Data protection

This privacy policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter referred to as "data") within our online services, associated websites, functions, and content, as well as external online presences, such as our social media profiles (collectively referred to as "online service"). With regard to the terminology used, such as "processing" or "controller," we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

​

Responsible Party:

Ghost Kitchen Event Catering Consulting UG (limited liability)
Hofweg 20
22085 Hamburg
Germany

​

Managing Director:
Marvin Pascal Paz Carvajalino

Email: hey@the-secret.restaurant
Website: www.the-secret.restaurant

​

Types of processed data:

• Inventory data (e.g., names, addresses)

• Contact data (e.g., email, phone numbers)

• Content data (e.g., text input, photographs, videos)

• Usage data (e.g., visited websites, interest in content, access times)

• Meta/communication data (e.g., device information, IP addresses)

​

Purpose of Processing:

• Providing the online service, its functions, and content

• Responding to contact inquiries and communication with users

• Security measures

• Reach measurement/marketing

​

Used Terminology

"Personal data" refers to all information that relates to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is considered one who can be identified, directly or indirectly, especially by means of assigning to an identifier such as a name, identification number, location data, online identifier (e.g., cookie), or one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

"Processing" refers to any operation or series of operations performed on personal data, with or without the aid of automated processes. The term is broad and includes practically any handling of data.

The "controller" refers to the natural or legal person, authority, institution, or other body that alone or jointly with others determines the purposes and means of processing personal data.

​

Applicable Legal Grounds

In accordance with Article 13 of the GDPR, we inform you about the legal grounds of our data processing. If the legal basis is not stated in the privacy policy, the following applies: The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR, the legal basis for processing to fulfill our services and contractual measures and for responding to inquiries is Article 6(1)(b) GDPR, the legal basis for processing to fulfill our legal obligations is Article 6(1)(c) GDPR, and the legal basis for processing to safeguard our legitimate interests is Article 6(1)(f) GDPR. In cases where the processing of personal data is required to protect vital interests of the data subject or another natural person, Article 6(1)(d) GDPR serves as the legal basis.

​

Security Measures

We ask you to regularly review the content of our privacy policy. We will adjust the privacy policy as soon as the changes in the data processing we conduct make it necessary. We will inform you as soon as changes require an action on your part (e.g., consent) or other individual notifications.

​

Collaboration with Processors and Third Parties

If we disclose data to other persons and companies (processors or third parties) as part of our processing, transmit them to these parties, or otherwise grant access to the data, this is done only on the basis of a legal permission (e.g., if the transmission of data to third parties, such as payment service providers, is required for the fulfillment of a contract under Article 6(1)(b) GDPR), if you have consented, if a legal obligation requires it, or based on our legitimate interests (e.g., when using agents, web hosts, etc.).

If we commission third parties to process data on the basis of a so-called "data processing agreement," this is done in accordance with Article 28 GDPR.

​

Transfers to Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs as part of using third-party services or disclosure or transmission of data to third parties, it will only be done if it is necessary to fulfill our (pre)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process or allow the data to be processed in a third country only when the special conditions of Articles 44 et seq. GDPR are met. This means that the processing will occur based on special guarantees, such as the officially recognized determination of an adequate level of data protection (e.g., for the USA through the "Privacy Shield") or by observing officially recognized special contractual obligations (so-called "standard contractual clauses").

​

Rights of the Data Subjects

You have the right to request confirmation as to whether your data is being processed, and to obtain information about these data and further information and a copy of the data as per Article 15 GDPR.

You have the right to request the completion of your data or the correction of inaccurate data concerning you, in accordance with Article 16 GDPR.

​

You have the right, in accordance with Article 17 GDPR, to request that your data be erased without undue delay, or alternatively, to request the restriction of processing of the data in accordance with Article 18 GDPR.

You have the right to request that the data concerning you, which you have provided to us, be received in accordance with Article 20 GDPR and to request its transmission to other controllers.

​

Furthermore, you have the right to lodge a complaint with the competent supervisory authority in accordance with Article 77 GDPR.

​

Right to Withdraw Consent

You have the right to withdraw your consent given in accordance with Article 7(3) GDPR with effect for the future.

​

Right to Object

You can object to the future processing of your data in accordance with Article 21 GDPR at any time. The objection can especially be made against the processing for direct marketing purposes.

​

Cookies and Right to Object to Direct Marketing

"Cookies" refer to small files that are stored on users' devices. Different information can be stored within the cookies. A cookie primarily serves to store information about a user (or the device on which the cookie is stored) during or after visiting an online service. Temporary cookies, or "session cookies" or "transient cookies," are cookies that are deleted after a user leaves an online service and closes their browser. For example, the content of a shopping cart in an online shop or a login status can be stored in such a cookie. "Permanent" or "persistent" cookies are cookies that remain stored even after closing the browser. For example, the login status can be saved when users visit the site after several days. Such a cookie can also store users' interests, which are used for reach measurement or marketing purposes. "Third-party cookies" refer to cookies that are offered by providers other than the controller operating the online service (otherwise, if it is only their cookies, they are called "first-party cookies").

​

We may use temporary and permanent cookies and inform you about this in our privacy policy.

If users do not want cookies to be stored on their device, they are asked to disable the relevant option in their browser's system settings. Stored cookies can be deleted in the browser's system settings. Excluding cookies may lead to functional restrictions on this online service.

​

A general objection to the use of cookies for online marketing purposes can be declared with a variety of services, especially in the case of tracking, via the U.S. website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by deactivating them in the browser settings. Please note that this may prevent you from using all the features of this online service.

​

Data Deletion

The data we process will be deleted or restricted in its processing in accordance with Articles 17 and 18 GDPR. Unless expressly stated otherwise in this privacy policy, the data stored with us will be deleted once they are no longer necessary for the purpose they were collected for and no legal retention obligations prevent their deletion. If the data are not deleted because they are required for other legally permissible purposes, their processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be kept for commercial or tax law reasons.

​

Business-related Processing

In addition, we process:

• Contract data (e.g., contract subject, duration, customer category)

• Payment data (e.g., bank details, payment history)
  from our customers, prospects, and business partners for the purpose of providing contractual services, customer care, marketing, advertising, and market research.

​

Hosting

The hosting services we use provide the following services: infrastructure and platform services, computing capacity, storage space, database services, security services, and technical maintenance services, which we use for the operation of this online service.

Here, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, and meta/communication data from customers, prospects, and visitors of this online service based on our legitimate interest in an efficient and secure provision of this online service in accordance with Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (conclusion of a data processing agreement).

​

Collection of Access Data and Logfiles

We, or our hosting provider, collect data about every access to the server on which this service is hosted, based on our legitimate interests according to Art. 6 para. 1 lit. f. GDPR (so-called server logfiles). The access data includes the name of the retrieved webpage, file, date and time of retrieval, transferred data volume, message of successful retrieval, browser type and version, the user’s operating system, referring URL (the previously visited page), IP address, and the requesting provider.

​

Logfile information is stored for security reasons (e.g., to investigate misuse or fraud) for a maximum of 7 days and then deleted. Data that is required for evidence purposes will be excluded from deletion until the respective incident is resolved.

​

Provision of Contractual Services

We process inventory data (e.g., names, addresses, and contact data of users), contract data (e.g., services used, names of contact persons, payment information) in order to fulfill our contractual obligations and services in accordance with Art. 6 para. 1 lit. b. GDPR. The information marked as mandatory in online forms is necessary for the conclusion of the contract.

In the context of using our online services, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the user's interest in protection against misuse and other unauthorized use. We do not generally share this data with third parties, unless it is necessary for the enforcement of our claims or there is a legal obligation to do so according to Art. 6 para. 1 lit. c GDPR.

​

We process usage data (e.g., the pages visited on our online offer, interest in our products) and content data (e.g., entries in the contact form or user profile) for advertising purposes in a user profile, to display, for example, product suggestions based on their previously used services.

​

Data will be deleted after the expiry of legal warranty and similar obligations. The necessity of data retention is reviewed every three years; in the case of legal archiving obligations, deletion occurs after their expiration. Information in a potential customer account remains until the account is deleted.

​

Contacting Us

When contacting us (e.g., via contact form, email, phone, or social media), the user’s details will be processed for the purpose of handling the contact request and its processing in accordance with Art. 6 para. 1 lit. b) GDPR. The user's details may be stored in a customer relationship management system ("CRM system") or similar inquiry organization.

We delete the inquiries when they are no longer required. We check the necessity every two years; furthermore, the legal archiving obligations apply.

​

Google Analytics

We use Google Analytics, a web analysis service of Google LLC ("Google"), based on our legitimate interests (i.e., the interest in analyzing, optimizing, and operating our online offer economically in accordance with Art. 6 para. 1 lit. f. GDPR). Google uses cookies. The information generated by the cookie about the user’s use of the online offer is usually transmitted to a Google server in the USA and stored there.

​

Google is certified under the Privacy Shield Agreement, providing a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

​

Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on activities within this online offer, and to provide additional services related to the use of this online offer and internet usage. Pseudonymous user profiles may be created from the processed data.

​

We use Google Analytics only with IP anonymization enabled. This means that the user’s IP address will be shortened by Google within the member states of the European Union or other contracting states of the agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and then shortened.

​

The IP address transmitted by the user's browser will not be merged with other Google data. Users can prevent the storage of cookies by adjusting their browser settings accordingly. Furthermore, users can prevent the collection of data generated by the cookie and related to their use of the online offer by Google, as well as the processing of these data by Google, by downloading and installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

​

For more information on Google’s data usage, setting options, and objection opportunities, please refer to Google’s privacy policy (https://policies.google.com/technologies/ads) and the settings for the display of Google advertising (https://adssettings.google.com/authenticated).

​

The personal data of users will be deleted or anonymized after 14 months.

​

Integration of Third-Party Services and Content

We use third-party content or services in our online offer based on our legitimate interests (i.e., the interest in analyzing, optimizing, and operating our online offer economically in accordance with Art. 6 para. 1 lit. f. GDPR), in order to embed their content and services, such as videos or fonts (collectively referred to as “content”).

​

This always requires that the third-party providers of this content perceive the user’s IP address, as they could not send the content to the user’s browser without the IP address. The IP address is thus required for the display of these contents. We strive to use only such content, the respective providers of which use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. These pixel tags enable the evaluation of visitor traffic on the pages of this website. Pseudonymous information may also be stored in cookies on the user's device, including technical information about the browser and operating system, referring websites, visit time, and further data about the use of our online offer, and can be linked with information from other sources.

​

Google Maps

We integrate the maps from the service “Google Maps” of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may include IP addresses and location data of the users, which, however, are not collected without their consent (usually carried out in the settings of their mobile devices). The data may be processed in the USA. Privacy policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.

​

Created with Datenschutz-Generator.de by RA Dr. Thomas Schwenke