This Privacy Statement aims to clarify what personal data we process, why we process it, who receives your data and how you can exercise your legal rights.
In this Privacy Statement, “personal data” means any information which directly identifies you as a person (like the combination of your full name and address) or can be used to identify you as a person (like a user ID connected to your identity). Similarly, “processing” refers to any operation performed on your personal data, for example the collection, storage, use, disclosure, or destruction of your personal data.
We are Delivery Hero Finland Oy (registered number 1936684-6) and we are at the date of this Privacy Statement located at Pasilankatu 10, 00240 Helsinki, Finland and as of 2 May 2024 at Elielinaukio 5, 00100 Helsinki, Finland.
With regard to your privacy, it is us who decide how and for what purposes your personal data is processed. In data protection language that makes us a so-called “data controller” (the party responsible for how your personal data is processed).
If you have any questions related to how your personal data is processed, you can contact us at [email protected]. If you would like to reach our data protection officer, please contact [email protected].
When you use our platform, we process personal data actively provided by you, collected from your device when you interact with us or obtained from third parties. Broadly speaking we will process the following categories of personal data:
Account data including your name, email address, password, telephone number, country, user ID, language, communication, and other profile settings
Order and delivery data including delivery details (e.g., delivery address, date and time of the delivery, type of collection), order IDs, order history, product names and quantities
Location data including address, postcode, city, country, longitude, and latitude
Device data including device ID, IP address, session information, device configuration settings, operating system, platform interactions such as items added to the cart, and other data obtained through web-trackers (e.g., cookies, software development kits ("SDK"), pixels)
Payment data including bank account details, credit card data, tax ID, payment method data, payment amount, payment recipient details, refund details, and bank receipts
Customer support data including content of your customer support requests, responses from our customer care teams and images attached
You can find all details about how we process your personal data below.
When creating a customer account, we need to process your account data such as your name, email address, password, telephone number, country, and language. Once you have created an account, we will assign you a unique user ID. This measure will allow us to recognize you in our system without needing to use all your account-related information. This ID cannot be used by any outside parties.
The information we request during the account creation process is necessary to take the first step in establishing a customer relationship with you so that we can provide you with our services.
The legal basis for this processing is therefore ‘entering into or performance of a contract’ under Art. 6(1)(b) GDPR.
We store this personal data as long as you remain our customer and in the ordinary course of things, we delete it when you close your account, or after three years of inactivity, unless statutory legal requirements mandate longer retention.
We offer you the option to register on our platform by using one of the commonly used social networking systems such as Facebook, Google, or Apple. If you already have an account with any of these services, you can sign up and log in to our platform using your user data from those identity management providers.
When logging in with the SSO option, we may get access to SSO data such as your name, email address, telephone number, country, user ID, and your date of birth, if you have shared this data with the SSO provider.
This information is necessary for initiating our customer relationship and entering into a contract with you. We never receive or store the password you use for these systems.
Information on third-party SSO providers can be found here:
Facebook Google AppleThe legal basis for this processing is “entering into or performance of a contract” under Art. 6(1)(b) GDPR.
We process this personal data as long as you remain our customer, or until you delete your account with the SSO provider.
You can access your profile at any time to make changes, provide additional information about yourself, or view your previous orders. Your data is also processed to administer your profile, which includes tasks such as ensuring the accuracy of your personal details, processing any modifications you make, and managing technical issues you might have.
The information we process about you for this purpose includes account data, order and delivery data, payment data, and device data.
Managing and administering your profile is a fundamental function of our platform. Without this process, we cannot provide our services to you. Therefore, the legal basis for this processing is “performance of a contract” under Art. 6(1)(b) GDPR.
We store this personal data as long as you remain our customer and in the ordinary course of things, we delete it when you close your account, or after three years of inactivity, unless statutory legal requirements mandate longer retention.
We use web tracking technologies (e.g., cookies, SDKs, measuring pixels) when you browse our platform, whether you are a customer or a visitor. These technologies enable us to facilitate the functioning of our platform, improve its performance and security, or understand how our users interact with our platform. In addition, these technologies allow us to deliver customized content or targeted advertising to our users.
Cookies and web tracking technologies may be used to collect data that we classify as device data, including your device ID, IP address, session information, preferences such as language settings, platform interactions such as items added to the cart, platform performance analytics, and crash reporting.
You can find more information on these technologies (including on retention periods and the applicable legal basis) in our Cookies, SDKs and Web-Tracking Policy and in our consent management banner. The consent management banner appears the first time you log in to your account, but you can always access it and adjust Your settings via the “Terms & Conditions / Privacy” tab in the app.
When you browse our platform, we show you a variety of restaurants and shops, i.e., vendors, and products. We may customize the content on our platform so that you are shown vendors who are close to you, who you have ordered from in the past, or products we believe may be of interest to you. To make this feature available, we need your account data, location data, order and delivery data, and device data.
This process may involve customer segmentation based on the data we collect from you. Additionally, we can make predictions about our customers’ demographics (e.g., age, gender) or consumption preferences. As a result, our suggestions may highlight specific products or cuisines, such as Italian restaurants, or vegan products.
Please note that these processes will not have a legal or similar significant effect on you. The only result of this process will be that you will receive suggestions about products or vendors that match your interests and food preferences.
Our activities within personalized content and suggestions form the core of our platform, without which we could not offer you relevant products and therefore we would be unable to facilitate a ground for entering into a contract with you. We would like to highlight that personalized content that is shared in this context is separate from the marketing initiatives carried out on our platform.
The legal basis for processing your data for the purpose of suggesting products and vendors is "performance of a contract" under Art. 6(1)(b) GDPR. Additionally, we rely on "legitimate interest" under Art. 6(1)(f) GDPR for customer segmentation.
We will process the data we process for this purpose for the same duration as your other account data.
Once you log in to your profile and select items, they will be saved in your cart. Even if you close your browser or app, you can continue your order from where you left off. To make this feature available on our platform, we process your account data, device data, and order and delivery data.
The shopping cart function is essential to our platform as it enables us to receive and process your order. Without it, we would not be able to enter into a contract with you.
The legal basis for this processing is "entering into or performance of a contract" under Art. 6(1)(b) GDPR.
This data is deleted as soon as we no longer need it, such as once you place your order or soon after you have removed everything from your shopping cart.
Once you have successfully registered to our platform, you can place your order. To process your order, we need your account data as well as yourorder and delivery data including your address, postcode, city, country, longitude and latitude, order ID, your order instructions, product names and quantities.
This information is necessary for us to forward your order for the following steps to ensure the successful delivery of your order. Without this information, we would be unable to take necessary steps to fulfill our contractual obligations to you.
Where our platform offers the delivery of prescription medicines, the data we process may include special categories of personal data (i.e., health data). In this case, we will ensure that we clearly inform you, obtain your prior consent or otherwise comply with the requirements of Art. 9 GDPR. However, please note that your order of non-prescription (i.e., over the counter) products not specifying any particular medical condition is not regarded as involving special categories of personal data.
The legal basis for this processing is "performance of a contract" under Art. 6(1)(b) GDPR, and "consent" under Art. 9(2)(a) GDPR for health-related data.
The data we process for this purpose will be processed for the same duration as your other account data.
If you decide to proceed with your order, we will need to receive the payment for the items you have selected and applicable services such as delivery.
When you place an order and select a payment provider, your information will be shared with your selected payment provider to initiate the payment process. As a customer of these payment providers, you can find information on their privacy practices in their separate privacy statements.
Following the payment for your order, we are legally required to provide you with an invoice. To fulfill this requirement and to facilitate your payment, we need to process your account data, order and delivery data, and payment data including payment method data, payment amount, payment recipient details, refund details, and bank receipts.
The legal basis for this processing is "legal obligation" under Art. 6(1)(c) GDPR.
We store this personal data for seven years after the date of issuance of the receipt.
In order to make the ordering process even more convenient for you, our platform offers you the option to save your preferred payment method. This means that, if you choose to save your payment method, you will not have to re-enter your payment details the next time you need to make payments on our platform.
The information you can save within this feature is payment data including your name, bank account details, credit card data, tax ID, payment method data, payment amount, payment recipient details, refund details, and bank receipts.
The legal basis for this processing is "consent" under Art. 6(1)(a) GDPR.
We will keep this personal information for as long as you choose to share it with us.
When you subscribe for Foodora Pro, we will request to store your payment data to enable regular billing in accordance with your subscription. As maintaining a regular payment process for your subscription plan is a fundamental part of this service, the legal basis for this processing is "performance of a contract" under Art. 6(1)(b) GDPR.
After receiving your order, we share your order data with the vendor (e.g., restaurants, shops) preparing your order. We minimize the information we share with our vendors so that they only see the information necessary to process your order and, where applicable, hand the order over to a courier. The data We share with the vendors include account data such as your name and telephone number and in some cases your delivery data when the vendor is to carry out the delivery. In addition, vendors may use our platform’s chat feature or call you by phone to contact you in exceptional cases such as if the items you ordered are out of stock.
As the preparation of your order is a fundamental part of the services provided on our platform, the legal basis for this processing is "performance of a contract" under Art. 6(1)(b) GDPR.
Once your order has been prepared by the vendor, it is handed over to the courier who is responsible for delivering your order. In order to enable the delivery of your order, and thus fulfill our contractual obligations to you, we need to process your personal data and share some of that data with the rider who will deliver your order.
This data includes your order and delivery related data such as your name, telephone number, and delivery address. In addition, riders may use our platform’s chat feature or call you by phone to contact you if there are any exceptional delivery-related issues such as if the rider needs assistance during the delivery process. We will always ascertain that the rider receives as little information about you as possible.
As the delivery of your order is a fundamental part of the services provided on our platform, the legal basis for this processing is "performance of a contract" under Art. 6(1)(b) GDPR.
In some cases, our riders will be asked to provide proof of delivery. This proof of delivery may include details such as the time and date of delivery, your name, and in some cases, a signature or photo as evidence. In case of any disputes or issues, having this information helps us investigate and resolve matters efficiently, providing you with a higher level of customer satisfaction.
The legal basis for proof of delivery is "legitimate interest" under Art. 6(1)(f) GDPR.
We will process the data we process for this purpose for the same duration as your other account data.
In case you have questions or issues regarding your order, depending on the nature of your request, we will need your account data, order and delivery data, delivery related data, payment data, and the data you share with us when submitting your request. This information allows us to understand the specifics of your order, enabling us to provide you with relevant and accurate assistance.
As part of our customer care service, we may use automation for certain functions. For example, actions such as canceling your order or changing delivery instructions may be automated. In addition, our support agents may utilize algorithmic decision-making processes for the purpose of calculating compensation for any issues you may experience, and for issuing a refund or voucher.
We may use artificial intelligence technology such as chatbots powered by large language models as part of our customer care processes. When we do so, we will ensure that we remain the controller of your data and that your data is not shared with third parties to train their AI models.
As resolving your issues is an essential part of the complete fulfillment of the service we provide to you, the legal basis for processing your data for this purpose is "performance of a contract" under Art. 6(1)(b) GDPR.
We will keep the data we process within the customer care center feature for the duration of the statutory limitation periods for legal claims in your jurisdiction (which might range from three to up to six years).
Once your order has been delivered, you can rate and review the vendor you have ordered from. In this case, your first name will be displayed on our platform next to the content of your review. For this purpose, your account data and the content of your review will be processed.
The legal basis for this processing is "consent" under Art. 6(1)(a) GDPR.
We will keep your reviews for as long as you choose to share it with us. If you no longer wish your review to be available, you can delete it at any time.
We may send you in-app or push notifications, as well as newsletters via email, or text messages informing you about new restaurants, offers and promotions on our platform. We use a range of criteria to ensure that the content we provide is similar to the products you have previously ordered. As such, these communications may emphasize specific products or cuisines, such as sushi deals, or vegan products.
To make this possible, we use your account data, location data, as well as order and delivery data. This information enables us to promote products and services available on our platform.
You are always free to opt out from such communications. To ensure we comply with your choice to opt out, we will keep your contact details on a separate list of customers who prefer not to receive direct marketing communications. In this case, we will unsubscribe you from customized communications and you will not receive such communications in the future.
The legal basis for this processing of your data for the purpose of sending app notifications and email/SMS newsletters is "legitimate interest" under Art. 6(1)(f) GDPR in conjunction with the exception under EU ePrivacy laws for promoting similar goods and services to the one you have already ordered from our platform.
The data we process for this purpose will be processed for the duration of you having an account with us. The information if you have opted in to or out of receiving such communications, we will store for the duration of the statutory limitation periods for legal claims in your jurisdiction (which might range from three to up to six years).
We use a variety of incentives to make our platform more attractive to you and to ensure that you enjoy all the advantages that our platform has to offer. These incentives include customer referral program (i.e., Invite Friends), vouchers, customer competitions, and bonus programs.
When you use vouchers on our platform, we may process your account data, and the associated discount or promotion. We process this data to apply the voucher to your order and ensure the proper functioning of this feature.
Our "Invite Friends" program allows you to invite your friends to our platform and earn rewards. As part of this program, we may process your account data, the associated discount or promotion, and a record of the connection between participants.
When you participate in user competitions or bonus programs on our platform, we may process your account data and data relevant to the program, including your status, points and rewards earned. This data is processed to administer those programs and grant you prizes or discounts.
The legal basis for these processing activities is "performance of a contract" under Art. 6(1)(b) GDPR. We use this data for the purpose of providing you with discounts and promotions as part of our services.
If you participate in incentives (e.g., bonus programs) offered by third parties, your data might be passed onto them. In such cases, processing of your data is based on your ‘consent’ under Art. 6(1)(a) GDPR.
We store this personal data as long as you remain our customer and in the ordinary course of things, we delete it when you close your account, or after three years of inactivity, unless statutory legal requirements mandate longer retention.
We utilize marketing processes to reach as many potential customers as possible. These processes encompass a range of marketing strategies, including targeted advertisements, both on our own platform, or on online media properties (e.g., websites, social platforms) owned and operated by third-party publishers.
For this purpose, we process account data, location data, order and delivery data, and device data such as session information, your configuration settings, platform interactions such as items added to the cart, and data obtained through web-trackers (e.g., cookies, SDKs, pixels).
When we perform targeted advertisements for our platform, we use customer segmentation based on the data we collect from you. This segmentation may include predictions about our users’ demographics (e.g., age, gender) or consumption preferences. These insights are typically aggregated and pseudonymized, which means that we cannot identify you individually. We use these insights when defining our online marketing strategies. To perform customer segmentation, we sometimes use third party services.
Your prior explicit "consent" under Art. 6(1)(a) GDPR is requested to show you our online targeted advertisements. If you do not consent to personalized online advertisements, please note that you may still receive ads related to our service and products. However, these ads will be generic and not result from specific targeting processes.
We will keep this personal information for as long as you choose to share it with us but in any case, we will delete the data we process within this purpose after deletion of your account.
We display various types of advertisements on our platform. Our objective is to provide you with advertisements that are truly relevant to your interests and that add value to your online experience. For this purpose, we process account data, location data, order and delivery data, and device data.
To ensure the relevance of ads, we may use user segmentation involving automated processing of your personal data. Additionally, we may make predictions about your demographics (e.g., age, gender) or your consumption preferences. These processes will not have a legal or similarly significant effect on you. The only result of this process will be that you will receive advertisements that match your interests and food preferences.
Using these insights, our platform may display both our own ads and ads from third parties (such as restaurants and food brands). These ads may take the form of standard display ads, 'sponsored’ vendors that appear on top of a list, or special promotions that offer you limited time deals.
We do not share your personal data with third parties who promote their products on our platform. However, in some cases, we can share advertising performance insights to these third parties. These insights are typically aggregated and anonymized, ensuring that your personal data remains protected. These insights may relate to the effectiveness of their advertisements, such as the number of clicks or engagement metrics.
We ask your "consent" under Art. 6(1)(a) GDPR in order to show you personalized advertisements. If you do not consent to personalized advertisements, please note that you will still receive ads, however, they will not be tailored to your personal interests.
We will keep this personal information for as long as you choose to share it with us but in any case, we will delete the data we process within this purpose after deletion of your account.
We maintain profiles on various social media platforms through which we advertise our products and engage with customers. When you visit our pages on social media platforms such as Facebook and Instagram, the operators of these platforms process your personal data, as explained in their own privacy statements. For Facebook and Instagram the data controller is Meta Ireland Ltd. ("Meta")
Meta provides us with aggregated statistics and insights about our social media pages, allowing us to understand the types of actions users take on their pages. Please be informed, however, that we at no point can attribute any page visit or other interaction to individual social media profiles.
In terms of collecting your personal data on our social media pages and analyzing the user interactions, both we and the respective operators of the social media platforms (such as Meta) act as joint controllers. To formalize this arrangement, we have entered into joint controller agreements with these operators.
For Facebook and Instagram, the following links will show you exactly which data is collected by Meta and how you can exercise your data subject rights in connection with the user insights: Meta Privacy Policy Meta Controller Addendum
The legal basis for processing of your data for the purpose of engaging with users and utilizing user insights is "legitimate interest" under Art. 6(1)(f) GDPR.
We use state of the art servers, network equipment and cloud services to deliver our platform, to ensure high performance and uninterrupted service. All types of personal information you provide and the information we collect about you is stored and protected within the secure environment of our platform. We also use tools such as two-factor authentication, endpoint security detection, traffic monitoring, backup systems and data loss prevention solutions to keep your data secure.
The legal basis for processing your data for the purposes of hosting and ensuring the security of your personal data is "legitimate interest" under Art. 6(1)(f) GDPR.
We delete daily backups after 90 days.
One of our main priorities is to provide you with a secure platform and a safe ordering experience. Part of achieving this goal involves implementing proactive measures to detect and prevent fraudulent activity.
For this purpose, we process your account data, payment data, location data, device data, and order and delivery data such as invoices, order IDs, successful orders, and canceled orders.
To achieve effective fraud detection and prevention, we use this data to apply state-of-the-art fraud detection and prevention measures, which may include algorithmic decision making and machine learning processes. These measures include fraud scoring and flagging, transaction analysis, user behavior modeling, and, in confirmed cases, automated account suspension and blocking. Our fraud assessments will be based on your previous behavior and also sometimes information obtained from third parties (e.g., when you use a credit card which has been reported as stolen by its owner).
If any such decision (i) results in a negative, legally binding outcome for you, (ii) similarly significantly affects, or (iii) you believe there has been an error, you can contact our customer care team. In this case, we will individually assess the circumstances of your case.
The legal basis for processing your data for the purposes of fraud detection and prevention is "legitimate interest" under Art. 6(1)(f) GDPR.
We will keep the data we process within fraud detection and prevention purposes for the duration of your account and, after closure, for as long as it is required to clarify if your account is linked to any other fraudulent activity on our platform. This time period will vary depending on the activity in your account. If you are a trusted customer, we will delete your data, as it is no longer required.
We always aim to improve our services, and your valuable feedback is an important part of that process. As such, we sometimes include surveys in our newsletters, asking for your feedback or inviting you to a user experience interview.
For the purposes of user surveys and interviews we process your account data, order and delivery data, device data, and the content of your feedback. We also record your usage behavior as part of the user interviews.
Participation in the surveys and interviews require your "consent" under Art. 6(1)(a) GDPR. After you provide your consent to participate in our user surveys, we will contact you through your preferred communication channels, which may include email, SMS, or social communication platforms such as WhatsApp.
If you have already given your consent and would like to revoke it for the future, please let us know by contacting us. In this case we will exclude you from participating in interviews and ensure that you don't receive any further invitations.
We will keep the data we process within user surveys and interviews for as long as you grant us consent to do so. At the latest, when you delete your account, we will consider your declaration of consent to have been withdrawn.
We perform data analytics to improve our platform in terms of user experience, product development, pricing, promotions, and customer engagement. For instance, to analyze and optimize our user experience, we may show our customers different versions of our platform interface in the context of so-called A/B testing. Analyzing how users interact with different versions enables us to define which version performs better. Similarly, by analyzing customer responses to different pricing models, we can determine the right pricing strategies.
To achieve this, we process order and delivery data, and device data. These insights are typically aggregated (meaning processing fully anonymously, so you can never be identified as a person by anybody) or pseudonymized (meaning it will be very hard to identify you as a person).
The legal basis for processing your data for this purpose is "legitimate interest" under Art. 6(1)(f) GDPR.
We process customer data in an aggregated form to identify market trends and make informed decisions about our market strategy. This analysis involves processing various types of data, including account data, device data, as well as order and delivery data.
Utilizing this data, we create statistical reports at group level, such as our market statements and trading updates. Creating business insights and statistical reports allows us to draw meaningful conclusions from a wide range of customer interactions.
Similarly, as part of our business intelligence, we provide our vendors (e.g., restaurants, shops) with access to certain general information regarding sales and engagement rates (so-called vendor insights). These insights are generated by aggregated analysis of the order and delivery data and device data of our users. The purpose of this analysis is to provide vendors with recommendations to improve their services. For instance, vendor insights provide information on potential reasons why users might have chosen a different vendor. The insights are aggregated and anonymized, which means that vendors cannot identify users individually.
The legal basis for processing your data for this purpose is "legitimate interest" under Art. 6(1)(f) GDPR.
As with any organization, there are instances when we are required to share personal data with public authorities. Additionally, there might be instances where we have to process your personal data to initiate or defend legal claims and uphold our rights and interests. For this purpose, we may disclose and process certain data we hold about you, to the extent strictly necessary to conclude these legal proceedings and investigations.
The legal basis for processing your data for complying with public authority requests is "legal obligation" under Art. 6(1)(c) GDPR; and for initiating and defending legal claims is "legitimate interest" under Art. 6(1)(f) GDPR.
We retain this information for as long as necessary to comply with legal obligations related to ongoing proceedings and investigations. After the final closing of the respective legal proceedings, we will delete your data immediately.
Data protection laws grant you various legal rights. We are committed to always respecting them. When you exercise these rights, we must process your data to effectively address your request. For instance, if you choose to exercise your right to access, we need to gather all the information we hold about to meet our obligation to provide a response. To achieve this, we may process any type of data we hold about you, only to the extent necessary to comply with our obligations.
The legal basis for processing your data for complying with data subject requests is "legal obligation" under Art. 6(1)(c) GDPR.
We retain this information for as long as necessary to comply with our legal obligations.
Under various regulatory frameworks in the EU such as financial services regulations, antitrust and competition laws, the Digital Services Act (DSA) or the Platform-to-Business Regulation we are required to share certain aggregated data with the parties specified in these laws (for example, the vendors on our platform, or the regulating bodies under the DSA). While this data will originate from personally identifiable customer data, we are generally not required to share personal data with third parties under these laws. The processing of personal data is based on the legal basis of "legal obligation" under Art. 6(1)(c) GDPR.
You can trust that, within our company, only those staff members will receive access to your personal data who need them to fulfill their professional duties, such as providing you with a great online experience, or looking into your support request. In certain scenarios, we also need to share your personal data with recipients outside of our company. Please be assured that your data is shared with these recipients only to the extent necessary for the specified purposes and only as we are legally permitted to do so.
In addition to sharing data with the parties already specified above, we will only share your data as follows:
We are part of an international group of companies with legal entities in many parts of the world, including our group’s headquarters located with Delivery Hero SE in Berlin, Germany. In order to utilize our resources efficiently and ensure that our business processes function properly, we utilize our group-wide shared technological support services that sometimes necessitate sharing personal data with our parent company, Delivery Hero SE, or with the locations of our global tech hubs. In certain situations, we might also share limited data with other group companies, for example, to assist with payment collection or to implement platform security measures.
Delivery Hero group companies are bound by strict intra-group data transfer agreements ascertaining compliance with data protection requirements whenever sharing personal data with group companies.
We use various third-party service providers to perform our operations. Many of these providers process your personal data as so-called "data processors". This means they are only allowed to process your personal data under our instructions and have no claims whatsoever to process your personal data for their own, independent purposes. Our processors are strictly monitored, and we only engage processors who meet our high data protection standards. The main data processor for cloud technology on our platform is our group’s headquarters located with Delivery Hero SE in Berlin. Delivery Hero SE provides us with a wide range of services of technology, such as cloud hosting, platform security, marketing, or customer relationship management tools.
Delivery Hero SE will also use data processors (as so-called sub-processors), as follows:
Our user platforms and databases run on cloud resources provided by the EU subsidiaries of Google Cloud Platform and Amazon Web Services. We use marketing and communications tools by companies such as Salesforce or Braze. Our finance and accounting platforms are provided by SAP. If you would like to request the full list of recipients of your personal data, you are free to do so at any point in time.
In addition to data processors, we also work with third parties, to whom we share your personal data, but who are not bound by our instructions and instead will process your data independently. These may be our consultants, lawyers or accountants who receive your data from us under a contract and process your personal data for legal reasons, or to protect our own interests. Under no circumstances will we sell or rent your personal information to third parties without your explicit, informed consent.
In the event of a merger with, or acquisition by, another company or group of undertakings, we may need to disclose limited information to that company and their advisors who are under professional obligations to maintain the confidentiality of your personal data. This may occur in circumstances such as mutual due diligence assessments and regulatory disclosures.
In any event, we will ensure that we only disclose the minimum amount of information necessary to conduct the transaction, while also carefully considering the feasibility of removing or anonymizing any data that could identify individuals.
From time to time, we may be requested to disclose personal data to public authorities. In some circumstances, we may disclose personal data with public bodies to bring or defend legal claims, to protect our rights and interests, or to address security concerns.
Examples of such situations include cooperating in the detection and prevention of crime, responding to legal processes such as court orders or subpoenas, or sharing data with tax authorities for tax-related purposes. The public authorities involved in these scenarios may include law enforcement agencies, courts, tax authorities, or other government bodies.
We and the parties we share your personal data with may transfer personal data to countries other than the country in which you use our services. Where such transfers take place, we take appropriate measures to ensure that your data is always afforded an adequate level of protection in the countries to which it is transferred.
For example, if we transfer your personal data from a country within the European Economic Area (EEA) to a country outside of the EEA, we take appropriate safeguards to ensure that these transfers provide a level of protection that complies with data protection requirements. If there are specific further requirements of the law of the country in which you use our services, we will abide by them as well. Specifically, as far as transfers from the EEA to countries outside the EEA are concerned, we rely on a number of appropriate safeguards:
If you would like to receive a copy of the appropriate safeguards securing the data transfer, please contact us.
Under the data protection laws, you are entitled to the following rights:
Right to access You have the right to access your personal data and obtain additional information on how we process it. You may also request a copy of your personal data.
Right to rectification If you notice that your personal data is incorrect, you can always request that we correct it.
Right to erasure You have the right to ask us to delete your personal data. Please note that even if you exercise this right, we may be required to retain some of your information if we process it as part of our legal obligations, or in pursuit of our own (or a third party’s legitimate interests) such as the assertion of, or defense against legal claims, concluding customer care inquiries, preventing fraud, or protecting ourselves or others against abusive behavior.
Right to restriction of processing If you have requested the deletion of your personal data, but we are legally prevented from immediately deleting it, we will store your data in our archives and retain them for the sole purpose of meeting our legal obligations. However, you will not be able to use our services during this time, as this would require us to de-archive your personal data.
Right to data portability You can ask us to provide you or another data controller with your personal data in a machine-readable format. However, please note that this right only applies to data that we process based on your consent.
Right to object You have the right, for reasons arising from your particular situation, to object at any time to any processing of your personal data, which is processed on the basis of our legitimate interests. If you object, we will no longer process your personal data unless we can prove compelling grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise, or defend against legal claims.
You also have the right to object at any time, without giving any explanations, to the process of your personal data for the purposes of direct marketing (including any associated profiling).Right of complaint You can raise a complaint about our processing with the data protection authority in the country of your habitual residence, place of work, or the place where you think a violation of data protection laws has occurred. In the case of cross-border data processing, you can also lodge a complaint with our lead supervisory authority in Berlin, Germany.
Right not to be subject to a decision based solely on automated processing You have the right to object to a fully automated decision (i.e., without any human intervention in the decision-making process) that has legal effects or significantly affects you.
To exercise your rights, we encourage you to use the functions available in your account at any time. For example, if you would like to delete your data, or receive a copy of it, you can directly do so by following the relevant steps in your profile. These self-service methods are designed to expedite the process of fulfilling your rights. Alternatively, you can also reach out to our customer care team to assist you.
We retain your personal data for as long as it is necessary to achieve the purposes we described above. The duration for which we retain your personal data is determined by factors such as the scope, nature, and purposes of the personal data processing, and whether we have legitimate interests or legal obligations that require us to retain your personal data.
Some of our processes include the use of algorithmic decision making and machine learning. We consistently strive to implement methods that ensure a significant level of human oversight in the decision-making process, enabling us to modify or reverse decisions as needed.
In many cases, the algorithmic decision-making processes without human oversight will not have legal or similar significant effects on you. Where they do, we will ensure that you have the right not to be subject to the algorithmic decision-making processes, unless those processes are authorized by applicable law or are necessary for the entering into or performance of a contract. In these cases, you can always oppose the decision and request for a human evaluation by contacting us.
For detailed information about the specific instances in which algorithmic decision-making processes are used, please visit the sections above that explain how we use your personal information.
We may update this Privacy Statement from time to time to reflect our new processes, new technologies, and legal obligations. We are committed to keeping you informed of any changes to our privacy practices, so we encourage you to review this privacy statement to keep updated.
Last modified on 24 April 2024