1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is the entity named above. We determine the purposes and means of processing personal data.

2. What Data Do We Collect?

Order Data

• First and last name
• Delivery address
• Email address
• Phone number
• Order details (dishes, quantity, price, special requests)

Payment Data

• Selected payment method
• Transaction IDs (no complete credit card numbers)

Customer Account (optional)

• Username, encrypted password
• Saved addresses, order history, favourites

Technical Data

• IP address, browser type, operating system
• Access time, pages visited

3. Legal Basis for Processing

We process your personal data on the following legal bases:

• Art. 6(1)(b) GDPR – Performance of contract: order processing, delivery, payment
• Art. 6(1)(a) GDPR – Consent: customer account, analytics cookies, newsletter
• Art. 6(1)(c) GDPR – Legal obligation: tax law, bookkeeping obligations
• Art. 6(1)(f) GDPR – Legitimate interest: system security, fraud prevention, support

4. Purpose of Processing

• Order processing and delivery
• Payment processing via external service providers
• Customer account management (upon registration)
• Customer support and complaint handling
• System security, error analysis and fraud prevention
• Compliance with statutory retention obligations

5. Recipients of Your Data

Restaurant

Your name, address, phone number, order and special requests are shared with the respective restaurant for preparation and delivery. The restaurant is independently responsible for its own data processing.

Payment Service Providers

Payment data is transmitted to the following service providers:

• Stripe – Credit card payments (data processing agreement under Art. 28 GDPR, Standard Contractual Clauses for USA)
• PayPal – PayPal payments (data processing agreement under Art. 28 GDPR)
• Iyzico – Additional payment methods (data processing agreement under Art. 28 GDPR)

We have concluded data processing agreements with all payment service providers. Complete credit card numbers are not stored by us.

IT Service Providers and Hosting

To provide our services, we use IT service providers who act as data processors under Art. 28 GDPR.

Public Authorities

Data is only shared with public authorities (e.g. tax office) when we are legally obliged to do so.

6. Storage Duration

• Order data: 10 years (statutory retention obligation under Section 147 AO, Section 257 HGB)
• Customer account: As long as active; reminder after 24 months of inactivity, automatic deletion after 36 months
• Technical logs: 12 months
• Contact enquiries: 12 months after resolution

7. Your Rights under the GDPR

You have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): You may request information about your stored data.
• Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
• Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
• Right to restriction (Art. 18 GDPR): You may request the restriction of processing.
• Right to data portability (Art. 20 GDPR): You may receive your data in a commonly used format.
• Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests.
• Withdrawal of consent (Art. 7(3) GDPR): You may withdraw any consent given at any time with effect for the future.

To exercise your rights, please contact us at: info@4unit.com

8. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for us is:

9. SSL/TLS Encryption

Our website uses SSL/TLS encryption for the secure transmission of all data. You can recognise this by the padlock symbol in your browser and the address bar beginning with "https://".

10. Cookies

Technically Necessary Cookies

We use technically necessary cookies (session, login, language). These are required for the operation of the website and are set on the basis of Art. 6(1)(f) GDPR.

Analytics Cookies

Analytics cookies are only set with your explicit consent (Art. 6(1)(a) GDPR). You may withdraw your consent at any time via the cookie settings.

11. Changes

We reserve the right to amend this privacy policy to reflect changes in the legal situation or changes to our service. In the event of material changes, we will inform you by email.

Last updated: February 2026