This Privacy Notice gives you an overview of the processing of your personal data in the context of the use of the offers and online services within the “Quandoo” website on www.quandoo.co.uk and related mobile app (in the following, when the word “Platform” is used, this refers both to the website as well as the mobile app). This Privacy Notice also informs you about your rights and the possibilities you have to control your personal data and to protect your privacy.
- Who is responsible for the data processing and whom can I contact?
Responsible for the data processing is Quandoo UK Ltd. This company is also meant if the terms “we” or “us” are used in the following.
You can contact our data protection officer at:
- Which personal data do we process and from which sources do these data come from?
When we provide our Platform to you for use, we process personal information from various sources. On the one hand, this is data that we automatically collect when you use the Platform. However, this may also be data that you have voluntarily provided to us or that we receive from our partners.
- Data that we automatically collect when you use our Platform
As soon as you visit the website or open the app, you send technical information to our web servers. This happens regardless of whether or not you make a booking with a restaurant or whether or not you subsequently register with an account with us to use the Platform. In any case we will collect the following access and web-access data (that we call “Access Data”):
- Date and time of the visit and the duration of use of the Platform
- The IP address of your device
- The referral URL (the website from which you may have been redirected)
- The visited subsites of the website or subsections of the app; and
- More information about your device (type of device, browser type and version as well as settings, installed plug-ins, operating system)
We process Access Data to allow you and other users to use the Platform and to ensure the functionality of the Platform. We also process Access Data to perform analyses on the performance of the Platform, to continuously improve the Platform and correct errors; to ensure IT security and operation of our systems as well as in order to prevent or uncover abuse, particularly fraud. Further, we process Access Data to customize the Platform to your needs (personalization). For this purpose, we will also assign you a so-called “Unique User ID”. This Unique User ID allows us to assign your bookings and other interactions.
- Data which you yourself transmit to us
In addition to the data we receive from all visitors, we also process other data. The exact amount of this data depends on how you use the Platform. You can use the Platform with and without creating a user account.
If you decide to create a user account and fill out the registration form, we will process your:
- Name and surname
- Email address
- Your login password
- Phone number (optional)
You can also use the social log-in functions offered on our Platform to create your user account. If you choose this function, you send us your username on the social network of your choice (i.e., Facebook or Google), the email address you use to log on to the social network and, if applicable, the mobile phone number provided to the social network.
The data entered during registration will be used for the purpose of providing the Platform and to notify you by email on any information relevant to the Platform or registration, such as modification to the scope of the Platform or to the technical circumstances.
Booking and reservation data
If you make a booking or reservation, we will further process your:
- Email address
- Name and surname
- Phone number (optional)
- The restaurant you are making the booking for
- Party size
- Time of the reservation
- Special preferences
Please note that, if you fill out the text box indicating your dining/special preference, this might reveal certain sensitive personal information, e.g. food allergies or physical disabilities. If you would not like this data to be processed, please leave the respective field blank.
We process this data to secure your reservation, to inform you about the status of your reservation and also to customize the Platform to your needs based on your previous reservations and bookings.
Ratings and reviews
The Platform gives you the possibility to use certain social functions: you can submit reviews and ratings for restaurants. You can also subscribe to comments and reviews by other users.
If you use these functions, your IP address will be stored when you submit a comment or rating. This is a safeguard measure for us for cases where someone posts illegal content, comments and/or contributions (insults, prohibited political propaganda, etc.). We need to be able to determine the identity of the author in such cases, as legal action may arise based on the content in the comments or post.
If you opt to subscribe to successor comments, a confirmation email will be sent to verify that you are actually the owner of the email address entered. Subscriptions to comments can be cancelled at any time. The confirmation email will contain the relevant instructions in this respect.
Loyalty Points and Smart Offers
In case you wish to participate in our Loyalty Point program, additional data will need to be processed in order to bring this service to you. For this purpose, we will process your reservation and booking history in order to manage your Loyalty Points and provide you with bonus offers and other bargains.
Equally, where you purchase a Smart Offer using our platform, we will process the specific terms of this Smart Offer purchased by you (such as the restaurant that the Smart Offer is valid for, the term of the offer and the services included). You will be informed of the terms of each Smart Offer before you purchase it. When you purchase a Smart Offer we will further receive a confirmation from the restaurant that you have honored the reservation and actually claimed the Smart Offer.
We do not process any sensitive card payment details ourselves, but use secure payment providers to do so for us. Any payment data you input is encrypted in your browser by the payment provider in a way that only they can access, whereas we receive only non-sensitive data (payment token) and references confirming that you have made a payment. We do not store further payment related information in our system.
Newsletter & sending of advertising by email
If you want to receive the Newsletter, we require a valid email address and information that enables us to verify that the subscriber is the owner of the email address or that the respective owner of the email address used for the subscription, agrees to receive the Newsletter. No further information is collected. This data will solely be used for the purposes of sending the Newsletter.
Upon subscription to the Newsletter, we will store the IP address of the respective user and the date of subscription. The storage of this data serves solely the purpose of proof in cases, where a third party abuses an email address and subscribes to the Newsletter without the knowledge of the owner of the respective email address.
Customer support requests
You might wish to make a request for assistance to our customer support team or submit a complaint. In this case, in order to react to your request, we will process your IP address and contact data as well as the contents of your request.
- Data we receive from partners
Due to our Platform serving as an intermediary between you and the restaurant you are making the reservation with, we will also process data that we receive from our partner restaurants. This data includes:
- Your Email-address
- Your Name
- Your Phone Number (optional)
- Size of the Party
- Specific Preferences
- For what other purposes do we process your data?
In addition, we might process your data for additional purposes. These include:
- Disclosing your personal data to third parties if we are legally obliged to do so;
- Asserting legal claims and to defend against legal disputes;
- Complying with legal requirements for data retention due to tax legislation etc.
- What is the legal basis of the processing?
When processing your personal data, we rely on various legal bases according to the so-called Basic Data Protection Ordinance, an EU-wide legal framework for the standardization of data protection law (“GDPR” for short). Here we refer in detail to the following legal bases:
Consent (Article 6 (1) a GDPR)
Since you have given us your consent to process personal data for the specific purposes explained above, this consent ensures the legality of the processing. By registering with your account data or making a booking, you expressly agree the data processing as described in detail in this Privacy Notice by ticking the box before sending the registration or reservation form: If we process your data, it is because you have expressly allowed and requested us to do so when you use the Platform. Thus, your consent represents the most important legal basis for the processing of your personal data by us.
Performance of our contractual obligations towards you (Article 6 (1) b GDPR)
At the same time, the processing takes for the provision of the Platform in the context of the performance of our contract with you. Accordingly, in most cases, the processing is not only justified by your consent, but also because it is necessary to fulfil our contract with you. For example, if you make a booking with a restaurant using the Platform, it will be required to process the booking data to secure your booking.
Our legitimate interests (Article 6 (1) f GDPR)
There are also some cases in which we would be entitled to process your data even without your consent because it is necessary to protect our legitimate interests (or the interests of third parties). In this respect, the purposes described above for which we process your data also, in many cases, represent legitimate interests. This means that we are allowed to process the data necessary to guarantee the safety of our IT systems in any case, even if you have not given or withdrawn your consent to this processing. This also relates to preventing abuse of our platform or personalizing ads to your interests (so-called direct marketing).
Legal requirements (Article 6 (1) c GDPR) or in the public interest (Article 6 (1) e GDPR)
In addition, we are legally obliged to provide certain information to criminal prosecution or tax authorities in individual cases upon request.
- To whom do we transmit your data?
We treat your personal data with care and confidentially and will only pass them on to third parties to the extent described below and not beyond. We transmit data to public authorities only in the case of a legal obligation based on a request for information from the respective authority.
Outside of legal obligations towards public authorities, we only transmit your data to other users of the platform, to our third-party providers who help us provide the platform or within the Quandoo group of companies:
Other users of the platform
We transmit booking and reservation data to our partner restaurants using the Platform to facilitate reservations at their restaurants. We also share with the restaurants your Loyalty Point and Smart Offer data to enable a smooth functioning of these programs. The restaurants will receive your account data (with the exception of your password) as well as any reviews or ratings about them that you might enter into the system of the Platform. Reviews and ratings will also be published on the Platform for all remaining users (including visitors without an account on the Platform) to be seen.
Other Third Parties
Within the Quandoo group of companies
We are part of a global group of affiliated companies owned by Quandoo GmbH, Sonnenburger Str. 73, 10437 Berlin, Germany (“Quandoo DE”). Quandoo DE is itself owned by Recruit Holdings Co., Ltd, 8-4-17 Ginza, Chuo-ku, Tokyo 104-0061 Japan (“Recruit”). Accordingly, we are required to submit certain data to Quandoo DE or Recruit either due to statutory reporting obligations or within the ordinary course of business as a global enterprise. All business intelligence data will generally be anonymized to ensure that your right to data protection is respected. However, Quandoo DE or Recruit might have access also to personal, non-anonymized data under certain circumstances such as an internal revision or business audit requested by public authorities.
- Do we transfer your data to countries outside the EU or the EEA?
We generally do not transfer your data to countries outside the EEA (so-called “Third Countries”). We do not host your data in Third Countries and all our servers are located in the EEA (Ireland, to be exact). In some events, however, we transfer your data to Third Countries. Specifically, this concerns third-party Platforms provided by entities based in the United States and transfers to Recruit in Japan. Both these countries do not provide an adequate level of protection for the purposes of the GDPR. However, we will ensure that an adequate level of data protection is guaranteed at any time. In this regard, we will ensure that the data recipients are either certified under the so-called “Privacy Shield” (as in the case of Google and Facebook), the “Binding Corporate Rules” or that the EU Standard Contractual Clauses are entered into by any other recipient to ensure the security of the processing and an adequate level of data protection.
- How long will my data be stored?
We process and store your personal data as long as it is necessary for the fulfilment of our contractual or legal obligations. Thus, we store the data as long as our contractual relationship with you exists and after termination only to the extent and for as long as the laws of England and Wales require this. All other data will be deleted immediately when you unsubscribe from the Platform. If the remaining data are no longer required for the fulfilment of such obligations, they will be regularly deleted, unless their further processing is necessary for the preservation of evidence or to prevent legal claims from becoming time-barred.
- Do you create a user profile with my personal data?
We use your data to optimize your Quandoo browsing experience. This means that we use your data to provide you with a personalized Platform based on your personal preferences and interests and to make tailor-made offers based on your previous behavior. For example, the IP-address of your computer will be used in order to identify your geographical location and in order to offer a you localized content in your local language. We might make suggestions and offers for new restaurants based on the restaurants you have previously viewed and/or made a booking with using our Platform. However, we will never process and analyze your personal data in the context of profiling in such a way that this leads to an automated decision that has a legal effect on you or significantly impairs you in a similar way.
- Is there an obligation for me to provide data? What happens if I do not provide my data or no longer do so?
You are not required by law to provide us with the personal data as indicated by this Privacy Notice. In particular, the contractual relationship that you have entered into with us by agreeing to our terms and conditions does not imply any obligation to provide your personal data. However, the transmission of the contract information provided by you to us is a basic prerequisite for concluding a contract with us. In addition, you cannot use the Platform or only to a limited extent if you do not provide us with certain data or object to the use of these data.
- What rights do I have with regard to the processing?
You can assert the following rights against us under the GDPR:
- Your right to information under Article 15 GDPR
- Your right to correction under Article 16 GDPR
- Your right to cancellation under Article 17 GDPR
- Your right to limitation of processing under Article 18 GDPR
- Your right to data transferability under Article 20 GDPR
- In addition, you have a right of appeal to the responsible data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG).
You can revoke your consent to the processing of your personal data at any time. This also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before 25 May 2018. However, this revocation is only effective for the future. Processing that took place before the revocation is not affected by this.
Information about your right of objection under Article 21 GDPR
- Right of objection in individual cases
- The right to object to the processing of data for advertising purposes
You also have the right to object at any time to the processing of personal data concerning you for the purpose of direct marketing (including any subscription to our newsletter); this also applies to profiling, insofar as it is associated with such direct marketing. If you object, we will no longer process your personal data in the future.
The objection can be made form-free and should be addressed to:
- Modification of The Privacy Notice at Hand
To keep this information up to date, this Privacy Notice will be modified if the underlying data processing is modified. We will not constrain your rights under this Privacy Notice without your prior written consent. We will publish all intended modifications to the Privacy Notice at hand on the QUANDOO website and in the app. In the event that such modifications should be substantial, we shall provide a clear notification (including, in the case of certain Platforms, a notification by email stating the modifications to the data privacy statement at hand). We will also archive older versions of the data privacy statement for future reference.
Quandoo UK Ltd.
London, May 2018
This information supplements the Quandoo Privacy Notice (which is available here).
Below we provide you with a list of all cookies and other web-tracking tools on our Platform that are provided either by us or by third parties.
- Quandoo’s own cookies (so-called “First-Party Cookies”):
|AID||Browser Session||Partner allocation|
|T||30 days from last modification||Channel allocation|
|sem_attributes||Browser Session||SEM Tracking|
|quandooUserGeoData||24h||Saves the user location based on the IP address used|
|quandooUserLanguage||Session||Saves the language selected by the user|
|quandooUserSearchDestination||Session||Saves the default search area of the user|
|ut||Session or 90 days||User session token|
We use these cookies to analyse web traffic, customise services, content and advertising, measure the effectiveness of advertising campaigns, and promote trust and security of the platform. We continue to use first-party cookies to be able to differentiate users from each other and, in conjunction with the log files from our web server, to determine the total number of people who visit the platform. The web usage data collected in this way helps us obtain the feedback we need to continually improve the platform and provide better service to users.
Users can prevent the acceptance of first-party cookies by adjusting their browser settings so that no cookies are accepted at all. However, if you configure this setting in this way, you may not be able to use certain current or future elements of our website.
- Cookies and plug-ins provided by others (so-called “Third-Party Cookies”):
In addition to first-party cookies, we also use the following third-party cookies and plug-ins provided on our website by the following parties:
|Name of operator||Address||Data protection information|
|Facebook, Inc. (“Facebook”)||1601 South California Avenue, Palo Alto, California 94304, USA||Facebook data privacy statement;|
|Google, Inc. (“Google”)||1600 Amphitheatre Parkway Mountain View, California 94043, USA||https://policies.google.com/privacy|
|Twitter, Inc. (“Twitter”)||795 Folsom St., Suite 600, San Francisco, California 94107, USA||Twitter data privacy statement|
|Instagram, Inc. (“Instagram”)||1601 Willow Road, Menlo Park, California 94025, USA||Instagram data privacy statement|
|Pinterest, Inc. (“Pinterest”)||635 High Street, Palo Alto, California 94301, USA||Pinterest data privacy statement|
|Segment.io, Inc. („Segment“)||101 15th St, San Francisco, CA 94103, USA||https://segment.com/docs/legal/privacy/|
|Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399 USA||https://privacy.microsoft.com/en-us/privacystatement|
|Wisepops||Wisepops SAS 49 rue Jean de La Fontaine, 75016 Paris, France||https://support.wisepops.com/more-info/data-and-cookie-policy|
|New Relic, Inc
|188 Spear St., Suite 1200
San Francisco, CA USA 94105
|Hotjar Ltd.||Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta||https://www.hotjar.com/legal/policies/privacy|
(“Visual Website Optimizer”)
|14th Floor, KLJ Tower North, Netaji Subhash Place, Pitampura, Delhi 110034, India||https://vwo.com/privacy-policy/|
|zenloop GmbH, Brunnenstrasse 196, 10119 Berlin||https://www.zenloop.com/en/legal/privacy|
Google Analytics and Google Tag Manager
Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there. Google will use this information on behalf of us to evaluate your use of the Platform, in order to compile reports about the Platform activities and to render further services to us connected with the use of the Platform and internet use. The IP address transmitted by your browser within the framework of Google Analytics and Google Tag Manager will not be merged with other data from Google.
You can prevent the storage of cookies by configuring your browser software or mobile device OS settings accordingly; however, pleased note that in this case you may not be able to use all functions of our Platform to the full extent. Furthermore, you can prevent the collection of the data generated by the cookie related to your use of our Platform (incl. IP address) by Google as well as the processing of these data by Google, by downloading and installing the browser plugin available via the following link: http://tools.google.com/dlpage/gaoptout
We use Google Maps to display maps and show you the location of our partner restaurants. Evaluations posted by you on our Platform as well as the username stated in such context may be published on Google Maps.
Google AdWords & Google Remarketing
Google Marketing Platform
Facebook plugins are integrated into our platform. You can recognize the Facebook plugins by the Facebook logo or the “Like button” on our page. An overview of Facebook plugins available can be found here: http://developers.facebook.com/docs/plugins/.
When you visit our platform, a direct connection is established between your device and the Facebook server. Facebook receives the information that you have visited our platform with your IP address. If you click the Facebook “Like” button while logged into your Facebook account, you can link the content of our platform to your Facebook profile. This allows Facebook to assign the visit to our platform to your user account. Please note that as the provider of the platform, we do not receive any information about the content of the transmitted data or its use by Facebook. However, if you are not a Facebook member, your IP address and information will be stored when you visit these websites and apps, including device information (operating system, hardware version, device settings, file and software names and types, battery and signal strength, device identifiers, device locations, including specific geographic locations, such as GPS, Bluetooth or WiFi signals, connection information such as the name of your mobile operator or ISP, browser type, language and time zone, mobile phone number) and information about your activity. According to Facebook, only an anonymous IP address is processed.
Facebook user-defined target groups
Facebook users should be aware that this website also uses the Facebook communication tool Website Custom Audiences.
Twitter plugins are integrated on our Platform. By using Twitter and the “re-tweet” function, the websites visited by you are linked to your Twitter account and announced to other users. Data are thereby also transmitted to Twitter.
You can change your Twitter privacy settings in the account settings at http://twitter.com/account/settings.
Instagram plugins are integrated in our Platform. If you are logged into your Instagram account, you can link the contents of our Platform with your Instagram profile by clicking on the Instagram button. Thereby, Instagram can associate the visit to our Platform with your user account. We hereby point out that as provider of the Platform, we do not receive any information on the contents of the data transmitted and their use by Instagram.
If you do not want Pinterest to personalise your experience in this way, you can access your account settings and deactivate personalisation on Pinterest. You can also change the “Do not track” feature of your browser or device to prevent Pinterest from using this information.
We cooperate with various affiliation networks that allow us to display various advertising materials such as banners or other promotional content on so-called publisher websites. Cookies are used to record which users came to our site via the respective advertising medium clicked on and then made a reservation. These cookies do not contain any personal data, but only a pseudonymous user and reservation ID, which makes it possible to assign them to the respective network. This information is required for the purpose of payment processing with the relevant network. If you do not agree to such processing, you have the option to prevent the storage of cookies by changing a setting in your Internet browser.
We also use Segment for data analysis and to create a customer profile for food preferences and intentions. Segment helps us to collect and analyse the technical usage data resulting from the use of our platform and to evaluate and use such data for optimization with the aid of the analysis tools described in this statement. The collected usage data is processed in pseudonymised form, IP addresses are truncated accordingly after collection and the data is only linked to user profiles with your personal data if a reservation is made on our consumer portal or if you provide access data to your account. As a rule, the information about the use of our website is transferred to Segment servers in the USA and stored there as well as in our own data warehouse (EU). You can object to the collection of data for these purposes by preventing the storage of cookies via your browser settings.
We cooperate with Wisepops, 49 rue Jean De La Fontaine, 75016 Paris, France. Wisepops is a provider that allows us to play pop-ups based on the user’s surfing behaviour. To this end, Wisepops collects surf data and plays out popups accordingly. Cookies are set for this purpose. Further information can be found at https://support.wisepops.com/more-info/data-and-cookie-policy.
Bing Universal Event Tracking
We use Bing Ads to advertise our business online. In order to market our product or service more effectively, we allow Bing to set a cookie to record your visit to our website and to record the completion of a transaction. Bing Ads does not collect any personally identifiable information that could be used to identify you.
You can object to the collection of data for these purposes by preventing the storage of cookies for the bing.com domain via your browser settings. Further information on data collection by Microsoft can be found here: https://privacy.microsoft.com/en-gb/privacystatement.
You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by visiting: https://www.hotjar.com/opt-out.
VWO / Visual Website Optimizer
We use Visual Website Optimizer (“VWO”) to better understand the needs of our users and to optimise our services. VWO is an A/B test and conversion optimisation platform with which we can present different variants of elements on the website to different users (e.g. different colour keys, different on-page elements). VWO is provided and hosted by Wingify Ltd and is used to collect, test and analyse information about the use of the platform, also by placing cookies on the user’s devices. The information collected by VWO may contain your IP address.
Wingify publishes a privacy statement that governs how it collects and uses user information that is available at https://vwo.com/privacy-policy/. Information on the cookies used by VWO can be found at https://vwo.com/knowledge/cookies-used-by-vwo/.
You can deactivate VWO tracking using the Wingify Opt-Out tool available at https://vwo.com/opt-out/. When you log off, a cookie is stored on your device that is valid for up to ten years (unless previously deleted) and signals to VWO not to collect any information about your use of the website.
We use the services of zenloop GmbH. zenloop is a business-to-business software-as-a-service platform that enables us to collect and analyse feedback from our customers via various channels. This enables us to tailor and improve our services to the needs of our customers, which constitutes a legitimate interest within the meaning of Article 6 (1) f GDPR.
If you participate in the survey, we will also send your e-mail address to Zenloop. The reason for this is that if you inform us of problems within this survey (e.g. in the reservation process), we may contact you to find a solution together. Your e-mail address helps us to identify you here.
Special remarks for the use of the Quandoo App
You can opt-out of the data collection by all tools mentioned below by disabling the respective slider in the Quandoo app.
For data analysis and personalised customer contact within our app, we also use the services of Leanplum, Inc., 1550 Bryant Street, Ste. 545 San Francisco, California 94103, United States. The collected usage data is processed in pseudonymised form, IP addresses are deleted after their collection and the data is internally linked to your personal data only if you have registered using the app. The information about the use of our app is usually transferred to Leanplum servers in the USA and stored there as well as in our own data warehouse (EU).
Furthermore, we use the technologies of Firebase Analytics (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) in order to analyse the use of our app. Firebase collects several data, such as your device’s Advertising ID. You can find a full list of the data collected here: https://firebase.google.com/support/privacy#data_processing_information.
London, May 2019