Privacy Policy
Last updated: 2 June 2026
1. Controller
The controller responsible for processing personal data under the GDPR is:
Velobites
Sole proprietorship (Einzelunternehmen)
Proprietor: Justin Milaszewski
Krümmeweg 46
38518 Gifhorn
Germany
Email: [email protected]
2. Data protection officer
No data protection officer has currently been appointed. Based on our current assessment, there is no statutory obligation to appoint one. If you have any questions about data protection, you can contact us at any time at [email protected].
3. General information on processing
We process personal data only to the extent necessary to provide a functional website, our platform or app, and the content and services you request. Processing is carried out in accordance with applicable data protection law.
For reach and performance measurement we use cookieless Vercel Web Analytics and Speed Insights (details in section 10). We do not integrate optional analytics, reach measurement, or marketing tools from third parties in the browser (e.g. Google Analytics, PostHog or Meta Pixel). Accordingly, we do not use a cookie consent banner for optional analytics or marketing cookies, because we do not set such cookies. Storage on your device (cookies, localStorage, sessionStorage, IndexedDB) occurs only where technically necessary for operation or where you actively use a feature (e.g. saved preferences for future push notifications, where offered).
4. Purposes and legal bases
We process data, among other things, to operate the platform, to conclude and perform contracts, to communicate with users, for marketing (where you have consented or where otherwise permitted by law, e.g. future push notifications where offered), and to maintain IT security and stable operation.
Legal bases may include in particular:
- Art. 6(1)(a) GDPR (consent)
- Art. 6(1)(b) GDPR (performance of a contract or pre-contractual steps)
- Art. 6(1)(c) GDPR (legal obligation)
- Art. 6(1)(f) GDPR (legitimate interests, e.g. security and abuse prevention)
For pilot and partner requests (restaurant onboarding), we use OpenPLZ (openplzapi.org) to validate address data (postal code, locality, street). Requests are routed via our servers, not directly from your browser. Search parameters and technical connection data (e.g. IP address on the server side) may be processed. The legal basis is usually Art. 6(1)(b) GDPR (pre-contractual steps). This does not apply to the end-customer checkout flow; address search there is described in section 14 (Photon/Komoot).
5. Use of the platform and orders
When you use the platform or place orders, we may process data such as your name, email address, delivery or billing address, payment data (as required), and order history. The purpose is to perform our contract with you, process payments, and provide customer support.
Data relating to a specific restaurant order (e.g. contact, delivery and line-item data) is shared with the respective restaurant partner where necessary to fulfil the order. The restaurant partner is an independent controller for its own processing; you should obtain information directly from the restaurant where needed (e.g. via its imprint or on request). For end customers, the platform often provides a combined imprint for restaurant and platform at the /impressum route when a restaurant is selected.
In the menu you may optionally set allergen filters (standardised EU allergen codes, e.g. to hide certain dishes). This is a display preference for ordering — not health diagnostics. The legal basis is usually Art. 6(1)(b) and/or (f) GDPR. See section 13 for technical details.
You may optionally add order notes in checkout (e.g. delivery instructions). Please do not include unnecessary sensitive health information; allergen labelling on the menu and the restaurant partner's responsibilities apply for allergies and intolerances.
6. User account and guest access
If you create a permanent account, we process the data required for registration and account management (e.g. login credentials, profile and settings) to provide your user profile and personalized features.
Restaurant favourites: Without an account, favourites are stored only in the current browser tab (see section 13). With a permanent account, we store favourites in our database (Supabase, table restaurant_favorites) linked to your account — until you remove the favourite or delete your account. The legal basis is usually Art. 6(1)(b) GDPR.
Some orders are possible as a guest without full registration; this may create technically bound session data and the contact and order information required for that transaction (e.g. a guest session tied to your browser or device). We retain such data only as long as needed for order processing, evidence/tax requirements, fraud prevention and operation of the platform; upgrading a guest session to a permanent profile happens only when you actively choose the offered option.
7. Authentication (Supabase, OAuth)
We use Supabase for authentication. You may also sign in via OAuth providers (e.g. Google and Apple), who may transfer information needed to complete sign-in. The legal basis is typically Art. 6(1)(b) GDPR. For more information, see Supabase's privacy policy: supabase.com/privacy.
8. Payment processing (Stripe)
Payments are processed by Stripe. Card data and payment information required to complete transactions are processed by Stripe as an independent controller — not on behalf of Velobites or the restaurant partner. Velobites and the restaurant partner do not receive full card data in this context.
Velobites and the restaurant partner each process order and settlement data for their own purposes in connection with payments (e.g. amount, status, transaction IDs). For details, see Stripe's privacy policy: stripe.com/privacy.
9. Hosting and infrastructure
Our website and parts of our infrastructure are hosted on Vercel. Database and backend services may be provided via Supabase and Render. For abuse prevention and rate limiting (e.g. pilot requests and security reports), we use Upstash Redis as managed storage; this may involve short-lived counters and a client identifier (e.g. IP address). Personal data may be processed on the providers' systems. Privacy information for Vercel, Supabase, Render, and Upstash: vercel.com/legal/privacy-policy, supabase.com/privacy, render.com/privacy, upstash.com/trust/privacy.pdf. Vercel also provides cookieless Web Analytics and Speed Insights; details in the following section.
10. Audience measurement and performance (Vercel)
To evaluate use of our website and improve loading performance, we use cookieless Web Analytics and Speed Insights from our hosting provider Vercel (Vercel Inc., USA).
Web Analytics collects aggregated usage statistics such as pages viewed, referrer, approximate country of origin and device type. No analytics cookies are set; there is no cross-site tracking and no advertising or marketing profiles are created.
Speed Insights measures Core Web Vitals and load times for technical optimisation of the platform, also without marketing profiling.
The legal basis is Art. 6(1)(f) GDPR (legitimate interests in operating, stabilising and improving the platform). You may object under Art. 21 GDPR on grounds relating to your particular situation (contact: [email protected]). Processing in third countries (in particular the United States) may occur; see section 17.
We do not use optional third-party analytics or marketing trackers in the browser (e.g. Google Analytics, PostHog or Meta Pixel). Server-side evaluations (e.g. menu search telemetry or upsell signals on our servers) are separate and described in the relevant sections.
Further information: vercel.com/legal/privacy-policy.
11. Email communication (Google Workspace)
We send transactional emails (e.g. order confirmations, invitations, reservation notices) via Google Workspace. Depending on the contractual and service configuration, Google Ireland Limited and/or Google LLC may be involved. Technically, delivery uses SMTP. This involves processing your email address, message content, and sending metadata. We send marketing emails only if you have consented; a stored newsletter preference is used only once sending begins. Processing may occur in third countries (in particular the United States); see section 17. Further information: policies.google.com/privacy.
12. Push notifications
Where push notifications are offered, a device token may be processed after your consent to deliver notifications. The legal basis is your consent under Art. 6(1)(a) GDPR where consent is required. Until full rollout, the interface may only store preferences, without notifications being sent yet.
13. Technically necessary browser storage
We use cookies and similar technologies only where technically necessary to operate the platform — without optional tracking or marketing cookies. A separate cookie consent banner for optional analytics or marketing cookies is therefore not required, because we do not set such cookies; cookieless reach and performance measurement via Vercel (section 10) does not require such a banner. The legal basis for this storage is usually Section 25(2) no. 2 TDDDG (strictly necessary) as well as Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(f) GDPR (legitimate interest in stable operation). This includes in particular:
- Session cookies (Supabase Auth, e.g. sb-*-auth-token) for login, guest sessions, and security — duration per Supabase session or until logout
- sessionStorage for table sessions, checkout progress, short-lived navigation state during an order, and session-based settings (e.g. search radius, guest favourites in the current browser tab without an account, optional allergen filters under lcAllergenExclude) — usually until the tab is closed; filter choices may be sent to our backend to adjust the menu and suggestions
- localStorage for cart backups before redirecting to the payment provider and, after you enter an address, saved delivery/location addresses — until you delete them or the purpose expires
- IndexedDB for an offline queue of pending orders when connectivity fails — until successful submission
Optional third-party services (e.g. Mapbox or geocoding) are loaded only when you actively use the respective feature; see section 14.
14. Maps and location
Where we offer interactive maps (e.g. via Mapbox), map data is loaded only after you actively show the map. Address search may use a geocoding service (e.g. Photon / Komoot) once you start a search. Your IP address and search term may be transmitted to the respective provider.
15. Operational data, log files and security
To operate and secure the platform, we process operationally necessary data — for example when using the table menu (session and activity events for order processing and abuse prevention) on our servers. This processing is first-party and not via external tracking SDKs.
When you use our systems, technical information such as IP address, browser type, and access time may be processed in log files. To detect security violations, we may receive Content Security Policy (CSP) violation reports to our infrastructure. To limit abuse (e.g. CSP reports and pilot requests), we may use Upstash Redis and process a client identifier (e.g. IP address) in short-lived counter data. Purposes include security (e.g. abuse detection), stable operation, and error analysis. The legal basis may be Art. 6(1)(f) GDPR.
When you use the menu search, we may store the search term in normalised form and technical metadata (e.g. result count, restaurant reference, food/drinks scope) on our servers. The purpose is menu improvement and analytics for the restaurant partner. Please do not enter unnecessary personal data in search. The legal basis is usually Art. 6(1)(f) GDPR.
To protect the public contact form and the pilot request (restaurant partner onboarding) from automated abuse, we use Cloudflare Turnstile (bot detection). In particular, technical data (e.g. IP address, browser characteristics) may be transmitted to Cloudflare, Inc. when you use the contact form or submit a pilot request. The legal basis is Art. 6(1)(f) GDPR (legitimate interests in providing a secure communication channel and preventing abuse). See Cloudflare's own information for further details.
16. Disclosure of data
We generally share data only with processors we select carefully and bind by contract, and where we are legally required to disclose data or disclosure is necessary to assert legal claims.
Restaurant partners process the data they need to fulfil your order as an independent controller in their own responsibility; a restaurant is not our processor merely because you placed the order through our platform. Where we act exclusively as a processor for a partner in a specific case (e.g. limited technical processes), we regulate this contractually pursuant to Art. 28 GDPR.
For administration features used by restaurants (e.g. AI-assisted menu editing in the partner dashboard), menu content may be transmitted to our AI service provider OpenRouter (OpenRouter, Inc., USA), which forwards requests to connected AI model providers. This generally does not include guest order or account data; the restaurant partner is responsible for content entered there. Details for partners are in the partner terms.
17. Transfers to third countries
If data is transferred to countries outside the EU/EEA (e.g. the United States), we ensure an adequate level of data protection as required, for example through EU Commission adequacy decisions or appropriate safeguards (such as EU Standard Contractual Clauses) pursuant to Art. 44 et seq. GDPR.
18. Storage duration
We retain personal data only as long as necessary for the respective purposes or as required by statutory retention periods. After that, data is deleted or anonymized. In particular:
- Order and payment data: for contract performance and customer support; thereafter under statutory retention obligations (e.g. tax and commercial law for up to 10 years where applicable)
- Account data and favourites (with account): until you delete your account, remove a favourite, or we no longer need the data for the purpose
- Guest sessions, sessionStorage and localStorage: usually until the tab is closed, logout, or the purpose expires (see section 13)
- Server log files, table event logs and abuse prevention (e.g. IP-based rate limits): usually up to 30 days, unless longer retention is required to investigate security incidents
- CSP security reports: as long as needed to analyse security violations, usually up to 90 days
- Vercel Web Analytics and Speed Insights: retention as stated by Vercel (see section 10 and provider information); aggregated evaluations without personal reference may be kept longer
- Menu search telemetry: as long as needed for analytics and product improvement, then deletion or aggregation
- Upsell and usage signals: for product improvement and quality assurance; personal session references (e.g. client_session_id) are anonymised after the evaluation period or upon request under statutory obligations
19. Customer reviews and user-generated content
Where the platform offers this, we may process ratings or other user-generated content in connection with completed orders or other interactions (e.g. text, stars, pseudonym or first name, reference to order or time). The purpose is to operate the platform, quality assurance and documentation vis-à-vis the restaurant partner. The legal basis is usually Art. 6(1)(b) GDPR (order/platform use), supplemented by Art. 6(1)(f) GDPR (legitimate interest in review traceability and abuse prevention). Deletion requests for individual ratings are reviewed under statutory obligations and our moderation rules.
20. Loyalty programmes, points and vouchers
If we offer a loyalty, bonus or voucher programme, we process the data required for it (e.g. account identifier, transaction linkage, points balance, activation and expiry dates, and where applicable rewards partners). The legal basis is usually Art. 6(1)(b) GDPR (programme as an agreed ancillary feature), or Art. 6(1)(a) GDPR for purely optional marketing incentives. Disclosure to external rewards or payment service providers occurs only where necessary for delivery of the programme and as explained in the programme information.
21. Ranking, recommendations and personalisation
In particular based on ordering and usage signals, distance, availability, technical performance data and aggregated context information, we may apply ranking and recommendation logic (e.g. ordering of restaurants, suggestions in menu areas, add-on items). Personal profiles support platform personalisation; there is no solely automated decision within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you (in particular no automated acceptance or rejection of consumer-law relevant individual decisions without human reviewability in this sense).
Legal bases are usually Art. 6(1)(b) GDPR and/or (f) GDPR (operationally necessary design, abuse prevention, product improvement). Further transparency is also provided in the end-customer terms of use regarding organic ranking and sponsored listings.
22. Rights of data subjects
Subject to applicable law, you have in particular the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
Where we process personal data on the basis of Art. 6(1)(f) GDPR, you may object to such processing at any time on grounds relating to your particular situation. Send your objection to [email protected]. We will review your objection and cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
23. Withdrawal of consent
Where we rely on your consent, you may withdraw it at any time with effect for the future. This does not affect the lawfulness of processing carried out before withdrawal.
24. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement.
Based on our assessment, the authority likely competent for Velobites is:
Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover
Germany
Phone: +49 511 120-4500
Email: [email protected]
25. Automated decision-making / profiling
We do not use solely automated decision-making within the meaning of Art. 22 GDPR that independently produces legal effects concerning you or similarly significantly affects you, apart from integration of such mechanisms into the technical operation of the platform (e.g. sorting or suggestions). Profiling in a broader sense (e.g. personalised orderings or recommendations) may occur; see section 21 and our terms of use.
26. Changes to this privacy policy
We may update this privacy policy to reflect legal requirements or changes to our services. The version published at the time of your visit applies.