Data protection

Data protection information

For website users and customers of VAP Restaurants GmbH:

The following information serves to clarify the nature, scope and purpose of the collection and use of personal data and also informs you about your rights in the collection and processing of your personal data. This information is provided in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR).

This data protection information is aimed at (i) users of the website www.vapiano.at, (ii) subscribers to the newsletter, and (iii) customers who order food and drinks for self-collection ("take-away customers").

1. who is responsible for data processing and who can you contact if you have any questions?

The controller of the data processing is:

VAP Restaurants GmbH FN 436137 d Karl-Popper-Straße 2b/Top 9, 6th floor A-1100 Vienna (hereinafter referred to as "VAP Restaurants")

2. what data is processed and where does this data come from?

We process your data in different ways and for different purposes, depending on whether you are (i) a user of the website, (ii) a subscriber to the newsletter or (ii) a take-away customer.

If you are a user of the Website:

When using the Website (even without registration), cookies (or as we call them: Cantuccini) and Google Analytics are used. You can find more information under point 6.

If you are a take-away customer:

If you order food and drinks for take away, the personal data you provide as part of the initiation of the contractual relationship will be processed. This includes first name, surname, email address and telephone number. Payment is processed via the payment service provider "Stripe" Stripe Payments Europe Ltd (1 Grand Canal Street Lower Grand Canal Dock Dublin, Ireland). You can find Stripe's data protection information here.

3. on what legal basis and for what purposes is data processing carried out?

If you are a user of the website:

We process your personal data

(1) on the basis of your consent (Article 6(1)(a) GDPR): (i) Restaurant Finder for the purpose of identifying all nearby VAPIANO restaurants, and (ii) tracking of user behavior on the Website (for more information on Google Analytics and cookies, see point 6.). You have the right to withdraw this consent at any time. This does not affect the lawfulness of the data processing carried out up to this point in time.

(2) to fulfill legal obligations (Article 6 (1) (c) GDPR): Personal data is also processed for the purpose of fulfilling various legal obligations, such as our legal obligation under Section 96 (3) TKG and for the purpose of providing information to law enforcement authorities and courts in cases of necessity.

(3) on the basis of legitimate interests, provided that your right to the confidentiality of this data does not outweigh our interest in processing it (Article 6(1)(f) GDPR). Our legitimate interests lie in ensuring the security of website operation, improving and analyzing our website and increasing user-friendliness. You can object to the processing of personal data for advertising purposes at any time (for more information on Google Analytics and cookies, see section 6).

If you are a Take Away customer:

We process your personal data to fulfill (pre-)contractual obligations (Article 6(1)(b) GDPR), in particular to fulfill our (pre-)contractual obligations under the contractual relationship, such as the performance of (pre-)contractual duties of protection, care and information, the provision of services and the handling of claims under the contract, invoicing, etc. Without this data, we cannot fulfill the contract with you.

4 Who will your data be passed on to?

The relevant data in individual cases is transmitted on the basis of the statutory provisions or contractual agreement and - if necessary - for the execution of contracts to the following parties, among others:

If you are a user of the website:

• Courts and law enforcement authorities;
• Other authorities;
• Legal representatives or lawyers and third parties involved in legal services.

If you are a Take Away customer:

• Administrative authorities (tax office, etc.);
• Courts and law enforcement authorities in case of cause;
• Other authorities;
• Legal representatives or lawyers and third parties involved in legal services.

If the above-mentioned recipients of your personal data are located outside the EEA and the EU Commission has not determined that the country in question has an adequate level of data protection, we will ensure that your personal data is transferred to a country outside the EEA.we ensure that the transfer takes place on the basis of standard contractual clauses (standard contractual clauses in accordance with Implementing Decision (EU) 2021/914) or otherwise in accordance with Articles 46, 47 or 49 GDPR.

All processors are contractually obliged to treat your data confidentially and to process it only within the scope of our assignment.

5 How long will your data be processed and stored?

We process your personal data for as long as necessary. In the case of Take Away customers, personal data is stored for 18 months. As soon as your data is no longer required, it will be anonymized.

We store the personal data necessary for the fulfillment of the contract for the duration of the entire business relationship and beyond in accordance with the statutory retention and documentation obligations (e.g. according to the Austrian Commercial Code or the Federal Fiscal Code). In addition, we take into account the statutory limitation periods, which can be up to 30 years in certain cases according to the General Civil Code (ABGB).

6. data processing in connection with the use of the website

Cookies

Our website uses so-called cookies (or as we call them: Cantuccini), provided you have given your consent (Article 6 (1) (a) GDPR). These are small text files that are temporarily stored on your end device with the help of the browser and saved by your browser. They do not cause any damage, but make website use more user-friendly. Some cookies remain stored on your device until you delete them. They enable us to recognize your browser on your next visit. If you do not want this, you can set up your browser so that it informs you about the setting of cookies and you only allow this in individual cases. If you deactivate cookies, the functionality of our website may be restricted.

Google Analytics

Our website uses the web analysis service Google Analytics 4 (GA4) from Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, on the basis of your express consent in accordance with Art. 6 para. 1 lit. a GDPR.

Google Analytics 4 enables us to statistically analyze the use of our website and to continuously improve our online offering.

Among other things, the following data is processed

• abbreviated IP address
• Device and browser information
• Interactions on the website
• page views
• Length of visit
• Origin of the visitor (referrer)

Google Analytics 4 uses cookies and similar technologies to recognize users.

There is no direct personal reference for us. The IP address is shortened by Google within the EU/EEA. However, the transmission of data to Google LLC servers in the USA cannot be ruled out.

Data is transferred to the USA on the basis of the EU-US Data Privacy Framework and - if necessary - the standard contractual clauses in accordance with Implementing Decision (EU) 2021/914.

The storage period of the data processed by Google Analytics is generally 14 months (default setting).

You can revoke your consent at any time via the cookie settings.

You can find more information on data protection at Google at:S
https://policies.google.com/privacy

Information about Google Analytics:
https://support.google.com/analytics

Matomo (data protection-friendly web analysis)

We use Matomo for the statistical analysis of our website.

Matomo is operated without cookies. The IP address is immediately anonymized so that no personal reference can be made.

The processing is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR to improve our online offer technically and in terms of content.

The data collected is stored exclusively on servers within the European Union. It is not passed on to third parties.

You can object to the processing at any time.

Cookiebot

A web service of the company Cybot A/S, Havnegade 39, 1058 Copenhagen (hereinafter: cookiebot.com) is loaded on our website. We use this data to ensure the full functionality of our website. In this context, your browser may transmit personal data to cookiebot.com. The legal basis for the use of Cookiebot is Art. 6 para. 1 lit. c GDPR in conjunction with Art. 7 GDPR, as we are legally obliged to document consents in a verifiable manner. The legitimate interest lies in the error-free functioning of the website. The data is deleted as soon as the purpose of its collection has been fulfilled. Further information on the handling of the transferred data can be found in cookiebot.com's privacy policy: www.cookiebot.com/de/privacy-policy/. You can prevent the collection and processing of your data by cookiebot.com by deactivating the execution of script code in your browser or by installing a script blocker in your browser (you can find this at www.noscript.net or www.ghostery.com, for example).

The following information is stored in our Cookiebot account:

• The IP address of the user in anonymized form (the last three digits are set to "0").
• Date and time of consent.
• The user's browser.
• The URL from which the consent was sent.
• An anonymous, random and encrypted key value.
• The user's consent state, which serves as proof of consent.

The key and the consent state are also stored in the user's browser in the cookie "CookieConsent", so that the website can automatically read and respect the user's consent in all subsequent page requests and future user sessions for up to 12 months. You can view and change your level of consent at any time. You will find this further down on this page.

On this website there's Cantuccini. This website uses cookies - or as we call them: Cantuccini. When you visit this website, personal data is therefore processed and Cantuccini is stored on your end device. Our Cantuccini, which are absolutely necessary for the provision of the functions of the website, are set in any case when you use the website. Third-party cookies (for analysis or tracking purposes or for calling up the restaurant finder) are only activated if you click on "Allow Cantuccini". A transfer to the USA takes place on the basis of the EU-US Data Privacy Framework or suitable guarantees in accordance with Art. 46 GDPR. Your data may be subject to access by US authorities and no effective legal remedies may be available against this. You can withdraw your consent at any time. You can find out more about this (including the option to withdraw your consent) in our privacy policy or in the legal notice.

Cookies are small text files used by websites to make the user experience more efficient.

By law, we can store cookies on your device if they are absolutely necessary for the operation of this site. For all other types of cookies, we need your permission.

This site uses different types of cookies. Some cookies are placed by third parties that appear on our pages.

You can change or withdraw your consent at any time from the cookie statement on our website.

Find out more about who we are, how you can contact us and how we process personal data in our Privacy Policy.

Please provide your consent ID and date when you contact us regarding your consent.

Your consent applies to the following domains: www.vapiano.at

Your current status: Decline.

Change consent

The cookie declaration was last updated on 13.01.26 by Cookiebot:

Necessary (3)

Necessary cookies help to make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Statistics (6)

Statistics cookies help website owners understand how visitors interact with websites by collecting and reporting information anonymously.

Social buttons

We use various social buttons on our website in the form of a link: Facebook, Instagram and Spotify. When you visit our site, no data is transmitted to the social media services. Profiling by third parties is therefore excluded. However, we do not want to deny those visitors who would like to use social buttons these options. We therefore offer you the option of using social buttons in various places on our website. This gives you the opportunity to reach our social media presence via the social buttons or to share content, e.g. posts, with others. Please note that clicking on the social button may result in certain data being transmitted to the social media service (e.g. the VAPIANO website on which the social button is located; the date and time you clicked on the social button; information about the browser and operating system you are using; your current IP address).

By clicking on the button, you give your consent (Article 6(1)(a) GDPR) to the social media service for data processing. If you are already logged in to the social media service at the time you click the social button, it will also be able to determine your user name and possibly even your real name from the above-mentioned data. This data may also be processed by the social media service in countries outside the European Union. We have no influence on the scope, type and purpose of data processing by the social media service. Please note that the social media service is able to create pseudonymized and even individualized user profiles with the above-mentioned data.

You can find more information on data protection for Facebook here, for Instagram here and for Spotify here.

Meta Pixel (Facebook Pixel)

Our website uses the so-called Meta Pixel of Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland - on the basis of your express consent pursuant to Art. 6 para. 1 lit. a GDPR.

The meta pixel enables us to

• track the behavior of website visitors (conversion tracking)
• analyze the effectiveness of meta ads,
• display personalized advertising (remarketing).

The following data may be processed:

• IP address
• device information
• browser information
• pages visited
• Time of the visit
• Interactions on the website

The data collected is anonymous to us. However, Meta can link this data to your Meta account and also use it for its own advertising purposes.

A transfer of personal data to the USA cannot be ruled out. The data transfer takes place on the basis of the standard contractual clauses in accordance with Implementing Decision (EU) 2021/914.

The meta pixel is only activated if you have given your consent to marketing cookies in the cookie banner.

You can withdraw your consent at any time by changing your cookie settings.

You can find more information at
https://www.facebook.com/privacy/policy/

For processing in the context of the Meta Pixel, there is joint responsibility pursuant to Art. 26 GDPR with Meta Platforms Ireland Ltd. The joint responsibility agreement is available at
https://www.facebook.com/legal/controller_addendum

7. data processing in connection with the newsletter subscription

We use a double opt-in procedure so that you can subscribe to our newsletter. This means that you must first expressly confirm to us that you wish to receive our newsletter and that you consent to the associated processing of your personal data when you register for the newsletter. You will then receive a notification email from us with a link to confirm your registration for the newsletter.

8 What rights do you have?

Right to information

If we process your personal data, you have the right to information about the processing purposes, the categories of personal data processed, the recipients of this personal data, the storage period, the rights to which you are entitled, the origin of the personal data and the existence of automated decision-making.

Rectification and erasure

You are entitled to request the rectification of incorrect or incomplete personal data concerning you. You are entitled to request the erasure of personal data concerning you, provided that the processing of the data is not lawful and there are no legal obligations on our part to prevent erasure.

Restriction of processing

You are entitled to request the restriction of the processing of your data in certain cases.

Data portability

You have the right to request the transfer of the data you have provided to us in a structured, commonly used and machine-readable format. You have the right to have the personal data transmitted directly from us to a controller, insofar as this is technically feasible.

Objection

You are entitled to object to the processing of personal data concerning you at any time for reasons arising from your particular situation. If you object, we will no longer process personal data concerning you unless we can prove that our reasons for processing outweigh your interests.

Complaint

If you believe that the processing of your data violates data protection law or your data protection rights have otherwise been violated in any way, you can complain to the supervisory authority. In Austria, this is the data protection authority(www.dsb.gv.at).

Contact us

To exercise your rights in relation to your data processed by us, please contact

VAP restaurants GmbH FN 436137 d Karl-Popper-Straße 2b/Top 9, 6th floor A-1100 Vienna info@vapiano.at

Definitions

Definitions of the terms used (e.g. "personal data" or "processing") can be found in Article 4 GDPR.