Privacy Policy
Dear Customer,
We are pleased that you are interested in data protection. We would like to give you an easily
understandable overview of our data protection process.
Our goal is to provide you with an amazing customer experience. That also means that you can
always trust us and that we are always transparent and honest with you. Your trust in our product is
the reason why we can provide you with an amazing customer experience. We would like to
thank you for this cooperation.
Who we are
We are Delivery Hero Bulgaria Ltd., but usually we just use the name foodpanda. You can
always contact us via the following methods:
Sofia, 2 Srebarna
Postcode 1407
E-mail address: [email protected]
While visiting our website, registering or placing orders, you agree to this privacy policy.
As data controller, we determine how we process your personal data, for what purposes and by
what means. While we are required by law to provide you with all of the following information,
we do so primarily out of the belief that a partnership should always be honest.
As data controller, we are responsible for ensuring that all our processing activities are in
accordance with legal requirements and that you may reasonably expect this processing of your
personal data (link to legitimate interests).
If you have any questions about data protection at foodpanda, you can also contact our data
protection officer at any time by sending an email to [email protected].
We have a global Corporate Privacy Officer as we are also a member of the large and
fascinating family of the Delivery Hero Group.
As a family, we make certain decisions together. Both our parent company, Delivery Hero SE,
Oranienburger Straße 70, 10117 Berlin and we jointly decide which means we will use to
process your personal data and which purposes we consider to be appropriate.
We will continue to be your point of contact if you have any questions about data protection.
Privacy is your right and you have the choice
As a customer you have the choice which information you would like to share with us. Of course
we need some information for the fulfillment of our contract. However, this does not always
require all the data which you can make available to us.
You can take the following steps to disclose less information about yourself:
Cookies: You can install additional add-ons in your browser that block unnecessary cookies. By
doing so, you will not see any interest-based advertisements.
Advertising: If you do not want to receive newsletters from us, you can unsubscribe at any
time. In this case, we will not be able to send you any cool offers.
No data sharing: If you don't want to share any information with us at all, that's a shame. In this
case we can't convince you how great our products are.
You can also make use of the following rights at any time:
Right to access
You have the right to be informed which data we store about you and how we process this data.
Right to rectification
If you notice that stored data is incorrect, you can always ask us to correct it.
Right to erasure
You can ask us at any time to delete the data we have stored about you.
Right to restriction of processing
If you do not wish to delete your data, but do not want us to process it further, you can ask us to
restrict the processing of your personal data. In this case, we will archive your data and only
reintegrate it into our operative systems if you so wish. However, during this time you will not be
able to use our services, otherwise we will process your data again.
Right to data portability
You can ask us to transmit the data stored about you in a machine-readable format to you or to
another responsible person. In this context, we will make the data available to you in JSON
format.
Right to object to the processing of your data
You can revoke your consent at any time or object to the further processing of your data. This
also includes objecting to processing that we carry out without your consent but on the basis of
our legitimate interest. This applies, for example, to direct marketing. You can object to
receiving further newsletters at any time.
If you do not agree with one of our processing purposes based on our legitimate interest or wish
to object to it, you may object to the processing at any time on grounds relating to your
particular situation. Please write an email to [email protected]. In this case we will review
the processing activity again and either stop processing your data for this purpose or explain to
you our reasons worth protecting and why we will continue with the processing.
Automated decision making
We also process your personal data in the context of algorithms in order to simplify our
processes. Of course, you have the right not to be subject to decisions based solely on
automated processing. If you believe that we have denied your access in an unjustified way,
you can always contact us at [email protected]. In this case, we will examine the case
separately and decide on a case-by-case basis.
Right of complaint
If you believe that we have done something wrong with your personal data or your rights, you
can complain to the appropriate supervisory authority at any time.
The supervisory authority responsible for us is:
Commission for Personal Data Protection
Address : 2 prof. Tsvetan Lazarov Blvd.
Postcode City : Sofia 1592
Email Address : [email protected]
To exercise your rights, you can contact [email protected] at any time.
What data we process
In the following description of our processing activities, we refer in each case to categories of
personal data. A category comprises several items of personal data that are usually processed
together for the respective purposes.
Personal data is information that can identify you or even make you identifiable.
We generally process the following categories of personal data for the following reasons:
Contact Information:
Name, address, telephone number, email address, your ID from any social media
Reason:
If you contact us, we collect this data because we need to know who we are talking to and what
we have been talking about so that we can help you with your reason for contacting us. This
also applies if you leave comments on social media on our fan pages. We do not combine this
data with your profile data on our platform, but we can still identify you by your social media ID.
Location data:
Address, Postcode, City, Country, Longitude, Latitude
Reason:
We need these data to be able to deliver your orders. We create the longitude and latitude
automatically in order to be able to process your delivery address in our other linked systems,
such as our Rider app, and to display your address to our riders.
Profile data (master data):
Name, email address, password, telephone number, delivery addresses, interests, demographic
data (age, delivery address)
Reason:
This data is your master data, which we absolutely need for our services. Without an email
address / telephone number and a password, you cannot create a profile. Together with your
name, this is your master data. We need your age to ensure that you are not a minor.
Device information and access data:
Device ID, device identification, operating system and corresponding version, time of access,
configuration settings, information on Internet connection (IP address)
Reason:
With each access this information is stored by us for technical reasons. We also use parts of
this information to detect suspicious behaviour at an early stage and to avert damage.
Order information:
Order history, selected restaurants, invoices, order ID, comments on orders, information on
payment method, delivery address, successful orders and cancelled orders
Reason:
Each time you place an order, this information will be added to your profile. You can view all this
information in your profile at any time. The information should give you an overview of your own
interests and previous orders. We will also use the same information to improve our services. In
addition, we will anonymize this information when you request a deletion or when your profile
becomes inactive in order to continue to use this information in an anonymized form to optimize
our services.
Communication data:
Name, email address, telephone number, device ID
Reason:
If you would like to receive a newsletter, an SMS or an in-app push notification from us, we
need certain information to send you the messages. Instead of addressing you with "Hey You",
we find it more customer friendly to address you with your name. This category of personal
information is also used by us to contact you, for example, if a product cannot be delivered and
we want to offer you an alternative instead.
Payment information:
Payment method, pseudonymized credit card information
Reason:
We need this information to track your payments and assign them to the orders you have
placed.
Delivery information:
Name, delivery address, phone number, order ID
Reason:
In accordance with the principle of data minimization, we only provide our riders and restaurants
with the information that they need from you to prepare and deliver your order.
For which purposes we process data
We process your personal data only in accordance with the strict legal requirements. We pay
particular attention to the fact that all principles for the processing of personal data are taken
into account. The Delivery Hero Group pays great attention to transparency. Therefore, we only
process your data if this is lawful and you can reasonably expect it to be processed. If, in the
course of our evaluation, we come to the conclusion that the processing cannot reasonably be
expected, we will only carry out the processing with your express consent.
Account creation, SSO registration, administration of your profile
In order to be able to offer you our services, the processing of your personal data is essential.
Much of this data you transmit to us and other parts of the data we collect automatically when
using our platforms. Nevertheless, we endeavour to keep the amount of data as small as
possible. You can help us by only sharing necessary data with us that we need to fulfill our
contractual obligations.
Account creation
When creating a customer account you will be asked to enter your master data. This is
absolutely necessary, as we cannot create a customer profile without this data. Your email
address and telephone number are particularly important, as we can use this information to
identify you in our system the next time you want to log in again. Furthermore, we would like to
ask you to choose your password carefully. Do not use the same password on multiple
websites. Your password should also be at least 12 characters long and contain at least one
lowercase letter, one uppercase letter, one special character (!?#,%& etc.) and one digit.
Categories of personal data:
Profile data (master data)
Device information and access data
Legal basis:
Art. 6 para. 1 (b) GDPR, performance of contract
Login
If you already have an existing customer account, you will need to enter your email address and
password to log in. If we detect irregularities during registration, such as entering the wrong
password several times, we will take appropriate measures to prevent damage to you and us.
Categories of personal data:
Profile data (master data)
Legal basis:
Art. 6 para. 1 (b) GDPR, fulfilment of contract for registration;
Art. 6 para. 1 (f) GDPR, for the security measures
Single-Sign-On with Facebook
If you have a Facebook profile, you can register on our website to create a customer account, or
register using the social plugin "Facebook Connect" of the social network Facebook, which is
operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA ("Facebook"), within
the framework of the so-called single sign-on technology. You can recognize the social plugins
of Facebook Connect on our website by the blue button with the Facebook logo and the
inscription "Log in with Facebook", "Connect with Facebook" or "Sign in with Facebook".
If you call up a page of our website that contains such a plugin, your browser establishes a
direct connection to the Facebook servers. The content of the plugin is transmitted directly from
Facebook to your browser and integrated into the page. Through this integration, Facebook
receives the information that your browser has called up the corresponding page of our website,
even if you do not have a Facebook profile or are not logged on to Facebook. This information
(including your IP address) is transmitted directly from your browser to a Facebook server in the
USA and stored there. These data processing operations are carried out in accordance with Art.
6 Para. 1 (f) GDPR on the basis of Facebook's legitimate interest in the display of personalised
advertising on the basis of surfing behaviour.
By using this Facebook Connect button on our website, you can also log in or register on our
website using your Facebook user data. Only if you give your express consent in accordance
with Art. 6 Para. 1 (a) GDPR prior to the registration process on the basis of a corresponding
note on the exchange of data with Facebook, will we receive the general and publicly accessible
information stored in your profile when using the Facebook Connect button on
Facebook, depending on your personal data protection settings on Facebook. This information
includes user ID, name, profile picture, age and gender.
We would like to point out that after changes have been made to Facebook's data protection
conditions and terms of use, your profile pictures, the user IDs of your friends and the friends list
may also be transferred if they have been marked as public in your Facebook privacy settings.
The data transmitted by Facebook is stored and processed by us for the creation of a user
account with the necessary data, if this has been released by you on Facebook (title, first name,
surname, address data, country, e-mail address, date of birth). Conversely, we can transfer data
(e.g. information on your surfing behaviour) to your Facebook profile on the basis of your
consent.
The consent given can be revoked at any time by sending a message to us.
Facebook Inc., headquartered in the USA, is certified for the US-European data protection
agreement "Privacy Shield", which guarantees compliance with the data protection level
applicable in the EU.
Categories of personal data:
Profile data (master data)
Contact Information
Facebook profile information
Legal basis:
Art. 6 para. 1 (a) GDPR, Consent
Managing your profile
You can log in to your profile at any time and change your personal data, such as name, email
address or telephone number. You can also view your previous orders.
Categories of personal data:
Profile data, location data
Order information
Device information and access data
Communication data
Payment information
Legal basis:
Art. 6 para. 1 (b) GDPR, performance of contract
Order processing
Once you have successfully registered and decided to place your order, we will store this
information in your profile and process it in further processes so that you can submit your order
to us. When you submit your order, your personal data is transferred to our backend where it is
transferred to other systems for further processing.
Categories of personal data:
Contact Information
Location data
Device information and access data
Legal basis:
Art. 6 para. 1 (b) GDPR, fulfilment of contract
Buffering
After you have logged in to your profile and made your selection, the products will be saved in
your profile. If you accidentally close your browser or app, you can continue to the last point of
your order. The last information is stored in a cookie.
Categories of personal data:
Profile data (master data)
Device information and access data
Order information
Legal basis:
Art. 6 para. 1 (f) GDPR, legitimate interest
The legitimate interest is to provide you with a better ordering experience where you can
conveniently continue your order with browsers or apps that are accidentally closed.
Delivery
Once you have successfully placed your order, a number of processes are running in the
background to ensure that your order is delivered quickly.
The following processing activities describe how and why your data is processed for the
respective purposes.
Transfer to Riders and Restaurants
We use different riders for delivery. These can be permanent employees, freelancers or third
parties who provide us with riders on the basis of a data processing agreement when we deliver
our orders. In all these cases we send your personal data to the riders so that they can deliver
your order quickly.
Categories of personal data:
Delivery information
Legal basis:
Art. 6 para. 1 (b) GDPR, performance of contract
Calls from riders or restaurants
If a product of your choice is not available for delivery or our riders cannot reach you at the
delivery address you provided, they have received instructions from us to call you so that the
problem can be solved easily.
Categories of personal data:
Delivery information
Legal basis:
Art. 6 para. 1 (b) GDPR, contract performance on call by the rider
Art. 6 para. 1 (f) GDPR, legitimate interest when called by the restaurant. The restaurants have
no claim whatsoever to your personal data and under no circumstances may they use it for their
own purposes. If you should nevertheless be contacted by a restaurant without your prior
consent, we ask you to report this to us by e-mail to [email protected].
Saved payment methods
In order to make the ordering process even more convenient for you, we offer to save your
preferred payment method. This means that you don't have to enter your payment details again
the next time you place an order. The storage of this data requires your prior consent. You can
save your payment data by clicking on the consent field. You can revoke your consent for the
future at any time by deactivating the consent field again or by informing us of this by e-mail to
[email protected].
Categories of personal data:
Payment data
Legal basis:
Art. 6 para. 1 (a) GDPR, consent
Advertising and marketing
Direct marketing
Newsletter
If you have provided us with your email address when purchasing goods or services, we reserve
the right to send you regular offers of similar goods or services to those already purchased from
our range by email.
Not only do the contents of our newsletters vary, but so do the technologies and criteria we use
to design our newsletters and segment customer groups. For example, a group of customers
may receive a special newsletter promoting special deals from restaurants where customers
have ordered. Other newsletters may refer to specific products that relate to a particular flavour,
such as sushi, Indian delicacies or pizza.
We use different information from your order history and delivery addresses.
This is a profiling process in which we automatically process your data. The specific customer
segmentation can have a legal effect on you or can have a significant effect on you in other
ways if you receive certain newsletters and are not included in other campaigns.
If automated decision making leads to a negative result for you and you do not agree with this,
you can contact us at [email protected]. In this case, we will individually assess the
circumstances of your case.
Categories of personal data:
Contact Information
Location data
Order information
Legal basis:
Data processing in this respect takes place solely on the basis of our legitimate interest in
personalised direct advertising pursuant to Art. 6 Para. 1 lit. f GDPR. If you have initially
objected to the use of your email address for this purpose, we will not send you an email. You
are entitled to object to the use of your email address for the aforementioned advertising
purposes at any time with effect for the future by notifying the person responsible named at the
beginning. For this purpose you only incur transmission costs according to the basic tariffs.
Upon receipt of your objection, the use of your email address for advertising purposes will be
discontinued immediately.
NPS
We are constantly striving to improve our services. Your constructive feedback is very important
to us. Therefore we will occasionally send you customer surveys and ask you to give us your
opinion. If you do not wish to receive customer surveys, you can unsubscribe at any time. For
any customer survey request you can click unsubscribe below and we will not contact you
again.
Categories of personal data:
Communication data
Legal basis:
Art. 6 para. 1 (f) GDPR, legitimate interest.
Our legitimate interest is the purpose described above.
App
We have a strong interest in informing you about new restaurants or deals when using our app.
We are always working to give you an amazing customer experience. To achieve this, we
negotiate very good deals for you with our restaurant partners. To inform you about these deals,
we send you in-app notifications or push notifications in our apps. It is imperative that you have
activated these on your end devices.
Categories of personal data:
Location data
Profile data (master data)
Order information
Legal basis:
If processing takes place with your consent, the legal basis is Art. 6 Para. 1 (a) GDPR, namely
your consent. Otherwise, the processing is based on our legitimate interest pursuant to Art. 6
para. 1 (f) GDPR. Our legitimate interest lies in the aforementioned purpose.
SMS
Besides other means we continue to use SMS to inform you about new deals in your area. You
will only receive an SMS from us if you have given your consent. You can revoke your consent
at any time for the future. Please send us an e-mail to [email protected]. The registration
as well as the cancellation is free of charge for you.
Categories of personal data:
Contact Information
Order information
Legal basis:
Art. 6 para. 1 (a) GDPR, consent
Online marketing
Our service is based to a large extent on convincing potential customers that we offer an
amazing customer experience and that every visit to our platform is worthwhile. In order to
reach as many potential customers as possible, we are very active in the field of online
marketing. It is just as important to win the trust of potential customers and to strengthen the
trust of our existing customers. Therefore, we would like to present our processes to you as
transparently as possible.
Targeting
In principle, targeting means the placing and displaying of advertising banners on websites that
are tailored to specific target groups. The aim is to display the most attractive banners as
individually as possible for the user and potential customer. Firstly, we define a target group and
secondly, we commission our service providers to show our advertising to the defined target
group. We do not process any personal data, as these are initially made anonymous. To better
define the target group, we segment customer types and place different ads on different portals.
Retargeting
As soon as you have visited our website and, for example, have already placed an order in your
shopping cart, we store this information in cookies. If you continue to surf other websites, our
advertising partners will remind you on our behalf that you have not yet completed your order.
We don't want you to miss out on our amazing customer experience.
You can disable retargeting by installing appropriate add-ons for your browser. Furthermore,
you can and should also regularly delete the cookies stored in the browser you are using.
Categories of personal data:
Contact Information
Legal basis:
Art. 6 para. 1 (f) GDPR, legitimate interest.
Our legitimate interest is the purpose described above.
Cookies
In order to make the visit of our website/app attractive and to enable the use of certain
functions, we use so-called cookies on various pages. These are small text files that are stored
on your device. Some of the cookies we use are deleted after the end of the browser session,
i.e. after closing your browser (so-called session cookies). Other cookies remain on your device
and allow us or our affiliate to recognize your browser on your next visit (persistent cookies).
You can set your browser so that you are informed about the setting of cookies and individually
decide on their acceptance or exclude the acceptance of cookies for specific cases or in
general. Failure to accept cookies may limit the functionality of our website/app.
Categories of personal data:
Legal basis:
If processing takes place with your consent, the legal basis is Art. 6 Para. 1 (a) GDPR, namely
your consent. Otherwise, the processing is based on our legitimate interest pursuant to Art. 6
para. 1 (f) GDPR. Our legitimate interest lies in the aforementioned purpose.
Because of the site characteristics, we are unable to display the whole Privacy Policy, but you can see the full document here.