Legal
Privacy policy
This page summarizes the key points of our privacy policy. Published changes are reflected here.
Last updated: January 25, 2026
1. Controller
- Dominic Mueller – BuffIt, Tannenbergstrasse 7, 38442 Wolfsburg, Germany
- Contact for privacy requests: [email protected]
2. Processing purposes
- Operation and provision of platform features for guests and restaurant partners
- Analytics, error diagnostics and performance measurement (only with voluntary analytics consent)
- Fraud prevention, security monitoring and abuse detection (legitimate interest)
- Communication, support and contract handling (for example wallet, campaigns and invoicing)
3. Legal bases
- Art. 6(1)(a) GDPR: voluntary consent (analytics and marketing cookies, newsletter, optional tracking metadata)
- Art. 6(1)(b) GDPR: performance of a contract and pre-contractual measures (for example account setup and restaurant management)
- Art. 6(1)(f) GDPR: legitimate interest in fraud prevention, stability and security logging
- UK GDPR / Data Protection Act 2018 and US state privacy law (for example CCPA/CPRA) are considered for international users
4. Recipients and third parties
- Google Maps Platform and Google Firebase (EU and USA) – maps, authentication and hosting of serverless functions
- Google reCAPTCHA – abuse detection for forms and trackers
- Mailjet – transactional emails and system notifications
- Stripe (optional) – payment processing and PCI-compliant handling
- Cloud and infrastructure partners within the EU (for example database/storage)
- Meta Platforms (Instagram) and TikTok/ByteDance – embedded content or video players (only when you open such content; data such as IP address and browser information may be transmitted to those providers)
5. Embedded third-party content (for example Instagram or TikTok)
- Some pages may contain embedded third-party content (for example social media videos). When this content loads, your browser establishes a direct connection to the servers of the relevant providers.
- Depending on the provider and your device settings, cookies or similar technologies may be used and data may be transferred to countries outside the EU.
- If you want to avoid this, use the cookie settings or a browser blocker, or do not open the relevant content.
6. Retention and anonymization
- Site visit data (site_visit_events): personal fields are automatically anonymized after 30 days, and records are completely deleted after 365 days (configurable via site-visits.retention.*).
- Contract and billing data: retained in line with legal obligations.
- Support and communication history: usually 24 months after completion of the case.
7. Data subject rights
- Access, rectification, erasure, restriction of processing, objection and data portability
- Withdrawal of consent at any time with effect for the future
- Please send requests to [email protected]; the usual response period is within one month
8. Withdrawal and cookie settings
- Analytics and marketing cookies can be withdrawn at any time via “Cookie settings” in the footer or directly on the cookie page.
- After withdrawal, new page visits are stored only without optional tracking metadata; existing records are anonymized or deleted in line with the retention policies above.
- Additional opt-outs for personalized Google advertising are available at https://adssettings.google.com and https://optout.aboutads.info.
9. Right to complain
- You have the right to lodge a complaint with a supervisory authority. One relevant authority for us is the Berlin Commissioner for Data Protection and Freedom of Information.
- For users in the United Kingdom and the USA, the relevant local authorities apply (ICO, State Attorney General, etc.).
Cookie and consent settings
You can change your decision on analytics and marketing cookies at any time. Changes apply immediately to future tracking events.
Questions about privacy?
Our privacy team will be happy to answer your request. For access or deletion requests, please include the email address or Firebase account you used so we can identify you clearly.