Privacy Policy

Privacy Policy for the Choco App

Status: 14 April 2022

Status: 14 April 2022

Preamble

This service (hereinafter "App") is provided by Choco Communications GmbH, with legal seat in Hasenheide 54, 10967 Berlin, Germany, email address: legal@choco.com (hereinafter “Choco”, "we"or "us") as the controller within the meaning of the applicable data protection law according to the General Data Protection Act (hereinafter GDPR). The use of the services offered by Choco requires that the users register in the App or via the Web Interface and accept our General Terms and Conditions, also available at the following link: https://choco.com/de/en/pages/terms-and-conditions.

The Choco App provides its users with access to messaging and ordering services, which may allow commercial customers from the gastronomy and food sector (hereinafter the "Gastronomes") to communicate directly with their suppliers (hereinafter the "Suppliers") and place orders, which are directly received by the Suppliers and bundled in digital form without any time delay. For more detailed information about the services offered by Choco, please refer to section 4 of our General Terms and Conditions.

When using the App, we process personal data about you. Personal data means any information relating to an identified or identifiable natural person (data subject). The protection of your privacy when using the app is important to us, therefore we would like to inform you especially about the scope, the legal basis, data subject rights and the personal data which we process when you use the app.

You can access this privacy policy at any time under the entry "settings" within the app.

1. Information on the processing of your data

Certain information is already processed automatically as soon as you use the app. We have listed exactly which personal data is processed for you below:

1.1 Information collected during download

When downloading the app, Choco does not require nor collect any personal data of yours, nevertheless, we would like to inform you that certain required information might be requested by the App Store selected by you (e.g Google Play or Apple App Store). The processing of this data takes place exclusively by the respective App Store, is beyond our control, and we reject any responsibility for damages that occurred to you arising from the data processing carried out solely by the App Store you have selected for the download of the App.

1.2 Information collected automatically

As part of your use of the App, we automatically collect certain data that is necessary for the use of the App. These include: info of your device, version of your operating system, type of device you use, time of access, and IP address.

This data is automatically transmitted to us, and stored in our servers, (1) to provide you with the Service and related features; (2) to improve the functions and performance features of the App and (3) to prevent and to remove misuse and malfunctions. This data processing is based on the fact that the processing is necessary for the performance of the services foreseen in the General Terms and Conditions between you as the data subject and us in accordance with Art. 6 paragraph 1 sentence 1 lit. b GDPR [regarding 1.2 (1)]. We also have a legitimate interest in ensuring the functionality and error-free operation of the App and being able to offer a service in line with the market and interests, which here outweighs your rights and interests in the protection of your personal data within the meaning of Art. 6 paragraph 1 sentence 1 lit. f GDPR [regarding 1.2 (2) and (3)].

1.3 Creation of a user account (registration) and login

For the creation of a user account, you are required to complete a registration form in the App and accept the General Terms and Conditions, for this purpose information marked as mandatory in the registration form shall be filled in. For your user account or log-in, we use your telephone number to grant you access to and manage your user account ("Mandatory Information"). Mandatory information (user name, telephone number, business name, and business address) is required for completing the registration form in the App, together with the acceptance of the General Terms and Conditions. If you do not provide this data, you will not be able to create a user account.

We use the mandatory information to authenticate you when you log in. In that case, on the login page of the App, you may indicate your telephone number and request to receive an automatic four-digit code (the “Code”), at the provided telephone number, via SMS. After you will receive the Code, you will be required to promptly digit the Code on the login page of the App. We would like to inform you that the Code is temporary and has limited validity, if you will not digit the Code on the login page of the App within 60 seconds, you will need to request a new Code for completing the login authentication. Please note that you are fully responsible for the confidentiality of the Code which is strictly personal and should not be shared with unauthorized persons. The data entered by you during registration or log in will be processed and used by us (1) to verify your authorization to manage the user account; (2) to enforce the terms of use of the App and all associated rights and obligations and (3) to contact you in order to be able to send you technical or legal notices, updates, security messages or other messages concerning the administration of the user account.

Furthermore, you can provide the following voluntary information during registration: email address, and nickname.

In addition, you can provide the following voluntary information after the registration on the App:

  • Contact details of your Suppliers (ONLY if you are a Gastronome): You have the option of entering lists of the products that you usually order from your Suppliers (hereinafter "Lists"), or to ask Choco to enter them on the basis of the documents you provide to us. Aiming to facilitate the placing of your orders, you may provide us with the contact details of your Suppliers and the desired Lists, or you may request us to set up the account with the contact details of your Suppliers and the Lists.
  • Financial information: You have the option of uploading on the App pictures and screenshots containing financial information with the scope of simplifying the placing of your orders, moreover, the financial information, you may voluntary share on the App, may consist of the following data: Invoices of your order containing payment information; the content of your order’s invoice, such as bank account numbers of Gastronomes and Suppliers, Gastronomes and Suppliers tax ID; and eventual annexes attached to your invoices.

We will process the voluntary information based on your consent which you can withdraw at any time with effect for the future, Art. 6 paragraph 1 sentence 1 lit. a GDPR.

This data processing is justified by the fact that [regarding 1.3 (1)] the processing is necessary for the performance of the contract between you as the data subject and us in accordance with Art. 6 paragraph 1 sentence lit. b GDPR for the use of the App, or [regarding 1.3 (2) and (3)] we have a legitimate interest in ensuring the functionality and error-free operation of the App, which here outweighs your rights and interests in the protection of your personal data within the meaning of Art. 6 paragraph 1 sentence 1 lit. f GDPR.

1.4 Use of the App

As part of the App, you can enter, manage and edit various information, tasks and activities. This information includes, in particular, data related to the communications that the Gastronomes send together with their orders to their Suppliers which are directly received by the latter and bundled in digital form without any time delay.

You can also activate the following functions:

  • Internet access: This is required to store your entries on our servers.
  • Camera access: This access is required for communications between Gastronomes and Suppliers which allows you to include pictures and/or screenshots of placed orders and invoices of those orders and store them in the App and on our servers. By giving access to your camera, you agree that Choco will have access to your pictures and media contents, thus this data processing in this context is based on your consent. Furthermore, we would like to inform you that currently the pictures and/or screenshots, you may voluntarily upload to the App, will not be automatically deleted from the App. Nevertheless, if you wish to delete your uploaded pictures and/or screenshots, you may forward your request to the Choco Legal Team, using the following email address: . Please note that we cannot accept any responsibility for the content of the data that you voluntarily upload to the App, therefore, you are fully liable for any shared additional information on the App, not required for the purpose of processing personal data, which infringes the applicable laws and/or any third parties rights.

The processing of the above-mentioned data is based on your consent which you can withdraw at any time with effect for the future, Art. 6 paragraph 1 sentence 1 lit. a GDPR.

2. Disclosure and transfer of data

We transfer your personal data to recipients on the condition a legal basis exists and/ or you gave your

consent to the data process. Moreover, we process your personal data to service providers as our data

processors.

We transfer your data to the following recipients:

2.1 The data provided by you during registration will be passed on within the Choco Group for internal administrative purposes, including joint customer support, as far as necessary. Please note that Choco Group means the worldwide Choco group of companies of which Choco Communications GmbH is the parent company with legal seat in Hasenheide 54, 10967 Berlin, Germany. The Choco Group is composed of other companies owned or controlled by Choco, present in different Member States of the European Union and the United States of America, and other companies owned by or under common ownership as Choco, which also includes our subsidiaries (i.e., any organization we own or control), particularly when we collaborate in providing the App.

2.2 We may share your personal data with our business partners, such as Gastronomes or Suppliers and delivery partners, as well as third parties with whom we partner to provide contests, joint promotional activities or co-branded services, and such disclosure is necessary to fulfill requests or applications.

2.3 Please note, that if you are using the App in connection with your role as an employee or contractor of a company or other legal entity, we may share your information with such entity.

2.4 We share your personal data with third parties who assist us in providing our customer services and facilitating our communications with individuals that submit inquiries. We engage third-party service providers that perform business or operational services for us or on our behalf, such as website hosting, infrastructure provisioning, IT services, analytics services, administrative services.

2.5 We may disclose your personal data only to third parties, described in clause 4 of this privacy policy, who use this information to provide information or marketing messages about products or services of interest, in accordance with their own privacy policies and terms.

Please note that Choco has entered into data processing agreements, or joint controllerships (depending on the case) and standard contractual clauses with service providers, that act as data processors, or joint controllers, with regard to the processing of your personal data, as applicable to the case. 2.6 If it is necessary to clarify an illegal or abusive use of the App or for legal prosecution, personal data will be forwarded to the law enforcement authorities or other authorities and, if necessary, to injured third parties or legal advisors. However, this only happens if there are indications of unlawful or abusive behavior. A transfer may also take place if this serves the enforcement of terms of use or other legal claims. We are also legally obliged to provide information to certain public bodies upon request. These are law enforcement authorities, authorities that prosecute administrative offenses that have been proven to be fined, and the tax authorities.

Any disclosure of the personal data is justified by the fact that (1) the processing is necessary to fulfill a legal obligation to which we are subject in accordance with Art. 6 paragraph 1 sentence 1 lit. c GDPR in the national legal requirements for the disclosure of data to law enforcement authorities or (2) we have a legitimate interest in using the data in the presence of evidence of abusive behavior or to enforce our terms of use, of other conditions or legal claims to the aforementioned third parties and your rights and interests in the protection of your personal data within the meaning of Art. 6 paragraph 1 sentence 1 lit. f GDPR do not prevail.

2.7. In the context of the further development of our business, the structure of our company may change by changing the legal form, subsidiaries, parts of companies or components being founded, bought or sold. In such transactions, the customer information may be shared together with the part of the company to be transferred. Each time personal data is passed on to third parties to the extent described above, we shall ensure that this is done in accordance with this data protection declaration and the applicable data protection law.

Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances if necessary and your rights and interests in the protection of your personal data within the meaning of Art. 6 paragraph 1 sentence 1 lit. f GDPR do not prevail.

3. Data transfer to third countries

We would like to inform you that the EU-US Privacy Shield (adequacy decision) has been declared invalid and that in case of data transfers to insecure third countries (here: USA), there is no adequate level of data protection according to EU standards. In particular, there is a risk that your data may be processed by U.S. authorities, for control and for monitoring purposes, possibly also without any legal remedy. In the case of data processing in the context of the use of analysis tools, the data processing is based on your consent which you can revoke at any time with effect for the future, Art. 49 paragraph 1 lit. a GDPR. Furthermore, we concluded with service providers which are based in third countries either a data processing agreement according to Art. 28 GDPR or a joint controllership according to Art. 26 GDPR as well as standard contractual clauses, depending on the contractual constellation.

4. Analyze and marketing tools

4.1 Analyze tools

In order to improve our App, we use tools for the statistical recording and analysis of general usage behavior on the basis of access data ("analysis tools"), and other operational tasks aiming to ensure the functionality of the App (“other tools”). We also use analysis services to evaluate the use of our various marketing channels.

Unless otherwise stated, the legal basis for the analysis tools and other tools is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

In the event that personal data is transferred to the USA or other third countries, your consent expressly extends to the transfer of data (Art. 49 paragraph 1 sentence 1 lit.a GDPR). The associated risks can be found in section 3 (“Data transfer to third countries'').

4.1.1 Amplitude, Inc.

  • Address: 201 3rd Street, Suite 200, San Francisco, CA 94103, United States;
  • Personal data processed: Username, Phone number, IP Address, Device Info, (email address, only when previously provided by the user).
  • Storage Information: Personal Data is logically separated using multiple techniques. All data is stored in an Amazon Web Services in the US region. We require this provider’s service for operational reasons, namely, to reach out to the users who are affected by an incident which impedes the correct functionality of the App.

4.1.3 Epsagon LLC.

  • Address: 54 W 21st St, 5th Floor, New York, NY 10010, United States;
  • Personal data processed: Username, Phone number, Business Address, IP Address, Device Info, (email address, birth date only when previously provided by the user).
  • Storage Information: The servers storing your personal data are located in Ireland. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.

4.1.4 Google Ireland Limited

  • Address: Gordon House, Barrow Street, Dublin 4, Ireland;
  • Personal data processed: Username, Phone number, IP Address, Device Info, (email address, only when previously provided by the user).
  • Storage Information: The servers storing your personal data are located in Dublin, Ireland. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.

4.1.6 Dovetail Research Pty. Ltd.

  • Address: Level 1, 276 Devonshire Street, Surry Hills, 2010, NSW, Australia;
  • Personal data processed: Username, Email address (only when previously provided by the user).
  • Storage Information: The servers storing your personal data are located in AWS us-east-1 region located in North Virginia, United States. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.

4.1.7 Intercom, Inc.

  • Address: 3rd Floor, Stephens Ct., 18-21 St. Stephen’s Green, Dublin 2, Ireland;
  • Personal data processed: Name, Phone number, IP Address, Email, Device info.
  • Storage Information: The servers storing your personal data are located in the Amazon Web Services (AWS) facilities in Dublin, Ireland (eu-west-1). Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.

4.1.8 Lobster DATA GmbH

  • Address: Hindenburgstraße 15, 82343 Pöcking, Germany;
  • Personal data processed: Address, Email, Fax Number, Phone number, Name.
  • Storage Information: The servers storing your personal data are located in Germany. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.

4.1.9 The Rocket Science Group LLC d/b/a Mailchimp

  • Address: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 3030, United States;
  • Personal data processed: Username, Phone number, IP Address, Device Info, (email address, only when previously provided by the user);
  • Storage Information: Mailchimp provides an email service, automation and marketing platform and other related services. The servers storing your personal data are located in the United States of America. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.

4.1.10 Sentry, owned by Functional Software, Inc.

  • Address: Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, United States;
  • Personal data processed: Birth date, Address, Fax Number, Name, Device info, Email, Phone number, IP Address.
  • Storage Information: The servers storing your personal data are located in Iowa, USA. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.

4.1.11 Segment.io, Inc.

  • Address: 100 California St, Suite 700, San Francisco,CA 94103, United States;
  • Personal data processed Username, Phone number, IP Address, Device Info, (email address, only when previously provided by the user):
  • Storage Information: The servers storing your personal data are located in S3 AWS Dublin, Ireland. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.

4.2 Marketing tools

We also use tools for advertising purposes ("marketing tools"), and other administrative/operational tasks (“additional tools”). By analyzing and evaluating access data during the use of our website, we are able to present you with personalized advertising, i.e. those that meet your actual interests and needs on our website and on the websites of other providers.

The legal basis for the marketing tools and additional tools is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. In the event that personal data is transferred to the USA or other third countries, your consent expressly extends to the transfer of data (Art. 49 para. 1 sentence 1 lit. a GDPR). The associated risks can be found in section 3 (Data transfer to third countries).

4.2.1 Salesforce.com Germany GmbH

  • Address: Erika-Mann-Str. 31, 80636 Munich, Germany;
  • Personal data processed: Username, and Phone number (email address, only when previously provided by the user), User Data regarding Physical, Social and Cultural identity.
  • Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, and Paris, France. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.

4.2.2 Aircall SAS

  • Address: 11 Rue Saint-Georges,75009 Paris, France;
  • Personal data processed: Username, phone number, and email address, only when previously provided by the user.
  • Storage Information: The servers storing your personal data are located in the Amazon Web Services US West servers in Oregon, USA. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.

4.2.3 Outreach Corporation

  • Address: 333 Elliott Ave W #500, Seattle, WA 98119, United States;
  • Personal data processed: Username, phone number, and email address, only when previously provided by the user.
  • Storage Information: The servers storing your personal data are located in the Amazon Web Services in the United States of America. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services and will be deleted within 60 days from the Services termination.

4.2.4 Talend Stitch Inc.

  • Address: 1339 Chestnut St #1500, Philadelphia, Pennsylvania 19107, United States;
  • Personal data processed: Username, Phone number, IP Address, Device Info, (email address, only when previously provided by the user):
  • Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, in the AWS eu-central-1 servers. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.

5. Storage duration

We delete your personal data as soon as the purposes for which we collected or processed it, in accordance with the preceding paragraphs, are achieved, and no statutory requirements require us to continue storing it for a longer period. We delete your personal data as soon as you submit to us your request for the cancellation of your user account, for the purposes for which we collected or used it in accordance with the preceding paragraphs. Please note that in case of cancellation of your user account, your personal data stored within the App will be deleted.

6. Hyperlink

Our App contains so-called hyperlinks to websites of other providers. If these hyperlinks are activated, you will be redirected from our App directly to the website of the other providers. You can recognize this, among other things, by changing the URL. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, as we have no influence on the fact that these companies comply with the data protection regulations. Please inform yourself about the handling of your personal data by these companies directly on these websites.

7. Your rights as a data subject

As data subjects you are entitled to the following rights according to Art. 15 – 21, 77 GDPR:

  • The Right of access by the data subject (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (“right to be forgotten, Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

In case the data processing is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

In case the data processing is based on our legitimate interest (Art. 6 paragraph 1 sentence 1 lit. f GDPR), you have the right to object, on grounds relating to your situation, at any time.

Your requests for the assertion of data protection rights and our answers to them will be kept for documentation purposes for a period of up to three years and, in individual cases, for the establishment, exercise or defense of legal claims even beyond. The legal basis is Art. 6 paragraph 1 sentence 1 lit. f GDPR, based on our legitimate interest in defending against any civil law claims pursuant to Art. 82 GDPR, the avoidance of fines pursuant to Art. 83 GDPR and the fulfillment of our accountability under Art. 5 para. 2 GDPR.

As a data subject you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR-regulations.

8. Data Protection Officer and contact details:

If you have any questions or comments about our handling of your personal data, or if you wish to exercise your data subject rights, please contact Choco Legal Team using the following contact details:

Furthermore, you are welcome to direct your data protection concerns to our Data Protection Officer by sending an email to the above-mentioned email address. Please note that not only our Data Protection Officer will get your request. If you wish to contact solely our Data Protection Officer and/ or if you wish to send confidential information, please refer in your email to the Data Protection Officer and please ask for contacting you.

9. Changes to this Privacy Policy

We always keep this privacy policy up to date. Therefore, we reserve the right to change them from time to time and to maintain changes in the collection, processing or use of your data. The current version of the data protection declaration is always available under the entry “settings” within the App.