Privacy policy
1. Controller
The controller responsible for processing personal data within the meaning of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (Datenschutzgesetz — DSG) is:
Phil's American Diner GmbH
Technikerstraße 16
6020 Innsbruck
Austria
Managing director: Philipp Gasser
Phone: +43 664 9970 8458
Email: office@phils.at
2. Scope
This privacy policy applies to the website phils.at and the related Next.js web application of Phil's American Diner GmbH ("we"), including the online area under “/bestellen”.
The version that applies is the current version of this privacy policy as amended from time to time and, where processors are used, their contractual and privacy information.
3. Purposes and legal bases
We process personal data only to the extent necessary to operate the website, process orders, and comply with legal obligations.
Performance of a contract (Art. 6(1)(b) GDPR): If you place an order via our website, we process the data you provide (for example name, pickup or delivery address, phone number, email address, order contents, and payment information only to the extent required for processing the payment and as processed by our payment service provider) in order to perform and handle the contract with you.
Legitimate interests (Art. 6(1)(f) GDPR): Processing technically necessary cookies or similar technologies, as well as server log files, serves the secure and stable operation of our online service, IT security, and the detection of abuse. Our legitimate interest lies in the availability and integrity of our service.
Legal obligation (Art. 6(1)(c) GDPR): Where we are legally obliged to retain and document information—in particular under the Austrian Commercial Code (Unternehmensgesetzbuch — UGB) and the Austrian Federal Fiscal Code (Bundesabgabenordnung — BAO)—we process data to the extent required for that purpose.
4. Hosting and delivery
The website is hosted and delivered by Vercel Inc., Covina, CA, USA (“Vercel”). Personal data such as IP address and time of access may be processed; this may include transfers of data to the USA. Where required, such transfers are based on adequacy decisions and/or appropriate safeguards within the meaning of Art. 44 et seq. GDPR (including the EU Standard Contractual Clauses) provided by Vercel.
Further details are available in Vercel’s privacy policy.
5. Database and authentication (Supabase)
We use Supabase Inc., with its head office in Singapore (“Supabase”), for managed database and authentication functions. The region we use for storage is the EU region Frankfurt am Main; technical provision is by Supabase in accordance with its product configuration.
Depending on your use, we process in particular data related to orders and customer accounts. The legal basis for processing in the ordering process is Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR may apply to operational and security logs.
6. Online ordering
In the “/bestellen” area we collect the personal data required to perform the contract. Transmission is encrypted using TLS/SSL.
Without the required mandatory information, placing an order is generally not possible.
7. Payment processing
Payments are processed by Stripe Payments Europe Ltd., with its registered office in Dublin, Ireland (“Stripe”). We do not store full card data; payment data is processed by Stripe in accordance with Stripe’s privacy information.
The legal basis is Art. 6(1)(b) GDPR (performance of a contract) and, where applicable, Art. 6(1)(c) GDPR for statutory retention and documentation duties.
8. Email communication and order confirmations
For each completed online order on our website (delivery or pickup) we send you an order confirmation email. Transactional emails of this type are sent via Brevo (Sendinblue SAS, 7 rue de Madrid, 75008 Paris, France). In particular, we process recipient address, your name from the order, order contents (line items and amounts, and delivery/contact details you supplied for the order), payment method chosen, and technical sending metadata.
The legal basis for order confirmation emails is Art. 6(1)(b) GDPR (performance of a contract). System emails relating to authentication are covered by the providers described separately (e.g. Supabase authentication emails).
9. Newsletter (Brevo)
For our newsletter we use Brevo (Sendinblue SAS, 7 rue de Madrid, 75008 Paris, France).
When you sign up we process the following data:
- Email address
- Language preference (DE/EN)
- IP address and time of sign-up and confirmation (to demonstrate consent)
We use double opt-in: after you sign up you receive a confirmation email with a confirmation link. Only after you click that link are you actually registered for the newsletter.
Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time with effect for the future, either via the unsubscribe link in every newsletter email or by contacting office@phils.at.
Brevo processes data within the European Union. We have a data processing agreement with Brevo pursuant to Art. 28 GDPR.
10. Cookies and tracking
This website uses two categories of cookies:
Necessary cookies: Required to operate the site, particularly for orders (Stripe), language and security settings. These are set without consent (Art. 6(1)(f) GDPR; Austrian Telecommunications Act (TKG) §165(3)(5)).
Marketing cookies (Meta Pixel): We use Meta Pixel (Facebook/Instagram) to measure the effectiveness of our advertising and to show you relevant ads. Tracking occurs only after you give explicit consent. You may withdraw consent at any time via “Cookie settings” in the footer.
Data recipient: Meta Platforms Ireland Limited (Ireland)—data transfers to the United States may occur (Art. 49(1)(a) GDPR).
11. Analytics and tracking
Unless you consent, we do not use Meta Pixel for reach/advertising measurement. Once you accept marketing cookies, Meta Ireland may process personal data; see “Cookies and tracking” for detail.
You can adjust your cookie choice at any time under “Cookie settings” in the footer.
12. Fonts
Fonts are provided via Next.js; where possible, they are self-hosted locally so that, as a rule, no separate transmission to font providers occurs for that purpose.
13. Contact for privacy
For questions about data protection and to exercise your rights as a data subject, please contact:
14. Processors
To the extent processing on our instructions occurs, we use the following categories of processors (Art. 28 GDPR):
- Vercel Inc. (Covina, CA, USA) — hosting and delivery of the Next.js application
- Supabase Inc. (head office Singapore) — database and authentication; EU region Frankfurt am Main as used by us
- Stripe Payments Europe Ltd. (Dublin, Ireland) — payment processing
- Brevo (Sendinblue SAS, France) — transactional email, in particular order confirmations; also newsletter services including double opt-in as referenced in this policy
- Meta Platforms Ireland Limited (Ireland) — see “Cookies and tracking” / “Analytics and tracking”
15. Storage period
We store personal data only as long as required for the respective purposes or as mandated by law; thereafter data is deleted or anonymised unless a retention duty applies.
We may retain order data and related records for up to seven years where required under the UGB and the BAO.
Server log files are usually deleted after 14 days unless longer storage is required for justified security or evidence-related reasons.
16. Your rights
Subject to the statutory requirements, you have in particular the following rights:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
- Withdrawal of consent with future effect, where processing is based on consent (Art. 7(3) GDPR)
17. Complaint to a supervisory authority
You have the right to lodge a complaint with a supervisory authority. In Austria, this is in particular the Austrian Data Protection Authority:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Wien
Website: dsb.gv.at
See also: Members and contacts of the European Data Protection Board
18. Security
We use TLS/SSL to encrypt data in transit between your browser and our systems.
Passwords are stored only as hashes, never in plain text.
Last updated: May 2026