Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Offering”).

The terms used are not gender-specific.

Last updated: 23 September 2025

Table of Contents

  • Preamble
  • Controller
  • Overview of Processing Activities
  • Applicable Legal Bases
  • Security Measures
  • Transfer of Personal Data
  • International Data Transfers
  • General Information on Data Storage and Deletion
  • Rights of Data Subjects
  • Provision of the Online Offering and Web Hosting
  • Use of Cookies
  • Social Media Presences
  • Plugins and Embedded Functions and Content
  • Amendment and Update

Controller

Moodi Foodi Berlin
Hossein Ali Roushankar und Olaf Saumer GbR
Salvador-Allende-Straße 76G
12559 Berlin, Germany

Email address: moodifoodiberlin@gmail.com

Overview of Processing Activities

The following overview summarizes the types of data processed, the purposes of processing, and refers to the affected data subjects.

Types of data processed:

  • Contact data
  • Content data
  • Usage data
  • Meta, communication, and procedural data
  • Log data

Categories of data subjects

  • Users

Purposes of processing

  • Communication
  • Security measures
  • Reach measurement
  • Tracking
  • Conversion measurement
  • Audience formation
  • Server monitoring and error detection
  • Feedback
  • Marketing
  • Profiles with user-related information
  • Provision of our online offering and user-friendliness
  • Information technology infrastructure
  • Public relations

Applicable Legal Bases

Applicable legal bases under the GDPR: Below you will find an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6(1)(a) GDPR):
    The data subject has given consent to the processing of personal data concerning them for one or more specific purposes.
  • Legitimate interests (Art. 6(1)(f) GDPR):
    Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data.

National data protection regulations in Germany:
In addition to the GDPR, national data protection regulations apply in Germany, in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains, among other things, specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transfers as well as automated decision-making in individual cases, including profiling. State-level data protection laws of the German federal states may also apply.

Notice regarding the applicability of the GDPR and the Swiss FADP:
These data protection notices serve to provide information in accordance with both the Swiss Federal Act on Data Protection (FADP) and the GDPR. For this reason, please note that, due to the broader territorial scope and comprehensibility, the terminology of the GDPR is used. In particular, instead of the terms used in the Swiss FADP such as “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data,” the GDPR terms “processing” of “personal data,” “legitimate interest,” and “special categories of data” are used. However, the legal meaning of these terms continues to be determined in accordance with the Swiss FADP where applicable.

Security Measures

In accordance with the legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to data, as well as access, input, disclosure, availability assurance, and separation of data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data breaches. We also take data protection into account as early as the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

Securing online connections using TLS/SSL encryption technology (HTTPS):
To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. A website secured by an SSL/TLS certificate is indicated by “HTTPS” in the URL, serving as an indicator to users that their data is transmitted securely and in encrypted form.

Transfer of Personal Data

In the course of processing personal data, it may be transferred to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of such data may include, for example, IT service providers or providers of services and content integrated into a website. In such cases, we comply with the statutory requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to ensure its protection.

International Data Transfers

Data processing in third countries:
If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or disclosing or transferring data to other persons, entities, or companies (which may be evident from the provider’s address or explicit references to third-country transfers in this privacy policy), this is always carried out in compliance with the statutory requirements.

For data transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), which has been recognized as an adequate legal framework by an adequacy decision of the European Commission dated 10 July 2023. In addition, we have concluded Standard Contractual Clauses with the respective providers in accordance with the requirements of the European Commission.

This dual safeguard ensures comprehensive protection of your data: the DPF forms the primary level of protection, while the Standard Contractual Clauses serve as an additional safeguard. Should changes occur within the scope of the DPF, the Standard Contractual Clauses will apply as a reliable fallback mechanism.

For each service provider, we inform you whether they are certified under the DPF and whether Standard Contractual Clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce.

For data transfers to other third countries, appropriate safeguards apply, in particular Standard Contractual Clauses, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the information provided by the European Commission.

General Information on Data Storage and Deletion

We delete personal data processed by us in accordance with the statutory provisions as soon as the underlying consent is revoked or no further legal basis for processing exists. This applies in cases where the original purpose of processing no longer applies or the data is no longer required. Exceptions apply where statutory obligations or special interests require longer retention or archiving of data.

In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal enforcement or the protection of the rights of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that applies specifically to certain processing operations.

Where multiple retention periods or deletion deadlines are specified, the longest period shall apply. Data that is no longer processed for its original purpose but is retained due to legal requirements or other reasons is processed exclusively for the purposes justifying its retention.

Retention and deletion periods under German law:

  • 10 years: Accounting records, annual financial statements, inventories, management reports, opening balance sheets, and related documentation (§ 147(1) no. 1 AO, § 14b(1) UStG, § 257(1) no. 1 HGB).
  • 8 years: Accounting vouchers, such as invoices and expense receipts (§ 147(1) nos. 4 and 4a AO, § 257(1) no. 4 HGB).
  • 6 years: Other business records, including commercial correspondence and documents relevant for taxation (§ 147(1) nos. 2, 3, 5 AO, § 257(1) nos. 2 and 3 HGB).
  • 3 years: Data required for potential warranty or damage claims and similar contractual claims, based on statutory limitation periods (§§ 195, 199 BGB).

Rights of Data Subjects

Under the GDPR, data subjects have the following rights, in particular pursuant to Articles 15 to 21 GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you carried out on the basis of Article 6(1)(e) or (f) GDPR, including profiling. If personal data is processed for direct marketing purposes, you have the right to object at any time to such processing, including profiling related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw any consent given at any time.
  • Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed and to obtain access to such data and further information, as well as a copy of the data, in accordance with the statutory requirements.
  • Right to rectification: You have the right to request the rectification of inaccurate personal data concerning you or the completion of incomplete data.
  • Right to erasure and restriction of processing: You have the right to request the erasure of personal data concerning you or, alternatively, the restriction of processing in accordance with statutory requirements.
  • Right to data portability: You have the right to receive personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format or to request its transfer to another controller.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates the GDPR.

Provision of the Online Offering and Web Hosting

We process users’ data in order to provide our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or end device.

  • Types of data processed: Usage data (e.g. page views and duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons); log data (e.g. log files relating to logins, data retrieval, or access times); content data (e.g. textual or visual messages and contributions and related information such as authorship or time of creation).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing:
    Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices such as computers and servers); security measures; reach measurement (e.g. access statistics, recognition of returning visitors); conversion measurement (measurement of the effectiveness of marketing measures); server monitoring and error detection.
  • Retention and deletion: Deletion in accordance with the information provided in the section “General Information on Data Storage and Deletion”.
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Provision of the online offering on rented hosting infrastructure:
    For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a server provider (“web hoster”); legal basis: legitimate interests (Art. 6(1)(f) GDPR).
  • Collection of access data and log files:
    Access to our online offering is logged in so-called “server log files.” These may include the address and name of accessed websites and files, date and time of access, amounts of data transferred, notification of successful access, browser type and version, operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider.
    Server log files are used, on the one hand, for security purposes (e.g. to prevent server overload in the event of abusive attacks such as DDoS attacks) and, on the other hand, to ensure server utilization and stability; legal basis: legitimate interests (Art. 6(1)(f) GDPR).
    Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidentiary purposes is excluded from deletion until the respective incident has been fully clarified.
  • Content Delivery Network (CDN):
    We use a content delivery network (CDN). A CDN is a service that enables faster and more secure delivery of content of an online offering, particularly large media files such as graphics or program scripts, via regionally distributed servers connected over the Internet; legal basis: legitimate interests (Art. 6(1)(f) GDPR).
  • Squarespace:
    Squarespace provides software as a service for the creation and hosting of websites; service provider: Squarespace Ireland Ltd., Le Pole House, Ship Street Great, Dublin 8, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: www.squarespace.com; privacy policy: www.squarespace.com/privacy; data processing agreement: www.squarespace.com/dpa.
    Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses.
  • Instart:
    Content Delivery Network (CDN); service provider: Instart Logic, Inc., 450 Lambert Avenue, Palo Alto, CA 94306, USA; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: www.instart.com; privacy policy: www.instart.com/company/legal/privacy-policy.

Use of Cookies

The term “cookies” refers to functions that store information on users’ end devices and read information from them. Cookies may be used for various purposes, such as ensuring functionality, security, and convenience of online offerings, as well as analyzing visitor flows.

We use cookies in accordance with statutory provisions. Where required, we obtain users’ prior consent. Where consent is not required, we rely on our legitimate interests, in particular where the storage and reading of information is essential to provide expressly requested content and functions. This includes, for example, storing settings and ensuring the functionality and security of our online offering. Consent may be withdrawn at any time. We clearly inform users about the scope of consent and the cookies used.

Notes on data protection legal bases:
Whether we process personal data using cookies depends on consent. If consent is given, it constitutes the legal basis. Without consent, processing is based on our legitimate interests, as explained above and in connection with the respective services and procedures.

Storage duration:
With regard to storage duration, the following types of cookies are distinguished:

  • Temporary cookies (session cookies):
    Temporary cookies are deleted at the latest when a user leaves an online offering and closes their end device (e.g. browser or mobile application).
  • Permanent cookies:
    Permanent cookies remain stored even after the end device is closed. For example, login status may be stored or preferred content displayed directly when the user revisits a website. Usage data collected via cookies may also be used for reach measurement. If no explicit information on cookie type and storage duration is provided, users should assume that cookies are permanent and may be stored for up to two years.

General information on withdrawal and objection (opt-out): Users may withdraw consent at any time and object to processing in accordance with statutory requirements, including via their browser’s privacy settings.

  • Types of data processed:
    Meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
  • Data subjects:
    Users (e.g. website visitors, users of online services).
  • Legal bases:
    Legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR)

Further information on processing operations and procedures: We use a consent management solution to obtain, document, manage, and revoke users’ consent to the use of cookies and comparable technologies. Consent declarations are stored in order to avoid repeated requests and to provide proof of consent in accordance with legal requirements. Storage may be server-side and/or in a cookie (“opt-in cookie”) or by comparable technologies. Consent may be stored for up to two years; legal basis: consent (Art. 6(1)(a) GDPR).

Social Media Presences

We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to provide information about us.

Please note that user data may be processed outside the European Union. This may entail risks for users, as the enforcement of user rights may be more difficult.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles may be created based on usage behavior and resulting interests. These profiles may be used to display advertisements within and outside the networks that presumably correspond to users’ interests. Cookies are generally stored on users’ devices for this purpose. In addition, data may be stored in usage profiles independently of the devices used, particularly if users are members of the respective platforms and logged in.

For a detailed description of processing activities and opt-out options, please refer to the privacy policies of the respective network operators.

Requests for information and the assertion of data subject rights are most effectively addressed directly to the providers, as they have access to the relevant data and can take appropriate measures. If you require assistance, you may contact us.

  • Types of data processed:
    Contact data; content data; usage data.
  • Data subjects:
    Users.
  • Purposes of processing:
    Communication; feedback; public relations.
  • Legal basis:
    Legitimate interests (Art. 6(1)(f) GDPR).

Service used:

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (“third-party providers”), such as graphics, videos, or maps.

Integration requires that third-party providers process users’ IP addresses, as otherwise content cannot be delivered to the browser. The IP address is therefore required for display. We endeavor to use only content whose providers use IP addresses solely for delivery purposes. Third-party providers may also use pixel tags (web beacons) for statistical or marketing purposes, allowing information about visitor traffic to be evaluated. Pseudonymous information may be stored in cookies and may include technical information about browsers, operating systems, referrer websites, visit times, and usage behavior, potentially combined with data from other sources.

Legal basis notes:
If we request user consent for the use of third-party providers, consent constitutes the legal basis. Otherwise, processing is based on legitimate interests (efficient, economic, and user-friendly services).

  • Types of data processed:
    Usage data; meta, communication, and procedural data; contact data; content data.
  • Purposes of processing:
    Provision of the online offering; reach measurement; tracking; audience formation; marketing; creation of user profiles.
  • Retention and deletion:
    Deletion in accordance with the section “General Information on Data Storage and Deletion.” Cookies may be stored for up to two years unless otherwise specified.
  • Legal bases:
    Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Services used:

YouTube videos:
Within our online offering, videos are embedded that are stored on YouTube. The integration of these YouTube videos is carried out via a special domain using the component “youtube-nocookie” in the so-called “enhanced privacy mode.”

In “enhanced privacy mode,” until the video is started, only information including your IP address and information about the browser and your end device may be stored on your end device in cookies or by comparable procedures, which YouTube requires for the provision, control, and optimization of video playback.

As soon as you play the videos, additional information may be processed for the analysis of usage behavior as well as for storage in the user profile and for the personalization of content and advertisements by YouTube.

The storage period for cookies may be up to two years; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: consent (Art. 6(1)(a) GDPR); website: https://www.youtube.com; privacy policy: https://policies.google.com/privacy; basis for third-country transfers: Data Privacy Framework (DPF).

Further information:
https://support.google.com/youtube/answer/171780?hl=en#zippy=%2Cturn-on-privacy-enhanced-mode%2Cactivate-enhanced-privacy-mode

Amendment and Update

We ask that you regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes to our data processing activities make this necessary. We will inform you if changes require your cooperation (e.g. consent) or other individual notification.

Where addresses and contact details of companies and organizations are provided in this privacy policy, please note that addresses may change over time and we recommend verifying the information before contacting them.

Created with the free Datenschutz-Generator.de by Dr. Thomas Schwenke

Get

in

TOUCH

with

us

Illustration einen Sandwitches in grün auf gelben Hintergrund

2025 ©  Moodi Foodi Berlin. all rights reserved

ImprintPrivacy Policy
Site by ffine