Vapiano Austria EN Privacy Policy


For VAPIANO Diretto – digital order service

The VAP restaurants GmbH, Karl-Popper-Straße 2b/Top 9, 6. Stock, 1100 Vienna (hereinafter referred to as “VAPIANO” or “we”) and all participating restaurants undertake to protect the privacy of their visitors and users. The following data protection declaration describes which data we process associated with VAPIANO Diretto and how we use the relevant data to help our users and visitors use our web application ( (hereinafter referred to as “Services”) to offer even greater benefits. Please read the following provisions carefully so that you become aware of our data protection declaration.

Please note that VAPIANO involves MENU Technologies AG, Zählerweg 5, CH – 6301 Zug («MENU») as data processor as part of data processing and that it also processes your personal data for us as listed in this data protection declaration.

If you visit our website, e.g. to use our web application, the privacy policy of the website apply additionally.

VAPIANO reserves the right to change this privacy policy. If you have any questions about this data protection declaration, please contact us at


“User” refers to a person who uses the applications and / or has registered and registered with VAPIANO for the use or potential use of the service.

“Participating restaurant” refers to restaurants run by VAPIANO or VAPIANO Franchisee, in which the digital order service VAPIANO Diretto can be used and you can order. These are solely responsible for the catering and restaurant services. „Personendaten“ are personal data iSd Art 4 Z 1 DSGVO.


VAPIANO never knowingly collects personal information from children under the age of 18. The applications are only intended for use by adults aged 18 and over. If you believe that your child under 18 years of age used the applications and thus provided us with personal data, please contact us at [insert]. We will then endeavour to delete the application account and the corresponding personal data.

The responsibility for the processed personal data is

VAP restaurants GmbH

VAPIANO, participating restaurants and other companies (e.g. MENU) may be involved in the processing of data that are related to activities via the applications and / or in connection with the services described in the data protection declaration. VAPIANO, the participating restaurants and any other companies act for the purposes stated in this data protection declaration and comply with the applicable data protection laws. Responsible always remains VAPIANO.

We collect and process personal data in different ways. The personal data is voluntarily provided by the user in the course of creating and / or changing the user profile, when interacting with or using the applications and / or the services and by email communication with support or other employees. For users of the applications and / or services, this includes in particular the following information: name, email address, password (encrypted), restaurant orders, user agent when logging in, IP address, credit card information (will not be saved by VAPIANO or MENU; see paragraph 3.4 below, comments on orders, business e-mail address, home and / or delivery address, hosted persons, occasion, signature, possibly collected and / or redeemed points VAPIANO, type of bonus for redeeming points. The data of the participating restaurants include the name, address, email address, password (encrypted), telephone number, VAT, currency, tip (if any), contact person and bank details. If you place an order via an application on a “self-order kiosk” or web-application without having registered or logged in, the orders placed will be processed by us and the participating restaurant will only receive the data for order processing (including order, payment details and at store location). The receipts are saved on our servers, i.e. those of MENU. The payment information is processed by the payment processor. The payment process is authorized by the payment processor and confirmed back to us, i.e. MENU. When ordering from a “self-order kiosk” with a login (if any) – provided that personal data is being processed – no more data is processed than when ordering via the other applications.

In detail, your order triggers a process in the participating restaurant, through which the participating restaurant, VAPIANO and the service provider MENU, using your personal data, e.g. your contact details, e.g. phone number, home and / or other delivery address (in case of orders to be delivered) and your order are informed accordingly. When your order is ready to be picked up at the counter, you will be informed either via SMS message (for orders placed via the web application). If the restaurant you are visiting works with guest localization, your table number or your location in the participating restaurant will also be determined by placed transmitters or antennas.

VAPIANO as the franchisor is the platform operator of the application and obtains your personal data, such as order data, telephone number, home and / or other delivery address and email address, and can use them for marketing purposes. The participating restaurants use the platform in their restaurants and receive your order and payment details for their respective restaurants to provide the desired catering and restaurant services. As a technology supplier, MENU provides the application platform and processes your personal data on behalf of VAPIANO. MENU provides VAPIANO within the application platform with functions that enable VAPIANO to communicate with you in a personalized form and to provide you with relevant information at the appropriate time.

Your personal data will be processed by MENU and saved by an external provider.



When you visit our website, e.g. to use our web application, your personal data, including technical data, such as your IP address, the websites you visit, the internet browser you use, the one you used beforehand and subsequently visited websites and the duration of the visit / session, so that we can guarantee the proper functioning of our website. In certain cases, the browser can also query your current location to optimize your user experience. This technical data enables us to manage the website, solve technical problems or improve access to certain areas of the website. This is how we ensure that you can (still) find the information provided on the website quickly and easily.

If you use our web application, we also process your personal data, including technical data, such as for example your IP address and your device type. We use this data to provide the services, to guarantee the functions of the application, to solve technical problems, to provide you with the correct and up-to-date version of the application and to further improve the functionality of the application.

The legal basis is Art. 6 Para. 1 lit. f GDPR (balancing interests, based on our legitimate interest in providing you with the functions of the website and the application) and Art. 6 Para. 1 lit. b GDPR (contract initiation and contract fulfillment).


When you register as a user, we collect your name, your email address, your password, your IP address and your device type as well as your credit card number and the expiry date of the card (see above).

We use your personal data and contact information to provide the services, for communication purposes relating to your orders and for announcements related to the services, such as when our services are temporarily unavailable due to maintenance work. We use your personal data and registration data to create and manage your VAPIANO account. We reserve the right to deactivate your account if we suspect that you are using our application to commit fraudulent or illegal acts or if you violate our terms of use.

The legal basis is Art. 6 Para. 1 lit. f GDPR (balancing of interests, based on our legitimate interest in providing you with the services of our customer service) and Art. 6 Para. 1 lit. b GDPR (contract initiation and contract fulfillment).



We collect and process location information, for example in participating restaurants or when you place an order via the applications, provided you have given us your prior consent. We use the relevant data to inform the relevant participating restaurant in which the respective order was placed so that the service staff can process the order accordingly.

The legal basis for processing the location information is your consent according Art. 6 Para. 1 lit. b GDPR (contract initiation and contract fulfillment).


When you place an order via the application, we process in particular your first and / or last name, your order and possibly your telephone number and forward it to the participating restaurant so that the service staff is able to process your order accordingly and notify you once your order is ready for pick-up. If one of our restaurants serves the orders to the table, the table number or your location is also determined so that the service staff can serve your order accordingly to your table. If you have placed an order for delivery, your home and / or delivery address will also be processed in order to be able to deliver. If you collect points with your order, we will credit it to the points account we hold for you. If you redeem points with an (award) order, we also book this redemption in the points account we hold for you.

The legal basis for this is Art. 6 Para. 1 lit. b GDPR (contract initiation and contract fulfillment).


If you register as a user, your credit card data and data of other payment methods will be forwarded by MENU to a PCI-compliant payment processing provider and processed by the latter in order to process payments for orders placed by you via the applications. VAPIANO and MENU itself do not collect credit card information.

The legal basis for this is Art. 6 Para. 1 lit. b GDPR (contract initiation and contract fulfillment).


If you give your consent, VAPIANO can use your contact information to send you general information about what’s new at VAPIANO. You can withdraw from this consent at any time with effect for the future and unsubscribe from these notifications at any time.

The legal basis for processing for marketing purposes is Art. 6 Para. 1 lit. a GDPR (consent).


VAPIANO and MENU use your personal data in an anonymous and aggregated form to monitor exactly which functions of the service are used the most, to analyse usage patterns and to determine where they offer their services and where they should focus. You can provide this information to third parties for industry analysis and statistical purposes.


VAPIANO uses cookies. Cookies are small text files that a website places on your computer or mobile device when you visit a page or website for the first time. Cookies help us to recognize your device the next time you visit the website. Cookies have different functions. With their help we can, for example, recall your attitudes and interests. Cookies can help us to analyze how well our website works or to adapt our content so that the relevant information is provided to you. Only the session ID is saved and transmitted in the cookies.

As far as GDPR is applicable, the legal basis for the processing of personal data using cookies is Art. 6 Para. 1 lit. f GDPR.

Most browsers can be set in the settings so that they no longer accept cookies or you will be notified when you receive a cookie. In most browsers you will find information on possible changes to your browser settings under the “Help” menu item. If you decide to deactivate and / or delete cookies in the future, you must take into account that some VAPIANO functions will then no longer be available to you.

As far as the GDPR is applicable, the legal basis for the processing of personal data using cookies is Art. 6 Para. 1 lit. f GDPR.


Insofar as we obtain the data subject’s consent for the processing of personal data, Art. 6 para. 1 lit. a (GDPR) applies as the legal basis for the processing of personal data.

When processing personal data, which is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

If processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 (1) lit. f GDPR as the legal basis for processing.


You are not obliged to provide your personal data. Without your personal data, however, we cannot provide our special services to you, or only partially, through the applications.


We may use various third parties and external companies to enable or provide the services for us, process payments, provide customer support, provide location information to participating restaurants, provide marketing services, and provide website-related services (including maintenance services, database management, web analysis) and improving website functions) or to support us in analysing the use of our services. These third parties have access to your personal data and process it only on our behalf, in order to fulfil the tasks mentioned for us. This is in particular MENU, which operates the application and services for us.

For this purpose, your personal data can be transmitted to and processed in countries outside the EU, including countries (such as the USA) that do not have data protection laws comparable to the EU. We ensure in any case that appropriate guarantees according to Art 46 GDPR are present, for example standard contractual clauses are concluded.

VAPIANO discloses your personal data to the extent legally required or necessary for the establishment, exercise and defence of legal claims and legal procedures and, in an emergency, also data relating to security.

In addition, we transmit your necessary personal data, for billing purposes via the cash register system to the participating restaurant in which you would like to place an order.


You can exercise your rights under applicable data protection laws by sending us an email at or contacting us at the address given in section 10. A copy of your ID card or passport must be enclosed for clear identification.

According to Article 15 GDPR, every data subject has a right to information. According to Article 16 GDPR, the data subject can request the correction of incorrect personal data. According to Article 17 GDPR, the data subject has the right to erasure or, according to Article 18, the right to restrict processing. Likewise, the person concerned can object to the processing of personal data relating to them under the conditions of Article 21 GDPR. According to Article 20 GDPR, the data subject has the right to data portability.

You have the right to withdraw your declaration of consent under data protection law at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal. In addition, you have a right to lodge a complaint with the competent data protection supervisory authority, which is the Data Protection Authority in Austria.

VAPIANO reserves the right to charge reasonable processing fees for providing relevant information in the event of unsubstantiated or excessive requests.

You can also change your personal data via your VAPIANO account and revoke the consent you have given.

6. Automated decision in individual cases including profiling

In connection with the provision of our services, you will not be subject to a decision based on automated processing in accordance with Article 22 GDPR. If we use such procedures in individual cases, you will be informed separately about them and your associated rights within the framework of the legal requirements.

Some of your data is processed automatically in order to evaluate certain personal aspects (profiling). In particular, their order behaviour for the promotion of products is analysed.


Unless otherwise stated in this data protection declaration, we store your data until you delete your VAPIANO account. If you would like to delete your VAPIANO account or request that we no longer use your data in the future to provide services to you, please contact us at

If these are not necessary to comply with legal obligations or to settle disputes, we will delete your personal data after deleting your account.


VAPIANO has taken appropriate technical and organizational security measures against the loss or unlawful processing of your personal data. For this purpose, your personal data will be securely stored in our database, i.e. the database of MENU. We use industry-standard, economically appropriate security measures, such as firewalls and SSL (Secure Socket Layers), and also physically secure the locations where the data is stored.

As effective as our security measures are, no security system is infallible. We cannot guarantee the security of our database, nor can we guarantee that the information you provide will not be intercepted when it is transmitted to us over the Internet. The transfer of your data to VAPIANO is always at your own risk. We recommend that you do not disclose your password to anyone.


We can update this privacy policy to reflect changes in our information and data processing practices. In the event of significant changes, we will inform you before the corresponding change takes effect by e-mail and via a message on our website. By continuing to use VAPIANO Diretto, you acknowledge and agree to the updated data protection declaration. We recommend that you visit this page regularly to find out about the latest innovations in our data protection measures.


VAP restaurants GmbH

Karl-Popper-Straße 2b/Top 9, 6. Stock

1100 Vienna


Telephone number: +43 1 526 348 100


11. Information about your right to object in accordance with Article 21 GDPR

11.1 Right to object on a case-by-case basis

You have the right, for reasons that arise from your particular situation, at any time against the processing of your personal data, which is based on Article 6 (1) lit. e (data processing in the public interest) or lit. f (data processing based on a balance of interests), to object; this also applies to profiling based on these provisions.

If you file an objection, we will no longer process your personal data. Something else only applies if we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms or if the processing serves to assert, exercise or defend legal claims.

11.2 Recipient of an objection

The objection can be made informally with the subject “objection” stating your name, address and date of birth and should be addressed to: