Privacy Policy

and information for data subjects in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR).

1. CONTENT OF THIS PRIVACY POLICY

With this privacy policy, we would like to inform you about how, for what purpose, and to what extent we process personal data (hereinafter also referred to as "Personal Data"). This policy applies to all personal data processing activities carried out by us, both in the context of using our online services at http://tastyurban.com, www.birdiebirdie-food.com, www.birriaandthebeast.com, www.nanuh-food.com, www.flydumplings-food.com, www.pacificwings-food.com as well as the respective sub-domains of these web addresses ("Online Services"), and when using our external online presences, such as our social media profiles (collectively referred to as "Services").

2. CONTROLLER RESPONSIBLE FOR DATA PROCESSING

Unless otherwise specified for a particular market or service, the "Controller" within the meaning of the General Data Protection Regulation (GDPR) and other data protection laws applicable in the Member States of the European Union, as well as other regulations of a data protection nature, is:

Tasty Urban GmbH
Winsstraße 12, 10405 Berlin
Email: office@tastyurban.com
Phone: +49 30 233270720

(hereinafter referred to as "TastyUrban", "we" or "us").

3. TYPES OF PERSONAL DATA COLLECTED

The type of personal data we collect depends on your specific business relationship with us. Below, we describe the types of data we collect, their sources, the purpose and legal basis for processing, the duration of storage and the recipients to whom the data may be disclosed. One or more of the following situations may apply to you:

To explain the respective processing of personal data, different types of data are grouped into categories:

Category and Types of Data

  • Personal Identification Data: Title, salutation, first name, last name

  • Address Data: Street, house number, additional address details (if applicable), postal code, city, country

  • Contact Data: Phone number, fax number, email address

  • Order Data: Ordered products, prices, payment and delivery information, voucher details, payment services or payment method

  • Payment Data: Bank account details, data related to other payment services such as PayPal

  • Access Data: Date and time of visit to the respective service; the page from which the accessing system reached our online service; when using the online service: session identification data (Session ID); additionally, the following information about the accessing computer system: Internet Protocol (IP) address used, browser type and version, device type, operating system, and similar technical information

  • Location Data: Information about the location of the device used to access the online service

  • Login Data: Information about the online service used for login, timestamps and technical information regarding login, confirmation upon logout, and data provided by you during the login process

3.1 Processing when accessing our Online Services

a) Affected Data

Each time our online services or other digital platforms are accessed, we or our web hosting providers collect Access Data.

b) Purpose of processing and legal basis

The collected data is used to provide contractual services and customer support, ensure the correct delivery and optimization of our services’ content and maintain the long-term functionality and technical security of our systems. This purpose represents our legitimate interest in data processing according to Art. 6(1)(f) GDPR.

Personal data that you voluntarily provide to us, such as via email or contact forms, is stored for processing your request or further communication. The legal basis for this processing is Art. 6(1)(f) GDPR.

c) Disclosure of your data

We share your data with third parties that store it on their servers. The types of third parties we share your data with include:

  • IT service providers, including cloud providers for data storage purposes.

  • External support service providers.

  • Public authorities and government agencies, where required by applicable legal regulations (e.g., tax and customs authorities) based on Art. 6(1)(c) GDPR.

3.2 Processing when placing an order

a) Affected Data

When you place an order via our Online Services, we or our web hosting provider collect personal identification data, order data, address data and contact data. Additionally, when using our online services, location data — either collected from your device or manually entered by you — may be processed.

b) Purpose of Processing and Legal Basis

We process the data of our customers or potential customers to enable them to select, purchase or order products, goods and related services as well as to facilitate payment, delivery or other requested services.

The collected data is necessary for establishing a contractual relationship, conducting pre-contractual measures, contacting you if needed, verifying age (if applicable) and delivering our Services, including the delivery of food and beverages to your location.

As part of our Services, we offer food and beverage delivery to the customer’s specified location or the option for pickup. To enable this, access to location data is required.

The legal basis for this data processing is Art. 6(1)(b) GDPR (performance of a contract).

Personal data that you voluntarily provide to us will be stored for processing your request or further communication. The legal basis for this processing is Art. 6(1)(f) GDPR (legitimate interest).

c) Recipients of Your Data

We share your data with third parties that store it on their servers. The types of third parties we share the data with include:

  • Restaurant operators

  • Delivery services

  • IT service providers, including cloud providers for data storage purposes

  • External support service providers

  • Public authorities and government agencies, where required by applicable legal regulations (e.g., tax and customs authorities), based on Art. 6(1)(c) GDPR

3.3 Processing in the context of email marketing

a) Affected data

If you subscribe to our newsletter or receive promotional information as a customer, we process your registration data, personal identification data (email) and access data.

b) Purpose of processing and legal basis

We process this data to:

  • Track subscription, confirmation and unsubscription of the newsletter.

  • Send you the newsletter.

  • Personalize and tailor the newsletter to your interests.

  • Provide individualized recommendations based on your usage data.

  • Maintain and improve the quality of our Services.

These purposes constitute our legitimate interest in data processing under Art. 6(1)(f) GDPR, as they enable us to participate effectively in business activities.

c) Recipients of your data

We share your data with third parties that store it on their servers. The types of third parties we share your data with include:

  • IT service providers, including cloud providers for newsletter distribution.

  • External support service providers.

3.4 Processing of Data in the Application Process

a) Affected data

Personal data that you provide to us as part of the application process. This may include the following:

  • Personal identification data (e.g., name, title)

  • Address data (e.g., street, house number, postal code, city, country)

  • Contact data (e.g., phone number, email)

  • Application documents (e.g., cover letter, CV, certificates, diplomas, references)

During the application process, you are required to provide personal data that is necessary for evaluating your potential employment or that we are legally required to collect. Without this data, we may not be able to process your application or enter into an employment contract with you.

b) Purpose of processing and legal basis

The legal basis for processing application data is Art. 6(1)(b) GDPR (pre-contractual measures).

We may retain your application data for a limited time to protect ourselves against legal claims. The legal basis for this is our legitimate interest under Art. 6(1)(f) GDPR.

If you provide your consent under Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, we may store your data in our applicant pool for future job opportunities.

c) Recipients of Your Data

We may share your data with third parties that store it on their servers or devices. The types of third parties we share your data with include:

  • External service providers or contractors (e.g., for data processing, hosting, recruitment agencies and applicant tracking software).

  • Public authorities or government agencies where required by law (e.g., tax authorities and customs offices), based on Art. 6(1)(c) GDPR.

d) Duration of Data Storage

If your application does not result in employment, your application data will be deleted after a maximum of six months, unless:

  • You have given explicit consent for your data to be stored longer in our applicant pool.

  • Another legal basis for further retention applies.

3.5 Social Media

We maintain online presences on social networks and process user data in this context to communicate with active users or provide information about our company.

When you visit or interact with a social media profile, your personal data may be processed. Information linked to a social media profile is generally considered personal data, including messages and posts made using the profile. Additionally, certain technical data may be automatically collected during your visit to a social media profile, which may also qualify as personal data.

a) Affected Data

  • Personal identification data (e.g., name, title)

  • Address data (e.g., street, house number, postal code, city, country)

  • Contact data (e.g., phone number, email)

  • Content data (e.g., form submissions, comments, messages)

  • Usage data (e.g., visited web pages, interest in content, access times)

  • Meta/communication data (e.g., device information, IP addresses)

b) Purpose of Processing and Legal Basis

We process your data for:

  • Handling contact requests and communication

  • Tracking (e.g., interest/behavior profiling, use of cookies)

  • Remarketing and retargeting

  • Measuring reach and engagement (e.g., tracking visitor statistics, identifying returning users)

The legal basis for this processing is our legitimate interest under Art. 6(1)(f) GDPR.

c) Recipients of Your Data

For a detailed overview of data processing and opt-out options, please refer to the privacy policies of the respective social media platforms.

If you wish to exercise your data subject rights, we recommend contacting the respective platform providers directly, as they have direct access to the data and can take necessary actions.

Facebook

We are jointly responsible with Facebook Ireland Ltd. for collecting data from visitors to our Facebook page ("Fanpage"), but not for subsequent data processing. The collected data includes:

  • User interactions (e.g., content views, engagement, actions taken)

  • Device data (e.g., IP addresses, operating system, browser type, language settings, cookie data)

Facebook also collects and processes data to provide "Page Insights", which offer analytics on user interactions with our page and its content.

We have entered into a special agreement with Facebook regarding Page Insights (see: Facebook Page Controller Addendum), which regulates security measures and Facebook's obligation to respect data subject rights (e.g., users can request data access or deletion directly from Facebook).

For more information, see Facebook's privacy policy: Facebook Privacy Policy.

Processed Data Categories

  • Contact data (e.g., email, phone numbers)

  • Content data (e.g., form entries, messages)

  • Usage data (e.g., visited websites, content interactions, access times)

  • Meta/communication data (e.g., device information, IP addresses)

Affected Individuals

  • Users of our social media pages and online services

Purpose of Processing

  • Handling contact requests and communication

  • Collecting feedback (e.g., via online forms)

  • Marketing and engagement tracking

Legal Basis

  • Legitimate interests (Art. 6(1)(f) GDPR)

Service Providers Used:

Instagram

  • Provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA

  • Parent company: Meta (Facebook), 1 Hacker Way, Menlo Park, CA 94025, USA

  • Website: www.instagram.com

  • Privacy policy: Instagram Privacy Policy

Facebook

3.6 Cookies

Cookies are text files containing data from visited websites or domains, which are stored by a browser on the user's computer. The primary purpose of a cookie is to store information about a user during or after their visit to an online service. Stored data may include language preferences, login status, or shopping cart details. The term "cookies" also includes other technologies that perform the same functions (e.g., when user information is stored via pseudonymous online identifiers, also known as "user IDs").

a) Types and Functions of Cookies

  • Temporary Cookies (Session Cookies): These cookies are automatically deleted once the user leaves an online service and closes their browser.

  • Permanent Cookies: These cookies remain stored even after closing the browser. They enable websites to remember login statuses, preferred content or store user interests for marketing and analytics purposes.

  • First-Party Cookies: These cookies are set by our website directly.

  • Third-Party Cookies: These cookies are primarily used by advertisers (third parties) to process user information.

  • Essential Cookies: Some cookies are strictly necessary for a website to function properly (e.g., saving login details, ensuring security).

  • Analytics, Marketing & Personalization Cookies: Cookies are often used to measure website traffic or track user behavior (e.g., viewed content, used features). Such profiles help display content tailored to user interests. This practice is also referred to as "tracking". If we use cookies or tracking technologies, we will inform you separately in our privacy policy or during the consent process.

b) Legal Basis for Using Cookies

The legal basis for processing your personal data via cookies depends on whether we require your consent.

  • If you give consent, the legal basis is Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR.

  • If consent is not required, data processing via cookies is based on our legitimate interests (Art. 6(1)(f) GDPR) (e.g., ensuring the functionality and improvement of our online services) or Art. 6(1)(b) GDPR when cookies are essential to fulfill contractual obligations.

c) Duration of Data Storage

Unless we explicitly inform you about the storage duration of permanent cookies (e.g., during cookie consent management), cookies are stored only as long as necessary to achieve the respective processing purpose.

d) Withdrawing Consent & Opt-Out Options

Depending on whether the processing is based on consent or legal permission, you have the right to withdraw your consent or object to data processing via cookies ("Opt-Out") at any time.

You can disable cookies in your browser settings, but this may limit the functionality of our online services.

e) Cookie Data Processing Based on Consent

We use a cookie consent management system that allows users to give, manage, and withdraw consent for cookie usage. The consent declaration is stored to prevent repeated requests and to comply with legal requirements for consent tracking.

Storage may occur server-side or in a cookie (Opt-In Cookie) to assign consent to a specific user or device.

4. Data retention

Unless a specific retention period has been specified for a particular data processing activity in Section 3, the following applies:

4.1 General retention principle

We generally store personal data only for as long as necessary to fulfill contractual or legal obligations for which the data was collected. Once these obligations are met, we immediately delete the data, unless we need it until the expiration of the statutory limitation period for evidence purposes in civil claims or due to legal retention obligations.

4.2 Retention for evidence purposes

For legal evidence purposes, we must retain contract data for up to three years from the end of the year in which the business relationship with you ended. Any legal claims typically expire at the earliest after this period.

Legal basis: Article 6(1)(f) GDPR (Legitimate Interest).

4.3 Retention for Accounting and Legal Compliance

After this period, some of your data must still be stored for accounting and legal compliance. We are legally required to document business records under laws such as the Commercial Code (HGB) and the Tax Code (AO).

  • Retention periods for such records range from two to ten years.

  • Legal basis: Article 6(1)(c) GDPR (Legal Obligation).

5. International data transfers

In some cases, the personal data we collect from you may be processed outside the European Economic Area (EEA). These countries may not provide the same level of data protection as the EEA. However, we are committed to ensuring that personal data processed by us and our partners outside the EEA is protected in the same way as if it were processed within the EEA.

When your data is processed outside the EEA, we implement specific safeguards to ensure protection. We guarantee a similar level of security by ensuring that at least one of the following protective measures is in place:

  • Your personal data is transferred only to countries that the European Commission has deemed to provide an adequate level of data protection (Article 45 GDPR).

  • We use EU-approved Standard Contractual Clauses (SCCs) to ensure appropriate protection.

  • An exception under Article 49 GDPR applies.

  • Suitable guarantees under Article 46 GDPR are in place.

6. Security

a) Robust security measures

We implement strong technologies and policies to ensure that your Personal Data is adequately protected.

b) Protection against unauthorized access

We take appropriate measures to safeguard your data from unauthorized access, unlawful processing, accidental loss, destruction, and damage.

c) Limitations of internet data transmission

Unfortunately, data transmission over the internet is not entirely secure. While we take necessary measures to protect your Personal Data, we cannot guarantee complete security of the information you transmit to us. Any transmission is at your own risk.

Once we receive your data, we apply strict procedures and security measures to prevent unauthorized access.

7. User Rights

Under data protection laws, you have several rights regarding the Personal Data we store about you. If you wish to exercise any of these rights, please contact us using the contact details provided above.

a) Right to information

You have the right to receive clear, transparent, and easily understandable information about how we use your data and what rights you have (Articles 13 & 14 GDPR). This is why we provide you with this privacy policy.

b) Right of access

You have the right to request access to your personal data (Article 15 GDPR). This allows you to check whether we are processing your data in compliance with data protection regulations.

c) Right to rectification

You have the right to request correction of your data if it is incorrect or incomplete (Article 16 GDPR). You can ask us to correct any errors in the data we store about you.

d) Right to erasure ("Right to be forgotten")

You have the right to request deletion or removal of certain Personal Data stored about you (Article 17 GDPR). However, this right is not absolute and only applies under specific circumstances.

e) Right to restriction of processing (Data Blocking)

You have the right to restrict or block the further use of your Personal Data (Article 18 GDPR). If processing is restricted, we may still store your data but not process it further.

f) Right to Data portability

You have the right to receive your Personal Data in a structured, accessible, and transferable format so that you can reuse it with other service providers (Article 20 GDPR). However, this right is not absolute and is subject to certain exceptions.

g) Right to Lodge a Complaint with a Supervisory Authority

If you are dissatisfied with how we handle your data, you have the right to file a complaint with a competent data protection authority (Article 77 GDPR).

h) Right to withdraw consent

If you have given us consent for processing your data (and we rely on that consent as the legal basis for processing), you have the right to withdraw it at any time with effect for the future (Article 7 GDPR). This does not affect the lawfulness of processing carried out before the withdrawal.

i) Right to Object to Processing

You have the right to object to the processing of your Personal Data if it is based on Article 6(1)(e) or (f) GDPR (Article 21 GDPR). This includes direct marketing and related profiling.

We do not use automated decision-making or profiling as described above.

Special Notice on the Right to Object (Article 21(4) GDPR)

You have the right to object at any time to the processing of your Personal Data based on Article 6(1)(e) or (f) GDPR, including profiling based on these provisions, if reasons arise from your particular situation.

If you object, we will no longer process your Personal Data, unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms or the processing serves the establishment, exercise or defense of legal claims.

If Personal Data is processed for direct marketing purposes, you have the right to object at any time to the processing of your Personal Data for such purposes. This also applies to profiling in connection with direct marketing.

8. Changes to This Privacy Policy

We encourage you to regularly review the contents of our privacy policy. We will update this privacy policy whenever changes in our data processing practices make it necessary.

We will inform you if any changes require your action (e.g., providing consent) or any other individual notification.

If this privacy policy includes addresses and contact information of companies or organizations, please note that addresses may change over time. We recommend verifying the information before reaching out to us.

9. Obligation to Provide Data

Unless explicitly stated at the time of collection, the provision of your data is not mandatory or required. Such an obligation may arise from legal requirements or contractual agreements.

Failure to provide necessary personal data will typically result in an inability to enter into a contract and/or our inability to provide the requested service.

We will assess, on a case-by-case basis, whether the provision of personal data is legally or contractually required, whether there is an obligation to provide it and what the consequences of not providing the data would be.

10. Complaints

If you are not satisfied with our response to a complaint or believe that our processing of your data is not in compliance with data protection laws, you have the right to file a complaint with:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
Phone: +49 30 13889-0
Email: mailbox@datenschutz-berlin.de

Since TastyUrban is headquartered in Berlin, you may also file a complaint with any other competent data protection authority.

Last update: March 2025
