Privacy policy

VielfaltMenü GmbH (hereinafter “VielfaltMenü”) and its subsidiaries (VielfaltMenü Verwaltungs GmbH, VielfaltMenü Service GmbH & Co.KG), Berlin office, Oberlandstraße 13-14, 12099 Berlin, Tel: +49 (0) 34946694400; E-Mail: Servicecenter@vielfaltmenue.com provides information here about the processing of personal data carried out by us.

You can reach our data protection officer by e-mail at: datenschutz@vielfaltmenue.com.

Below we have compiled the most important information on typical data processing for you, broken down by data subject group. For certain data processing operations that only affect specific groups, the information obligations are fulfilled separately.

Where the term “data” is used in the text, only personal data within the meaning of the GDPR is meant.

Visitors to the website
Visitors to the VielfaltMenü social media profiles
Customers with their own profile on the VielfaltMenü website
Customers and contact persons there
Communication partners
Rights of data subjects and further information

1. visitors to the website

1.1 Server log data

When using the website, certain information is sent to the server of our website by the browser used on the end device for technical reasons. This data is stored and processed on our server.

(i) We process the data listed below for the purpose of providing the content accessed on the website, to ensure the security of the IT infrastructure used, to rectify errors, to enable and simplify searches on the website and to manage cookies. There are no plans to change this purpose.

(ii) The processed data is HTTP data: HTTP data is protocol data that is generated for technical reasons when the website is accessed via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access. HTTP(S) data is also collected on the servers of service providers (e.g. when third-party content is accessed).

(iii) The legal basis for the processing is our legitimate interest in the technical operation of a website in accordance with Art. 6 para. 1 lit. f GDPR.

(iv) The data is automatically provided by the data subject’s browser.

(v) Recipients of the personal data are IT service providers that we use within the framework of an order processing agreement.

(vi) IP addresses are anonymized at the end of the session. Pseudonymous usage data will be deleted after 14 days at the latest.

(vii) It is not possible to use the website without disclosing personal data – such as the IP address. Communication via the website without providing data is not technically possible.

1.2 Technically required cookies

We use cookies on the website. Cookies are small text files that can be stored on the respective end device via the browser when the website is visited. When the website is called up again with the same end device, we can read and process the information stored in cookies. In doing so, we use the processing and storage functions of the end device’s browser and collect information from the end device’s browser memory.

In the structure of this privacy policy, we distinguish between technically necessary cookies, statistics cookies, marketing cookies and content from external media. Cookies that are technically necessary for the function of the website cannot be deactivated via the cookie management function of this website. However, cookies can generally be deactivated in the respective browser at any time. Different browsers offer different ways to configure the cookie settings in the browser. However, we would like to point out that some functions of the website may not work or may no longer work properly if cookies are generally deactivated in the respective browser.

a) Session cookies

We use so-called session cookies to manage the registration on the competition platform and the technical presentation of the images on the website. These enable us to save individual settings and certain decisions or actions of visitors for the duration of their visit (e.g. login).

(i) The purposes of data processing are to enable login and individual settings and the technical presentation of content and images on the website.

(ii) The processed data are data relating to the account on the competition platform and the individual settings as well as http data. This is protocol data that is generated via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons. This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access. HTTP(S) data is also collected on the servers of service providers (e.g. when third-party content is accessed).

(iii) The legal basis for the processing is our legitimate interest in the provision of the individual sessions (Art. 6 para. 1 lit. f GDPR and § 25 para. 2 no. 2 TTDSG).

(iv) The data is automatically provided by the data subject’s browser.

(v) Recipients of the personal data are IT service providers that we use within the framework of an order processing agreement.

(vi) The cookie is only set after a successful login and is automatically deleted when you log out. Otherwise, the cookie expires automatically after 24 hours.

(vii) It is not possible to use the website without disclosing personal data. Communication via the website without providing data is not technically possible.

b) Matomo Tag Manager

The Matomo Tag Manager enables us to manage cookies and control their placement. This allows us to, for example, implement the consent of the user, a withdrawal of consent or an opt-out.

(i) The purpose of the data processing is to control the display of statistics and marketing cookies on our website and to ensure the security of the application. There are no plans to change the purposes.

(ii) The processed data is HTTP data. This is protocol data that is generated via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons. This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access. HTTP(S) data is also collected on servers of service providers (e.g. when accessing third-party content). Your IP address is automatically anonymized during processing.

(iii) The legal basis for the processing is our legitimate interest in the simple and reliable control of cookies and the legally compliant presentation of the cookie notice text (Art. 6 para. 1 lit. f GDPR, § 25 para. 2 no. 2 TTDSG).

(iv) The data is automatically provided by the data subject’s browser.

(v) For the provision of services, in particular for the provision, maintenance and care of IT systems, we use service providers within the framework of an order processing agreement. The recipient of the data as part of the order processing is InnoCraft Ltd, 7 Waterloo Quay, PO Box 625, 6140 Wellington, New Zealand. An adequacy decision has been issued by the European Commission for New Zealand (Art. 45 (3) GDPR). We only use Matomo products on premise.

(vi) IP addresses are anonymized after 24 hours at the latest. Pseudonymized usage data is deleted after 12 months.

(vii) The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation to provide the data. If the data is not provided, we cannot use the Matomo Tag Manager.

c) Consent cookies

We use so-called consent cookies to store the respective consents, possible revocations of consents and objections to the use of cookies by users of our website.

(i) The purpose of data processing is the storage of visitors’ decisions regarding cookies (consent, revocation, opt-out).

(ii) The data processed are:

HTTP data: This is protocol data that is generated for technical reasons when the website is accessed via the Hypertext Transfer Protocol (Secure) (HTTP(S)). This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access. HTTP(S) data is also collected on servers of service providers (e.g. when accessing third-party content).
Decisions on cookies: Decision on individual cookies or groups of cookies, time of decision and last visit.

(iii) The legal basis for the processing is our legitimate interest in the simple and reliable control of cookies in accordance with the visitor’s decision (Art. 6 para. 1 lit. f GDPR and § 25 para. 2 no. 2 TTDSG).

(iv) The data is actively provided by the data subject (decision on cookies) or automatically by the data subject’s browser (log data, time stamp).

(v) The recipients of the data are IT service providers that we use within the framework of an order processing agreement.

(vi) The data will be deleted after one year.

(vii) It is not possible to use the website without disclosing personal data. Communication via the website is not technically possible without providing data.

1.3 Statistics cookies

In the structure of this privacy policy, we differentiate between technically necessary cookies, statistics cookies, marketing cookies and external media content. Depending on their function and purpose, the use of certain cookies may require the consent of the person using them. Your consent is given by means of a so-called “cookie banner”: When you visit our website, we display our cookie banner. In our cookie banner, you can give your consent to the use of all cookies requiring consent on this website by clicking on the “Allow all” button. Without such consent, the cookies requiring consent will not be activated. By clicking on the “Settings” and “Allow selection” button, you can also completely reject the use of cookies requiring consent (“Reject all”). Your decision will be saved in a cookie. In the cookie board via the “Settings” button, you can make an individual selection of cookies and customize them at a later date. We store your cookie settings in the form of a cookie on your end device in order to determine whether you have already made cookie settings when you visit the website again.

a) Matomo (on premise)

We use the web analysis tool Matomo (on premise) on our website. With the help of Matomo, we can analyze your usage behavior on our website in pseudonymized and anonymized form.

You can deactivate data processing by Matomo at any time in our “Cookie Board”. Alternatively, you can deactivate Matomo cookies for the browser you are currently using by deactivating the storage of cookies in your browser settings.

(i) The purpose of data processing is to analyze user behavior and measure the reach of our website and advertising in order to optimize our website. There are no plans to change the purposes.

(ii) The data or information processed are:

HTTP data: This is data that is generated for technical reasons when using the web analysis tool Matomo used on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page accessed and URL, the previously visited page (referrer URL), the set language, date and time of access.
Location data (based on anonymized IP address): Such data may include country, region and city.
Data generated for web analysis and assigned to your device: This includes the user ID. Such a user ID is a function in Matomo that enables us to link certain data about you that has been collected from multiple devices and browsers.
Interaction and event tracking data: Such data is generated from your interactions with features on our website.
Measurement and reporting data: Data contained in aggregated segment and device-related reports.

(iii) The legal basis for the processing is your consent (Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TTDSG).

(iv) The data is provided automatically by the visitor’s browser.

(vi) The data will be deleted after 12 months at the latest.

(vii) The provision of data is not required by law or contract or necessary for the conclusion of a contract. You are not obliged to provide the data. If you do not provide the data, we will not be able to analyze your usage behavior.

b) Clarity (Session Replay, Heatmaps and ML Insights)

If you have given your consent to this, we use the Clarity tool from Microsoft on our website.

As part of the use of this tool on our advertising site, we work with Microsoft Clarity and Microsoft Advertising to track how you use and interact with our website. This works using behavioral metrics, heatmaps and session replay to improve the VielfaltMenü experience. We would like to point out that the use of Clarity on our website also enables Microsoft to collect and process your usage data, which Microsoft processes under its own separate responsibility under data protection law. Further information on data processing by Microsoft can be found in Microsoft’s privacy policy: https://about.meta.com/de/actions/protecting-privacy-and-security/

You can deactivate data processing by Clarity at any time in our “Cookie Board”. Alternatively, you can deactivate Clarity for the browser you are currently using by deactivating the storage of cookies in the browser settings.

(i) The purpose of data processing is to evaluate usage behavior on our website by means of session replay, heat maps and ML Insights and to enable Microsoft to collect and process your usage data on our website. The purposes of processing by Microsoft are determined solely by Microsoft: https://privacy.microsoft.com/de-de/privacystatement

(ii) The data processed are:

Metadata information about the payload and the page
Information about user interactions on the website. This is used for analysis and the reproduction of interactions. Clarity collects the following types of events.
– Interaction events: Click, scroll, mouse movement, window resizing, selection, input, etc.
– Diagnostic events: Script and image errors, logs, performance events, etc.
– Page events: Document sizes, page visibility, page unload, metrics and page dimensions.
– User-defined events: User-defined variables/events that are set by the website based on a specific event.
Information about the DOM (Document Object Model) and mutation events. Used for the replay of sessions. The data contains information about each DOM node, such as:
– Position information: parent node, position, previous node, etc.
– Layout details: attributes, height and width of the node used for the display.
– Content: the content of the node. For privacy-sensitive fields, this is the masked content and not the actual text.

(iii) The legal basis for the processing is your consent (Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TTDSG).

(iv) The data is provided automatically by the visitor’s browser.

(v) The recipient of the data is Microsoft Ireland Operations Limited as a separate controller for the collection and processing of personal data by Microsoft Clarity. It cannot be ruled out that Microsoft Ireland Operations Limited will transfer personal data to the USA. As a separate controller, Microsoft Ireland Operations Limited is responsible for ensuring appropriate
data protection safeguards for the transfer of data.

(vi) Information on click data (i.e. data displayed on the Clarity portal or aggregated data per page on the website, such as the URL, the user ID and the pointer distance) is deleted after 13 months, playback data (i.e. the data collected for the playback of recordings) is deleted after 30 days and sessions that have been enabled or favorited are also deleted after 13 months. Information about Microsoft’s retention periods can be found in Microsoft’s privacy policy linked above; VielfaltMenü has no influence on this.

1.4 Marketing cookies

a) Google Ads (Conversion)

If you have given your consent, we use Google Ads (Conversion) Tracking on our website. Google Ads (Conversion) enables us to monitor the success of ads placed via Google.

You can deactivate data processing by Google Ads (Conversion) at any time in our “cookie board” or install a browser plug-in from Google that prevents data collection by Google Ads (Conversion): http://tools.google.com/dlpage/gaoptout?hl=de. Alternatively, you can deactivate Google Ads (Conversion) for the browser you are currently using by deactivating the storage of cookies in the browser settings.

(i) The purpose of data processing is to track the reach of ads placed via Google (AdWords). If you click on our ad placed via Google, Google stores a cookie for conversion tracking on your end device. If you then visit our website linked in the ad and the cookie has not yet expired, we can recognize that you clicked on the ad and were redirected to our website. We can only recognize clicks on our own ads, not any clicks on ads from other Google customers. Google uses the cookies to bill us for advertising costs, among other things. We only receive the evaluations and other information in aggregated, anonymized form and cannot assign the information to any natural person. There are no plans to change the purposes.

(i) The data processed are:

Google Ads log data: This is data that is generated for technical reasons when using the Google AdWords tool used on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access.
Usage data: Usage data includes clicks on ads, time spent on the website and information about websites visited.
Conversion event: The results of the conversion are summarized in the conversion event.

(ii) The legal basis for the processing of personal data via our website by Google Ads (Conversion) is your consent (Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TTDSG).

(iii) The data is provided automatically by your browser.

(iv) The recipient of the data is Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) as part of the order processing. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as a service provider. Google has concluded the EU standard contractual clauses (2021/914; Module 3) to protect your data and has agreed additional security precautions. You can request a copy of the main contractual contents of the EU standard contractual clauses at any time.

(v) The cookies lose their validity after 30 days, do not contain any personal data apart from the cookie ID and are not used to identify you personally.

(vi) The provision of the data is not required by law or contract or necessary for the conclusion of a contract. You are not obliged to provide the data. If you do not provide the data, we will not be able to carry out Google Ads tracking.

b) Microsoft Advertising Conversion Tracking

If you have given your consent to this, we enable Microsoft Ireland Operations Limited (“Microsoft”) to collect data for so-called “Microsoft Advertising Conversion Tracking” via our website. Microsoft Advertising Conversion Tracking is an analysis service from Microsoft. When you click on an ad placed via Microsoft Advertising, Microsoft stores a conversion tracking cookie on your device. If you then visit the website linked in the ad and the cookie has not yet expired, Microsoft and the company that placed the ad can recognize that you clicked on the ad and were redirected to the page. We can only recognize clicks on our own ads, not any clicks on ads from other Microsoft customers. Microsoft uses cookies to bill us for advertising costs, among other things.

However, we do not receive any information from Microsoft with which you can be personally identified. The collection and processing of this data is the sole responsibility of Microsoft. Microsoft only provides us with aggregated, anonymized evaluations or other information based on the data collected. We cannot assign the information provided to us to any natural person.

We have no knowledge of the details of the processing of personal data in Microsoft’s area of responsibility. Information about the processing of personal data by Microsoft can be found in the Microsoft Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement.

You can deactivate data processing by Microsoft Advertising Conversion Tracking for the browser you are currently using at any time in our “Cookie Board”. Alternatively, you can deactivate Microsoft Advertising Conversion Tracking for the browser you are currently using by deactivating the storage of cookies in the browser settings.

The controller for data processing is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

(i) The purpose of Microsoft Advertising Conversion Tracking is to enable Microsoft to collect and process your usage data on our website. The purposes of processing by Microsoft are determined solely by Microsoft: https://privacy.microsoft.com/de-de/privacystatement

(ii) The processed data are, according to Microsoft:

Microsoft Advertising protocol data: This is data that is generated for technical reasons when the Microsoft Advertising tool used on the website is used via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access.
Usage data: Usage data includes clicks on ads, time spent on the website and information about websites visited.
Conversion event: The results of the conversion are summarized in the conversion event.

(iii) The legal basis for enabling the collection of personal data via our website by Microsoft is your consent (Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TTDSG). We do not process any personal data in our area of responsibility. We have no knowledge of the details of data processing in Microsoft’s area of responsibility, in particular the legal basis used by Microsoft for processing.

(iv) The conversion tracking data is generated independently by Microsoft. We do not know whether Microsoft uses other data sources.

(v) The recipient of the data is Microsoft Ireland Operations Limited as the controller responsible for the collection and processing of personal data by Microsoft Advertising Conversion Tracking. It cannot be ruled out that Microsoft Ireland Operations Limited will transfer personal data to the USA. As an independent controller, Microsoft Ireland Operations Limited is responsible for ensuring appropriate
data protection guarantees for the data transfer.

(vi) The cookies lose their validity after 30 days and, according to Microsoft, do not contain any personal data other than the cookie ID and are not used to identify you personally. We do not collect or store this data ourselves. The collection and processing of this data is the responsibility of Microsoft.

(vii) The provision of data is not required by law or contract or necessary for the conclusion of a contract. You are not obliged to provide the data. If you do not provide the data, Microsoft will not be able to carry out conversion tracking.

c) Meta Pixel

If you have given your consent to this, we use the so-called “Meta pixel”. This involves the use of cookies from Meta Platforms Ireland Limited, Harbour, D2, 4 Grand Canal Quay, Square, Dublin, Ireland (“Meta”). The “meta pixel” enables Meta to collect information about your activities on our website, among other things. By integrating the “Meta Pixel”, we enable Meta to collect personal data.

However, we do not receive any information from Meta with which you can be personally identified. The collection and processing of this data takes place exclusively within Meta’s area of responsibility after you have given your consent. Meta only provides us with the evaluations or other information created on the basis of the data collected in aggregated, anonymized form. We cannot assign the information provided to us to any natural person.

We have no knowledge of the details of the processing of personal data in Meta’s area of responsibility. Information about Meta’s processing of personal data can be found in Meta’s data policy: https://de-de.Meta.com/about/privacy/.

You can deactivate data processing by Meta Pixel on our website at any time in our “Cookie Board”. Alternatively, you can deactivate Meta Pixel for the browser you are currently using by deactivating the storage of cookies in the browser settings. You can also use WebChoices: Digital Advertising Alliance’s Consumer Choice Tool for Web US (aboutads.info) to prevent the setting of meta cookies.

The controller for data processing is Meta Platforms Ireland Limited, Harbour, D2, 4 Grand Canal Quay, Square, Dublin, Ireland.

(i) The purpose of the Meta Pixel is to enable Meta to collect and process your usage data on our Website. The purposes of the processing by Meta are determined solely by Meta https://de-de.facebook.com/privacy/policy/

(ii) The processed data are, according to Meta:

Meta pixel protocol data: This is data that is generated for technical reasons when using the meta pixel used on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access.
Meta pixel end device data: Data that is assigned to your end device by the meta pixel: This includes a unique ID for (re-)recognizing returning users.
Meta pixel event data: This is data that Meta collects through the meta pixel by assigning it to the unique visitor ID of the respective visitor contained in the meta pixel end device data: This includes actions that take place on the website (so-called “events”). These include, for example, conversions, link clicks and page views. This also includes information associated with the respective actions recorded (so-called “parameters”). This includes, for example, the submission of contact details or the downloading of documents.
Meta Pixel Analytics Data: Data that Meta generates based on the information collected by the meta pixel by associating it with your unique user ID contained in the meta pixel end device data: This includes information about the effectiveness of Meta advertisements and mappings of users to target groups for Meta advertisements. Meta may generate additional data for its own purposes or for the purposes of third parties based on the information collected. We have no knowledge of the details of the data generated by Meta.

(iii) The legal basis for enabling the collection of personal data via our website by Meta is your consent (Art. 6 para. 1 lit. a) GDPR, § 25 para. 1 TTDSG). We do not process any personal data in our area of responsibility. We have no knowledge of the details of the processing of the data in Meta’s area of responsibility, in particular the legal basis used by Meta for the processing.

(iv) The Meta Pixel analysis data is generated independently by Meta. We do not know whether Meta uses other data sources.

(v) The recipient of the data collected via our website is Meta Platforms Ireland Limited as the controller responsible for the collection and processing of personal data. Meta Platforms Ireland Limited in turn uses Meta Platforms Inc. in the USA (1 Hacker Way, Menlos Park, CA 94025, USA) as a service provider. As an independent controller, Meta Platforms Ireland Limited is responsible for ensuring appropriate data protection safeguards for the transfer of data.

(vi) We do not collect or store this data ourselves. The collection and processing of this data is the responsibility of Meta. We have no knowledge of the storage period.

(vii) The provision of data is not required by law or contract or necessary for the conclusion of a contract. You are under no obligation to provide the data. If the data is not provided, Meta will not be able to offer the Meta Pixel function.

(viii) We do not use automated decision-making in our area of responsibility. We have no knowledge of the details of data processing in Meta’s area of responsibility, in particular of any automated decision-making.

1.5 Contents of external media

Youtube embedding and Google Fonts

If you click on the YouTube videos to play them or activate the corresponding fields in the cookie banner to display the content, you agree that we allow Google, as the provider of the YouTube service, to collect data for its own purposes. We do this by embedding videos stored on YouTube on our website. The collection and processing of this data is the sole responsibility of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as a service provider.

As soon as you click on the YouTube videos to play them or activate the corresponding fields in the cookie banner, the video is loaded from the YouTube server. YouTube receives all the information that your browser automatically transmits (including your IP address).

YouTube also sets its own cookies on your end device (e.g. Google Fonts cookies or other cookies). This also happens if you do not have a YouTube user account. If you are logged in to YouTube or Google, your data will be assigned directly to your respective account. If you do not wish to be associated with your YouTube or Google user account, you must log out of YouTube and Google before clicking on the video file of the corresponding YouTube video or the slider in the cookie banner.

The collection and processing of this data is the sole responsibility of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as a service provider. We have no knowledge of further details of the processing of personal data in Google’s area of responsibility or of possible data processing in the USA. We have no influence on Google’s data processing.

Information about the processing of personal data by Google can be found in the Google privacy policy: https://policies.google.com/privacy

2. visitors to the VielfaltMenü social media profiles

VielfaltMenü has profiles on social media. The social media platforms are operated by service providers who process the data for the provision of such sites.

(i) The purpose of data processing on our social media profiles is to provide interesting content and to interact with visitors on social media platforms. Depending on the social media service, the usage data may also be analyzed in order to improve our social media presence.

(ii) The data processed is content and usage data on such social media profiles.

(iii) Information and data displayed or shared on VielfaltMenü’s social media profiles may be accessible to the respective operator of the social media platform, its users or contracted service providers.

(iv) Further details on data processing are set out below:

Instagram:
We and Meta Platforms Ireland Limited, 4 Grad Canal Square, Dublin 2, Ireland (hereinafter “Meta”) as the provider of Instagram are jointly responsible for the processing of personal data via the Instagram profile of VielfaltMenü. The joint controllership agreement is available at: https://www.facebook.com/legal/terms/page_controller_addendum. Under the agreement, Meta is responsible for informing the data subjects about the processing. Instagram’s privacy policy is available at: https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect. Data subjects may exercise their rights against any of the data controllers, VielfaltMenü and/or Meta. Further information about the data that Meta shares with VielfaltMenü can be found at https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect. The legal basis for the processing of data by VielfaltMenü is our legitimate interest in analyzing usage data to improve VielfaltMenü’s Instagram profile (Art. 6 para. 1 lit. f) GDPR).

LinkedIn:
We and LinkedIn (for users in the EU/EEA: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland) are jointly responsible for the processing of personal data via the VielfaltMenu Linkedin profile. The joint controllership agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum. According to the agreement, LinkedIn is responsible for informing the data subjects about the processing activities. LinkedIn’s privacy policy is available at: https://www.linkedin.com/legal/privacy-policy. Data subjects may assert their rights against any of the data controllers, VielfaltMenü and/or LinkedIn. Further information about the data that LinkedIn shares with VielfaltMenü can be found at https://www.linkedin.com/help/linkedin/answer/a547077/viewing-company-page-analytics?lang=de. The legal basis for the processing of data by VielfaltMenü is the legitimate interest in analyzing usage data to improve VielfaltMenü’s LinkedIn profile (Art. 6 para. 1 lit. f) GDPR).

YouTube:
We operate a channel on the YouTube platform. The collection and processing of this data is the sole responsibility of Google (for EU/EEA Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as a service provider). We are not aware of any further details of the processing of personal data in the area of data control by Google or possible data processing in the USA. VielfaltMenü has no influence on Google’s data processing. Information on the processing of personal data by Google can be found in Google’s privacy policy: https://policies.google.com/privacy

3. customers with their own profile on the VielfaltMenü website or in the app

On the VielfaltMenü website and in the app, customers can create a corresponding profile and then place orders.

(i) We process the data for the purpose of enabling the use of the VielfaltMenü platform and app and offering an ordering option.

(ii) The data processed are:

Registration and profile data: The data includes your customer number and a password
Data of meal participants for meal orders: The data includes name, date of birth, class and group, status of pupil or child or teacher or details of the company.
Order details: This includes the meals, quantity, purchase price, further details on the order and output
Data of the contractual partners: The data includes name, date of birth, address, contact details such as telephone and e-mail as well as invoice data, order date
IP address
Date and time of registration/login

(iii) In the case of contracts with natural persons, the legal basis for processing is the performance of the respective contract (Art. 6 para. 1 lit. b GDPR), as well as our legal obligations, in particular tax and commercial law regulations (Art. 6 para. 1 lit. c) GDPR). The legal basis for the processing of your data as a contact person for customers who are not natural persons is our legitimate interest in communicating with our customers (Art. 6 para. 1 lit. f GDPR). In the case of information about products, the legal basis is our legitimate interest in carrying out advertising (Art. 6 para. 1 lit. f GDPR). The legal basis for the transmission of payment data to payment service providers is our legitimate interest in centrally controlled payment processing by a payment service provider (Art. 6 para. 1 lit. f GDPR).

(iv) When ordering meals, the data of the meal participants are provided by the contractual partner who places the orders via their profile. The IP address and the date and time of registration or login are automatically collected by the data subject’s browser. The other data is provided by the data subject themselves.

(v) We also use service providers within the scope of order processing for the provision of services, in particular for the provision, maintenance and servicing of IT systems. The recipient of the data in the context of order processing is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”). We have instructed Microsoft to use a European server location for data processing. However, in the event of disruptions and malfunctions, Microsoft can also access the servers in Germany from so-called third countries such as the USA in order to carry out maintenance work. Microsoft has concluded the EU standard contractual clauses (2021/914; Module 3) to protect your data. You can request a copy of the main contractual contents of the EU standard contractual clauses at any time. We use payment service providers such as PAYONE GmbH, Lyoner Straße 15, 60528 Frankfurt am Main, Germany. This provider processes the payment data as part of payment processing under its own responsibility under data protection law. The data protection information of PAYONE GmbH applies here: https://www.payone.com/DE-de/datenschutz

(vi) The information in the profile can be changed or completely deleted at any time, provided it is not relevant to the contract or booking. All contract and booking-related data is stored for a period of ten calendar years after the end of the contract in accordance with retention periods under tax and commercial law.

(vii) It is not possible to use the profile function on the VielfaltMenü website or app or to use the ordering option without providing data.

4. customers and contact persons there

(i) We process your data for the purpose of implementing the contractual relationship and for payment processing. This also includes advice, support, information about product innovations and new products. There are no plans to change the purposes.

(ii) The data processed are:

Data of meal participants for meal orders: The data includes name, date of birth, class and group, student or child or teacher or educator.
Order details: This includes the meals, quantity, purchase price, other details of the order and delivery
Data of the contractual partners: The data includes name, date of birth, address, contact details such as telephone and e-mail as well as invoice data, order date
Other contract data, unless it concerns food orders
Contract-relevant communication data

(iii) In the case of contracts with natural persons, the legal basis for processing is the performance of the respective contract (Art. 6 para. 1 lit. b GDPR), as well as our legal obligations, in particular tax and commercial law regulations (Art. 6 para. 1 lit. c GDPR). The legal basis for the processing of your data as a contact person for customers who are not natural persons is our legitimate interest in communicating with our customers (Art. 6 para. 1 lit. f GDPR). In the case of information about products, the legal basis is our legitimate interest in carrying out advertising (Art. 6 para. 1 lit. f GDPR). The legal basis for the transmission of payment data to payment service providers is our legitimate interest in centrally controlled payment processing by a payment service provider (Art. 6 para. 1 lit. f GDPR).

(iv) The data is provided either by the data subject themselves or their supervisor. In the case of meal orders, the data of the meal participants shall be provided accordingly by the contractual partner who places the orders.

(v) We use payment service providers such as PAYONE GmbH, Lyoner Straße 15, 60528 Frankfurt am Main. This provider processes the payment data as part of payment processing under its own responsibility under data protection law. The data protection information of PAYONE GmbH applies here: https://www.payone.com/DE-de/datenschutz In individual cases, data may be transmitted to debt collection service providers, lawyers and courts. We also use service providers as part of order processing for the provision of services, in particular for the provision, maintenance and servicing of IT systems.

(vi) All data relevant to the contract and bookings will be stored for a period of ten calendar years after the end of the contract in accordance with retention periods under tax and commercial law.

(vii) The provision of data is both legally and contractually obligatory for you. The contractual relationship cannot be established and executed without the provision of data.

5. communication partners and interested parties

(i) The purpose of the processing is the preparation and execution of a contractual relationship or other communication, including via our contact form on the website. There are no plans to change the purposes.

(ii) The processed data are name, contact details, communication content, time and technical metadata of the communication.

(iii) In the case of contracts with natural persons, the legal basis for processing your data is the initiation of a contract or the contract itself (Art. 6 para. 1 lit. b GDPR), in the case of contracts with legal entities, our legitimate interest in communicating with the contact persons relevant to the contract (Art. 6 para. 1 lit. f GDPR), and always legal obligations, in particular tax and commercial law regulations (Art. 6 para. 1 lit. c GDPR). In the case of pure communication, the legal basis is our legitimate interest in the documentation of communication processes (Art. 6 para. 1 lit. f GDPR).

(iv) The contact details are actively provided by the data subject themselves. The communication metadata and communication data are collected automatically.

(v) Contact and contract data may be transmitted to other service providers, business partners, offices and authorities if this is necessary for the performance of the contract or order. We also use service providers as part of order processing for the provision of services, in particular for the provision, maintenance and servicing of IT systems.

(vi) The data of contractual partners and service providers will be deleted ten calendar years after the end of the contract or order. Inquiries and pure communication are automatically deleted after ten calendar years.

(vii) The processing of the contact data of service providers and business partners is necessary in order to execute the contract or order. If the data is not provided, communication may be significantly disrupted. The provision of data is required for interested parties. Communication is not possible without providing data.

6. participants in surveys

If you have consented to take part in our surveys, we will send you the relevant links and content for the pseudonymous surveys. In the case of surveys specifically aimed at children or minors, the consent of a parent or guardian is always required.

(i) If you have consented to participation or, in the case of minors, to your child’s participation in surveys, we will process your data or your child’s data for the purpose of conducting and evaluating surveys. There are no plans to change the purposes.

(ii) The processed data includes the name of the person participating in the survey (unless it is a pseudonymous survey), the content of the survey, the timestamp of participation and the technical metadata of participation.

(iii) The legal basis for the processing of the data is your consent or, in the case of minors, the consent of the legal guardian (Art. 6 para. 1 lit. a GDPR).

(iv) Participants enter their name and the content of the survey themselves when they take part in the survey. The other data is transmitted automatically by your browser.

(v) We use service providers for the provision of services by way of order processing, in particular for the provision, maintenance and servicing of IT systems. We use the Microsoft Forms tool from the provider Microsoft Ireland Operations, Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18P521, Ireland, to conduct the surveys. Microsoft Ireland Operations, Ltd (MIOL) uses Microsoft Corporation in the USA (One Micrsoft Way, Redmond, Washington 98052, USA) as a service provider. MIOL has concluded the EU standard contractual clauses (2021/914; Module 3) with Microsoft Corporation and other subcontractors to protect data. You can request a copy of the main contractual contents of the standard contractual clauses at any time. In addition, Microsoft Corporation is certified in accordance with the EU-US Data Privacy Framework (Art. 45 GDPR).

(vi) The data will be deleted or completely anonymized two years after the survey has been conducted.

(vii) Participation in surveys is voluntary and not mandatory.

(viii) If the survey is a purely pseudonymous survey, we cannot identify you personally (Art. 11 GDPR). However, as participation in the survey is of course voluntary, you can cancel your participation in the survey at any time in order to withdraw your consent.

7. recipients of marketing communication

If you have consented to receiving marketing communications, you will receive information from us about our program and our projects. We also check the reach and success of our marketing communication using pseudonymized analyses. In addition, we contact the relevant contact persons at schools or other institutions whose contact details we have obtained from publicly accessible sources or databases. It is of course possible to unsubscribe from marketing communication at any time.

(i) If you have consented to receiving marketing communications or have been identified by us as the responsible contact person at schools or other institutions, we will process your data for the purpose of sending marketing communications and measuring the reach of marketing communications. There are no plans to change the purposes.

(ii) The data processed are:

Name, e-mail address
Protocol data: This is data that is generated for technical reasons when the marketing communication is opened via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access.
Marketing communication opening rates
Clicks within marketing communication
File downloads

(iii) The legal basis for the processing of your data is your consent (Art. 6 para. 1 lit. a) GDPR) or our legitimate interest in contacting responsible contact persons whose contact details are available in public sources or databases (Art. 6 para. 1 lit. f) GDPR).

(iv) You provide your contact details yourself when consenting to marketing communication; the other data for analysis is provided automatically by your browser. It is also possible that we receive the data of responsible contact persons from publicly accessible sources or databases.

(v) We also use service providers in the context of order processing for the provision of services, in particular for the provision, maintenance and care of IT systems. In particular, we use the Mailchimp service of the provider The Rocket Science Group LLC d/b/a Mailchimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA (“Mailchimp”) to send and organize marketing communications. We have concluded the EU standard contractual clauses (2021/914) with Mailchimp to protect your data. You can request a copy of the essential contractual contents of the EU standard contractual clauses at any time. In addition, Mailchimp and Celonis are also certified in accordance with the EU-US Data Privacy Framework (Art. 45 GDPR). If you click on a link of the appointment booking tool Calendly, Inc, 115 E Main St., Ste A1B, Buford, GA 30518 USA for the purpose of making an appointment via our marketing communication, you will be redirected to a Calendly appointment booking page. Calendly may set cookies here, over which we have no control. The privacy policy of Calendly https://calendly.com/legal/privacy-notice applies.

(vi) Data on the recipients of marketing communication will be deleted when you unsubscribe from marketing communication.

(vii) The provision of data is necessary for the receipt of marketing communications. We cannot send marketing communication without the provision of data. Consent can be withdrawn at any time. To do so, please use the unsubscribe function within the marketing communication.

8 Rights of data subjects and further information

(i) We do not use automated individual decision-making procedures.

(ii) There are no plans to change the above-mentioned purposes.

(iii) The right to request information about all personal data that we process from the data subject at any time.

(iv) If the personal data is incorrect or incomplete, there is a right to rectification and completion.

(v) The deletion of personal data can be requested at any time, unless we are legally obliged or entitled to continue processing the data.

(vi) If the legal requirements are met, the processing of personal data may be restricted.

(vii) You have the right to object to the processing insofar as the data processing is carried out for the purpose of direct marketing or profiling.

(viii) If the processing is carried out on the basis of a balancing of interests, the processing may be objected to, stating reasons arising from the particular situation of the data subject.

(ix) If the data processing takes place on the basis of consent or within the framework of a contract, there is a right to transfer the data provided by the data subject, provided that this does not adversely affect the rights and freedoms of other persons.

(x) If we process the data on the basis of a declaration of consent, you have the right to withdraw this consent at any time with effect for the future. The processing carried out before a revocation remains unaffected by the revocation.

(xi) You also have the right to lodge a complaint with a data protection supervisory authority at any time if the data subject considers that data processing has been carried out in breach of applicable law.

Status: April 2024