Privacy policy

The controller in the sense of the General Data Protection Regulation (GDPR) is:

Marner Softwareentwicklung UG (haftungsbeschränkt)
Hundestraße 63
23552 Lübeck
Germany
Email: info@gastrotodo.de

You can reach our data protection officer at:

Maximilian Marner
Hundestraße 63
23552 Lübeck
Germany
Email: max@gastrotodo.de

The following information explains how personal data is processed when you use our website. Personal data is any data that can be used to identify you personally.

As a data subject you have the following rights:

• Right of access to your personal data (Art. 15 GDPR)
• Right to rectification of inaccurate or incomplete data (Art. 16 GDPR)
• Right to erasure of your personal data (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to object to processing (Art. 21 GDPR)
• Right to data portability (Art. 20 GDPR)

If you have given us consent, you may withdraw it at any time with effect for the future. The withdrawal or objection can be addressed informally to the data protection officer named above.

You also have the right to lodge a complaint with a competent data protection supervisory authority about the processing of your personal data. An overview of the German supervisory authorities is available at bfdi.bund.de/Anschriften_Links.

Our website is hosted by:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

When you visit our website, the hosting provider automatically processes so-called log files. These contain in particular:

• IP address
• Date and time of the request
• The page or file requested
• HTTP status code
• Amount of data transferred
• Referrer URL
• Information about the browser and operating system

The processing of this data is necessary in order to provide the website technically and to ensure its stability and security. The legal basis is Art. 6(1)(f) GDPR (legitimate interest).

Hetzner Online GmbH acts as a processor under Art. 28 GDPR. A corresponding data processing agreement has been concluded. The log data is only stored for as long as is necessary to ensure security and stability.

You can find more information about data processing by Hetzner at hetzner.com/legal/privacy-policy.

If you contact us by email, the personal data you transmit (e.g. name, email address, phone number) will be processed for the purpose of handling your request. The data will be deleted as soon as it is no longer required for processing, unless statutory retention periods apply.

When you use our contact form, we process the following personal data:

Mandatory information

• Name
• Email address
• Subject
• Message

Additionally processed data

• Company (optional)
• Time of submission
• IP address

The processing serves exclusively to handle your request. Legal basis for general inquiries: Art. 6(1)(f) GDPR. Legal basis for product- or service-related inquiries: Art. 6(1)(b) GDPR. Your data is deleted once the request has been handled, unless statutory retention periods apply.

Our website uses cookies. Cookies are small text files stored on your device that do not contain malware. We distinguish the following cookie types:

• Technically necessary cookies required for the operation of the website
• Optional cookies, in particular for statistics and analysis

Optional cookies are only set after your express consent. You can withdraw or adjust your consent at any time via the cookie settings. You'll find more information on the cookies used, their purpose and storage duration in the cookie settings on our website.

Our website uses Google Analytics, a web analytics service provided by Google LLC, USA. Google Analytics is only activated after your explicit consent via the cookie banner. The legal basis is Art. 6(1)(a) GDPR.

We have enabled IP anonymisation. Your IP address is therefore truncated within the European Union or the European Economic Area before being transmitted to the USA. Google processes the collected data on our behalf in order to evaluate the use of our website and to compile reports on website activity.

Further information is available at google.com/analytics/terms and policies.google.com/privacy.

Our website uses Microsoft Clarity, an analytics service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. We use Clarity to understand how visitors interact with the site — in particular through aggregated click and scroll data ("heatmaps") and anonymised session replays. This helps us see which content is clear and where visitors get stuck, so we can improve the site.

Clarity is only activated after your explicit consent via the cookie banner (category "statistics/measurement"). The legal basis is Art. 6(1)(a) GDPR. Until you grant consent, no Clarity script is loaded and no data is transmitted to Microsoft.

The following data may be processed:

• IP address (anonymised by Microsoft)
• Browser, device and operating system information
• Referrer URL and pages visited on our website
• Mouse movements, clicks and scroll behaviour
• Timestamps of interactions

Microsoft Clarity masks input fields and sensitive on-screen content by default, so text you type (e.g. names or email addresses) is not visible in session recordings. There is no cross-site tracking and the data is not sold to third parties for advertising purposes.

Microsoft processes the data on our behalf under a data processing agreement pursuant to Art. 28 GDPR. For transfers to the USA, Microsoft uses EU standard contractual clauses (SCCs) together with supplementary technical and organisational measures.

You can withdraw your consent at any time, with effect for the future, through the cookie settings on our website.

Further information is available at clarity.microsoft.com and in the Microsoft privacy statement.

We use the following payment service provider for processing payments:

Stripe
Legal Process, 510 Townsend St.
San Francisco, CA 94103
USA

As part of payment processing, the following data is transmitted to Stripe — to the extent necessary:

• Cardholder name
• Email address
• Customer and order number
• Bank or credit card details
• Transaction date and amount

The legal basis is Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in secure payment processing). Stripe acts either as controller or as processor depending on the processing operation. For international data transfers, Stripe uses EU standard contractual clauses (SCCs).

You can find more information at stripe.com/privacy-center/legal.

Team leads can optionally enable our AI assistant ("Radish") for their team in the app settings. The assistant is only switched on after explicit consent by the team lead; the feature can be revoked at any time from the same place.

When the assistant is active and a team member talks to it, the following data is sent to our processor OpenAI, L.L.C., 1455 3rd Street, San Francisco, CA 94158, USA in order to answer the request:

• The question or message that the team member sends to Radish.
• Excerpts from the team's knowledge sources that are relevant to the answer: documents and knowledge articles, task titles and task descriptions, training content, and product/equipment manuals.
• The language and team configuration related to tasks (shifts, departments) so Radish can give matching suggestions.

The following are explicitly not transmitted: real names of individual employees, their calendar entries, personal shift schedules, or individual completions.

Processing takes place under a data processing agreement pursuant to Art. 28 GDPR. Legal basis is Art. 6(1)(a) GDPR (consent of the team lead) and Art. 6(1)(b) GDPR (performance of the contract with the team). OpenAI processes the transmitted content exclusively to answer the request and does not use it to train its models ("API data usage" policy). For international data transfers, OpenAI uses EU standard contractual clauses (SCCs).

gastrotodo itself does not permanently store or analyse the chat content; gastrotodo staff also have no access to the conversation histories of teams.

You can find more information at openai.com/policies/privacy-policy and openai.com/enterprise-privacy.