Nimo GmbH, Berlin, c/o Nicolo Luti, Fehrbelliner Straße 48, 10119 Berlin, e-mail DPO@discoeat.com („Discovery App“)
2. Data Protection Officer
You may contact our data protection officer under:
UBG GmbH, Im Breitspiel 21, 69126 Heidelberg, Germany, E-Mail: firstname.lastname@example.org, Tel.: + 49 (0) 6221 18 50 170
3. Collection of personal data through our website
Server log files
We collect information relating to your access to our website (so-called server-log-files). Such information includes the URL and name of the accessed website, files, date and time of access, amount of data transferred, notification of successful access, browser type and version, your operating system, referrer URL (the previously visited page), IP address and your internet service provider.
Such information will be stored for a period of up to three months after the respective use of our website. In addition, after that period the IP address is only stored in the server-log-files in anonymous form. The processing related to this information is carried out in accordance with Art. 6 para. 1 lit f) GDPR to protect our legitimate interest in improving the operation, security and optimization of our website.
To the extent individual cookies implemented by us also process your personal data, the processing is carried out in accordance with Art. 6 para. 1 lit f) GDPR to safeguard our legitimate interests in the best possible functionality and a customer-friendly and effective design for your visit to our website. Furthermore, we customize the platform for your individual experience and use for this purpose a "Unique User ID". This Unique User ID allows us to adjust our offers to your reservations and other interactions. The legal basis is Art. 6 para 1 lit. f) GDPR our legitimate interests to improve our customer relationship. As far as a processing beyond the scope necessary for the use of our website takes place, such processing is based on your consent in accordance with Art. 6 para. 1 lit a) GDPR.
Social Media, Shariff
We do not use any social media plug-ins on our website, but only simple link buttons to our presence in the corresponding social networks and platforms. We use the privacy-secure "Shariff" buttons for this purpose. "Shariff" has been developed to allow more privacy on the internet and to replace the usual "Share" buttons of social networks. It is not the user's browser, but the server on which this online service is located, that establishes a connection with the server of the respective social media platforms and queries, for example, the number of likes. The user remains anonymous. More information about the Shariff project can be found under https://www.ct.de. The data processing in the social networks and platforms is completely independent of our website, which is why we have no influence on the data processing that takes place when clicking on the link.
We collect and process your data that you provide to us when and as long as you maintain a user account on our website. The data collected is be displayed on the relevant input forms on the registration screen. You may delete your user account at any time contacting us or by choosing the relevant option within your user account. In such a case, the data stored within your customer will be automatically deleted.
In order to prevent any cases of improper practice, we may request that the inquirer provides a document to legitimizes him- or herself.
We use the data collected from you in this way in accordance with Art. 6 para. 1 lit b) GDPR for the purpose of contract processing and execution.
Registration using Single-Sign-On Account
When registering a user-account, you also have the option of using a single sign-on account ("SSO"). With an SSO, you can sign up for various different services and platforms with a single account. Our website currently offers you the opportunity to use the SSO services offered by Facebook Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin 2 Ireland ("Facebook") and Google, LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").
At the beginning of the registration of a user-account on our website, we will inform you about the option to register using an SSO. Using an SSO requires that you are already registered with one of the above-mentioned SSO-providers or that you create a new account with them.
If you decide to register using your SSO, you will first be redirected to your SSO-provider. The SSO-provider will then ask you to enter your login details or register with the SSO service. This prompt may be skipped if you are already logged in to the SSO. We will not be informed of your login details of your SSO, as they will not be transmitted to us.
In a second step, you will be asked to link your SSO-profile with our website. We will use the data provided by your SSO-provider during the registration process to create a user-account on our website for you. During this step, you will also be informed about the data that we will be able to request from your SSO-provider. Generally, this data includes your name, your profile and title picture, your gender and your username with the respective SSO-provider. Furthermore, we will need the e-mail address stored in your SSO-profile to register your user-account on our website. Obtaining your e-mail-address serves the purpose to ensure that you able to continue to use your user-account in case you wish to terminate the link between your SSO-profile and your user-account on our website in the future. If you consent to us using your above data for the purposes described above, you will be redirected to our website to complete the registration of your user-account.
In the event that you wish to use our website with your SSO, your SSO-provider will become aware that you wish to register a user-account on our website. Your SSO provider will usually place a cookie in your browser when you click on the button with the relevant SSO-provider's logo. The SSO-provider may use this cookie to collect further information about you and your surfing behavior. The information generated through the cookie is transferred to the servers of your SSO-provider. It is possible that these servers are located in a third country, for example in the United States. Your information will be saved there and possibly merged with other profile data that the SSO-provider has stored about you. This may result in your SSO-provider creating user profiles that include information about you that exceeds that which you have provided yourself.
Google has submitted to the EU-US Privacy Shield for cases in which personal data is transferred to Google in the United States. Facebook is also certified under the EU-US Privacy Shield. According to the regulations of the GDPR, such certification offers a sufficient guarantee for the compliance with the European data protection level for processing outside the EEA. More information can be found at https://www.privacyshield.gov/EU-US-Framework.
If you have completed your registration using your SSO, we will store the information that you have registered with us via your SSO-provider. This information is stored in the form of a key. We do not automatically receive updated information if you change your SSO-provider profile. Similarly, we will not send any information to your SSO-provider without your consent. If you wish to use your user-account independently of your SSO profile, you can do so by creating a new password using the "forgot password" function our website. You can terminate the link between our website and your SSO-profile by logging into your SSO profile and adjusting your preferences as necessary, provided that this is possible with your SSO-provider. By doing so, you will be able to deny us the right to access and use the information from your SSO-profile. You will only be able to continue using your user-account once you have created a new password, e.g. by requesting a new password on our website using the "forgot password" function.
You may also log into your user-account on our website directly and terminate the link with the respective SSO service. Once you do this, your SSO-provider will no longer be notified when you are using our website.
The legal basis for our processing relating to the single sign on function offered on our website is your consent in accordance with Art. 6 para. 1 lit a) GDPR.
Contact form, E-Mails
Your personal data will be collected if you are contacting us via our contact form on the website or e-mail. If your data is collected via the contact form provided on our website, the data concerned can be identified from the respective contact form. Your data is collected and used by us exclusively for the purpose of replying to your request or contacting you in relation thereto. The data provided you have provided you will be deleted as soon as your contact request has been answered conclusively. This is the case if the circumstances indicate that the matter in question has been conclusively clarified and if there are no legal storage obligations to the contrary.
The legal basis for the processing of your data is our legitimate interest in responding to your request pursuant to Art. 6 para. 1 lit f) GDPR.
We collect your surname, name, e-mail address, phone number and other information displayed on the reservation form for each reservation placed through the reservation tool on our website unless you are logged in with your user-account, in case of which we will use the information saved within your user account. If you place a reservation without being logged into your user-account, we will store your information and your reservation request for up to four years. During that time, your information may be combined with information we receive from you in the future during the retention period. If you place your reservation request while being logged into your user-account, your reservation request will be saved in your user-account.
Regardless of whether you place your reservation request while being logged into your user-account or not, we will transmit a notification with your last name and the number of people you are placing the reservation request for to the restaurant you chose in order to confirm your reservation, but no other information. We may use your name, e-mail-address and/or phone number provided by you during the placing of your reservation request or saved within your account to confirm your reservation and send you reminder-notifications relating to your reservation. We may also use your data to contact you in relation to your reservation whenever there are reasonable grounds for us to do so, e.g. in case the restaurant notifies us that the reservation must be cancelled or otherwise changed, or if the restaurant sends us of other material information in connection with your reservation which you should be aware of before your visit.
To the extent that processing your information is required for the execution of your reservation request and providing our services in connection thereto, the legal basis is Art. 6 para 1 lit b) GDPR. Beyond that purpose, the relevant processing is based on our legitimate interests to improve and optimize our service in accordance with Art. 6 para. 1 lit f) GDPR.
Ratings and Reviews
The Platform gives you the possibility to use certain social functions: you can submit reviews and ratings for restaurants. You can also subscribe to comments and reviews by other users. Your reviews and ratings will be published with your username at the post. We recommend to use a pseudonym instead of your given name.
If you use these functions, it is necessary to enter your username and e-mail address, all other information is voluntary. Furthermore, your IP address will be stored when you submit a review or rating. We store your username, email and IP address which you have used to submit a review or rating for the period of your registration. This is a safeguard measure for us for cases where someone posts illegal content, comments and/or contributions (insults, prohibited political propaganda, etc.). We need to be able to determine the identity of the author in such cases, as legal action may arise based on the content in the reviews or ratings.
We do not check the review and ratings before their publication. Nevertheless, we might check them after they were published. We have also the right to delete comments or reviews in case third parties object to them as unlawful.
If you opt to subscribe to successor comments, a confirmation email will be sent to verify that you are actually the owner of the email address entered. Subscriptions to comments can be cancelled at any time. The confirmation email will contain the relevant instructions in this respect.
If you wish to participate in our Loyalty Program, additional data must be processed to provide this service to you. To participate you need to create an account. For this purpose, we will process your reservation and booking history to manage your loyalty points and to offer you bonus offers and other offers.
The legal basis is Art. 6 para 1 lit. f) GDPR. It is our legitimate interest to offer our loyal customers a bonus program to consolidate the customer relationship.
If you subscribe to our newsletter, we will use the data you provide for this purpose (first name, surname, e-mail address) to integrate it into our newsletter database and to send you our e-mail newsletters on a regular basis subject to your consent. The integration into our newsletter database takes place via the so-called double opt-in procedure in order to prevent any abuse of your data; i.e. that upon submission of your data, an activation mail is first sent to the specified e-mail address and that your data is finally integrated in the newsletter database only when the activation link contained in the activation mail has been clicked. If the activation link is not clicked within one week of the activation mail being sent, your submitted data will be deleted.
You may unsubscribe from the newsletter or object to receiving information on direct marketing at any time with effect for the future and can do so either by updating your user preferences within your user account or via a link in the newsletter provided for this purpose.
The legal basis for our processing relating to sending you our newsletter is your consent in accordance with Art. 6 para. 1 lit a) GDPR.
We use Google Analytics only with the previously described activated IP anonymization. This means that Google will only process your IP address in abbreviated form. A personal reference can thus be ruled out.
To cover the exceptional cases in which your personal data is transferred to the United States, Google has submitted to the Privacy Shield Agreement concluded between the European Union and the USA and certified itself. This means that Google is committed to complying with the standards and regulations of European data protection law. Further information can be found under https://www.privacyshield.gov/participant.
Further information on the use of data by Google, on settings and objection possibilities and options and on data protection can be found on the following Google websites:
- Terms of Service: https://www.google.com/analytics/terms
- Google's use of data when you use the websites or apps of our partners: https://policies.google.com/technologies/partner-sites
- Use of data for advertising purposes: https://www.google.com/policies/technologies/ads
- Settings about personalized advertising by Google:https://www.google.de/settings/ads
As an alternative to the browser add-on or within browsers on mobile devices, please click this link to prevent Google Analytics from collecting data from this website in the future (the opt-out only works in this browser and only for this domain). An opt-out cookie will be placed on your device. If you delete your cookies in this browser, you must click this link again.
The processing of your data is based on our legitimate interest in optimizing our website pursuant to Art. 6 para. 1 lit f) GDPR.
Google Tag Manager
We use Google Tag Manager on our website, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as "Google"). Google Tag Manager enables us to manage website tags via an interface for marketing purposes. The tool Google Tag Manager, which implements the tags, is a cookie-free domain and does not collect any personal data itself. Google Tag Manager triggers other tags that may themselves collect data. Google Tag Manager does not access this information. If deactivation has been made at the domain or cookie level, it will persist for all tracking tags implemented with Google Tag Manager.
Google is certified under the Privacy Shield Agreement between the European Union and the United States. Google has therefore committed to comply with the standards and regulations of European data protection law. For more information, please refer to www.privacyshield.gov/participant
Further information on data protection can be found on the following Google websites:
- Datenschutzerklärung: https://policies.google.com/privacy
- Google Tag Manager Terms of Service:https://www.google.com/analytics/terms/tag-manager/
We use the services of "Google Maps" on our website, an online map service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as "Google"). This enables us to display interactive maps directly on the website and allows you to use the map feature in a convenient manner. When you visit our website, Google receives the information that you have accessed the corresponding subpage of our website. Your IP address will be transmitted to Google. This takes place regardless of whether or not you are logged into a Google account. If you are logged in at Google, your data will be assigned directly to your account. If you do not want your profile to be associated with Google, you must log out before using our website. Google saves your data to create user profiles and uses them for marketing purposes, market research and/or to design websites to meet your demand. Such evaluation is carried out in particular (even for users who are not logged in) to provide tailored advertising and to inform other users of your activities on our website.
an opt-out option can be found at https://adssettings.google.com/authenticated.
For the cases in which personal data is transferred to the United States, Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. This is proof within the meaning of the GDPR that your data is processed at a level of data protection comparable to that of similar processing in the EU.
We use Google Maps in order to be able to display interactive maps for you and thus enable you to have a better user experience on our website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit f) GDPR.
In certain cases, our service providers (website providers, cloud providers, business centers, newsletter providers) who are active in the operation, maintenance and update of our website and the administration of our business can view the above-mentioned personal data. Such external service providers only act in accordance with our instructions and are monitored on a regular basis. Your IP address may be transmitted to Google, LLC. Your data may also be transmitted or otherwise made available to our tax advisors, auditors and (for example as part of a tax audit) to the tax authorities responsible for our business.
Such processing is carried out in accordance with Art. 6 para. 1 lit f) GDPR to protect our legitimate interest in a technically and economically optimized operation of our website and enterprise.
We may also transmit your information to the restaurant you wish to make a reservation with in as described above. Such processing is required for us to be able to fulfil your request to execute your reservation pursuant to Art. 6 para. 1 lit b) GDPR.
5. Period for which the personal data will be stored
Unless stated otherwise in section 3. or else unless you have consented to a longer retention period, we will not store and process any or your personal data beyond such time as the actual use of our website is ceased. This does not apply where we are obliged to store such data in accordance with the applicable statutory retention periods (e.g. commercial and tax retention periods). In such a case, we may store some of your data for up to 10 years following the end of the calendar year in which it was last processed.
6. Necessity of data collection
The collection of your personal data as described in section 3 for the use of our website is required neither by law nor by contract, but is required for achieving the purposes described herein.
7. Rights of the data subject
In accordance with the provisions of the GDPR, you have the following rights and claims against the controller:
- the right of access (Article 15 GDPR)
- the right to rectification (Article 16 GDPR)
- the right to erasure (Article 17 GDPR)
- the right to restriction of processing (Article 18 GDPR)
- the right to data portability (Article 20 GDPR)
You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of our processing based on your consent before your withdrawal.
You may also object to the processing for the purpose of receiving our newsletter or other direct advertising with future effect.
9. Right to object, Art. 21 GDPR
At any given time, you have the right to object to any processing of your personal data that is based on Art. 6 para. 1 lit f), including profiling based on this provision, on grounds relating to your particular situation. In such an event, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or if the processing is required for the establishment, exercise or defense of legal claims.
You have the right to object at any time to processing of your personal data for purposes of sending you our newsletter or other direct marketing, including any profiling that is related to such direct marketing. Upon receiving your objection, we will no longer process your personal data for such purposes.
Apart from the other forms described herein to submit your objection, you may also send us an e-mail with your objection to email@example.com
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes applicable data protection law.
We do encourage you to contact us first to discuss any issue that may arise so we can find a quick and amicable solution that satisfies your needs.