Privacy Policy

1. Data Controller

Ordernova UG (haftungsbeschränkt) Flugplatzstraße 11 55126 Mainz Germany Phone: +49 176 432 59 263

2. Scope and Roles

This Privacy Policy applies to ordernova.de, our contact and demo forms, the Ordernova platform, restaurant webshops and apps, order management, admin, POS and API features, and integrations with external ordering, delivery and payment services where a restaurant uses or activates those features. Depending on the context, we process data as a controller in our own right or as a service provider for a restaurant. Restaurants remain responsible in particular for their menus, prices, availability, preparation, delivery, pickup, customer communication and their own legal obligations. If an external channel such as Uber Eats, Wolt or Lieferando is connected, the privacy information of that provider also applies.

3. Data We Collect

We may process in particular the following data: • Contact and demo requests: name, company, email address, phone number, message and communication history • Account data: username, email address, roles, permissions, login and security information • Restaurant and location data: restaurant name, address, opening hours, delivery areas, logos, menus, prices, tax rates, availability and settings • Customer and order data: name, contact details, delivery or pickup information, ordered items, prices, discounts, payment method, payment and order status, notes and support history • POS, cash register and device data: receipts, voids, refunds, tax and closeout data, device identifiers, printer and terminal status and technical logs • Integration data: store, venue, restaurant and order IDs, OAuth or API connection data, webhook events, menu and availability data, acceptance, rejection, cancellation and status messages from external channels • Usage, log and security data: IP address, timestamps, browser and device information, app version, error messages, session data, consent status and security-relevant events

4. Purposes of Processing

We process data to provide our website, our platform and the activated restaurant services. This includes in particular: • Responding to contact, demo and support requests • Providing restaurant webshops, apps and direct ordering under the restaurant's brand • Receiving, managing, updating and accounting for orders from the restaurant's own store and from activated external channels • User management, authentication, roles and access control • Payment processing, refunds, payouts, invoices, receipts, fiscalization and legally required records • Synchronizing menus, availability, restaurant status, order status and operational data with connected services such as Uber Eats, Wolt or Lieferando where activated • Platform security, abuse prevention, error analysis, maintenance and improvement of our services • Compliance with legal, commercial, tax and retention obligations

5. Legal Bases

We process personal data on the following legal bases under the GDPR: • Art. 6(1)(b) GDPR – performance of a contract or pre-contractual steps, for example demo requests, platform use, order processing, payments and support • Art. 6(1)(c) GDPR – legal obligations, for example accounting, tax records, cash register and retention duties • Art. 6(1)(f) GDPR – legitimate interests, for example secure platform operation, fraud and abuse prevention, technical error analysis, product improvement and traceability of integration events • Art. 6(1)(a) GDPR – consent, especially for optional cookies, analytics and marketing technologies or certain communication channels where consent is required

6. External Ordering and Delivery Channels

If a restaurant activates external channels, Ordernova may exchange data with those services so that orders can be processed in restaurant operations. This may include Uber Eats, Wolt, Lieferando / Just Eat Takeaway.com or comparable future platforms. Depending on the activated integration, restaurant or store IDs, menu and availability data, opening hours, orders, ordered items, prices, customer and delivery information, status messages, acceptances, rejections, cancellations, refunds, webhook events and technical logs may be processed. External platforms may act as independent controllers. Their own processing is additionally governed by their privacy information, contractual terms and platform rules.

7. Payments, POS and Fiscalization

For online paid orders, on-site payments, refunds, payouts, accounting, receipts, daily closeouts and tax records, we may process payment, order, tax, POS and transaction data. Depending on the activated feature, payment providers such as Stripe or Adyen, fiscalization services such as Fiskaly, banking and settlement partners or technical service providers may be involved. This processing is used for payment handling, fraud prevention, traceability, accounting, tax compliance and restaurant settlement. Legally relevant receipt, POS, tax and accounting data may be subject to longer statutory retention periods.

8. Recipients and Service Providers

We disclose personal data only where this is necessary for the purposes described, where a legal basis exists or where a legal obligation applies. Recipients may include in particular: • Hosting, database, API, monitoring, security and email service providers • Payment, settlement, banking and fiscalization providers • App, push, update and device infrastructure, for example for restaurant apps and order management devices • Activated external ordering and delivery platforms such as Uber Eats, Wolt and Lieferando / Just Eat Takeaway.com • Restaurants, franchise or location operators where data is required for operations, fulfillment, support or settlement • Tax advisors, authorities, courts or other bodies where we are legally required to disclose data Where service providers process personal data on our behalf, we enter into appropriate data processing agreements. For transfers to countries outside the EU or EEA, we rely on a suitable legal basis, such as adequacy decisions, standard contractual clauses or other permitted safeguards.

9. Data Retention

We retain personal data only for as long as necessary for the relevant purposes or where statutory retention periods apply. Contact and support data is generally stored for the duration of the request and subsequent documentation or limitation periods. Technical logs are generally stored for shorter periods unless needed for security, error analysis or traceability. Order, payment, settlement, POS and tax-relevant data may typically be retained for up to 10 years under German commercial and tax law. After that, we delete or anonymize data unless another legal basis applies.

10. Your Rights

Under the GDPR, you have in particular the following rights: • Access to the data processed about you • Rectification of inaccurate or incomplete data • Erasure of personal data unless statutory retention duties or another legal basis prevent deletion • Restriction of processing • Data portability • Objection to processing based on legitimate interests • Withdrawal of consent with effect for the future • Complaint with a data protection supervisory authority To exercise your rights, you can use our email contact or the contact form. If data is processed on behalf of a restaurant, we may forward the request to the relevant restaurant or handle it together with that restaurant.

11. Cookies & Analytics

Our website may use technically necessary cookies or similar technologies to provide the service and store your cookie choices. We use Google Tag Manager and optional marketing or analytics features such as Meta Pixel only where the required consent has been given. You can manage cookie preferences via the cookie banner on our website. Restaurant apps, order management, admin and POS features typically use technical app, device, session and security identifiers instead of website cookies where required for login, operation, support and security.

12. Data Security

We use technical and organizational measures to protect personal data. These include encrypted data transmission (HTTPS/TLS), access controls, role-based permissions, secure authentication, logging of security-relevant events, backups, monitoring and regular review of our systems. The measures are developed further according to risk, state of the art and type of processing.

13. Changes to This Privacy Policy

We may update this Privacy Policy when our services, integrations, providers, legal requirements or technical processes change. The latest version is always available at ordernova.de/privacy-policy. Where required, we will inform you about material changes through appropriate channels.

14. Contact