Privacy Statement
Issue date: 24.05.2018
1. General
Thank you for your interest in VAPIANO. In accordance with Article 13 of the EU General Data Protection Regulation (GDPR), we would like to inform you below about how VAPIANO processes your data.
Data Controller
The entity responsible for data processing is VAPIANO SE, Im Zollhafen 2-4, D–50678 Köln (VAPIANO).
Storage Period
Your data will generally only be stored for as long as necessary to fulfil a specific purpose and deleted as soon as this purpose no longer exists. Alternatively, your data shall be deleted at the end of any statutory retention periods.
Transfer of Data to Third Parties
Your data shall be transferred within our corporate group to departments like VAPIANO International Marketing GmbH (VIM), which is responsible for marketing and the PEOPLE programme. In such cases, your data shall either be transferred with your permission in accordance with Article 6.1 a) of the GDPR, on the basis of a legitimate interest in accordance with Article 6.1 f) of the GDPR, or on the basis of Article 28 of the GDPR. In order to run the VAPIANO PEOPLE programme, your data shall be transferred to all participating restaurants and subsidiaries within Germany in accordance with Article 6.1 b) of the GDPR. VAPIANO shall only share your personal data with third parties like tax authorities, banks, courts and law enforcement agencies if we are obliged to do so to fulfil statutory requirements in accordance with Article 6.1 c) of the GDPR, if this is necessary for the performance of an employment relationship in accordance with Section 26 of the German Data Protection Law (BDSG), if you have given us your consent in accordance with Article 6.1 a) of the GDPR, or if VAPIANO has a legitimate interest in doing so.
If our service providers are commissioned to process data, this shall only be transferred to them in accordance with Article 28 of the GDPR, so that we may provide our services.
Visitor details shall not be forwarded to address brokers or other organisations for promotional purposes.
Transfer of Data to Third Countries
We shall transfer some personal data to third countries outside the EU; when doing so, we must ensure an appropriate level of data protection:
We ensure an appropriate level of data protection by observing the EU-US Privacy Shield (Article 45.1 of the GDPR), concluding EU standard contractual clauses and acknowledging the EU resolution for an appropriate level of data protection.
Your Rights
If the relevant requirements are met, you shall be entitled to request information from VAPIANO regarding the personal data we hold on you; you shall also have the right to rectification and erasure, the right to restrict processing, the right to object to the processing of your data and the right to data portability.
Once you have given us your consent, you may revoke this at any time. Your data shall be processed legally until you revoke your consent.
You have the right to lodge a complaint with a supervisory authority.
Provision of Personal Data
You are neither legally nor contractually obliged to provide personal data; however, your personal data may be required in individual cases to conclude a contract, receive a service or participate in schemes like the PEOPLE programme. You are not obliged to provide personal data, but you may not be able to receive certain services if you opt against doing so.
Online Applications
You personally define the scope of data you wish to forward to us during your online application. Online applications are forwarded electronically to our HR department, where they are processed as quickly as possible and exclusively for the selection of candidates in accordance with Section 26 of the BDSG (new). Applications are usually forwarded to the head of the relevant specialist departments within our company. Your details shall not be disclosed in any other way. Your details shall be treated confidentially within our company. If your application is unsuccessful, your documents shall be deleted three months afterwards. In some cases (e.g. settlement of travel expenses), your personal data may be stored for a greater amount of time in accordance with the data retention periods stipulated by German tax laws. The length of the storage period shall be based on statutory retention periods stipulated by such laws as the German Tax Code and the German Commercial Code (6-10 years). If you would like us to consider your application for other job postings in the future, we kindly ask you to note this on your application (consent pursuant to Article 6.1 a) of the GDPR), or we shall ask your permission.
Newsletter
You have the option of subscribing to our free newsletter on our website. Our newsletter informs you about the latest offers, exciting specials and news from the world of VAPIANO and may contain vouchers. If you are not yet a VAPIANO PEOPLE member but have subscribed to the VAPIANO newsletter, we will process your name and email address if you provide us with these details during registration. If you are a VAPIANO PEOPLE member and have subscribed to the newsletter, we will process your name and email address. Once you submit the registration form, you will receive a confirmation email from us. Your subscription will only be activated once you have clicked on the link in the confirmation email. Data shall be processed with your consent in accordance with Article 6.1 a) of the GDPR.
By signing up to our newsletter, you acknowledge that we shall process and analyse the time you open links and which features you view, in order to constantly improve the newsletter and tailor it to your needs.
In addition to the newsletter subscription, we occasionally let you participate in competitions (see “Competitions” below).
You may unsubscribe from the newsletter at any time by using the unsubscribe function in the PEOPLE area, following the unsubscribe link at the bottom of every email, writing to us at people-support@vapiano.de or sending a letter to VAPIANO International Marketing GmbH, Im Zollhafen 2-4, D–50678 Köln. Your data shall be processed legally until you revoke your consent.
CONTACT
You can get in touch with us on our website www.vapiano.de in the “CONTACT” section, via email at info(at)vapiano.eu, by phone on +49 (0) 221 67001-0 or by post at VAPIANO SE, Im Zollhafen 2-4, D–50678 Köln.
Data Security
We take the necessary technical and organisational measures to protect your data against unwanted access as well as possible. We use encryption for this purpose. Your details will be passed between your computer and our server and vice versa via the Internet using TLS encryption. You will notice this by the lock symbol in your browser's status bar (which will show as locked) and the address line (which will start with ).
Competitions
Subscribing to our newsletter will give you the chance to win one of our competitions. We shall only use the information you provide in competitions to determine and contact winners (Article 6.1 b) and f) of the GDPR). Winners shall be notified in writing. We shall not use your data for marketing purposes. We shall immediately delete your data once the competition has ended, once the prize has been awarded, or if you object to the use of your data. If you win a competition, we shall only publish your name with your consent in accordance with Article 6.1 a) of the GDPR.
Contact Information of the Data Protection Officer
datenschutz süd GmbH
Wörthstraße 15
D–97082 Würzburg
office(at)datenschutz-sued.de
Tel.: +49 (0)931 30 49 76 0
Changes to the Privacy Statement
VAPIANO reserves the right to amend its Privacy Statement at regular intervals in accordance with its data processing methods. You will be notified of any change to the VAPIANO PEOPLE Privacy Statement via the website, the app or by email.
2. Website – vapiano.com
We would like to inform you below about how we process data on our website.
Storage of IP Addresses
We shall use the information we receive and save when you visit our websites exclusively for internal purposes and to improve the design of our websites. Where necessary to avert attacks that might negatively affect the functionality of our website (hacker attacks, trojans, denial of service attacks, spam), we shall only have access to your computer's IP address for this purpose as a single instance, and our telecommunications service provider shall save this information for seven days for the security reasons defined in Section 100 Clause 1 of the German Telecommunications Act (TKG). The legal grounds for this is Article 6.1 f) of the GDPR.
Usage Data
When you visit our websites, temporary ‘usage data’ is saved as a log on our web server for statistical purposes to improve the quality of our websites. This data set comprises:
- The web page from which the file was requested;
- The file name;
- The date and time of the request;
- The volume of data transferred;
- The access status (file transferred, file not found);
- The description of the type of web browser used;
- The IP address of the computer requesting the file (so-called “access logs”), which is shortened to such an extent that no link can be made to an individual.
This protocol data is stored in an anonymised format.
When you send us an email, our mail server registers:
- Your IP address, shortened by the last three characters;
- The host name of the mail server and which VAPIANO IP address the email has been sent to;
- The time of the connection, sending and transfer.
When you receive an email from us, the host name and IP address of the sender system are recorded.
When the email is accessed, the accessing IP address is recorded.
We use this information to enable access to our website, for the control and administration of our systems, and to improve the design of our websites. The legal grounds for this is Article 6.1 f) of the GDPR. This data is stored in an anonymised format. This does not allow individual user profiles to be created. Data concerning people or their individual behaviour is not collated.
Contact Form
You have the possibility of contacting us through our online form. For you to use our contact form, we need your first name and surname, email address, your message and the VAPIANO restaurant, or we need to know whether your enquiry is about VAPIANO PEOPLE. You may share further information like your address, postcode and town, but this is not compulsory.
Data shall be processed on the basis of Article 6.1 b) of the GDPR for customer enquiries and any questions concerning the PEOPLE programme. Otherwise, data shall be processed on the basis of Article 6.1 f) of the GDPR. Any information you provide voluntarily shall only be processed with your consent in accordance with Article 6.1 a) of the GDPR. Your data shall only be processed to respond to your query or until you revoke your consent or object to data processing, and it shall then be deleted. Your data shall not be passed on to third parties.
Location Request
The first time you visit our website, you will have the option of telling us your current location. This data shall be processed with your consent in accordance with Article 6.1 a) of the GDPR. You can configure your browser so that a ‘Do Not Track’ request is sent when you access a website from your browser. This means your user activity will not be tracked, but you may be asked to confirm your location for each new browser session. If you agree to this request, we will use your location to show you the nearest VAPIANO restaurant, so that you can save time looking for one. Your IP address will be obtained to identify your location if you have given your consent.
You may revoke your consent at any time. Your data shall be processed legally until you revoke your consent. Your deactivation options depend on your browser. For example, you can switch off your location indicator in your browser via the information icon to the left of the URL address. You can find out how to deactivate this in Firefox here. You also need to switch off the localisation function in your browser settings if you do not want to share your location.
Restaurant Finder
You will find the ‘Restaurant Finder’ under the ‘Restaurants’ tab. If you enter a postcode or city, your nearest Vapiano restaurants will be listed. You can also view their location via the ‘Restaurant Finder’. By using the Restaurant Finder, you consent to data processing in accordance with Article 6.1 a) of the GDPR. When you access Google Maps, permanent cookies will be placed on your computer. You can configure your browser so that it advises you when cookies are used, thus making our use of cookies more transparent. If you access Google Maps, information about your use (in particular your computer’s IP address) will be sent to a Google Inc. server in the USA and saved there. VAPIANO has no control over how this data is further processed by Google Inc. We do not use your details to create a profile of you as a user.
If you do not agree to Google Inc. processing your data, please do not permit access to your location, or deactivate the JavaScript function in your browser. Otherwise, your data shall be processed legally. If you would like to use this service, you can find more information in the Google Maps terms of use, which can be downloaded to the bottom right of the Google Maps display.
Cookies
Cookies are small files that are saved on a user’s hard drive. They allow information to be retained for a certain period of time, and the user’s computer to be identified. However, some cookies just contain information on certain impersonal settings. We use permanent cookies and so-called “session cookies” to improve user guidance and adapt the presentation of our website. Session cookies are automatically deleted when you close your browser. The use of cookies represents a legitimate interest described in Article 6.1 f) of the GDPR. You can configure your browser so that it advises you when cookies are used, thus making our use of cookies more transparent.
Important: If you fully disable the use of cookies, you will not be able to log in as a registered user or register for the first time, i.e. the use of this area will be closed to you. As a result, our websites might not be displayed optimally, and some features might be technically unavailable.
Google Analytics
We create pseudonymous user profiles with Google Analytics to tailor our website’s design according to users’ needs. Google Analytics uses so-called “cookies”, or text files, which are saved on your computer to analyse your use of our website. Information generated by cookies on your use of this website is generally forwarded to a Google server in the USA and saved there. As we have activated IP anonymisation on this website, Google will first shorten your IP address within Member States of the European Union or in other Contracting States to the Agreement on the European Economic Area. Only in exceptional cases will your full IP address be sent to a Google server in the USA and abbreviated there. The appropriate level of data protection required in accordance with Article 45.1 of the GDPR is ensured through Google’s involvement in the EU-US Privacy Shield. Google will use this information to analyse your usage of the website, in order to compile reports regarding website activities and provide us with further services in relation to website and Internet usage. One of the reasons we use Google Analytics is to analyse clicks from Google AdWords for purely statistical purposes. We shall use Google Analytics with your consent in accordance with Article 6.1 a) of the GDPR. You can find more information on Google’s use of data at:
https://support.google.com/analytics/answer/6004245?hl=de and
https://www.google.com/policies/privacy/partners/.
You may revoke your consent to the creation of pseudonymous user profiles at any time. There are various ways of doing this:
1.) Depending on the browser you use, you can install a browser plug-in to prevent tracking. To do this, please click here and install the browser plug-in available to download.
2.) You can also stop the storage of cookies used to build your profile via the right setting in your browser software.
3.) Another way to stop web analysis by Google Analytics is to insert an opt-out cookie which instructs Google not to use your data for the purposes of web analysis. Please note that if you use this solution, web analysis will be halted only for so long as the browser saves the opt-out cookie. If you would like to install the opt-out cookie now, please click here.
Social Buttons
We place various social buttons on our website in the form of a link: In addition to Facebook buttons for Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025, USA and Twitter buttons for Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA, we also maintain Instagram buttons for Instagram, LLC ATTN, 1601 Willow Road, Menlo Park, CA 94025, USA.
When you visit our website, no data is forwarded to these social media services. Third parties are therefore unable to create a profile. However, we do not want to deny these opportunities to users who wish to use social buttons. We therefore offer the chance to use social buttons in various areas of our website. You have the opportunity to use social buttons to access our social media sites, e.g. to share articles with other people. Please note that by clicking on a social button, certain details may be forwarded to social media services, for example:
- The VAPIANO website where you found the social button;
- The date and time you click on a social button;
- Information about the browser and operating system used;
- Your current IP address.
By clicking on a button, you shall allow the social media service to process your data with your consent in accordance with Article 6.1 a) of the GDPR. If you are already logged in to the social media service when you click on a social button, the social media service may also use this data to identify your user name and possibly even your real name. The social media service may also process these details in countries outside the European Union. We have no control over the extent, nature and purpose of such data processing by social media services. Please note that social media services are perfectly capable of using this data to create pseudonymised and even individualised user profiles.
You can find more information about data protection on Facebook at https://www.facebook.com/policy.php, on Twitter at https://twitter.com/privacy?lang=de and on Instagram at https://help.instagram.com/155833707900388.
Google Retargeting
We use Google’s cross-device remarketing technology, so that you can receive targeted ads on other Internet pages based on your visit to our website. Your data shall be processed with your consent in accordance with Article 6.1 a) of the GDPR.
How does remarketing work?
When you visit our website, Google may request recognition features for your browser or device (e.g. a so-called “browser fingerprint”), analyse your IP address or save a recognition feature on your device in the form of a small text file (e.g. so-called “third-party cookies”). Google may also save your visit to our website and link it to one or more of these recognition features, in order to show you our ads on other websites.
These recognition features are pseudonymised and may be used by Google to recognise your device on other websites. For example, if you visit a site in Google’s Display Ad network (i.e. a website that displays ads on Google’s behalf), Google may recognise your device and browser using these features.
We may also place so-called “remarketing tags” on our website. In other words, we might add keywords to our website that contain statements on its contents (e.g. product and service categories). The keywords we use shall not contain any personal or sensitive information. Google shall receive and save these keywords to the recognition features mentioned above. In other words, if you visit a page containing a keyword on a particular product category, Google will save this keyword and assign it to your recognition features.
This allows us to ask Google to activate relevant ads on other sites according to the pages you have visited on our website. If you visit another website in Google’s Display Ads network, Google may use its recognition features and associated keywords to calculate whether you should receive our ads and, if so, which ones.
You can find more detailed information on the way Google’s remarketing technology works at https://www.google.com/policies/technologies/ads/.
What does “cross-device remarketing” mean?
If you log in to Google services with your own credentials or have one or more personal Google accounts, Google may link the recognition features it holds for various browsers and devices. If Google has generated a separate recognition feature for your laptop, desktop PC, smartphone and/or tablet, these recognition features can be linked to one another as soon as you use a Google service with your log-in details. This allows Google to run our marketing campaigns across multiple devices in a targeted manner. However, this will only be done if you have given your consent for Google to process your data in the past.
You can always change your ad settings and object to this form of advertising by deactivating personalised ads at https://support.google.com/ads/answer/2662922. Please note these settings may not affect all devices and browsers. You can also find more detailed information at https://support.google.com/ads/answer/2662922.
Google Tag Manager
We also use Google Tag Manager on our website to provide personalised online ads based on your interests and location.
When running marketing campaigns for our products, Google Tag Manager allows us to reach out to people who have visited our website by placing targeted ads on the websites of our advertising partners. This form of advertising is anonymised. Advertising is displayed on our partners’ websites via Google Tag Manager, which bases its results on cookie technology (“DoubleClick cookies”) and your previous visit to our website. Your data shall be collected and stored by Google. Our advertising partners shall not receive any information about the data stored on cookies. Cookies store the IP address of your computer and an ID number used by Google to calculate how often you have visited each page. No other personal data shall be stored alongside your IP address. Data stored on cookies shall not be combined with other personal data to create user profiles. This data shall be processed with your consent in accordance with Article 6.1 a) of the GDPR. You can manage your Google ad settings at support.google.com/ads/answer/7395996. Your data shall be processed legally until you revoke your consent.
Encryption
To protect your data against unwanted access, we use encryption on some of our sites. Your details will then be passed between your computer and our server and vice versa via the Internet using 128-Bit TLS encryption (Transport Layer Security). You will notice this by the lock symbol in your browser's status bar (which will show as locked) and the address line (which will start with ). We will not use encryption if you only exchange generally available information with us.
3. VAPIANO PEOPLE Programme
Purpose of Data Processing
VAPIANO shall process the personal data you provide in the registration form:
- To process your registration for the VAPIANO PEOPLE programme and set up a corresponding customer account;
- To facilitate your participation in the VAPIANO PEOPLE programme in all participating restaurants worldwide;
- To give you access to your customer profile and offers available on the www.vapiano-people.com website;
- To send you a birthday email with a birthday gift;
- To send anonymous surveys to enable us to respond better to our customers’ needs;
- To contact you if you have any queries regarding your VAPIANO PEOPLE customer account;
- To inform you via email about changes to this Privacy Statement, changes to our general terms of business, or to your VAPIANO PEOPLE membership due to organisational reasons;
- To identify you at the till in our restaurants;
- To provide you with further information if you have expressly requested this from VAPIANO;
- To provide the VAPIANO app for you to find your nearest VAPIANO restaurant;
- To provide the payment function (not available in all participating countries);
- To send our newsletter to subscribers;
- To send you information about vouchers, upcoming deals and special offers at VAPIANO;
- To tell you about VAPIANO PEOPLE prize draws and winners;
- For other legally permitted purposes.
In order to run the PEOPLE programme, we shall process your name, address, date of birth (to verify you are over 16), email address, VAPIANO PEOPLE membership number and password. This data shall be processed on the basis of Article 6.1 b) of the GDPR; if you give your consent to data processing, it shall be processed on the basis of Article 6.1 a) of the GDPR; and if this data processing represents another legitimate interest, it shall be carried out on the basis of Article 6.1 f) of the GDPR. Your data shall be stored for the duration of your PEOPLE membership.
Identification at the Till
If you use your VAPIANO PEOPLE card or the Vapiano app at one of our restaurants, we shall process your first name at the till to identify you as the card holder or authorised guest.
Collection of Bonus Points and Reward Points
When you collect bonus and reward points, we will process the following information via participating VAPIANO restaurants for internal statistical purposes:
- Date and time of visit;
- Restaurant location;
- Total revenue (items and dishes sold);
- Total number of visits;
- Redeemed bonus points or birthday gifts.
Global Use
If necessary for you to enjoy the benefits of the VAPIANO PEOPLE programme and app in participating restaurants around the world, Vapiano shall transfer your first name, surname, date of birth, number of points, PEOPLE status and email address to participating restaurants and national subsidiaries.
Security of the VAPIANO PEOPLE Card
A pseudonymous participant number will be saved as a QR code to your VAPIANO PEOPLE card. PEOPLE points, status points and any personal data you provide will only be saved on the system to ensure that no personal details are lost or become accessible to third parties if your VAPIANO PEOPLE card ever gets lost.
Consent to Use the PEOPLE Programme
By signing up to the VAPIANO PEOPLE programme, you shall allow Vapiano International Marketing GmbH (VIM) to create a personal user profile with your consent in accordance with Article 6.1 a) of the GDPR.
This means VAPIANO will merge your registration details from when you register in the app or on the VAPIANO PEOPLE website with the usage and transaction data from any visit you make to a VAPIANO restaurant. If you log in at any of the participating Vapiano restaurants using the Vapiano app, Vapiano will gather usage data (e.g. what food and drinks you have ordered, favourites you have saved, how long you spend in the restaurant).
By participating in the PEOPLE programme, you shall be giving us your consent (in accordance with Article 6.1 a) of the GDPR) to process your basic data, any information you provide voluntarily, and any data associated with the use of your personal PEOPLE QR code or the PEOPLE app. We shall process this data to optimise our services for you. If you have given us your consent separately via the cookie banner at https://www.vapiano-lieferservice.de/, we shall also process this data to recommend things like special products. This data shall be collected to award bonus and status points, to create customer satisfaction surveys and improve our service, and to send you advertising tailored to your personal interests based on your previous visits to our restaurants (e.g. information on products and deals at VAPIANO restaurants) via newsletters, push notifications and in-app messages, provided you have separately requested this and given us your consent.
You may revoke your consent with future effect at any time, but this will mean you can no longer access the PEOPLE programme. Your personal data shall be fully anonymised, unless there are statutory retention periods. Your data shall be processed legally until you revoke your consent. You should address any revocation requests to Vapiano International Marketing GmbH, Im Zollhafen 2 - 4, D–50678 Köln, or people-support(at)vapiano.de.
4. VAPIANO App
Vapiano International Marketing GmbH (VIM) has a mobile app. You can use the app to place orders in a restaurant, find information about our products, use the mobile payment function, use the personal QR code in the app to identify yourself as a VAPIANO PEOPLE member at the till in participating Vapiano restaurants, and enjoy all the functions of the VAPIANO PEOPLE programme without having to use your VAPIANO PEOPLE card. This data shall be processed with your consent in accordance with Article 6.1 a) of the GDPR (you can find more information at the bottom of Section 3, “VAPIANO PEOPLE”).
Vapiano Finder
You can use the ‘Vapiano Finder’ in the app to locate your nearest Vapiano restaurant. For this, we need your current location, or you can enter this in the app yourself. In both cases, data shall be processed with your consent in accordance with Article 6.1 a) of the GDPR. If you have activated location services on your mobile phone, VIM will only process your GPS data to locate your nearest Vapiano restaurant. This data will not be used to monitor your movements. You can revoke your consent by deactivating location services. Otherwise, your data shall be processed legally.
Use at Restaurants
We shall store your first name and VAPIANO PEOPLE number and display this data in our checkout system for the duration of your stay at one of our restaurants, so that you still enjoy the benefits of the VAPIANO PEOPLE programme if your smartphone runs into technical issues or has low battery. This means these details will still be accredited to you and your VAPIANO PEOPLE account in unforeseen circumstances. This data processing represents our legitimate interest (pursuant to Article 6.1 of the GDPR) in providing you with an uninterrupted service in such circumstances.
Mobile Payment
Mobile payment is an additional voluntary service. As such, the following descriptions and permissions shall only apply if you wish to use mobile payment.
Mobile payment is a process that allows registered users to make cashless payments with their smartphones in participating restaurants. Users can register at restaurants using a dynamic QR code in the VAPIANO PEOPLE app. When using the payment feature, all transactions must also be authorised via the user’s PIN (which can be freely selected) or fingerprint.
If you use mobile payment within the VAPIANO app, VAPIANO will process the following personal data:
- User name;
- Password;
- Customer number (PEOPLE ID);
- App version and operating system;
- Payment details;
- Name;
- Address;
- Email address.
In order to process payment, the following personal data shall be transferred for processing to our payment service provider, BS Payone GmbH, Lyoner Straße 9, D–60528 Frankfurt am Main (hereinafter referred to as “BS Payone GmbH”):
- Name;
- Credit card information (number, expiry date, security code).
If you would like to process payment via PayPal, the following personal data shall be transferred for processing to PayPal (Europe) S.à r.l. & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as “PayPal”):
- The VAPIANO restaurant you have visited;
- The amount due;
- Reference on your PayPal account.
If you have saved your PayPal account with VAPIANO, we will also have access to the email address on your PayPal account (via PayPal/Braintree).
Following authorisation, BS Payone GmbH or PayPal shall be authorised to charge the user the amount owed for the products and/or services purchased at Vapiano restaurants; this amount shall be payable via the payment method saved in the Vapiano app (credit card or PayPal). Data shall be transferred for payments in accordance with Article 6.1 b) of the GDPR.
More Information
Setting up a payment method
When you set up a payment method (e.g. credit card or PayPal) for use in the Vapiano app, a so-called “alias” (a random and unique sequence of characters) is generated and saved for your payment method. This alias is transferred to BS Payone GmbH, where it is stored alongside your payment details. The alias is then used as a “substitute” for your concrete payment details (e.g. credit card number) in communication with BS Payone GmbH, so that your card information does not have to be transferred every time.
Checking in
When you check in at a restaurant with your VAPIANO app, an ID is generated on your smartphone. This is the virtual card number that is saved and accessible in your app. This virtual card number is made up of your PEOPLE ID and a randomly generated sequence of characters. It replaces the card that you would otherwise receive at the till. This ID can be used to match orders and payments to your account. The shopping cart (items and price) is displayed in your app. The SEPA mandate is sent to you and saved in our system.
Creating a token
When you log in, a token is created and used for authentication purposes. This token is encrypted and saved in the VAPIANO app. Encryption is carried out with your personal four-character PIN or, if available, the fingerprint sensor on your smartphone. In both cases, the PIN is encrypted and stored in a safe area of the operating system that is not accessible without your PIN or fingerprint. The PIN is only known to you.
This token is stored in an encrypted format within the VAPIANO app and in an unencrypted format in our system. This token is required for payment-related communication between the VAPIANO app and ourselves, and to generate a check-out QR code.
The token is decrypted on your smartphone with your PIN or fingerprint. The token allows the VAPIANO app to generate a code used to check out.
This code contains the following information:
- Your PEOPLE ID;
- Your app installation ID;
- A time stamp;
- The virtual card number;
- The payment method to be used (not the specific card details, but an ID).
The ID can be used to identify the payment details stored on the system.
All this information is encrypted with the token. The till scans this code and sends it to us. We decrypt the QR code and transfer the relevant data (amount, receipt no., payment method alias) in an encrypted format to our payment service provider, BS Payone GmbH, so that payment can be processed. The payment method alias allows BS Payone GmbH to match the saved payment information. The token and/or the encrypted contents and the shopping cart shall not be transferred to BS Payone GmbH. BS Payone GmbH shall verify the information provided and process payment.
Processing Payment
Information on credit card payments with Visa and Mastercard
The first time you set up a credit card in the application, your credit card information (number, expiry date, security code, name) will be transferred to BS Payone GmbH directly from the app via HTTPS. Your credit card information will then no longer be needed to process payments; the aforementioned alias will be used on its own.
Information on PayPal
PayPal is operated by its responsible entity, PayPal (Europe) S.à r.l. & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. If you have selected the PayPal payment methods of “direct debit” or “credit card”, the following personal data must be transferred to PayPal (Europe) S.à r.l. & Cie, S.C.A. to process your payment:
- The VAPIANO restaurant you have visited;
- The amount due;
- Reference on your PayPal account.
If you have saved your PayPal account with VAPIANO, we will also have access to the email address on your PayPal account (via PayPal/Braintree).
You can find more information on PayPal’s data protection at https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE. Otherwise, you can get in touch directly with PayPal (Europe) S.à r.l. & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
Log-in Data
Using the VAPIANO app enables you to stay permanently logged in. To enable this, VIM and its authorised service providers use cookies and other similar technologies to offer you a faster and better user experience. To this end, we save your access data (email address and password), so that you do not need to enter them again every time you open the VAPIANO PEOPLE app.
5. Vapiano Take Away & Home Delivery
The website https://www.vapiano-lieferservice.de/ offers you the possibility to order food and drink and either collect it yourself (Take Away) or have it delivered to your home (Home Delivery). If you are not a VAPIANO PEOPLE member, the personal data you provide when placing your order shall be automatically deleted within 8 weeks at the latest.
You can also order food and drink through delivery services at www.lieferando.de, www.foodora.de and https://deliveroo.de/de/ or by phoning a restaurant directly. The use of this service and provision of your personal data is voluntary.
In order to carry out your order with the respective VAPIANO restaurant, your first name and surname, address, date of birth, payment details, phone number, email address and PEOPLE ID shall be processed in accordance with Article 6.1 b) of the GDPR.
Once your order has been received for the delivery or collection of goods to be consumed outside a restaurant, VAPIANO shall immediately write to you on behalf of the respective VAPIANO restaurant (i.e. in its name and for its account) to confirm the receipt of your order; this confirmation shall either be sent via email or as a notification in the VAPIANO app (hereinafter referred to as the “confirmation email”).
This data shall only be accessed by the respective restaurant, the delivery service and banks (to process payment), as well as by VIM for the administration of your PEOPLE account.
PayPal
PayPal is operated by its responsible entity, PayPal (Europe) S.à r.l. & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. If you have selected the PayPal payment methods of “direct debit” or “credit card”, the following personal data must be transferred to PayPal (Europe) S.à r.l. & Cie, S.C.A. to process your payment:
- The VAPIANO restaurant you have visited;
- The amount due;
- Reference on your PayPal account.
If you have saved your PayPal account with VAPIANO, we will also have access to the email address on your PayPal account (via PayPal/Braintree).
You can find more information on PayPal’s data protection at https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE. Otherwise, you can get in touch directly with PayPal (Europe) S.à r.l. & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
6. Corporate Facebook Page
We run an official Facebook page at https://de-de.facebook.com/Vapiano/ on the basis of Article 6.1 f) of the GDPR. We shall never collect, save or process the personal data of our page users, nor shall we process any other data or arrange for this to be done. Any information you share on our Facebook page (e.g. comments, videos or pictures) shall never be used or processed by us for other purposes.
Facebook uses so-called “web-tracking methods” on this page. Please be informed that Facebook may use your profile data to analyse your habits, personal relationships and preferences, etc. We have no control over how Facebook processes your personal data. You can find more information at https://de-de.facebook.com/policy.php.