Privacy policy of VielfaltMenü GmbH

You agree that this translation is provided for your convenience only and that the German language version of this Privacy Notice prevails.

We at VielfaltMenü GmbH take the protection and confidentiality of your data seriously. We collect and use your personal data as set out in the legal framework, in particular the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Below we inform you in detail about how your data is handled.

1. Responsible parts and the Data Protection Officer

VielfaltMenü GmbH
Büro Wolfen
Sonnenallee 17-21
06766 Bitterfeld-Wolfen
Tel.: +49 (0)3494 6694 400
E-Mail: servicecenter@vielfaltmenue.com

Managing directors: Heiko Höfer, Holger Joachim Schmidt und András Maria von Kontz
www.vielfaltmenue.com

You can reach our data protection officer as follows:
E-Mail: datenschutz@vielfaltmenue.com

2. Personal data

Personal data refers to any information relating to an identified or identifiable natural person, or one that can be directly or indirectly identified by reference to a name, to an identification number, to location data, to an online identifier or to one or more factors specific to this person, which express the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.

3. Scope and source personal data

Our online offer is primarily intended for adults. Persons under the age of 18 should not transmit any personal data to us without the consent of their parent or legal guardian.

We may collect your personal data directly from you or from certain third parties, e.g. the educational institution (day care centre, school, etc.).

4. Provision of the website and creation of log files

You can visit our website any time without registering or providing any personal information. However, each time you access our website, our system automatically collects data and information from the computer you access it with.

Overview and scope of data processing: The following data is automatically collected when a page is accessed:

• Browsertyp und -version,
• verwendetes Betriebssystem,
• Website, von der aus Sie uns besuchen (Referrer URL),
• Website, die Sie besuchen,
• Datum und Uhrzeit Ihres Zugriffs,
• Ihre Internet Protokoll (IP)-Adresse.
  

Collecting data for provision of the website and data storage in log files is required for website operation.

Legal basis for data processing: The legal basis in Germany for the temporary storage of the data and the log files is Art. 6 para. 1 lit. f GDPR.

Purpose of data processing: Temporary storage of the IP address by the system is necessary to ensure a user can access the website on their computer. For this purpose, the user's IP address must remain stored for the duration of the session. Storage in the log files is to ensure functionality and stability of the website. In addition, we use data to optimise the website and to ensure the security of our information technology systems. This data is not evaluated for marketing purposes. These data processing purposes are according to Art. 6 Para. 1 of the GDPR.

Duration of storage: Data is deleted as soon as it is no longer required for purpose for which it was collected. For data collected to use the website, this applies when the session has ended. Data stored in log files is deleted after 14 days, at the latest.

5. Contact by email, phone or post

Data processing description and scope: It is possible to contact us by email, phone or post. In this case, your data transmitted by email, telephone or post will be stored.

Legal basis of data processing: The legal basis of data processing is our legitimate interest according to Art. 6 (1) lit. f GDPR. Our legitimate interest is to answer an enquiry by email, telephone or post. If the contact request is aimed at entering into a contract, the data may be processed according to Art. 6 (1) lit. b GDPR.

Purpose of data processing: Processing of personal data provided to by email, phone or post is exclusively used to process a contact request.

Duration of storage: The data is deleted as soon as it is no longer required for the intended purposed. For personal data transmitted by email, phone or post, this is the case when the respective exchange with the user has concluded. This is the case when the circumstances indicate the matter in question has been resolved. This does not apply if a deletion conflicts with legal or contractual obligations, in particular retention periods.

6. Registering or logging in on our website

Description and scope of data processing: You have the option to order meals on our website. To place an order, you must first cre-ate an account, or if you already have one, log in to your account. In the online registra-tion form, you enter personal information, which we save.

For the initial registration, it is necessary to enter information about the person we will serve meals to as well as the data of the contractual partner and, if applicable, the in-voice recipient.

When you create an account, you must also provide the name of the person we will be serving meals to as well as, for invoicing purposes, the school or day care centre we partner with.

We save the following information about each person dining with us:

• First name, surname
• Date of birth
• Class or group
• The characteristic pupil/child oder teacher/educator

We also save the following information for the contract partner and for an invoice recipient who differs from the contract partner:

• First name, surname
• Date of birth
• Address
• Contact information, such as telephone and email

If you pay by SEPA direct debit, your bank details such as IBAN and account holder name are also saved.

The following data is also saved at the time of account creation or login:

• Your IP address
• Date and time of account creation/login
  

Legal basis for data processing: Creating an account/logging in establishes and processes a contract between you and us, so that the legal basis for processing the data is Art. 6 (1) lit. b DS-GVO.

Purpose of data processing: The account creation enables you to order on our website. You are guided through the ordering process more quickly because we can access your stored personal information including, for example, different shipping and billing addresses. In addition, you can re-trieve orders from the past in your user account.

Duration of storage: Your personal information is deleted as soon as it is no longer required to achieve the purpose for which it was collected. At any time, you can request we delete your user ac-count immediately or you can change the information yourself. Personal information stored for creating an account will be deleted upon request, unless it's required to pro-cess your orders and/or there are legal storage obligations that prevent deletion. The ex-planations in section 7 apply to the storage of your order data.

7. Orders place on our website

Description and scope of data processing: For orders placed on our website, we collect, store and process the information saved in your user account in addition to the following:

• 
  Order details: meals ordered, quantity, purchase price
  
• Additional details on the order and delivery, if applicable

Legal basis for data processing: The legal basis for processing is Art. 6 para. 1 lit. b DS-GVO, as a contractual relation-ship has been established and processed with the data.

Purpose of data processing: Collection, storage and use of data transmitted as part of your order serve exclusively to execute and conclude the contract we have with you.

Duration of storage: The data is stored for the duration of the contractual relationship. It is possible that data will also be stored beyond this in accordance with the statutory tax and commercial legal obligations, usually for six or ten years.

8. Sharing personal data

We will not share your data to third parties unless you have given explicit prior consent, or the disclosure is required or permitted by law. Exceptions to this are VielfaltMenü GmbH's service partners who are required to work according to the contractual relationship and who have been commissioned by us to process personal data in accordance with our instructions under a contract processing agreement. We will neither sell your data to third parties nor pass it on to third parties for advertising purposes. Our employees are obliged to maintain confidentiality and to comply with data protection regulations.

9. Use of Cookies

Description and scope of data processing: Our website uses cookies. Cookies are small text files that are stored locally in the cache of your internet browser. Cookies allow an internet browser to be recognised. Cookies enable us to improve the comfort and quality of our services, for example by saving user settings. Cookies do not cause any damage to your computer and do not contain viruses.

It is also possible to use our website without cookies. You can deactivate storage of cookies in your internet browser, restrict them to certain websites, or set your internet browser to notify you before a cookie is saved. You can delete cookies from your computer's hard drive at any time using the security functions of your internet browser. In this case, the functions and user-friendliness of our website might be impacted.

Browsers allow you to block and delete cookies. The following links show you how to adjust the settings in the following common browsers:

Chrome: https://support.google.com/chrome/answer/95647?hl=de
Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen
Internet Explorer: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
Safari: https://support.apple.com/de-de/guide/safari/sfri35610/mac

Blocking cookies may impair the functionality of this website.

Legal basis for data processing: If personal data is processed using technically necessary cookies, the legal basis is Art. 6 (1) of the GDPR.

Any use of cookies that is not absolutely technically necessary constitutes data processing that is only permitted with your explicit and active consent. The legal basis is then Art. 6 para. 1 of the GDPR. This applies in particular to the use of advertising, targeting or sharing cookies. Furthermore, we will only pass on your personal data processed by cookies to third parties if you have given your express consent to do so in accordance with Art. 6 para. 1 of the GDPR. More information on cookies that are not technically necessary can be found in section 10 of this privacy policy.

Purpose of data processing: The purpose of using technically necessary cookies is to simplify website use for users. Some functions of our website cannot be offered without cookies. For such cases, it’s necessary that the browser is recognised even after a page change. These purposes are also our legitimate interest in processing personal data according to Art. 6 (1) of the GDPR.

The user data collected through technically necessary cookies are not used to create user profiles.

Duration of storage: Cookies are stored on the user's computer and transmitted by it to our website. The technically necessary cookies described are usually deleted when your browser session expires. In addition, you can deactivate or restrict the transmission of cookies by changing the settings in your internet browser. Cookies that have already been stored can be deleted at any time. This can also be done automatically.

Specifically, we are talking about the following cookies:

Technically necessary cookies:

Technically necessary cookies are required so that you can browse a website and use its features. Without these cookies, functions cannot be guaranteed, for example actions performed during a visit (e.g. text input) are retained, even when navigating between individual pages of the website.

Name: CookieControlPrefs
Provider: internal
Purpose: Saving a user’s cookie preferences
Duration: 2 months

Performance cookies:
Performance cookies collect information about how a website is used, such as which pages a visitor views most often and whether they receive error messages from a page. These cookies do not store any information that allows the user to be identified. The information collected is aggregated and anonymous. These cookies are only used to improve the performance of a website and thus the user experience.

Name: _ga
Provider: Google Analytics
Purpose: Differentiates users
Duration: 6 months

Name: _gid
Provider: Google Analytics
Purpose: Differentiates users
Duration: 24 hours

Lokaler Speicher
Name: XSRF-Token
Provider: internal
Purpose: Protects against XSRF attacks
Duration: 2 weeks

Name: Laravel_session
Provider: internal
Purpose: Functional session cookie
Duration: 2 weeks

Name: notificationRead
Provider: Herrlich & Ramuschkat
Purpose: Saves if a messages was read after clicking the save button

10. Website analytics

Use of Google Analytics
With your consent, we use Google Analytics, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland, hereinafter "Google"), on our website. This makes it possible to assign data, sessions and interactions across several devices to a pseudonymous user ID and thus to analyse the activities of a user across devices. Google Analytics uses cookies, which are text files placed on your computer, to help the website analyse how users use the site.

The information generated by the cookies, such as the time, place and frequency of your website visit, including your IP address, is transmitted to Google and stored there. As this website uses Google Analytics with the extension "_gat. anonymizeIp", your IP address will be truncated by Google within Member States of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser within the scope of Google Analytics will, according to its own information, not be merged with other data from Google. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

Furthermore, Google offers a deactivation add-on for the most common browsers, which gives you more control over what data Google collects about the websites you visit. The add-on tells the JavaScript (ga.js) of Google Analytics that no information about the website visit should be transmitted to Google Analytics. However, the Google Analytics browser deactivation add-on does not prevent information from being transmitted to us or to other web analytics services we may use. For more information on how to install the browser add-on, please click on the following link: https://tools.google.com/dlpage/gaoptout?hl=de. Opt-out cookies prevent the future collection of your data when visiting this website. To prevent collection by Universal Analytics across different devices, you must opt-out on all systems used.

The legal basis for use of Google Analytics is your consent in accordance with Art. 6 Para. 1 of the GDPR.

This data is processed to analyse the behaviour of our users anonymously and to improve our website on the basis of these findings.

The data sent by us and linked to cookies, user IDs (e.g. user ID) or advertising IDs are automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month. For more information on terms of use and data protection, please visit https://www.google.com/analytics/terms/de.html and https://policies.google.com/privacy?hl=de&gl=de.

11. Google Tag Manager

Google Tag Manager is used on this website. The Google Tag Manager is a solution that allows website operators to manage website tags via an interface. The Google Tag Manager itself (which implements the tags) is a cookie-free domain, does not collect any personal data and provides for the triggering of other tags, which in turn may collect data. The Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager. For more information, please refer to the usage guidelines for Google Tag Manager at: https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/.

12. Use of YouTube videos

On our website you can watch videos integrated via a plug in from YouTube LLC (901 Cherry Avenue, San Bruno, CA 94066, USA; a Google LLC company). YouTube uses cookies for data collection and statistical data analysis. YouTube uses cookies, among other things, to collect reliable video statistics, to prevent fraud and to improve user-friendliness. Through YouTube cookies, the website operator receives statistical values on the retrieval of individual videos embedded in the website without any reference to the respective user. If you view a video embedded in this way, this data may also be stored and further used by YouTube. In this case, if you are logged into YouTube at the same time as your YouTube account, YouTube may be able to associate your surfing behaviour with your YouTube user profile. You can prevent such data processing by logging out of your YouTube account before visiting our website.

The "extended data protection mode" for YouTube videos is activated on our website. This means YouTube does not store cookies for a user who views a website with an embedded YouTube video player, but does not click on the video to start playback. You will also be informed before calling up a video that by clicking on a video link you will leave the website of the responsible party and be transferred to the Internet offering of the YouTube video portal, transferring the website you are currently calling up. If you accept this, YouTube may store cookies on the user's computer, but no personal cookie information is stored for playbacks of embedded videos.

As this is a third-party service, we have no influence on the processing of corresponding data by YouTube. For the purpose and scope of the data collection and the further processing and use of the data by YouTube or Google, as well as your rights in this regard and setting options for protecting your privacy, please refer to the corresponding notes on data protection at https://policies.google.com/privacy?hl=de. Google also processes your personal data in
the USA.

13. Automated decision-making including profiling

No automated decision-making, including profiling, takes place.

14. Rights of data subjects

If your personal data is processed, you are a data subject as defined by GDPR. This makes you entitled to the following rights vis-à-vis the controller:

Right to information: According to Article 15 of the GDPR, you have the right to request information about your personal data we process. In particular, you can request information about the processing purposes, category of personal data, categories of recipients to whom your data have been or will be disclosed, planned storage period, existence of a right to rectification, deletion, restriction of processing or objection; existence of a right of complaint, origin of your data if it has not been collected by us, as well as the existence of automated decision-making, including profiling, and if applicable, meaningful information. You may also request meaningful information about aspects such as decision-making.

Right to rectification: According to Article 16 of the GDPR, you have the right to request the correction of inaccurate or incomplete personal data stored by us without delay.

Right to deletion: According to Article 17 of the GDPR, you have the right to request deletion of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.

Right to restriction: According to Article 18 of the GDPR, you have the right to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its deletion and we no longer require the data, but you need it for the assertion, exercise or defence of legal claims or you have objected to the processing pursuant to Art. 21 GDPR.

Right to data portability: According to Article 20 of the GDPR, you have the right to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller.

Right to complain: According to article 77 of the GDPR, you have the right to complain to a supervisory authority. Generally, you can contact the supervisory authority for your place of residence or workplace, or our designated office. Currently, the supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin, phone: +49 (0) 30 13889-0, fax: +49 (0) 30 2155050; email: mailbox@datenschutz-berlin.de.

Right to object: You have the right to object at any time, on personal grounds, to the processing of your personal that is carried out according to Article 6(1)(f) GDPR.

If your personal data is used for direct marketing purposes, you have the right to object at any time.

Right of revocation: You have the right to revoke any consent you have given for use of your personal data at any time. Revoking consent does not affect the lawfulness of processing carried out on the basis of the consent until the revocation. You can revoke your consent at any time by sending an email to servicecenter@vielfaltmenue.com or by post, to the address provided above.

15. Data security

In the case of data communication in open networks such as the internet, protecting transmitted data cannot be entirely guaranteed according to the current state of technology and cannot be completely protected against access by third parties. Therefore, do not send us any confidential data via the internet (such as by email) without sufficient protection.

We use the widespread SSL procedure (Secure Socket Layer) in connection with the highest encryption level supported by your browser when visiting our website. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can recognise this encryption by the closed display of the key or lock symbol in the lower status bar or the address line of your browser (https).

We also use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

16. Change of our data protection regulations

We reserve the right to amend this data protection declaration from time to time so that it always complies with the current legal requirements or in order to implement changes to our services in the data protection declaration, e.g. when introducing new services. If you visit our website again, the latest data protection declaration will apply.

Last update: September 2021