The purpose of this document is to ensure the company’s compliance with Dutch, European and international requirements and legislation.
Specifically, this policy aims to ensure compliance with the EU General Data Protection Regulation (GDPR).
This document applies to all GonnaOrder systems, processes and people, including board members, directors, employees, suppliers and other third parties who have access to the company’s information systems.
1.2. Intended Audience
The contents of this document are not technical and they do not assume any previous knowledge of specific technologies. As such, it can be reviewed and consulted by a number of actors:
- The company’s teams relating to the processes in scope.
- GonnaOrder Top Management, as well as any other legally involved person, authority and/or organization.
1.3. Roles and Responsibilities
The company’s Top Management is responsible for the implementation and review of this policy.
1.4. Terms and Abbreviations
The abbreviations, terms, and definitions used in this document are depicted in the table below.
| Terms / Abbreviations | Definitions |
|---|---|
| Availability | Ensuring timely and reliable access to and use of information. |
| Breach | An event that affects one or more of the following features: authenticity, availability, confidentiality, integrity, validity. |
| Confidentiality | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. |
| Consent | “The consent of the data subject” means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. |
| Controller | The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws. Depending on the facts, the same entity can be a controller in respect of some processing activities and a processor in respect of other processing activities. It is possible for an organization to be both a controller and a processor. |
| Data Breaches | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
| GDPR | General Data Protection Regulation |
| Incident | A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. |
| Information Security | Preservation of Confidentiality, Integrity and Availability of information as well as of authenticity, accountability, non-repudiation and reliability. |
| Integrity | The property that data has not been modified or deleted in an unauthorized and undetected manner. |
| Personal Data | Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. |
| Processing | Any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Processor | A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. Depending on the facts, the same entity can be a controller in respect of some processing activities and a processor in respect of other processing activities. It is possible for an organization to be both a controller and a processor. |
| Profiling | Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. |
| Validity | Absolute accuracy and completeness of information. |
2. Purpose and Scope
The purpose of this policy is to put in place a compliance framework that includes appropriate technical and organizational measures, in order to ensure that data processing is performed in compliance with the GDPR. The main objective is to protect the confidentiality, integrity, availability, authenticity and resilience of processing systems and services.
Our company focuses on providing quality services that consistently meet our very strict requirements and exceed our clients’ specifications. As a result, we will continue to invest in our security infrastructure and work with third-party vendors to ensure we have the appropriate contractual terms in place.
Thus, this policy applies to:
- All employees of GonnaOrder. This category consists of regular and temporary employees, trainees and interns.
- Contractual third parties of GonnaOrder with any form of access to the company’s information and information systems.
- All hardware and software systems of GonnaOrder.
“Controller” refers to the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. For the purposes of this policy, the “Controller” as a term refers specifically to GonnaOrder.
“Processor” refers to a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. For the purposes of this policy, the “Processor” as a term refers specifically to GonnaOrder.
“Website/Application User” refers to individuals who use our Website/Application in order to submit an order.
“Store Owner” refers to entities (restaurant, café-bar, self-service or takeaway, hotel) that have registered with GonnaOrder in order to use (or potentially use) our services.
“Affiliate or Partners” refers to partners that register on our website for the purpose of promoting our services to stores or providing additional services to them.
“Personal Data” refers to any information relating to an identified or identifiable natural person.
“Processing” refers to any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Please note that for the provision of our services, data processing is considered to be a legal requirement (as described in articles 6(b) and 6(f) of the GDPR).
3.3. Information We Collect and Process
We collect and process the following types of personal data.
3.3.1. Website/Application Users’ Data
When you use our website/application as a store owner’s customer, we may collect your name, home address, phone number and email in order for you to submit your order, and for the store owner to be able to provide the requested service.
Additionally, we might collect some aggregated order data that are anonymous and are used to provide basic statistics to the store owners (e.g. the total number of menu views per month, the total number of orders per month, etc.).
In any case, your data are not further processed by GonnaOrder, and they are not transferred to any other entity.
GonnaOrder will never deliberately collect the personal data of children under the age of 18. Our Website/Application is not intended for use by anyone under the age of 18.
3.3.2. Store Owners’ Data
Store Owner’s personal data is provided voluntarily by the user upon registration and/or modification of a user profile. In particular, the following information is collected and stored: email, first name, last name, country, phone number, password (encrypted). Some additional information is provided for the stores (as legal entities) upon registration, including the following: name, description, alias, country, address, post code, language.
The above data are used for contractual purposes related to the provision of our services (e.g. optimize a dedicated website on our platform, issuing an invoice, etc.).
Your data are stored by an external provider. This is currently OVH in Frankfurt, Germany.
3.3.3. Affiliates’ Data
Affiliate’s personal data is provided voluntarily by the user upon registration and/or modification of a user profile. In particular, the following information is collected and stored: email, first name, last name, country, phone number, password (encrypted), bank account details and/or PayPal ID.
The above data are used for contractual purposes related to the provision of our services (e.g. payments, etc.).
Your data are stored by an external provider. This is currently OVH in Frankfurt, Germany.
3.4. Purposes of Processing your Personal Data
We process your personal data in the following ways.
We use the information we collect in order to improve our services and to remain in compliance with our customers’ requirements. Additionally, we comply with all legislative and regulatory requirements.
- Website/Application Users’ data are collected and processed to provide our services in connection with your orders.
- Store Owners’ data and Affiliates’ data are collected and processed explicitly for contract-related purposes, as defined each time.
3.4.2. Functionality of the Website/Application
When you visit, register, or log in to our Website/Application, we collect the following data: IP address, web browser, duration of your visit and current location. This information is used in the following ways:
- To improve our website in order to better serve you.
- To resolve any technical issues that may arise and to improve access to certain parts of the Website.
- To provide our Services by ensuring that the application runs correctly.
- To provide you with the correct and latest version of the Application.
You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser’s settings (for example, in Internet Explorer). Each browser is a little different, so consult your browser’s Help menu to learn the correct way to modify your cookie settings.
Please note that we may use trusted third-party services that track this information on our behalf, like Google Analytics, but all data used will be anonymized.
We do not collect or store any credit card details. We use mainly two (2) payment integrators (Stripe and PayPal), who are solely responsible for all the security issues relating to the processing of credit card details.
GonnaOrder may use Store Owners’ and/or Affiliates’ contact data to send important announcements only, and does not use it for marketing. Store owners and affiliates can subscribe to receive marketing information via a newsletter, and they can unsubscribe from these messages at any time.
3.5. Third-party Disclosure
Store Owners’ and/or Affiliates’ Personal Data may be transferred outside the EU to call center support partners if required. These third parties may have access to your personal data and process it in order to carry out specific tasks for us, such as the analysis of issues and problems.
3.6. Data Retention Period
Personal data collected by GonnaOrder from Website/Application Users are kept only as long as needed to provide the requested service (if any). Once the service has been completed, all such information is destroyed.
Personal data collected by GonnaOrder from Store Owners and Affiliates are kept as long as the aforementioned users retain their accounts. Once an account is deleted, GonnaOrder deletes all the related data.
3.7. Your Rights
The GDPR provides the following rights for all data subjects:
- Right to be informed: You have the right to be informed about the collection and use of your personal data, including details regarding the purposes for processing your personal data, the retention periods for that personal data, and who it will be shared with.
- Right of access: You have the right to access your personal data by making a request verbally or in writing.
- Right to rectification: You have the right to have inaccurate personal data rectified, or completed if it is incomplete.
- Right to erasure: You have the right to request the erasure of your personal data without prejudice to GonnaOrder’s obligations and legal rights.
- Right to restriction: You have the right to request the restriction or suppression of the processing of your personal data without prejudice to GonnaOrder’s obligations and legal rights.
- Right to data portability: You have the right to obtain and reuse your personal data for your own purposes across different services by moving, copying or transferring personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
- Right to object: You have the right to object to the processing of your personal data, particularly for marketing reasons, or in any other case without prejudice to GonnaOrder’s obligations and legal rights.
- Rights in relation to automated decision making and profiling: Your data are processed by automated means; however, GonnaOrder does not carry out solely automated decision-making or profiling that has legal or similarly significant effects on you.
GonnaOrder must respond to the relevant requests within the time limits set by the applicable legislation, as long as there is no other legal issue preventing us from handling your request.
For any questions, suggestions or statements related to these issues, please contact us via https://www.gonnaorder.com/contact
3.8. Information Security
Your personal information is contained within secured networks and is only accessible by a limited number of persons who have special access rights to such systems.
We implement a variety of security measures when a user enters, submits, or accesses the information to maintain the safety of your personal data.
We work hard to protect you from unauthorized access to data or unauthorized alteration or disclosure of information we hold. We aim to maintain our services in a manner that protects information from accidental or malicious destruction. In particular:
- We implement encryption controls.
- We regularly review our processes to ensure that there is no unauthorized access to systems.
- We have a password policy in place for all users of the Application.
- We aim to detect and prevent any security events that could lead to data breaches. An information security incident can result from a single action or from a combination of factors such as external malicious attacks, employees’ negligence and system corruption. Depending on the incident, the authorities and/or the data subjects will be notified.