we also book this redemption in the points account we hold for you.
Insofar as GDPR is applicable, the legal basis for processing the above-mentioned order data is Art. 6(1)(b) GDPR (contract initiation and contract fulfillment).
3.4 PAYMENT PROCESSING
If you register as a user, your credit card data and data of other payment methods will be forwarded by MENU to a PCI-compliant payment processing provider and processed by the latter in order to process payments for orders placed by you via the applications. KITCHEN & CO and its service providers are allowed to transfer the credit card details or data of other payment methods you have registered to other PCI-compliant payment processors. However, KITCHEN & CO and MENU in particular do not collect credit card information.
As far as the GDPR is applicable, the legal basis for payment processing is Art. 6(1)(b) GDPR (contract initiation and contract fulfillment).
KITCHEN & CO can use your contact information to send you general information about what’s new at KITCHEN & CO You can unsubscribe from these notifications at any time.
As far as GDPR is applicable, the legal basis for processing for marketing purposes is Art. 6(1)(a) GDPR (consent).
3.6 COMPILATION OF ADMINISTRATIVE AND STATISTICAL DATA
KITCHEN & CO use your personal data in an anonymous and aggregated form to monitor exactly which functions of the service are used the most, to analyse usage patterns and to determine where they offer their services and where they should focus. We can provide this information to third parties for industry analysis and statistical purposes.
3.7 COOKIES / GOOGLE ANALYTICS
As far as GDPR is applicable, the legal basis for the processing of personal data using cookies is Art. 6(1)(f) GDPR.
Most browsers can be set in the settings so that they no longer accept cookies or you will be notified when you receive a cookie. In most browsers you will find information on possible changes to your browser settings under the “Help” menu item. If you decide to deactivate and / or delete cookies in the future, you must take into account that some KITCHEN & CO functions will then no longer be available to you.
As far as the GDPR is applicable, the legal basis for the processing of personal data using cookies is Art. 6(1)(f) GDPR.
KITCHEN & CO may also disclose your personal data to the extent legally required or necessary for the establishment, exercise and defence of legal claims and legal procedures and, in an emergency, also data relating to security.
In addition, we transmit your personal data via the cash register system to the participating restaurant in which you would like to place an order.
3.8 LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
As far as GDPR is applicable, the following applies:
Insofar as we obtain the data subject’s consent for the processing of personal data, Art. 6(1)(a) GDPR is relied upon as the legal basis for the processing of personal data.
When processing personal data, which is necessary for the performance of a contract to which the data subject is a party, Art. 6(1)(b) GDPR is relied upon as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6(1)(c) GDPR as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6(1)(d) GDPR serves as the legal basis.
If processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6(1)(f)f GDPR as the legal basis for processing.
3.9 NO OBLIGATION TO PROVIDE PERSONAL DATA
You are not obliged to provide your personal data. Without your personal data, however, we cannot provide our special services to you, or only partially, through the applications.
4. RELEASE OF YOUR DATA BY US / TRANSMISSION IN THIRD COUNTRIES
We may use various third parties and external companies to enable or provide the Services for us, process payments, provide customer support, provide location information to participating restaurants, provide marketing services, and provide website-related services (including maintenance services, database management, web analysis) and improving website functions) or to support us in analysing the use of our services. These third parties have access to your personal data and process it in order to fulfil the tasks mentioned for us. This is in particular MENU, which operates the application and services for us.
For this purpose, your personal data will be transmitted to and processed in countries other than the EU, including Switzerland, and other countries like the USA that do not have data protection laws comparable to the EU. We transfer personal data to locations in countries outside the European Union (so-called third countries) only if:
- it is required by law (e.g. tax reporting requirements),
- You have given your consent,
- this is legitimated by the legitimate interest under data protection law and there are no higher interests worthy of protection of the data subject that conflict with this or
- it is necessary to provide our services to you.
The entities located outside the EU which may process your personal data are in particular:
– PCI compliant payment processor for payment processing;
– Hosting provider especially for hosting data and applications;
– Business Intelligence Provider;
– Communications service;
– Business applications for email communication.
To protect your personal data, we and our service providers have agreed the EU standard contractual clauses with the recipients of your data abroad.
5. YOUR RIGHTS
As a user, you have a right to information about your personal account. This also applies to information that you have provided to us with regard to orders placed via the application. You can exercise your rights under applicable data protection laws, such as: a. enforce the right to request the correction or deletion of your personal data or to object to the processing of your personal data at any time by sending us an email at [insert] or contacting us at the address given in section 10. A copy of your ID card or passport may be requested for clear identification.
As far as GDPR is applicable, the following applies: According to Article 15 GDPR, every data subject has a right of access. According to Article 16 GDPR, the data subject can request the correction of incorrect personal data. According to Article 17 GDPR, the data subject has the right to erasure or, according to Article 18, the right to restrict processing. Likewise, the person concerned can object to the processing of personal data relating to them under the conditions of Article 21 GDPR. According to Article 20 GDPR, the data subject has the right to data portability. To exercise these rights, you can contact the following office: [insert]
You have the right to withdraw your declaration of consent under data protection law at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal. In addition, you have a right to lodge a complaint with the competent data protection supervisory authority in accordance with Article 77 GDPR. The competent data protection supervisory authority in Malta is the Commissioner for Information and Data Protection. A complaint may be lodged with the Commissioner via the following link: https://idpc.org.mt/raise-a-concern/
KITCHEN & CO reserves the right to charge reasonable processing fees for providing relevant information in the event of unsubstantiated or excessive requests.
You can also change your personal data via your KITCHEN & CO account and revoke the consent you have given.
Please note that your rights in relation to your Personal Data are not absolute and we may not be able to entertain such a request if we are prevented from doing so in term of an applicable law.
6. Automated decision in individual cases including profiling
As far as GDPR is applicable, the following applies: In connection with the provision of our services, you will not be subject to a decision based on automated processing in accordance with Article 22 GDPR. If we use such procedures in individual cases, you will be informed about them and your associated rights within the framework of the legal requirements.
Some of your data is processed automatically in order to evaluate certain personal aspects (profiling). In particular, your order behaviour for the promotion of products is analysed. When undertaking such profiling, we shall ensure that this processing activity does not produce legal effects concerning you.
7. DATA STORAGE
Unless otherwise stated in this data protection declaration, we store your data until you delete your KITCHEN & CO account. If you would like to delete your KITCHEN & CO account or request that we no longer use your data in the future to provide services to you, please contact us at [insert].
If these are not necessary to comply with legal obligations or to settle disputes, we will delete your personal data after deleting your account.
KITCHEN & CO has taken appropriate technical and organizational security measures against the loss or unlawful processing of your personal data. For this purpose, your personal data will be securely stored in our database, i.e. the database of MENU. We use industry-standard, economically appropriate security measures, such as firewalls and SSL (Secure Socket Layers), and also physically secure the locations where the data is stored.
As effective as our security measures are, no security system is infallible. We cannot guarantee the security of our database, nor can we guarantee that the information you provide will not be intercepted when it is transmitted to us over the Internet. The transfer of your data to KITCHEN & CO is always at your own risk. We recommend that you do not disclose your password to anyone.
10. CONTACT INFORMATION
11. Information about your right to object in accordance with Article 21 GDPR
11.1 Right to object on a case-by-case basis
As far as GDPR is applicable, the following applies: You have the right, for reasons that arise from your particular situation, at any time against the processing of your personal data, which is based on Article 6(1)(e) (data processing in the public interest) or article 6(1)(f) (data processing based on a balance of interests), or where your personal data is processed for direct marketing purposes, to object; this also applies to profiling based on these provisions.
11.2 Recipient of an objection