foody
EN

Privacy policy

Last modified: 9 October 2024

This Privacy Statement aims to clarify what personal data we process, why we process it, who receives your data and how you can exercise your legal rights.

In this Privacy Statement, “personal data” means any information which directly identifies you as a person (like the combination of your full name and address), or can be used to identify you as a person (like a user ID connected to your identity). Similarly, “processing” refers to any operation performed on your personal data, for example the collection, storage, use, disclosure, or destruction of your personal data.

Who are we and how can you reach us?

We are Delivery Hero (Cyprus) Ltd. but usually we just use the name Foody and we are located at Esperidon 5, Strovolos, 2001, Nicosia/Cyprus.

With regard to your privacy, it is us who decide how and for what purposes your personal data is processed. In data protection language that makes us a so-called “data controller” (the party responsible for how your personal data is processed).

If you have any questions related to how your personal data is processed, you can contact our data protection team at [email protected].

What categories of personal data do we process?

When you use our platform, we process personal data actively provided by you, collected from your device when you interact with us or obtained from third parties. Broadly speaking we will process the following categories of personal data:

Account data

including your account name, email address, password, telephone number, country, user ID, language and other profile settings

Order and delivery data

including delivery details (e.g., delivery address, date and time of the delivery, type of collection), order IDs, order history, product names and quantities

Location data

including address, postcode, city, country, longitude and latitude

Device information

including device ID, IP address, session information, device configuration settings, operating system, platform interactions such as items added to the cart, and other data obtained through web-trackers (e.g. cookies, SDKs, pixels)

Payment data

including payment method data, payment amount, payment recipient details, refund details, and bank receipts

Customer support data

including content of your customer support requests, response from our customer care teams and images or files attached

You can find all details about how we process your personal data below.

What do we do with your personal data?

A. When you create an account

Account Creation

When creating a user account we need to process your account data such as your name, email address, password, telephone number, country, and language. Once you have created an account, we will assign you a unique user ID. This measure will allow us to recognize you in our system without needing to use all of your account-related information. This ID cannot be used by any outside parties.

The information we request during the account creation process is necessary to take the first step in establishing a customer relationship with you so that we can provide you with our services.

The legal basis for this processing is therefore ‘entering into or performance of a contract’ under Art. 6(1)(b) GDPR.

We store this personal data as long as you remain our customer and in the ordinary course of things we delete it when you delete your account, or after 3 years of inactivity, unless statutory legal requirements mandate longer retention.

Single-Sign-On (“SSO”) Options

We offer you the option to register on our platform by using one of the commonly used social networking systems such as Facebook, Google, or Apple. If you already have an account with any of these services, you can sign up and log in to our platform using your user data from those identity management providers.

When logging in with the SSO option, we may get access to SSO data such as your name, email address, telephone number, country, user ID, and in your date of birth, if you have shared this data with the SSO provider.

This information is necessary for initiating our customer relationship and entering into a contract with you. We never receive or store the password you use for these systems.

Information on third-party SSO providers can be found here:

Facebookhttps://www.facebook.com/privacy/explanation
Googlehttps://support.google.com/accounts/answer/112802
Applehttps://support.apple.com/en-us/HT204053

The legal basis for this processing is “entering into or performance of a contract” under Art. 6(1)(b) GDPR.

We process this personal data as long as you remain our customer, or until you delete your account with the SSO provider.

Managing Your Profile

You can access your profile at any time to make changes, provide additional information about yourself, or view your previous orders. Your data is also processed to administer your profile, which includes tasks such as ensuring the accuracy of your personal details, processing any modifications you make, and managing technical issues you might have.

The information we process about you for this purpose includes account data, order and delivery data, payment data, and device information.

Managing and administering your profile is a fundamental function of our platform. Without this process, we cannot provide our services to you. Therefore, the legal basis for this processing is “performance of a contract” under Art. 6(1)(b) GDPR.

We store this personal data as long as you remain our customer and in the ordinary course of things we delete it when you close your account, or after 3 years of inactivity, unless statutory legal requirements mandate longer retention.

B. When you browse our platform

Cookies and Web Tracking Technologies

We use web tracking technologies (e.g., cookies, SDKs, measuring pixels) when you browse our platform, whether you are a customer or a visitor. These technologies enable us to facilitate the functioning of our platform, improve its performance and security, or understand how our users interact with our platform. In addition, these technologies allow us to deliver customized content or targeted advertising to our users.

Cookies and web tracking technologies may be used to collect data that we classify as device information, including your device ID, IP address, session information, preferences such as language settings, platform interactions such as items added to the cart, platform performance analytics, and crash reporting.

You can find more information on these technologies (including on retention periods and the applicable legal basis) in our Cookies Policy and in our consent management banner.

Personalized Content and Suggestions

When you browse our platform, we show you a variety of vendors and products. We may customize the content on our platform so that you are shown vendors who are close to you, who you have ordered from in the past, or products we believe may be of interest to you. To make this feature available, we need your account data, location data, order and delivery data, and device information.

This process may involve customer segmentation based on the data we collect from you. Additionally, we can make predictions about our customers’ demographics (e.g., age, gender) or consumption preferences. As a result, our suggestions may highlight specific products or cuisines, such as Italian restaurants, or vegan products.

Please note that these processes will not have a legal or similar significant effect on you. The only result of this process will be that you will receive suggestions about products or vendors that match your interests and food preferences.

Our activities within personalized content and suggestions form the core of our platform, without which we could not offer you relevant products and therefore we would be unable to facilitate a ground for entering into a contract with you. We would like to highlight that personalized content that is shared in this context is separate from the marketing initiatives carried out on our platform.

The legal basis for processing your data for the purpose of suggesting products and vendors is ‘performance of a contract’ under Art. 6(1)(b) GDPR. Additionally, we rely on ‘legitimate interest’ under Art. 6(1)(f) GDPR for customer segmentation.

We will process the data for this purpose for the same duration as your other account data.

C. When you place an order

Shopping Cart and Storing the Added Items for Later

Once you login to your profile and select items, they will be saved in your cart. Even if you close your browser or app, you can continue your order from where you left off. To make this feature available on our platform, we process your account data, device information, and order and delivery data.

The shopping cart function is essential to our platform as it enables us to receive and process your order. Without it, we would not be able to enter into a contract with you.

The legal basis for this processing is ‘entering into or performance of a contract’ under Art. 6(1)(b) GDPR.

This data is deleted as soon as we no longer need it, such as once you place your order or soon after you have removed everything from your shopping cart.

Order Processing

Once you have successfully registered to our platform, you can place your order. To process the order you placed on our platform, we need to receive your personal data.

To process your order, we need your account data as well as your order and delivery data including your address, postcode, city, country, longitude and latitude, order ID, your order instructions, product names and quantities.

This information is necessary for us to forward your order for the following steps to ensure the successful delivery of your order. Without this information, we would be unable to take necessary steps to fulfill our contractual obligations to you.

The legal basis for this processing is ‘performance of a contract’ under Art. 6(1)(b) GDPR, and ‘consent’ under Art. 9(2)(a) GDPR for health related data.

We will process the data for this purpose for the same duration as your other account data.

Invoicing

If you decide to proceed with your order, we will need to receive the payment for the items you have selected.

When you place an order and select a payment provider, your information will be shared with your selected payment provider to initiate the payment process. As a customer of these payment providers, you can find information on their privacy practices in their separate privacy statements.

Following the payment for your order, we are legally required to provide you with an invoice for the services provided by Foody. To fulfill this requirement and to facilitate your payment, we need to process your account data, order and delivery data, and payment data including payment method data, payment amount, payment recipient details and refund details.

In all cases, the vendor (e.g. restaurant, shop) that receives your order is responsible for issuing an invoice to you for the products you have ordered. In this case, personal information necessary to meet the invoicing requirements under applicable law is shared with the vendor for the sole purpose of issuing an invoice.

The legal basis for this processing is ‘legal obligation’ under Art. 6(1)(c) GDPR.

We store this personal data for at least 5 years after the invoice date.

Saving your Payment Methods

In order to make the ordering process even more convenient for you, our platform offers you the option to save your preferred payment method. This means that, if you choose to save your payment method, you will not have to re-enter your payment details the next time you need to make payments on our platform.

The information you can save within this feature is payment data including cardholder name, payment method data.

The legal basis for this processing is ‘consent’ under Art. 6(1)(a) GDPR.

We will keep this personal information for as long as you choose to share it with us.

When you subscribe for Foody pro, we will request to store your payment data to enable regular billing in accordance with your subscription. As maintaining a regular payment process for your subscription plan is a fundamental part of this service, the legal basis for this processing is ‘performance of a contract’ under Art. 6(1)(b) GDPR.

D. When we deliver your order

Preparing Your Order

After receiving your order, we share your order data with the vendor (e.g. restaurants, shops) preparing your order. We minimize the information we share with our vendors so that they only see the information necessary to process your order and hand the order over to couriers. The data we share with the vendors include order and delivery related data. In addition, vendors may call you by phone to contact you in exceptional cases such as if the items you ordered are out of stock.

As the preparation of your order is a fundamental part of the services provided on our platform, the legal basis for this processing is ‘performance of a contract’ under Art. 6(1)(b) GDPR.

Delivering Your Order

Once your order has been prepared by the vendor, it is handed over to couriers (also called “riders”) who are responsible for delivering your order. In order to enable the delivery of your order, and thus fulfill our contractual obligations to you, we need to process your personal data and share some of that data with the rider who will deliver your order.

This data includes your delivery related data such as your name, telephone number, and delivery address. In addition, riders may call you by phone to contact you if there are any exceptional delivery-related issues such as if the rider needs assistance during the delivery process. We will always ascertain that the rider receives as little information about you as possible.

As the delivery of your order is a fundamental part of the services provided on our platform, the legal basis for this processing is ‘performance of a contract’ under Art. 6(1)(b) GDPR.

We will process the data for this purpose for the same duration as your other account data.

Customer Care

In case you have questions or issues regarding your order, depending on the nature of your request, we will need your account data, order and delivery data, delivery related data, payment method, and the data you share with us when submitting your request. This information allows us to understand the specifics of your order, enabling us to provide you with relevant and accurate assistance.

As part of our customer care service, we may use automation for certain functions. For example, actions such as canceling your order or changing delivery instructions may be automated. In addition, our support agents may utilize algorithmic decision making processes for the purpose of calculating compensation for any issues you may experience, and for issuing a refund or voucher.

We may use artificial intelligence technology such as chatbots powered by large language models as part of our customer care processes. When we do so, we will ensure that we remain the controller of your data and that your data is not shared with third parties to train their AI models.

As resolving your issues is an essential part of the complete fulfillment of the service we provide to you, the legal basis for processing your data for this purpose is ‘performance of a contract’ under Art. 6(1)(b) GDPR.

We will keep the data we process within the customer care center feature for the duration of the statutory limitation periods for legal claims in your jurisdiction (which might range from 3 up to 6 years).

Call Center

If you contact us by phone, we will process your account data, order and delivery data and/or Customer support data and store the conversation for quality assurance purposes. In individual cases, we also use the recordings for quality improvements in our customer service, i.e. for training purposes (coaching) of our employees. The content of the information we store depends on the information you provide to us as part of our communications. The stored telephone calls are deleted after thirty (30) days at the latest.

The legal basis is ‘consent’ under Art. 6(1)(a) GDPR.

User Reviews

Once your order has been delivered, you can rate and review the vendor you have ordered from. For this purpose, your account data will be processed.

The legal basis for this processing is ‘legitimate interest’ under Art. 6(1)(f) GDPR.

E. When we promote our platform or vendor services

App Notifications and Email Newsletters

We may send you in-app or push notifications, as well as newsletters via email, informing you about new restaurants, offers and promotions on our platform. We use a range of criteria to ensure that the content we provide is similar to the products you have previously ordered. As such, these communications may emphasize specific products or cuisines, such as sushi deals, or vegan products.

To make this possible, we use your account data, location data, as well as order and delivery data. This information enables us to promote products and services available on our platform. You are always free to opt-out from such email communications. To ensure we comply with your choice to opt-out, we will keep your contact details and your choice on a separate list of customers who prefer not to receive direct marketing communications. In this case, we will unsubscribe you from customized communications and you will not receive such communications in the future.

The legal basis for this processing of your data for the purpose of sending app notifications and email newsletters is ‘legitimate interest’ under Art. 6(1)(f) GDPR in conjunction with the exception under EU ePrivacy laws for promoting similar goods and services to the one you have already ordered from our platform.

We will process the data within this purpose for the duration of your account with us. The information if you have opted in to or out of receiving such communications we will store for the duration of the statutory limitation periods for legal claims in your jurisdiction (which might range from 3 up to 6 years).

Incentives

We use a variety of incentives to make our platform more attractive to you and to ensure that you enjoy all the advantages that our platform has to offer. These incentives include vouchers, customer competitions, student discounts and bonus programs.

When you use vouchers on our platform, we may process your account data, and the associated discount or promotion. We process this data to apply the voucher to your order, and ensure the proper functioning of this feature.

When you participate in user competitions or bonus programs on our platform, we may process your account data, data relevant to the program, including your status, points and rewards earned. This data is processed to administer those programs and grant you prizes or discounts.

The legal basis for these processing activities is 'performance of a contract' under Art. 6(1)(b) GDPR. We use this data for the purpose of providing you with discounts and promotions as part of our services.

We store this personal data as long as you remain our customer and in the ordinary course of things we delete it when you close your account, or after 3 years of inactivity, unless statutory legal requirements mandate longer retention.

Online Marketing

We utilize marketing processes to reach as many potential customers as possible. These processes encompass a range of marketing strategies, including targeted advertisements, both on our own platform, or on online media properties (e.g, websites, social platforms) owned and operated by third-party publishers.

For this purpose, we process account data, location data, order and delivery data, and device information such as session information, your configuration settings, platform interactions such as items added to the cart, and data obtained through web-trackers (e.g. cookies, SDKs, pixels).

When we perform targeted advertisements for our platform, we use customer segmentation based on the data we collect from you. This segmentation may include predictions about our users’ demographics (e.g., age, gender) or consumption preferences. These insights are typically aggregated and pseudonymized, which means that we cannot identify you individually. We use these insights when defining our online marketing strategies.

Your prior explicit ‘consent’ under Art. 6(1)(a) GDPR is requested to show you our online targeted advertisements. If you do not consent to personalized online advertisements, please note that you may still receive ads related to our service and products. However, these ads will be generic and not result from specific targeting processes.

We will keep this personal information for as long as you choose to share it with us but in any case we will delete the data we process within this purpose after deletion of your account.

Targeting

In principle, targeting means simply showing online advertisements (e.g. by showing banners on websites, or delivering ads on social media service timelines) tailored to specific target groups. We strive to deliver to you only advertisements that are in fact relevant for your interests and bring added value to your online experience.

In our targeting process, as a first step, we define a target group based on certain criteria such as location, age or meal preferences and, secondly, we commission our service providers to show our advertising to the defined target group, both on our own websites as well as on online properties owned and operated by third-party publishers. To better define the intended target groups, we segment customer types and place different ads on different portals. We will use pseudonymous data for this purpose only. That means we will not be able to identify individual persons within the defined target groups.

The legal basis for these processing activities is 'consent' under Art. 6(1)(a) GDPR, via our cookie banner.

Retargeting

Once you have visited our website and, for example, have already placed a product in your shopping cart for ordering, we store this information in cookies. If you continue to browse other websites, our advertising partners will remind you on our behalf that you have not yet completed your order. We don't want you to miss out on a great customer experience. You can disable retargeting by installing the appropriate add-ons for your browser. In addition, you can and should also regularly delete the cookies that are stored in your browser.

Helping Business Advertising Partners Promote Their Goods and Services on Our Platform

We display various types of advertisements on our platform. Our objective is to provide you with advertisements that are truly relevant to your interests and that add value to your online experience. For this purpose, we process account data, location data, order and delivery data, and device information.

To ensure the relevance of ads, we may use user segmentation involving automated processing of your personal data. Additionally, we may make predictions about your demographics (e.g., age, gender) or your consumption preferences. These processes will not have a legal or similarly significant effect on you. The only result of this process will be that you will receive advertisements that match your interests and food preferences.

Using these insights, our platform may display both our own ads and ads from third parties (such as restaurants and food brands). These ads may take the form of standard display ads, 'featured restaurants' that appear on top of a list, or special promotions that offer you limited time deals.

We do not share your personal data with third parties who promote their products on our platform. However, in some cases, we can share advertising performance insights to these third parties. These insights are typically aggregated and anonymized, ensuring that your personal data remains protected. These insights may relate to the effectiveness of their advertisements, such as the number of clicks or engagement metrics.

We ask your “consent” under Art. 6(1)(a) GDPR in order to show you personalized advertisements. If you do not consent to personalized advertisements, please note that you will still receive ads, however, they will not be tailored to your personal interests.

We will keep this personal information for as long as you choose to share it with us but in any case we will delete the data we process within this purpose after deletion of your account.

Social Media Pages

We maintain profiles on various social media platforms through which we advertise our products and engage with customers. When you visit our pages on social media platforms such as Facebook and Instagram, the operators of these platforms process your personal data, as explained in their own privacy statements. For Facebook and Instagram the data controller is Meta Ireland Ltd. (“Meta”).

Meta provides us with aggregated statistics and insights about our social media pages, allowing us to understand the types of actions users take on their pages. Please be informed, however, that we at no point can attribute any page visit or other interaction to individual social media profiles.

In terms of collecting your personal data on our social media pages and analyzing the user interactions, both we and the respective operators of the social media platforms (such as Meta) act as joint controllers. To formalize this arrangement, we have entered into joint controller agreements with these operators.

For Facebook and Instagram, the following links will show you exactly which data is collected by Meta and how you can exercise your data subject rights in connection with the user insights:

Meta Privacy Policy
Meta Controller Addendum

Besides Meta, we maintain profiles on various other social media platforms through which we advertise our products and engage with customers. Such social media platforms include TikTok, X, Youtube and Linkedin. For Tiktok the data controller is TikTok Technology Limited. For X the data controller is Twitter International Unlimited Company. For Youtube the data controller is Google Ireland Limited, and for Linkedin the data controller is LinkedIn Ireland Unlimited Company a subsidiary of Microsoft.

For TikTok, X, Youtube and Linkedin, the following links will show you exactly which of your data is collected and how you can exercise your data subject rights in connection with the user insights:

TikTok Privacy Policy
X Privacy Policy
Youtube Help Center
Linkedin Privacy Policy

The legal basis for processing of your data for the purpose of engaging with users and utilizing user insights is ‘legitimate interest’ under Art. 6(1)(f) GDPR.

F. When we ensure the security of our platform

IT Infrastructure, Database Hosting, and Systems Security

We use state of the art servers, network equipment and cloud services to deliver our platform, to ensure high performance and uninterrupted service. All types of personal information you provide and the information we collect about you is stored and protected within the secure environment of our platform. We also use tools such as, endpoint security detection, traffic monitoring, backup systems and data loss prevention solutions to keep your data secure at all times.

The legal basis for processing your data for the purposes of hosting and ensuring the security of your personal data is ‘legitimate interest’ under Art. 6(1)(f) GDPR.

Fraud Detection and Prevention

One of our main priorities is to provide you with a secure platform and a safe ordering experience. Part of achieving this goal involves implementing proactive measures to detect and prevent fraudulent activity.

For this purpose, we process your account data, payment data, location data, device information, and order and delivery data such as invoices, order IDs, successful orders and canceled orders.

To achieve effective fraud detection and prevention, we use this data to apply state-of-the-art fraud detection and prevention measures, which may include algorithmic decision making and machine learning processes. These measures include fraud scoring and flagging, transaction analysis, user behavior modeling, and, in confirmed cases, account suspension and blocking. Our fraud assessments will be based on your previous behavior and also sometimes information obtained from third parties (e.g. when you use a credit card which has been reported as stolen by its owner).

If any such decision (i) results in a negative, legally binding outcome for you, (ii) similarly significantly affects, or (iii) you believe there has been an error, you can contact our customer care team. In this case, we will individually assess the circumstances of your case.

The legal basis for processing your data for the purposes of fraud detection and prevention is ‘legitimate interest’ under Art. 6(1)(f) GDPR.

We will keep the data we process within fraud detection and prevention purposes for the duration of your account and, after closure, for as long as it is required to clarify if your account is linked to any other fraudulent activity on our platform. This time period will vary depending on the activity in your account. If you are a trusted customer, we will delete your data, as it is no longer required.

G. When we improve our services

User Surveys and Interviews

We are always aiming to improve our services, and your valuable feedback is an important part of that process. As such, we sometimes include surveys in our newsletters, asking for your feedback or inviting you to a user experience interview.

For the purposes of user surveys and interviews we process your account data, order and delivery data, device information, and the content of your feedback. We also record your usage behavior as part of the user interviews.

Participation in the surveys and interviews require your ‘consent’ under Art. 6(1)(a) GDPR. After you provide your consent to participate in our user surveys, we will contact you through your preferred communication channels, which may include email, telephone, or social communication platforms.

If you have already given your consent and would like to revoke it for the future, please let us know by contacting us. In this case we will exclude you from participating in interviews and ensure that you don't receive any further invitations.

We will keep the data we process within user surveys and interviews for as long as you grant us consent to do so. At the latest, when you delete your account, we will consider your declaration of consent to have been withdrawn.

Data Analytics

We perform data analytics to improve our platform in terms of user experience, product development, pricing, promotions, and customer engagement. For instance, to analyze and optimize our user experience, we may show our customers different versions of our platform interface in the context of so-called A/B testing. Analyzing how users interact with different versions enables us to define which version performs better. Similarly, by analyzing customer responses to different pricing models, we are able to determine the right pricing strategies.

To achieve this, we process order and delivery data, and device information. These insights are typically aggregated (meaning process fully anonymously, so you can never be identified as a person by anybody) or pseudonymized (meaning it will be very hard to identify you as a person).

The legal basis for processing your data for this purpose is ‘legitimate interest’ under Art. 6(1)(f) GDPR.

Business Intelligence, Insights & Group-level Statistics Reporting

We process customer data in an aggregated form to identify market trends, and make informed decisions about our market strategy. This analysis involves processing various types of data, including account data, device information, as well as order and delivery data.

Utilizing this data, we create statistical reports at group level, such as our market statements and trading updates. Creating business insights and statistical reports allows us to draw meaningful conclusions from a wide range of customer interactions.

Similarly, as part of our business intelligence, we provide our vendors (e.g., restaurants, shops) with access to certain general information regarding sales and engagement rates (so-called vendor insights). These insights are generated by aggregated analysis of the order and delivery data and device information of our users. The purpose of this analysis is to provide vendors with recommendations to improve their services. For instance, vendor insights provide information on potential reasons why users might have chosen a different vendor. The insights are aggregated and anonymized, which means that vendors cannot identify users individually.

The legal basis for processing your data for this purpose is ‘legitimate interest’ under Art. 6(1)(f) GDPR.

H. When we are required to comply with laws and regulations

Legal Proceedings and Authority Requests

As with any organization, there are instances when we are required to share personal data with public authorities. Additionally, there might be instances where we have to process your personal data to initiate or defend legal claims and uphold our rights and interests. For this purpose, we may disclose and process certain data we hold about you, to the extent strictly necessary to conclude these legal proceedings and investigations.

The legal basis for processing your data for complying with public authority requests is ‘legal obligation’ under Art. 6(1)(c) GDPR; and for initiating and defending legal claims is ‘legitimate interest’ under Art. 6(1)(f) GDPR.

We retain this information for as long as necessary to comply with legal obligations related to ongoing proceedings and investigations. After the final closing of the respective legal proceedings we will delete your data immediately.

Responding to Data Subject Requests

Data protection laws grant you various legal rights. We are committed to respecting them at all times. When you exercise these rights, we must process your data to effectively address your request. For instance, if you choose to exercise your right to access, we need to gather all of the information we hold about to meet our obligation to provide a response. To achieve this, we may process any type of data we hold about you, only to the extent necessary to comply with our obligations.

The legal basis for processing your data for complying with data subject requests is ‘legal obligation’ under Art. 6(1)(c) GDPR.

We retain this information for as long as necessary to comply with our legal obligations.

Regulatory Compliance in the EU

Under various regulatory frameworks in the EU such as financial services regulations, antitrust and competition laws, the Digital Services Act (DSA) or the Platform-to-Business Regulation we are required to share certain aggregated data with the parties specified in these laws (for example, the vendors on our platform, or the regulating bodies under the DSA). While this data will originate from personally identifiable customer data, we are generally not required to share personal data with third parties under these laws. The processing of personal data is based on the legal basis of ‘legal obligation’ under Art. 6(1)(c) GDPR.

Who will receive your data and under what circumstances?

You can trust that, within our company, only those staff members will receive access to your personal data who need them in order to fulfill their professional duties, such as providing you with a great online experience, or looking into your support request. In certain scenarios, we also need to share your personal data with recipients outside of our company. Please be assured that your data is shared with these recipients only to the extent necessary for the specified purposes and only as we are legally permitted to do so.

In addition to sharing data with the parties already specified above, we will only share your data as follows:

A. Delivery Hero group companies

We are part of an international group of companies with legal entities in many parts of the world, including our group’s headquarters located with Delivery Hero SE in Berlin, Germany. In order to utilize our resources efficiently and ensure that our business processes function properly, we utilize our group-wide shared technological support services that sometimes necessitate sharing personal data with our parent company, Delivery Hero SE, or with the locations of our global tech hubs. In certain situations, we might also share limited data with other group companies, for example, to assist with payment collection or to implement platform security measures.

Delivery Hero group companies are bound by strict intra-group data transfer agreements ascertaining compliance with data protection requirements whenever sharing personal data with group companies.

B. Data processors

We use various third-party service providers to perform our operations. Many of these providers process your personal data as so-called “data processors”. This means they are only allowed to process your personal data under our instructions and have no claims whatsoever to process your personal data for their own, independent purposes. Our processors are strictly monitored and we only engage processors who meet our high data protection standards. The main data processor for cloud technology on our platform is our group’s headquarters located with Delivery Hero SE in Berlin. Delivery Hero SE provides us with a wide range of services of technology, such as cloud hosting, platform security, marketing or customer relationship management tools.

Delivery Hero SE will also use data processors (as so-called “sub-processors”), as follows:
Our user platforms and databases run on cloud resources provided by the EU subsidiaries of Google Cloud Platform and Amazon Web Services. We use marketing and communications tools by companies such as SalesForce or Braze. Our finance and accounting platforms are provided by SAP. If you would like to request the full list of recipients of your personal data, you are free to do so at any point in time.

C. Other third parties and service providers

In addition to data processors, we also work with third parties, to whom we share your personal data, but who are not bound by our instructions and instead will process your data independently. These may be our consultants, lawyers or accountants who receive your data from us under a contract and process your personal data for legal reasons, or to protect our own interests. Under no circumstances will we sell or rent your personal information to third parties without your explicit, informed consent.

D. Mergers & acquisitions, change of ownership

In the event of a merger with, or acquisition by, another company or group of undertakings, we may need to disclose limited information to that company and their advisors who are under professional obligations to maintain the confidentiality of your personal data. This may occur in circumstances such as mutual due diligence assessments and regulatory disclosures.

In any event, we will ensure that we only disclose the minimum amount of information necessary to conduct the transaction, while also carefully considering the feasibility of removing or anonymising any data that could identify individuals.

E. Prosecuting authorities, courts and other public authorities

From time to time we may be requested to disclose personal data to public authorities. In some circumstances, we may disclose personal data with public bodies in order to bring or defend legal claims, to protect our rights and interests, or to address security concerns.

Examples of such situations include cooperating in the detection and prevention of crime, responding to legal processes such as court orders or subpoenas, or sharing data with tax authorities for tax-related purposes. The public authorities involved in these scenarios may include law enforcement agencies, courts, tax authorities, or other government bodies.

How do we transfer your personal data to other countries?

We and the parties we share your personal data with may transfer personal data to countries other than the country in which you use our services. Where such transfers take place, we take appropriate measures to ensure that your data is always afforded an adequate level of protection in the countries to which it is transferred.

For example, if we transfer your personal data from a country within the European Economic Area (EEA) to a country outside of the EEA, we take appropriate safeguards to ensure that these transfers provide a level of protection that complies with data protection requirements. If there are specific further requirements of the law of the country in which you use our services, we will abide by them as well. Specifically, as far as transfers from the EEA to countries outside the EEA are concerned, we rely on a number of appropriate safeguards:

  • Adequacy decisions by the EU Commission (also including the United States, to the extent recipients have certified under EU-US Privacy Framework, or other applicable mutual agreement between the EU and the US);
  • Standard contractual clauses mutually agreed in our contract with the data recipient (including any supplementary measures, if required).
  • Further appropriate safeguards in accordance with Art. 46 GDPR (for example binding corporate rules).

If you would like to receive a copy of the appropriate safeguards securing the data transfer, please contact us.

What are your legal rights?

Under the data protection laws, you are entitled to the following rights:

Right to access

You have the right to access your personal data and obtain additional information on how we process it. You may also request a copy of your personal data.

Right to rectification

If you notice that your personal data is incorrect, you can always request that we correct it.

Right to erasure

You have the right to ask us to delete your personal data. Please note that even if you exercise this right, we may be required to retain some of your information if we process it as part of our legal obligations, or in pursuit of our own (or a third party’s legitimate interests) such as the assertion of, or defense against legal claims, concluding customer care inquiries, preventing fraud or protecting ourselves or others against abusive behavior.

Right to restriction of processing

If you have requested the deletion of your personal data, but we are legally prevented from immediately deleting it, we will store your data in our archives and retain them for the sole purpose of meeting our legal obligations. However, you will not be able to use our services during this time, as this would require us to de-archive your personal data.

Right to data portability

You can ask us to provide you or another data controller with your personal data in a machine-readable format. However, please note that this right only applies to data that we process based on your consent.

Right to object

You have the right, for reasons arising from your particular situation, to object at any time to any processing of your personal data, which is processed on the basis of our legitimate interests. If you object, we will no longer process your personal data unless we can prove compelling grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise, or defend against legal claims.

You also have the right to object at any time, without giving any explanations, to the process of your personal data for the purposes of direct marketing (including any associated profiling). You can do so, through your Foody account settings.

Right of complaint

You can raise a complaint about our processing with the data protection authority in the country of your habitual residence, place of work, or the place where you think a violation of data protection laws has occurred. In the case of cross-border data processing, you can also lodge a complaint with our lead supervisory authority in Berlin, Germany.
The Supervisory Authority responsible for Cyprus is:
Office of the Commissioner for Personal Data Protection
E-mail: [email protected]

Right not to be subject to a decision based solely on automated processing

You have the right to object to a fully automated decision (i.e. without any human intervention in the decision-making process) that has legal effects or significantly affects you.

To exercise your rights, we encourage you to use the functions available in your account at any time. For example, if you would like to delete your data you can directly do so by following the relevant steps in your profile. These self-service methods are designed to expedite the process of fulfilling your rights. Alternatively, you can also reach out to us by email at [email protected] to further assist you.

How long do we keep your data?

We retain your personal data for as long as it is necessary to achieve the purposes we described above. The duration for which we retain your personal data is determined by factors such as the scope, nature and purposes of the personal data processing, and whether we have legitimate interests or legal obligations that require us to retain your personal data.

How do we use algorithmic decision making?

Some of our processes include the use of algorithmic decision making and machine learning. We consistently strive to implement methods that ensure a significant level of human oversight in the decision making process, enabling us to modify or reverse decisions as needed.

In many cases, the algorithmic decision making processes without human oversight will not have legal or similar significant effects on you. Where they do, we will ensure that you have the right not to be subject to the algorithmic decision making processes, unless those processes are authorized by applicable law or are necessary for the entering into or performance of a contract. In these cases, you can always oppose the decision and request for a human evaluation by contacting us.

For detailed information about the specific instances in which algorithmic decision making processes are used, please visit the sections above that explain how we use your personal information.

Changes to this Privacy Statement

We may update this Privacy Statement from time to time to reflect our new processes, new technologies, and legal obligations. We are committed to keeping you informed of any changes to our privacy practices, so we encourage you to review this privacy statement to keep updated.