Privacy Policy
The German version of this Privacy Policy is the legally binding version. This English version is provided for informational purposes only.
General notes
The following notes give an overview of what happens to your personal data when you visit this website or use our restaurant ordering platform. Personal data is any data with which you can be personally identified.
This policy covers both the website at gastrohub.dev and the ordering platform operated by GastroHub that restaurant operators use on their end.
Controller
The data controller for the purposes of the GDPR is:
Osama Farroukh
c/o MDC#samsphere
Welserstraße 3
87463 Dietmannsried
Germany
Email: kontakt@gastrohub.dev
Phone: +49 179 1600038
Hosting
Marketing website (gastrohub.dev): The marketing website is hosted via GitHub Pages (GitHub, Inc., 88 Colin P Kelly Jr St, San Francisco, CA 94107, USA). When the website is accessed, your browser automatically transmits technical data (for example IP address, browser type, time of access) to GitHub's servers. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in technically faultless provision). Transfer to the USA takes place on the basis of the EU-US Data Privacy Framework. GitHub is DPF-certified.
Ordering platform: Ordering-platform application data is processed exclusively on servers in Germany (Frankfurt) by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Purpose: application hosting and data storage. DPA concluded under Art. 28 GDPR. No transfer to third countries.
Contact
If you contact us by email or via the mailto link offered on the website, we process your details (name, email address, content of the message) exclusively to handle your enquiry. The legal basis is Art. 6 para. 1 lit. b GDPR (pre-contractual measures) or Art. 6 para. 1 lit. f GDPR (legitimate interest in answering enquiries).
Contact enquiries are deleted at the latest after 12 months, unless statutory retention obligations require otherwise.
Restaurant operators as customers
When you book our platform as a restaurant operator, we process your master data for contract performance and invoicing:
- Business name and address
- Contact person, email, phone
- VAT ID, where available
- Stripe Connect Account ID (see section "Payment processing via Stripe Connect")
The legal basis is Art. 6 para. 1 lit. b GDPR (performance of contract). Retention duration follows the commercial and tax-law retention periods (generally 10 years under §147 AO of the German Fiscal Code).
Data of restaurant end customers
End customers who order at a restaurant via the platform provided by GastroHub enter personal data (name, delivery address, email, phone number, order details). The primary controller for this data is the restaurant operator. GastroHub processes this data as a processor within the meaning of Art. 28 GDPR, exclusively on the instructions of and as directed by the restaurant operator.
A Data Processing Agreement (DPA) under Art. 28 GDPR is concluded with each restaurant operator, setting out the obligations and guarantees. The DPA is concluded before the first processing of end-customer personal data begins. The data is processed exclusively on European servers and is not passed on to third parties, except to the payment service providers named in the section "Payment processing via Stripe Connect".
Payment processing via Stripe Connect
For payment processing, the restaurant uses its own Stripe Connect account. Stripe is an independent controller for the processing of payment data within the meaning of Art. 4 No. 7 GDPR. GastroHub provides the technical integration with Stripe Connect and processes only operational transaction metadata: transaction ID, payment status, amount and currency, timestamp, retained application fee, the restaurant's connected-account ID, and internal order reference. This data is used to update the order status in the restaurant's dashboard and for billing and accounting documentation. Full card data or personal end-customer data is not transmitted to GastroHub by Stripe. The contractual relationship and data processing conditions between the restaurant and Stripe arise from the Stripe Services Agreement and Stripe's privacy policy. Stripe is certified under the EU-US Data Privacy Framework. Standard Contractual Clauses under Art. 46 para. 2 lit. c GDPR apply insofar as data is transferred to third countries.
Further information on data processing by Stripe is available at stripe.com/privacy.
Google Business Profile
We operate a public business profile on Google Business Profile (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). When you visit our profile or interact with it (for example reviews, questions), Google processes personal data as an independent controller. We have no influence on the nature and scope of this processing. The legal basis for our operation of the profile is Art. 6 para. 1 lit. f GDPR (legitimate interest in external representation and customer communication).
Google's privacy notice: https://policies.google.com/privacy
Social media
We currently do not maintain profiles on social media platforms. If this changes, we will update this privacy policy accordingly.
Electronic commerce
The ordering platform constitutes an electronic commerce platform within the meaning of §312i BGB (German Civil Code). The requirements of the Button-Lösung (button solution) under §312j para. 3 BGB are implemented in the checkout flow.
Cookies and browser storage
gastrohub.dev uses technically necessary storage and, only after your explicit consent, Google Ads conversion cookies. These help us measure how successful our ads are, for example whether a visit from an ad leads to a demo request. The provider is Google Ireland Limited. On your first visit a cookie banner is shown; without your consent no marketing or tracking cookies are set. We use Google Consent Mode v2, which defaults to 'denied' until you agree. Legal basis: § 25(1) TTDSG and Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time with future effect by clearing your browser's local storage for this site.
We only store your chosen display language (German or English) in your browser's Local Storage under the key "gh:lang", so you do not have to make that choice again on later visits. No personal data is stored. Storage duration: until you delete it yourself. Legal basis: § 25 para. 2 no. 2 TTDSG (technically necessary storage) in conjunction with Art. 6(1)(f) GDPR (legitimate interest). You can delete the entry at any time in your browser settings. Additionally, we store your cookie choice (accepted or rejected) under the key 'gh:consent' so the banner does not reappear on every visit.
Server log files
Each time the website is accessed, technical access data (server log files) is automatically recorded by the hosting provider. This includes IP address, date and time, the URL accessed, transferred data volume, referrer URL, user agent. This data is processed exclusively to ensure faultless operation and to fend off misuse, and is deleted within 90 days at the latest. The legal basis is Art. 6 para. 1 lit. f GDPR.
Data security
We apply technical and organisational measures to protect your data against loss, manipulation and unauthorised access. The connection to the website is SSL/TLS-encrypted. Access to the platform is password-protected and logged.
Notification of data breaches
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours in accordance with Art. 33 GDPR. Where the breach is likely to result in a high risk to affected individuals, they will be informed without undue delay in accordance with Art. 34 GDPR.
No automated decision-making
No automated decision-making, including profiling within the meaning of Art. 22 GDPR, takes place.
Your rights
You have the following rights vis-à-vis us regarding your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing (Art. 21 GDPR)
- Right to withdraw a given consent (Art. 7 para. 3 GDPR)
To exercise your rights, please email kontakt@gastrohub.dev.
Right to complain to the supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data. The competent supervisory authority for GastroHub is:
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Königstraße 10a
70173 Stuttgart, Germany
https://www.baden-wuerttemberg.datenschutz.de
Retention periods overview
- Contact enquiries: 12 months
- Server log files: maximum 90 days
- Contract and master data of restaurant customers: 10 years (§147 AO)
- Invoice-related transaction metadata: 10 years (§147 AO)
- End-customer data on the ordering platform: as instructed by the restaurant operator in the DPA
- Local Storage entry "gh:lang" (language preference): until deleted by the user
Changes to this privacy policy
We reserve the right to update this privacy policy if legal changes or adjustments to our services make this necessary. The respective current version is always available on this page.
Status: June 2026