This Privacy Notice gives you an overview of the processing of your personal data in the context of the use of the offers and online services within the “Quandoo” website on www.quandoo.co.uk and related mobile app (in the following, when the word “Platform” is used, this refers both to the website as well as the mobile app). This Privacy Notice also informs you about your rights and the possibilities you have to control your personal data and to protect your privacy.
- Who is responsible for the data processing and whom can I contact?
Responsible for the data processing is Quandoo UK Ltd. This company is also meant if the terms “we” or “us” are used in the following.
You can contact our data protection officer at:
- Which personal data do we process and from which sources do these data come from?
When we provide our Platform to you for use, we process personal information from various sources. On the one hand, this is data that we automatically collect when you use the Platform. However, this may also be data that you have voluntarily provided to us or that we receive from our partners.
- Data that we automatically collect when you use our Platform
As soon as you visit the website or open the app, you send technical information to our web servers. This happens regardless of whether or not you make a booking with a restaurant or whether or not you subsequently register with an account with us to use the Platform. In any case we will collect the following access and web-access data (that we call “Access Data”):
- Date and time of the visit and the duration of use of the Platform
- The IP address of your device
- The referral URL (the website from which you may have been redirected)
- The visited subsites of the website or subsections of the app; and
- More information about your device (type of device, browser type and version as well as settings, installed plug-ins, operating system)
We process Access Data to allow you and other users to use the Platform and to ensure the functionality of the Platform. We also process Access Data to perform analyses on the performance of the Platform, to continuously improve the Platform and correct errors; to ensure IT security and operation of our systems as well as in order to prevent or uncover abuse, particularly fraud. Further, we process Access Data to customize the Platform to your needs (personalization). For this purpose, we will also assign you a so-called “Unique User ID”. This Unique User ID allows us to assign your bookings and other interactions.
- Data which you yourself transmit to us
In addition to the data we receive from all visitors, we also process other data. The exact amount of this data depends on how you use the Platform. You can use the Platform with and without creating a user account.
If you decide to create a user account and fill out the registration form, we will process your:
- Name and surname
- Email address
- Your login password
- Phone number (optional)
You can also use the social log-in functions offered on our Platform to create your user account. If you choose this function, you send us your username on the social network of your choice (i.e., Facebook or Google), the email address you use to log on to the social network and, if applicable, the mobile phone number provided to the social network.
The data entered during registration will be used for the purpose of providing the Platform and to notify you by email on any information relevant to the Platform or registration, such as modification to the scope of the Platform or to the technical circumstances.
Booking and reservation data
If you make a booking or reservation, we will further process your:
- Email address
- Name and surname
- Phone number (optional)
- The restaurant you are making the booking for
- Party size
- Time of the reservation
- Special preferences
Please note that, if you fill out the text box indicating your dining/special preference, this might reveal certain sensitive personal information, e.g. food allergies or physical disabilities. If you would not like this data to be processed, please leave the respective field blank.
We process this data to secure your reservation, to inform you about the status of your reservation and also to customize the Platform to your needs based on your previous reservations and bookings.
Ratings and reviews
The Platform gives you the possibility to use certain social functions: you can submit reviews and ratings for restaurants. You can also subscribe to comments and reviews by other users.
If you use these functions, your IP address will be stored when you submit a comment or rating. This is a safeguard measure for us for cases where someone posts illegal content, comments and/or contributions (insults, prohibited political propaganda, etc.). We need to be able to determine the identity of the author in such cases, as legal action may arise based on the content in the comments or post.
If you opt to subscribe to successor comments, a confirmation email will be sent to verify that you are actually the owner of the email address entered. Subscriptions to comments can be cancelled at any time. The confirmation email will contain the relevant instructions in this respect.
Loyalty Points and Smart Offers
In case you wish to participate in our Loyalty Point program, additional data will need to be processed in order to bring this service to you. For this purpose, we will process your reservation and booking history in order to manage your Loyalty Points and provide you with bonus offers and other bargains.
Equally, where you purchase a Smart Offer using our platform, we will process the specific terms of this Smart Offer purchased by you (such as the restaurant that the Smart Offer is valid for, the term of the offer and the services included). You will be informed of the terms of each Smart Offer before you purchase it. When you purchase a Smart Offer we will further receive a confirmation from the restaurant that you have honored the reservation and actually claimed the Smart Offer.
We do not process any sensitive card payment details ourselves, but use secure payment providers to do so for us. Any payment data you input is encrypted in your browser by the payment provider in a way that only they can access, whereas we receive only non-sensitive data (payment token) and references confirming that you have made a payment. We do not store further payment related information in our system.
Newsletter & sending of advertising by email
If you want to receive the Newsletter, we require a valid email address and information that enables us to verify that the subscriber is the owner of the email address or that the respective owner of the email address used for the subscription, agrees to receive the Newsletter. No further information is collected. This data will solely be used for the purposes of sending the Newsletter.
Upon subscription to the Newsletter, we will store the IP address of the respective user and the date of subscription. The storage of this data serves solely the purpose of proof in cases, where a third party abuses an email address and subscribes to the Newsletter without the knowledge of the owner of the respective email address.
Customer support requests
You might wish to make a request for assistance to our customer support team or submit a complaint. In this case, in order to react to your request, we will process your IP address and contact data as well as the contents of your request.
- Data we receive from partners
Due to our Platform serving as an intermediary between you and the restaurant you are making the reservation with, we will also process data that we receive from our partner restaurants. This data includes:
- Your Email-address
- Your Name
- Your Phone Number (optional)
- Size of the Party
- Specific Preferences
- For what other purposes do we process your data?
In addition, we might process your data for additional purposes. These include:
- Disclosing your personal data to third parties if we are legally obliged to do so;
- Asserting legal claims and to defend against legal disputes;
- Complying with legal requirements for data retention due to tax legislation etc.
- What is the legal basis of the processing?
When processing your personal data, we rely on various legal bases according to the so-called Basic Data Protection Ordinance, an EU-wide legal framework for the standardization of data protection law (“GDPR” for short). Here we refer in detail to the following legal bases:
Consent (Article 6 (1) a GDPR)
Since you have given us your consent to process personal data for the specific purposes explained above, this consent ensures the legality of the processing. By registering with your account data or making a booking, you expressly agree the data processing as described in detail in this Privacy Notice by ticking the box before sending the registration or reservation form: If we process your data, it is because you have expressly allowed and requested us to do so when you use the Platform. Thus, your consent represents the most important legal basis for the processing of your personal data by us.
Performance of our contractual obligations towards you (Article 6 (1) b GDPR)
At the same time, the processing takes for the provision of the Platform in the context of the performance of our contract with you. Accordingly, in most cases, the processing is not only justified by your consent, but also because it is necessary to fulfil our contract with you. For example, if you make a booking with a restaurant using the Platform, it will be required to process the booking data to secure your booking.
Our legitimate interests (Article 6 (1) f GDPR)
There are also some cases in which we would be entitled to process your data even without your consent because it is necessary to protect our legitimate interests (or the interests of third parties). In this respect, the purposes described above for which we process your data also, in many cases, represent legitimate interests. This means that we are allowed to process the data necessary to guarantee the safety of our IT systems in any case, even if you have not given or withdrawn your consent to this processing. This also relates to preventing abuse of our platform or personalizing ads to your interests (so-called direct marketing).
Legal requirements (Article 6 (1) c GDPR) or in the public interest (Article 6 (1) e GDPR)
In addition, we are legally obliged to provide certain information to criminal prosecution or tax authorities in individual cases upon request.
- To whom do we transmit your data?
We treat your personal data with care and confidentially and will only pass them on to third parties to the extent described below and not beyond. We transmit data to public authorities only in the case of a legal obligation based on a request for information from the respective authority.
Outside of legal obligations towards public authorities, we only transmit your data to other users of the platform, to our third-party providers who help us provide the platform or within the Quandoo group of companies:
Other users of the platform
We transmit booking and reservation data to our partner restaurants using the Platform to facilitate reservations at their restaurants. We also share with the restaurants your Loyalty Point and Smart Offer data to enable a smooth functioning of these programs. The restaurants will receive your account data (with the exception of your password) as well as any reviews or ratings about them that you might enter into the system of the Platform. Reviews and ratings will also be published on the Platform for all remaining users (including visitors without an account on the Platform) to be seen.
Other Third Parties
Within the Quandoo group of companies
We are part of a global group of affiliated companies owned by Quandoo GmbH, Sonnenburger Str. 73, 10437 Berlin, Germany (“Quandoo DE”). Quandoo DE is itself owned by Recruit Holdings Co., Ltd, 8-4-17 Ginza, Chuo-ku, Tokyo 104-0061 Japan (“Recruit”). Accordingly, we are required to submit certain data to Quandoo DE or Recruit either due to statutory reporting obligations or within the ordinary course of business as a global enterprise. All business intelligence data will generally be anonymized to ensure that your right to data protection is respected. However, Quandoo DE or Recruit might have access also to personal, non-anonymized data under certain circumstances such as an internal revision or business audit requested by public authorities.
- Do we transfer your data to countries outside the EU or the EEA?
We generally do not transfer your data to countries outside the EEA (so-called “Third Countries”). We do not host your data in Third Countries and all our servers are located in the EEA (Ireland, to be exact). In some events, however, we transfer your data to Third Countries. Specifically, this concerns third-party Platforms provided by entities based in the United States and transfers to Recruit in Japan. Both these countries do not provide an adequate level of protection for the purposes of the GDPR. However, we will ensure that an adequate level of data protection is guaranteed at any time. In this regard, we will ensure that the data recipients are either certified under the so-called “Privacy Shield” (as in the case of Google and Facebook), the “Binding Corporate Rules” or that the EU Standard Contractual Clauses are entered into by any other recipient to ensure the security of the processing and an adequate level of data protection.
- How long will my data be stored?
We process and store your personal data as long as it is necessary for the fulfilment of our contractual or legal obligations. Thus, we store the data as long as our contractual relationship with you exists and after termination only to the extent and for as long as the laws of England and Wales require this. All other data will be deleted immediately when you unsubscribe from the Platform. If the remaining data are no longer required for the fulfilment of such obligations, they will be regularly deleted, unless their further processing is necessary for the preservation of evidence or to prevent legal claims from becoming time-barred.
- Do you create a user profile with my personal data?
We use your data to optimize your Quandoo browsing experience. This means that we use your data to provide you with a personalized Platform based on your personal preferences and interests and to make tailor-made offers based on your previous behavior. For example, the IP-address of your computer will be used in order to identify your geographical location and in order to offer a you localized content in your local language. We might make suggestions and offers for new restaurants based on the restaurants you have previously viewed and/or made a booking with using our Platform. However, we will never process and analyze your personal data in the context of profiling in such a way that this leads to an automated decision that has a legal effect on you or significantly impairs you in a similar way.
- Is there an obligation for me to provide data? What happens if I do not provide my data or no longer do so?
You are not required by law to provide us with the personal data as indicated by this Privacy Notice. In particular, the contractual relationship that you have entered into with us by agreeing to our terms and conditions does not imply any obligation to provide your personal data. However, the transmission of the contract information provided by you to us is a basic prerequisite for concluding a contract with us. In addition, you cannot use the Platform or only to a limited extent if you do not provide us with certain data or object to the use of these data.
- What rights do I have with regard to the processing?
You can assert the following rights against us under the GDPR:
- Your right to information under Article 15 GDPR
- Your right to correction under Article 16 GDPR
- Your right to cancellation under Article 17 GDPR
- Your right to limitation of processing under Article 18 GDPR
- Your right to data transferability under Article 20 GDPR
- In addition, you have a right of appeal to the responsible data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG).
You can revoke your consent to the processing of your personal data at any time. This also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before 25 May 2018. However, this revocation is only effective for the future. Processing that took place before the revocation is not affected by this.
Information about your right of objection under Article 21 GDPR
- Right of objection in individual cases
- The right to object to the processing of data for advertising purposes
You also have the right to object at any time to the processing of personal data concerning you for the purpose of direct marketing (including any subscription to our newsletter); this also applies to profiling, insofar as it is associated with such direct marketing. If you object, we will no longer process your personal data in the future.
The objection can be made form-free and should be addressed to:
- Modification of The Privacy Notice at Hand
To keep this information up to date, this Privacy Notice will be modified if the underlying data processing is modified. We will not constrain your rights under this Privacy Notice without your prior written consent. We will publish all intended modifications to the Privacy Notice at hand on the QUANDOO website and in the app. In the event that such modifications should be substantial, we shall provide a clear notification (including, in the case of certain Platforms, a notification by email stating the modifications to the data privacy statement at hand). We will also archive older versions of the data privacy statement for future reference.
Quandoo UK Ltd.
London, May 2018
This information supplements the Quandoo Privacy Notice (which is available here).
Below we provide you with a list of all cookies and other web-tracking tools on our Platform that are provided either by us or by third parties.
- Quandoo’s own cookies (so-called “First-Party Cookies”):
|AID||Browser Session||Partner Attribution|
|T||30 days from last modification||Channel Attribution|
|sem_attributes||Browser Session||SEM Tracking|
|quandooUserGeoData||24h||Persists user location based on IP|
|quandooUserLanguage||Session||Persists user selected language|
|quandooUserSearchDestination||Session||Persists users default search location|
|ut||Session or 30 days||User session token|
We use these cookies to analyze the web traffic, to adapt services, content and adverts, to measure the effectiveness of advertising campaigns and to promote the confidence in and the safety of the Platform. We further use First-Party Cookies to distinguish one user from another and, in conjunction with the log files from our web server, to calculate the total number of people, visiting the Platform. The thus collected web usage data help us to obtain the feedback required for constantly improving Platform and to better serve the users.
Users can prevent the acceptance of First-Party Cookies by adjusting the browser settings to not accept cookies at all. However, if this setting is made, you may not be able to use certain present or future elements of our site.
- Cookies and plug-ins provided by others (so-called “Third-Party Cookies”):
In addition to First-Party Cookies we also use the following Third-Party Cookies and plugins provided on our website by the following parties:
|Name of operator||Address||Privacy information|
|Facebook, Inc. (“Facebook”)||1601 South California Avenue, Palo Alto, California 94304, USA||Facebook data privacy statement;|
|Google, Inc. (“Google”)||1600 Amphitheatre Parkway Mountain View, California 94043, USA||https://policies.google.com/privacy|
|Twitter, Inc. (“Twitter”)||795 Folsom St., Suite 600, San Francisco, California 94107, USA||Twitter data privacy statement|
|Instagram, Inc. (“Instagram”)||1601 Willow Road, Menlo Park, California 94025, USA||Instagram data privacy statement|
|Pinterest, Inc. (“Pinterest”)||635 High Street, Palo Alto, California 94301, USA||Pinterest data privacy statement|
|Segment.io, Inc. („Segment“)||101 15th St, San Francisco, CA 94103, USA||https://segment.com/docs/legal/privacy/|
|1 – 5 – 1 Nishi Gotanda Shinagawa-Ku, Tokyo 141 – 0031 AF||https://karte.io/karte-policy.html|
|Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399 USA||https://privacy.microsoft.com/en-us/privacystatement|
|New Relic, Inc
|188 Spear St., Suite 1200
San Francisco, CA USA 94105
|Hotjar Ltd.||Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta||https://www.hotjar.com/legal/policies/privacy|
(“Visual Website Optimizer”)
|14th Floor, KLJ Tower North, Netaji Subhash Place, Pitampura, Delhi 110034, India||https://vwo.com/privacy-policy/|
Use of Google Analytics and Google Tag Manager on our Platform
Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there. Google will use this information on behalf of us to evaluate your use of the Platform, in order to compile reports about the Platform activities and to render further services to us connected with the use of the Platform and internet use. The IP address transmitted by your browser within the framework of Google Analytics and Google Tag Manager will not be merged with other data from Google.
You can prevent the storage of cookies by configuring your browser software or mobile device OS settings accordingly; however, pleased note that in this case you may not be able to use all functions of our Platform to the full extent. Furthermore, you can prevent the collection of the data generated by the cookie related to your use of our Platform (incl. IP address) by Google as well as the processing of these data by Google, by downloading and installing the browser plugin available via the following link: http://tools.google.com/dlpage/gaoptout
Use of Google Maps
We use Google Maps to display maps and show you the location of our partner restaurants. Evaluations posted by you on our Platform as well as the username stated in such context may be published on Google Maps.
Google AdWords & Google Remarketing
DoubleClick by Google
DoubleClick by Google allows its users to display adverts on their websites, lets advertisers control how often, when and for how long adverts appear in a browser, and allows for behavioral targeting by using cookies which tell what sections of a website you are browsing. Your browser will be assigned a pseudonymized identification number to check which adverts are displayed and have been accessed in your browser. The cookies do not contain any personal data.
Use of Facebook plugins
Facebook plugins are integrated in our Platform. You can recognize the Facebook plugins from the Facebook logo or the “Like button” on our page. You can find an overview of the Facebook plugins here: http://developers.facebook.com/docs/plugins/.
If you visit our Platform, a direct connection will be established between your device and the Facebook server. Facebook thereby receives the information that you have visited our Platform with your IP address. If you click on the Facebook “Like button” while you are logged into your Facebook account, you can link the contents on our Platform to your Facebook profile. Thereby, Facebook can associate the visit to our Platform with your user account. Please note that as provider of the Platform, we do not receive any information on the contents of the data transmitted or their use by Facebook. However, if you are not a member of Facebook, will still obtain and store your IP address as well as receives information when you visit those sites and apps, including device information (operating system, hardware version, device settings, file and software names and types, battery and signal strength, device identifiers, device locations, including specific geographic locations, such as through GPS, Bluetooth, or WiFi signals, connection information such as the name of your mobile operator or ISP, browser type, language and time zone, mobile phone number) and information about your activity. According to Facebook, only an anonymized IP address will be processed.
Facebook Custom Audiences
Facebook users should note that this website also uses Facebook’s communication tool Website Custom Audiences.
For this purpose, so-called Facebook pixels are integrated into our websites, which mark you as a visitor to our website in anonymous form, i.e. without identifying you as a person. If you log in to Facebook later, a non-reversible and thus non-personal checksum (profile) from your usage data is transmitted to Facebook for analysis and marketing purposes. For further information about the purpose and scope of data collection and the further processing and use of the data by Facebook as well as your setting options for the protection of your privacy, please refer to Facebook’s data protection guidelines, which can be found at https://www.facebook.com/ads/website_custom_audiences/ and https://www.facebook.com/privacy/explanation, among others. If you wish to object to the use of Facebook Website Custom Audiences, you can do so at https://www.facebook.com/ads/website_custom_audiences/.
Use of Twitter
Twitter plugins are integrated on our Platform. By using Twitter and the “re-tweet” function, the websites visited by you are linked to your Twitter account and announced to other users. Data are thereby also transmitted to Twitter.
You can change your Twitter privacy settings in the account settings at http://twitter.com/account/settings.
Use of Instagram
Instagram plugins are integrated in our Platform. If you are logged into your Instagram account, you can link the contents of our Platform with your Instagram profile by clicking on the Instagram button. Thereby, Instagram can associate the visit to our Platform with your user account. We hereby point out that as provider of the Platform, we do not receive any information on the contents of the data transmitted and their use by Instagram.
If you don’t want Pinterest to personalize your experience in this way you can go to your account settings and turn off Personalization on Pinterest. You can also change your browser’s or end-device’s Do Not Track feature to keep Pinterest from using this info.
We also use Segment for data analysis and for building a customer profile of dining preferences and intent. Segment helps us to collect and analyze the technical usage data arising from the use of our platform and to evaluate and use it for optimization with the help of the analysis tools described in this statement. The collected usage data will be processed pseudonymized, IP addresses will be shortened accordingly after their collection and the data will only be linked to user profiles with your personal data when a reservation is made on our consumer product offering or when you provide credentials to your account. The information about the use of our website is usually transferred to Segment servers in the USA and stored both there and in our own Data Warehouse (EU). You can object to the collection of data for these purposes by preventing the storage of cookies via browser settings.
We use Karte for re-engaging users as they browse our platform, We build a customer profile of search behaviour and then based on this activity we may activate reservation booking promotions during the same browsing session or in a further session directly on our platform. We don’t pass personal user data to Karte and only after a reservation is made is the association of your activity on our platform connected with your customer identifier (id).
You can object to the collection of data for these purposes by preventing the storage of cookies for the karte.io domain via browser settings.
We use Bing Ads to promote our business online. To more effectively market our product or service, we allow Bing to set a cookie to record your visit on our website as well as to record the completion of a transaction. Bing Ads does not collect any personally identifiable information that could be used to identify you.
You can object to the collection of data for these purposes by preventing the storage of cookies for the bing.com domain via browser settings.
We use New Relic to collect metrics and errors on both a server level and browser based performance error. For example if our platform experiences an error in your browser then we receive a notification on the type of error and where in the code it was experienced. We also keep track of metrics like server response codes and the time the platform renders in your browser. Only anonymised non-identifiable data is stored by New Relic.
You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by visiting: https://www.hotjar.com/opt-out
VWO/Visual Website Optimizer
We use Visual Website Optimizer (“VWO”) in order to better understand our users’ needs and to optimise our service offering. VWO is a A/B testing and conversion optimization platform that let’s us present different variations of elements on the website to different users (e.g. Different color buttons, different on-page elements). Visual Website Optimizer (“VWO”) is provided and hosted by Wingify Ltd and is used to collect information about, test and analyze usage of the platform, including by depositing cookies on user’s devices. Information collected by VWO may include your IP address.
You may opt-out of any tracking by VWO through the opt-out tool provided by Wingify, available at https://vwo.com/opt-out/. By opting out, a cookie will be placed on your device which will last for up to ten years (unless deleted earlier) and which signals VWO not to collect information about your use of the Site.
Quandoo UK Ltd
London, May 2018