Privacy Statement

Last modified June 2024. Please find our terms in pdf to be downloaded here

Reading length: approx. 49 000 characters – 30 minutes

This Privacy Statement aims to clarify what personal data We (see definition below) process, why We process it, who receives our customer/users (“You, Your”) data and how You can exercise Your legal rights.

In this Privacy Statement, “personal data” means any information which directly identifies You as a person (like the combination of Your full name and address), or can be used to identify You as a person (like a user ID connected to Your identity). Similarly, “processing” refers to any operation performed on Your personal data, for example the collection, storage, use, disclosure, or destruction of Your personal data.

  1. WHO ARE WE AND HOW CAN YOU REACH US?

We are Foodora AB, reg. no. 559007-5643, located at Fleminggatan 20 in Stockholm, Sweden (“foodora, We, Us, Our”), and constitute a part of the Delivery Hero group.

With regard to Your privacy, it is Us who decide how and for what purposes Your personal data is processed. In data protection language that makes Us a so-called “data controller”, i.e. the party responsible for how Your personal data is processed. 

If You have any questions related to how Your personal data is processed, You can contact Us at [email protected]. If You would like to reach Our data protection officer, please contact [email protected].

  1. WHAT CATEGORIES OF PERSONAL DATA DO WE PROCESS?

When You use Our online platform (the “Platform”), We process personal data that is actively provided by You, collected from Your device when You interact with Us or obtained from third parties. Broadly speaking, We will process the following categories of personal data:

“Account data” including Your name, email address, password to Your account, telephone number, country of residence, user ID, language settings, communication, and other profile settings.
“Order and delivery data” including delivery details (e.g., delivery address, date and time of the delivery), order IDs, order history, product names and quantities.
“Location data” including address, postcode, city, country, longitude and latitude.
“Device data” including device ID, IP address, session information, device configuration settings, operating system, platform interactions such as items added to the cart, and other data obtained through web-trackers (e.g. cookies, Software Development Kits (“SDK”) and pixels).
“Payment data” including bank account details, credit card data, tax ID (personal identity number and coordination number), payment method data, payment amount, payment recipient details, refund details, and receipts.
“Customer support data” including content of Your customer support requests, response from Our customer care or support teams and images attached.

The mentioned categories of personal data are mainly processed in connection of Your usage of Our services, e.g. when You create an account, when You search for and purchase products, and when You get those products delivered. The processing is also performed for analytic and marketing purposes to enhance Your experience on the Platform. You can find all details about how We process Your personal data below.

  1. HOW DO WE PROCESS YOUR PERSONAL DATA?

3.1. When You create an account

3.1.1 Account creation

When You create a customer account on the Platform, We need to process Your account data such as Your name, email address, password, telephone number, country of residence, and language settings. Once You have created an account, We will assign You a unique user ID. This measure will allow Us to recognize You in Our system without needing to use all of Your account-related information. The user ID cannot be used by any outside or third parties.

The information We request during the account creation process is necessary to take the first step in establishing a customer relationship with You so that We can provide You with Our services. The legal basis for this processing is therefore ‘entering into or performance of a contract’ under Art. 6(1)(b) of the General Data Protection Regulation (“GDPR”).

We store this personal data as long as You remain Our customer and in the ordinary course of things We delete it when You close Your account, or after three (3) years of inactivity, unless statutory legal requirements mandate longer retention.

3.1.2. Single-Sign-On (“SSO”)

We offer You the option to register on the Platform by using one of the commonly used social networking systems such as Facebook, Google, or Apple. If You already have an account with any of these SSO providers, You can sign up and log in to the Platform using Your user data from them (this is called SSO).

When logging in with the SSO option, We may get access to so called SSO data such as Your name, email address, telephone number, country of residence, user ID, and Your date of birth, if You have shared this data with the SSO provider.

This SSO data is necessary for entering into a contract with You. We never receive or store the password You use for the SSO provider’s system. 

Information on SSO from third-party SSO providers can be found here:

The legal basis for this processing is “entering into or performance of a contract” under Art. 6(1)(b) GDPR.

We process this personal data as long as You remain Our customer, or until You delete Your account with the SSO provider.

3.1.3. Managing Your profile

After creating You account on the Platform, You can access Your profile at any time to make changes, provide additional information about Yourself, or view Your previous orders. In addition to creating Your account, Your data is also processed to administer Your profile, which includes tasks such as ensuring the accuracy of Your personal details, processing any modifications You make, and managing technical issues You might have.

The information We process about You for this purpose includes Account data, Order and delivery data,Payment data, and Device data. 

Managing and administering Your profile is a fundamental function of Our operations. Without this process, We cannot provide Our services to You. Therefore, the legal basis for this processing is “performance of a contract” under Art. 6(1)(b) GDPR.

We store this personal data as long as You remain Our customer and in the ordinary course of things We delete it when You close Your account, or after three (3) years of inactivity, unless statutory legal requirements mandate longer retention.

3.1.4. foodora Business

The Platform offers a service called “foodora Business” that allows businesses to enable their employees to make orders from a company account. Employees can also be provided with vouchers, gift cards, or allowances via foodora Business. To ensure You get access to your foodora Business account, We receive Your name, email address and telephone number from the business granting You access to foodora Business.

As the data mentioned above is necessary for Us to ensure that You are able to access foodora Business, the legal basis for this processing is “entering into or performance of a contract” under Art. 6(1)(b) GDPR.
We store Your personal data for this purpose as long as you remain Our customer and in the ordinary course of things We delete it when you close Your account, or after three (3) years of inactivity, unless statutory legal requirements mandate longer retention.

For more information on how Your data is handled by the business granting You access to foodora Business, please see the privacy statement provided by this business. 

3.2. When You browse the Platform

3.2.1. Cookies and other web tracking technologies

We use web tracking technologies (e.g., cookies, SDK’s and measuring pixels) when You browse the Platform, whether You are a registered customer or a visitor. These technologies enable Us to facilitate the functioning of the Platform, improve its performance and security, and/or understand how Our users interact with the Platform. In addition, these technologies allow Us to deliver customized content or targeted advertising to Our users.

Cookies and other web tracking technologies may be used to collect data that We classify as Device information, including Your device ID, IP address, session information, preferences such as language settings, platform interactions such as items added to the cart, platform performance analytics, and crash reporting.

You can find more information on these technologies (including on retention periods and the applicable legal basis) in our Cookies, SDK’s and Web-Tracking Policy and in our consent management banner. The consent management banner appears the first time You log in to Your account but You can always access it and adjust Your settings via the “Terms & conditions, policys etc.” tab in the app.

3.2.2. Personalized content and suggestions

When You browse the Platform, We show you a variety of restaurants and stores (“Vendors”) and products. We may customize the content on the Platform so that You are shown Vendors who are close to You or that You have ordered from in the past, or products We believe may be of interest to You. To make this feature available, We need Your Account data, Location data, Order and delivery data, and Device data.

This process may involve customer segmentation based on the data We collect from You. Additionally, We can make predictions about Our customers’ demographics (e.g., age or gender) or consumption preferences. As a result, Our suggestions may highlight specific products or cuisines, such as vegan products or Italian restaurants.

Please note that these processes will not have a legal or similarly significant effect on You. The only result of this process is that You will receive suggestions about products or Vendors that match Your food preferences.

Managing personalized content and suggestions form the core of the Platform and it is necessary for Us to be able to offer You relevant products or facilitate a ground for entering into a contract with You. We would however like to highlight that personalized content that is shared in this context is separate from the marketing initiatives carried out on the Platform.

The legal basis for processing Your data for the purpose of suggesting products and Vendors is ‘performance of a contract’ under Art. 6(1)(b) GDPR. Additionally, We rely on ‘legitimate interest’ under Art. 6(1)(f) GDPR for customer segmentation.

The data We process for this purpose will be processed for the same duration as Your other account data.

3.3. When You place an order

3.3.1. Shopping cart and storing added products for later

Once You login to Your profile and select products, they will be saved in Your shopping cart. Even if You close Your browser or app, You can continue Your order later on from where You left off. To make this feature available on the Platform, We process Your Account data, Device information, and Order anddelivery data.

The shopping cart function is essential to the Platform as it enables Us to receive and process Your order. Without it, We would not be able to enter into a contract with You.

The legal basis for this processing is ‘entering into or performance of a contract’ under Art. 6(1)(b) GDPR.

This data is deleted as soon as We no longer need it, such as once You place Your order or shortly after You have removed all products from Your shopping cart.

3.2.2. Order processing

Once You have successfully registered to the Platform, You can place orders. To process Your orders, We need Your Account data as well as Your Order and delivery data including Your address, postcode, city, country of residence, longitude and latitude of Your location, order ID, Your order instructions, product names and quantities. 

This data is necessary for Us to forward Your order and to ensure the successful delivery of Your order. Without this information, We would be unable to take necessary steps to fulfill Our contractual obligations to You.

The legal basis for this processing is ‘performance of a contract’ under Art. 6(1)(b) GDPR.

The data We process for this purpose will be processed for the same duration as Your other account data.

3.3.3. Payment process and receiving a receipt

If You decide to proceed with Your order, We will receive the payment for the products You have selected. 

When You place an order and select a payment provider, Your data will be shared with Your selected payment provider to initiate the payment process. You can find information on the payment providers’ privacy practices in their respective privacy statements.

Following the payment for Your order, You are entitled to receive a receipt. To fulfill this requirement and to facilitate Your payment, We need to process Your Account data, Order and delivery data, and Payment data including payment method data, payment amount, payment recipient details, refund details, and bank receipts. 

The legal basis for this processing is ‘legal obligation’ under Art. 6(1)(c) GDPR.

We store this personal data for seven (7) years after the date of issuance of the receipt.

3.3.4. Saving Your payment methods

In order to make the ordering process even more convenient for You, We offer You the option to save Your preferred payment method. This means that if You choose to save Your payment method, You will not have to re-enter Your payment details the next time You make payments on the Platform. Similarly, our Platform offers a ‘wallet’ feature called foodora wallet that allows you to store credits for future orders. You can read more about foodora wallet in our General Terms and Conditions. You can always change Your preferred payment method.

The data You can save via this feature is Payment data including Your name, bank account details, credit card data, tax ID (personal identity number and coordination number), payment method data, payment amount, payment recipient details, refund details, and bank receipts.

To enable these features, we process your Account data, Order details and Payment data.The legal basis for this processing is ‘consent’ under Art. 6(1)(a) GDPR.

We will keep this personal information for as long as You choose to share it with us.

When you subscribe for Foodora Pro, we will request to store your payment data to enable regular billing in accordance with your subscription. As maintaining a regular payment process for your subscription plan is a fundamental part of this service, the legal basis for this processing is ‘performance of a contract’ under Art. 6(1)(b) GDPR. 

3.4. Delivering Your order

3.4.1. Preparing Your order

After receiving Your order, We share Your Order data with the Vendor (e.g. restaurant or store) preparing Your order. We minimize the data We share so that the Vendor only sees the information necessary to process Your order and, when applicable, to hand it on to a courier. The data We share with the Vendors include Account data such as Your name and telephone number and in some cases Your Delivery data when the Vendor is to carry out the delivery. In addition, Vendors may use the Platform’s chatfeature or, in exceptional cases, call you by phone to contact You in case of any issues, e.g. if the products You ordered are out of stock. 

As the preparation of Your order is a fundamental part of the services provided on the Platform, the legal basis for this processing is ‘performance of a contract’ under Art. 6(1)(b) GDPR. 

3.4.2. Delivering Your order 

Once Your order has been prepared by the Vendor it is, when applicable, handed over to the courier who is responsible for delivering Your order. In order to deliver Your order, and thus fulfill Our contractual obligations to You, We need to process Your personal data and share some of that data with the courier who, when applicable, will deliver Your order. 

This data includes Your Order and delivery data such as Your name, telephone number, and delivery address. In addition, the courier may use the Platform’s chatfeature or call You by phone to contact You if there are any delivery-related issues such as if the courier needs Your assistance during the delivery process. We will always make sure that the courier receives as little information about You as possible.

As the delivery of Your order is a fundamental part of the services provided on the Platform, the legal basis for this processing is ‘performance of a contract’ under Art. 6(1)(b) GDPR. 

In some cases, couriers will be asked to provide proof of delivery. This proof of delivery may include details such as the time and date of delivery, Your name, and in some cases, a signature or photo as evidence. In case of any disputes or issues, having this information helps us investigate and resolve matters efficiently, providing You with a higher level of customer satisfaction.

The legal basis for proof of delivery is ‘legitimate interest’ under Art. 6(1)(f) GDPR. 

The data We process for this purpose will be processed for the same duration as Your other account data.

3.4.3. Customer support

In case You have questions or issues regarding Your order, depending on the nature of Your request, We will need Your Account data, Order and delivery data, Delivery data, Payment data, and the data You share with us when submitting Your request. This information allows Us to understand the specifics of Your order, enabling Us to provide You with relevant and accurate assistance. 

As part of Our customer support service, We may use automation for certain functions. For example, actions such as canceling Your order or changing delivery instructions may be automated. In addition, Our customer support agents may utilize algorithmic decision making processes for the purpose of calculating compensation for any issues You may have experienced, and for issuing a refund or voucher.

We may use artificial intelligence technology such as chatbots powered by large language models as part of Our customer support processes. When We do so, We will ensure that We remain the controller of Your data and that Your data is not shared with third parties to train their AI models.

As resolving Your issues is an essential part of the complete fulfillment of the service We provide to You, the legal basis for processing Your data for this purpose is ‘performance of a contract’ under Art. 6(1)(b) GDPR. 

We will keep the data We process within the customer support feature for the duration of the statutory limitation periods for legal claims in Your jurisdiction (which might range from three up to six years).

3.4.4. Customer reviews

Once Your order has been delivered, You can rate and review the Vendor you have ordered from. In this case, Your first name will be displayed on the Platform next to the content of Your review. For this purpose, Your Account data and the content of Your review will be processed.

The legal basis for this processing is ‘consent’ under Art. 6(1)(a) GDPR. 

We will keep Your reviews for as long as You choose to share it with Us. If You no longer wish Your review to be available, You can delete it at any time.

3.5. When We promote the Platform or Vendors’ services

3.5.1. App notifications and newsletters via e-mail/SMS

We may send notifications in the app or through push notifications, as well as newsletters via email or text messages to inform You about new Vendors, offers and/or promotions on the Platform. We use a range of criteria to ensure that the content is interesting to You. 

To make this possible, We use Your Account data, Location data, as well as Order and delivery data. This information enables Us to promote products and services that are available on the Platform.

You are always free to opt-out from this kind of communications. In case You opt-out from it, We will unsubscribe Your from receiving customized communications. In order to ensure that You do not receive any further communications of this kind, We will move Your contact details to a separate list of customers who prefer not to receive direct marketing communications.

The legal basis for processing of Your data for the purpose of sending in-app notifications and newsletters via e-mail/SMS is ‘legitimate interest’ under Art. 6(1)(f) GDPR in conjunction with the exception under EU ePrivacy laws for promoting similar goods and services to the ones You have already ordered from the Platform.

The data We process for this purpose will be processed for the duration of You having an account on the Platform. The information of Your opting in to or opting out of receiving such communications will be stored by Us for the duration of the statutory limitation periods for legal claims in Your jurisdiction (which might range from three up to six years).

3.5.2. Incentives

We use a variety of incentives to make the Platform more attractive to You and to ensure that You enjoy all the advantages that the Platform has to offer. These incentives include customer referral program (i.e. “Refer a Friend”), vouchers, customer competitions, and Our bonus program. 

When You use vouchers on the Platform, We may process Your Account data, and the associated discount or promotion. We process this data to apply the voucher to Your order, and ensure the proper functioning of this feature.

Our “Refer a Friend” program allows You to invite Your friends to the Platform and earn rewards. As part of this program, We may process Your Account data, the associated discount or promotion, and a record of the actual reference taking place.

When You participate in user competitions or Our bonus program, We may process Your Account data and data relevant to the bonus program, including Your status, points and rewards earned. This data is processed to administer these incentives and grant You prizes or vouchers.

The legal basis for this processing is ‘performance of a contract’ under Art. 6(1)(b) GDPR. We use this data for the purpose of providing You with discounts and promotions as part of Our services.

If You participate in incentives (e.g. competitionsbonus programs) offered by third parties, Your data might be passed onto them. In such cases, processing of Your data is based on Your ‘consent’ under Art. 6(1)(a) GDPR.

We store this personal data as long as You remain Our customer and in the ordinary course of things We delete it when You close Your account, or after three (3) years of inactivity, unless statutory legal requirements mandate longer retention.

3.5.3. Online marketing and other marketing

We utilize marketing processes to reach as many potential customers as possible. These processes encompass a range of marketing strategies, including targeted advertisements, both on the Platform, or on online media properties (e.g, websites, social platforms) owned and operated by third-party publishers. We also utilize physical marketing by sending marketing material by post to Our customers.

For this purpose, We process Account data, Location data, Order and delivery data, and Device data such as session information, Your configuration settings, platform interactions such as products added to the shopping cart, and data obtained through web-trackers (e.g. cookies, SDK’s and pixels). 

When We perform targeted advertisements for the Platform, We use customer segmentation based on the data We collect from You. This segmentation may include predictions about Our users’ demographics (e.g., age, gender) or consumption preferences. These insights are typically available on an aggregated level or pseudonymized, which means that we cannot identify you individually. We use these insights when defining our online marketing strategies. To perform different kinds of customer segmentation We sometimes use third party services. 

Your prior explicit ‘consent’ under Art. 6(1)(a) GDPR is requested to show You our online targeted advertisements. If You do not consent to personalized online advertisements, please note that You may still receive ads related to Our service and products. However, these ads will be generic and not result from specific targeting processes. 

The legal basis for Our processing of personal data in connection with postal marketing is ‘legitimate interest’ under Art. 6(1)(f) GDPR. You are always free to opt-out from this kind of communications. In order to ensure that You do not receive any further communications of this kind, We will move Your contact details to a separate list of customers who prefer not to receive postal marketing communications.

We will keep personal data for as long as You choose to share it with Us but in any case We will delete the after deletion of Your account.

3.5.4. Helping business advertising partners promote their goods and services on the Platform

We display various types of advertisements on the Platform. Our objective is to provide You with advertisements that are truly relevant to You and that add value to Your online experience. For this purpose, We process Account data, Location data, Order and delivery data, and Device data.

To ensure the relevance of ads, We may use user segmentation involving automated processing of Your personal data. Additionally, We may make predictions about Your demographics (e.g., age, gender) or Your consumption preferences. These processes will not have a legal or similarly significant effect on You. The only result of this process will be that You will receive advertisements that match Your interests and food preferences. 

Using these insights, the Platform may display both Our own ads and ads from third parties such as Vendors. These ads may take the form of standard display ads, ‘featured’ offers that are ranked higher or special promotions that offer You time-limited deals.

We do not share Your personal data with third parties who promote their products on the Platform. However, in some cases We can share advertising performance insights to these third parties regarding the number of clicks or engagement metrics on the third party’s ads. This aggregated data is anonymized, ensuring that Your personal data remains protected.

We ask for Your “consent” under Art. 6(1)(a) GDPR in order to show You personalized advertisements. Please note that if You do not consent to personalized advertisements, You will still receive ads but they will not be tailored to Your personal interests.

We will keep this personal information for as long as You choose to share it with Us but in any case We will delete the data We process within this purpose after deletion of Your account.

3.5.5. Social media

We maintain profiles on various social media platforms through which We advertise Our products and engage with customers. When You visit Our pages on social media platforms such as Facebook and Instagram, the operators of these platforms process Your personal data, as explained in their own privacy statements. For Facebook and Instagram the data controller is Meta Ireland Ltd. (“Meta”)

Meta provides Us with aggregated statistics and insights about Our social media pages, allowing Us to understand the types of actions users take on these pages. Please be informed, however, that We at no point can attribute any page visit or other interaction to individual social media profiles.

In terms of collecting Your personal data on Our social media pages and analyzing the user interactions in order to engage with You, both We and the respective operators of the social media platforms (such as Meta) act as joint controllers. To formalize this arrangement, We have entered into joint controller agreements with these operators.

For Facebook and Instagram, the following links will show You exactly which data is collected by Meta and how You can exercise Your data subject rights in connection with the user insights:

The legal basis for processing of Your data for the purpose of engaging with users and utilizing user insights is ‘legitimate interest’ under Art. 6(1)(f) GDPR.

3.6. When We ensure the security of the Platform

3.6.1. IT infrastructure, database hosting, and systems security

We use state of the art servers, network equipment and cloud services to deliver the Platform and to ensure high performance and uninterrupted service. All types of personal information You provide and the information We collect about You is stored and protected within the secure environment of the Platform. We also use tools such as two-factor authentication, endpoint security detection, traffic monitoring, backup systems and data loss prevention solutions to keep Your data secure at all times.

The legal basis for processing Your data for the purposes of hosting and ensuring the security of Your personal data is ‘legitimate interest’ under Art. 6(1)(f) GDPR. 

We delete daily backups after 90 days.

3.6.2. Fraud detection and prevention

One of Our main priorities is to provide You with a secure platform and a safe ordering experience. Part of achieving this goal involves implementing proactive measures to detect and prevent fraudulent activity.

For this purpose, We process Your Account data, Payment data, Location data, Device data, and Order and delivery data such as invoices, order ID’s, successful orders and canceled orders. 

To achieve effective fraud detection and prevention, We use this data to apply state of the art fraud detection and prevention measures, which may include algorithmic decision making and machine learning processes. These measures include fraud scoring and flagging, transaction analysis, user behavior modeling, and, in confirmed cases, automated account suspension and blocking. Our fraud assessments will be based on Your previous behavior and sometimes information obtained from third parties as well (e.g. when You use a credit card which has been reported as stolen by its owner).

If any such decision results in a negative, legally binding outcome for You or similarly significantly affects You, or if You believe there has been an error, You can contact Our customer support team. In this case, We will individually assess the circumstances of Your case. 

The legal basis for processing Your data for the purposes of fraud detection and prevention is ‘legitimate interest’ under Art. 6(1)(f) GDPR.

We will keep the data We process for fraud detection and prevention purposes for the duration of Your account and, after closure, for as long as it is required to clarify if Your account is linked to any other fraudulent activity on the Platform. This time period will vary depending on the activity on Your account. If You are a trusted customer, We will delete Your data, as it is no longer required.

3.7. When We improve Our services

3.7.1. User surveys and interviews

We are always aiming to improve Our services, and Your feedback is an important and valuable part of that process. As such, We sometimes include surveys in Our newsletters, asking for Your feedback or inviting You to a user experience interview. 

For the purposes of user surveys and interviews We process Your Account data, Order and delivery data, Device data, and the content of Your feedback. We also record Your usage behavior as part of the user interviews. 

Participation in the surveys and interviews require Your ‘consent’ under Art. 6(1)(a) GDPR. After You provide Your consent to participate in Our user surveys, We will contact You through Your preferred communication channels, which may include e-mail, SMS, or social communication platforms such as Whatsapp.

If You have already given Your consent and would like to revoke it for the future, please let Us know by contacting Us. In this case We will exclude You from participating in interviews and ensure that You don’t receive any further invitations.

We will keep the data We process within user surveys and interviews for as long as You grant Us consent to do so. At the latest, when You delete Your account, We will consider Your declaration of consent as having been withdrawn.

3.7.2. Data analytics

We perform data analytics to improve the Platform in terms of user experience, product development, pricing, promotions, and customer engagement. For instance, to analyze and optimize the Platform’s user experience of the Platform, We may show Our customers different versions of the Platform interface in the context of so-called A/B testing. Analyzing how users interact with different versions enables Us to define which version performs better. Similarly, by analyzing customer responses to different pricing models, We are able to determine the right pricing strategies. 

To achieve this, We process Order and delivery data, and Device data. These insights are typically aggregated or pseudonymized.

The legal basis for processing Your data for this purpose is ‘legitimate interest’ under Art. 6(1)(f) GDPR.

3.7.3. Business intelligence, insights & group-level statistics reporting

We process customer data in an aggregated form to identify market trends, and make informed decisions about our market strategy. This analysis involves processing various types of data, including Account data,Device data, as well as Order and delivery data.

Utilizing this data, We create statistical reports at group level, such as our market statements and trading updates. Creating business insights and statistical reports allows Us to draw meaningful conclusions from a wide range of customer interactions. 

Similarly, as part of our business intelligence, We provide Our Vendors with access to certain general information regarding sales and engagement rates (so-called vendor insights). These insights are generated by aggregated analysis of the Order and delivery data and Device data of Our users. The purpose of this analysis is to provide Vendors with recommendations to improve their services. For instance, vendor insights provide information on potential reasons why users might have chosen a different Vendor. The insights are aggregated and anonymized, which means that Vendors cannot identify users individually.

The legal basis for processing Your data for this purpose is ‘legitimate interest’ under Art. 6(1)(f) GDPR.

3.8. When We are required to comply with laws and regulations

3.8.1. Legal proceedings and authority requests

As with any organization, there are instances when We are required to share personal data with public authorities. Additionally, there might be instances where We have to process Your personal data to initiate or defend legal claims and uphold Our rights and interests. For this purpose, We may disclose and process certain data We hold about You, to the extent strictly necessary to conclude these legal proceedings and investigations. 

The legal basis for processing Your data for complying with public authority requests is ‘legal obligation’ under Art. 6(1)(c) GDPR; and for initiating and defending legal claims is ‘legitimate interest’ under Art. 6(1)(f) GDPR.

We retain this information for as long as necessary to comply with legal obligations related to ongoing proceedings and investigations. After the final closing of the respective legal proceedings We will delete Your data immediately.

3.8.2. Responding to data subject requests

As a “data subject”, data protection laws grant You various legal rights concerning the protection of personal data and We are committed to respecting these rights at all times. When You exercise these rights, We must process Your data to effectively address Your request. For instance, if You choose to exercise Your right to access, We need to gather all of the information We hold about You to meet Our obligation to provide a response. To achieve this, We may process any type of data We hold about You, only to the extent necessary to comply with Our obligations.

The legal basis for processing Your data for complying with data subject requests is ‘legal obligation’ under Art. 6(1)(c) GDPR.

We retain this information for as long as necessary to comply with Our legal obligations. 

3.8.3 Regulatory compliance in the EU

Under various regulatory frameworks in the EU such as financial services regulations, antitrust and competition laws, the Digital Services Act (DSA) or the Platform-to-Business Regulation (P2B), We are required to share certain aggregated data with the parties specified in these laws (for example, the Vendors on the Platform, or the regulating bodies under the DSA). While this data will originate from personally identifiable customer data, We are generally not required to share personal data with third parties under these laws. 

The processing of personal data is based on the legal basis of ‘legal obligation’ under Art. 6(1)(c) GDPR.

  1. WHO WILL RECEIVE YOUR DATA AND UNDER WHAT CIRCUMSTANCES?

You can trust that, within Our company, only those staff members will receive access to Your personal data who need it in order to fulfill their professional duties, such as providing You with a great customer experience, or looking into Your support request. In certain scenarios, We also need to share Your personal data with recipients outside of Our company. Please be assured that Your data is shared with these recipients only to the extent necessary for the specified purposes and only as We are legally permitted to do so. 

In addition to sharing data with the parties already specified above, We will only share Your data as follows:

4.1. Companies within the Delivery Hero group

We are part of an international group of companies with legal entities in many parts of the world, including our group’s headquarters located with our parent company Delivery Hero SE in Berlin, Germany. In order to utilize Our resources efficiently and ensure that Our business processes function properly, We utilize Our group-wide shared technological support services that sometimes necessitate sharing personal data with Our parent company or with the locations of Our global tech hubs. In certain situations, We might also share limited data with other group companies, for example, to assist with payment collection or to implement platform security measures.

Companies within the Delivery Hero group are bound by strict intra-group data transfer agreements ascertaining compliance with data protection requirements whenever sharing personal data with group companies.

4.2. Data processors

We use various third-party service providers to perform Our operations. Many of these providers process Your personal data as so-called “data processors”. This means they are only allowed to process Your personal data according to Our instructions and have no claims whatsoever to process Your personal data for their own, independent purposes. Our processors are strictly monitored and We only engage processors who meet Our high data protection standards. The main data processor for cloud technology on the Platform is our parent company. Our parent company provides Us with a wide range of services of technology, such as cloud hosting, platform security, marketing or customer relationship management tools. 

Our parent company will also use data processors (so-called “sub-processors”), as follows:

Our user platforms and databases run on cloud resources provided by the EU subsidiaries of Google Cloud Platform and Amazon Web Services. We use marketing and communications tools by companies such as SalesForce and Braze. Our finance and accounting platforms are provided by SAP. If You would like to request the full list of recipients of Your personal data, You are free to do so at any point in time, see Our contact details in section 1 above.

4.3. Other third parties and service providers

In addition to data processors, We also work with third parties, to whom We share Your personal data, but who are not bound by Our instructions and instead will process Your data independently. Such third parties may be Our consultants, lawyers or accountants who receive Your data from Us under an agreement and process Your personal data for legal reasons, or to protect Our interests. Certain Vendors may also request to receive Your data when You place an order with them. Under no circumstances will We sell or rent Your personal information to third parties without Your explicit, informed consent.

4.4. Mergers & acquisitions, change of ownership

In the event of a merger with, or acquisition by, another company or group of undertakings, We may need to disclose limited data to that company and their advisors who are under professional obligations to maintain the confidentiality of Your personal data. This may occur in circumstances such as mutual due diligence assessments and regulatory disclosures.

In any event, We will ensure that We only disclose the minimum amount of information necessary to conduct the transaction, while also carefully considering the feasibility of removing or anonymising any data that could identify individuals.

4.5. Prosecuting authorities, courts and other public authorities

From time to time We may be requested to disclose personal data to public authorities. In some circumstances, We may disclose personal data with public bodies in order to bring or defend legal claims, to protect Our rights and interests, or to address security concerns.

Examples of such situations include cooperating in the detection and prevention of crime, responding to legal processes such as court orders or subpoenas, or sharing data with tax authorities for tax-related purposes. The public authorities involved in these scenarios may include law enforcement agencies, courts, tax authorities, or other government bodies.

  1. HOW DO WE TRANSFER YOUR PERSONAL DATA TO OTHER COUNTRIES?

We and the parties We share Your personal data with may transfer personal data to countries other than the country in which You use Our services. Where such transfers take place, We take appropriate measures to ensure that Your data is always afforded an adequate level of protection in the countries to which it is transferred. 

For example, if We transfer Your personal data from a country within the European Economic Area (EEA) to a country outside of the EEA, We take appropriate safeguards to ensure that these transfers provide a level of protection that complies with data protection requirements. If there are specific further requirements of the law of the country in which You use Our services, We will abide by them as Well. Specifically, as far as transfers from the EEA to countries outside the EEA are concerned, We rely on a number of appropriate safeguards:

  • Adequacy decisions by the EU Commission (also including the United States, to the extent recipients have been certified under EU-US Data Privacy Framework, or other applicable mutual agreement between the EU and the US);
  • Standard contractual clauses mutually agreed in Our contract with the data recipient (including any supplementary measures, if required).
  • Further appropriate safeguards in accordance with Art. 46 GDPR (for example binding corporate rules).

If You would like to receive a copy of the appropriate safeguards securing the data transfer, please contact Us.

  1. WHAT ARE YOUR LEGAL RIGHTS?

Under the data protection laws, You are entitled to the following rights:

 

Right to access You have the right to access Your personal data and obtain additional information on how We process it. You may also request a copy of Your personal data.
Right to rectification If you notice that Your personal data is incorrect, You can always request that We correct it.
Right to erasure You have the right to ask Us to delete Your personal data. Please note that even if You exercise this right, We may be required to retain some of Your information if We process it as part of Our legal obligations, or in pursuit of Our own (or a third party’s) legitimate interests such as the assertion of, or defense against legal claims, concluding customer support inquiries, preventing fraud or protecting ourselves or others against abusive behavior.
Right to restriction of processing If You have requested the deletion of Your personal data, but We are legally prevented from immediately deleting it, We will store Your data in Our archives and retain them for the sole purpose of meeting Our legal obligations. However, You will not be able to use Our services during this time, as this would require Us to de-archive Your personal data.
Right to data portability You can ask Us to provide You or another data controller with Your personal data in a machine-readable format. However, please note that this right only applies to data that We process based on Your consent.
Right to object  You have the right, for reasons arising from Your particular situation, to object at any time to any processing of Your personal data, which is processed on the basis of Our legitimate interests. If You object, We will no longer process Your personal data unless We can prove compelling grounds for the processing that outweigh Your interests, rights and freedoms or if the processing serves to assert, exercise, or defend Us against legal claims. 

You also have the right to object at any time, without giving any explanations, to the process of Your personal data for the purposes of direct marketing (including any associated profiling).

Right of complaint You can raise a complaint about Our processing of Your personal data with the Swedish Authority for Privacy Protection (IMY) or other supervisory authority concerned in the country of Your habitual residence or in the country where You think a violation of data protection laws has occurred. In the case of cross-border data processing, You can also lodge a complaint with Our lead supervisory authority in Berlin, Germany.
Right not to be subject to a decision based solely on automated processing You have the right to object to a fully automated decision (i.e. decisions made without any human intervention in the decision-making process) that has legal effects or significantly affects You.

To exercise Your rights, We encourage You to use the functions available in Your account at any time. For example, if You would like to delete Your data, or receive a copy of it, You can directly do so by following the relevant steps in Your profile. These self-service methods are designed to expedite the process of fulfilling Your rights. Alternatively, You can reach out to our customer support team to assist You. 

  1. HOW LONG DO WE KEEP YOUR DATA FOR?

We retain Your personal data for as long as it is necessary to achieve the purposes We have described above. The duration for which We retain Your personal data is determined by factors such as the scope, nature and purposes of the personal data processing, and whether We have legitimate interests or legal obligations that require Us to retain Your personal data.

  1. HOW DO WE USE ALGORITHMIC DECISION MAKING?

Some of Our processes include the use of algorithmic decision making and machine learning. We consistently strive to implement methods that ensure a significant level of human oversight in the decision making process, enabling Us to modify or reverse decisions as needed.

In many cases, the algorithmic decision making processes without human oversight will not have a legal or similarly significant effect on You. Where they do, We will ensure that You have the right not to be subject to the algorithmic decision making processes, unless those processes are authorized by applicable law or are necessary for the entering into or performance of a contract. In these cases, You can always oppose the decision and request for a human evaluation by contacting Us.

For detailed information about the specific instances in which algorithmic decision making processes are used, please visit the sections above that explain how We use Your personal information.

  1. CHANGES TO THIS PRIVACY STATEMENT

We may update this Privacy Statement from time to time to reflect Our new processes, new technologies, and/or new legal obligations. We are committed to keeping You informed of any changes to Our privacy practices, so We encourage You to review this Privacy Statement on a regular basis to stay updated.

Last modified: October 2024