Contracts
Terms & Conditions - Choco Communications UK Ltd
Effective August 24, 2022
DownloadTable of Contents
Terms & Conditions
1. Subject matter of the contract
1.1 Choco Communications UK Limited (hereinafter "CHOCO") has developed an app and a web interface (hereinafter collectively the "App") through and via which commercial customers from the gastronomy, drink and food sector (hereinafter a "Gastronomer") can communicate and send their orders to their suppliers (hereinafter a "Supplier").
1.2 These General Terms and Conditions (hereinafter "General Terms and Conditions" or “GTC”) apply to the use of the App. For the free download of the App, the general terms and conditions of the Apple App Store or Google Play Store shall apply in addition to these GTC and any section of those general terms and conditions shall take precedence over any section in these GTC in the event of inconsistency. However, an account (in accordance with section 3.1) is required to use the App after download; downloading the app alone does not entitle a User to use the App. In addition, CHOCO may offer to integrate the App into the corporate software of a Supplier. This integration and the use of the integrated App is subject to separate terms and conditions and is not the subject of these GTC.
1.3 The object of these GTC is to set out the terms and conditions under which CHOCO grants a licence for the Gastronomers and Suppliers who use the App (each a "Company"). By using the App, the Company confirms that it accepts these GTC and that it agrees to comply with them. If the Company does not agree to these GTC, it must not use the App.
1.4 The provisions of these GTC shall prevail over any other general or specific terms and conditions of the Company. These GTC may be supplemented by CHOCO, where appropriate, by specific terms of use for certain aspects of the App, which shall supplement these GTC and shall prevail over them in the event of any conflict.
2. Use of the App
2.1 CHOCO grants to Company a non-exclusive, revocable, non-sublicensable, personal and non- transferable licence to use the App (in executable code) solely for the Company's internal business operations in the United Kingdom. For the avoidance of doubt, this licence also covers the use of the App by such individual Users (as defined in section 3.6 below) as the Company may designate. The source code of the App and other CHOCO software is not subject to these GTC and CHOCO reserves all rights thereto.
2.2 The App is designed and intended for professional use and is aimed exclusively at business customers, in particular the catering trade, the food industry and the food trade. Consumers are not permitted the use the App.
3. Registration and Account access Account creation and conclusion of contract
3.1 The use of the App requires that the Company registers in the App and accepts these GTC. For this purpose, a registration form is available in which all information marked as mandatory must be filled in. Before submitting the form, the Company can correct any errors directly by correcting the respective information in the form. CHOCO will not activate incomplete registrations.
3.2 The Company may access, save and print the current GTC on the website at any time. CHOCO does not store the text of the contract after it has been concluded.
3.3 Upon receipt of the Company's application for registration, CHOCO may then open an account in the Company's name (hereinafter the "Account"), which enables it to use the App.
3.4 The Company warrants, represents and undertakes that all information provided in the registration form is accurate, up-to-date, truthful and not misleading.
3.5 The Company undertakes to update the information relating to its Account immediately in the event of any changes, so that it always complies with the above criteria.
User Assignment
3.6 The Company shall ensure that any person ("User") who uses the App, or creates an Account, for or on behalf of a Company or assigns himself or herself to an existing Company Account is authorised to accept these GTC and to (in relation to the Gastronomer) place binding orders with Suppliers or to (in relation to the Supplier) receive and fulfil orders from Gastronomers.
3.7 CHOCO may technically enable a Company to create additional User profiles. The Company shall not permit any third party competing with CHOCO to (directly or indirectly) have access to the App.
3.8 The Company undertakes to ensure that Users do not allow any third party to use the App in their place or on their behalf.
3.9 The Company is responsible for ensuring that all Users are aware of these GTC and other applicable terms and conditions, and that they comply with them and the Company shall be liable for the acts and omissions of its Users.
Access data
3.10 The Company undertakes to maintain the security and confidentiality of the data it uploads to the App ("Access Data") and, where applicable, to impose the same obligations on Users associated with its Account.
3.11 Any access to the Account using the Company's Access Data shall be deemed to have been made by the Company. The Company shall immediately notify CHOCO if it becomes aware that its Account has been used without its knowledge. The Company acknowledges that CHOCO has the right to take all appropriate measures in such cases, in particular to temporarily block the Account to prevent misuse. CHOCO shall not be responsible for any loss, destruction, alteration or disclosure of Access Data.
4. Features and functionality of the App
4.1 The App contains a messaging service (the "Messaging Service") which enables: (a) the Gastronomer to communicate directly with its Suppliers and place orders; or (b) the Supplier to receive orders from the Gastronomer directly and bundled in digital form.
4.2 Conversations via the Messaging Service take place between two Companies, including at least one Gastronomer.
4.3 The Gastronomer may only start a conversation with Suppliers (i) whose contact details have been added to the Gastronomer's Account at the Gastronomer's initiative or (ii) whom the Gastronomer has invited to participate in its use of the App and who have accepted this invitation. CHOCO does not allow the Gastronomer or the Supplier to view the List (as defined in section 4.5) of all Suppliers / Gastronomers using the App or to compare their characteristics.
4.4 The App includes an optional feature that enables Gastronomers to voluntarily include the estimated price for products (the "My Price Feature"). The My Price Feature enables Gastronomers to calculate the estimated cost of their order via the App. The Company acknowledges that CHOCO does not control or alter the information transmitted via the My Price Feature (the "My Price Feature Information"), and they may change from time to time subject to the specific information that Gastronome may voluntarily insert therein. By using the App and submitting the My Price Feature Information, each Gastronome and Supplier agrees to the use of My Price Feature via the App. The My Price Feature Information cannot be seen by any other than the Gastronomer to which the My Price Feature Information relates. Please note that we cannot accept any responsibility for the content of the data that you voluntarily upload to the App, therefore, you are fully liable for any shared information on the App which may infringe any applicable laws and/or any third parties right.
4.5 In order to facilitate the placing of the order, the Gastronomer shall also have the option of entering lists of the products that it usually orders from the relevant Supplier (hereinafter "Lists") or to ask CHOCO to enter them on the basis of the documents provided by the Gastronomer. By selecting a List, the Gastronomer only needs to specify the desired quantities in order to place an order with the relevant Supplier.
4.6 To use the functionality set out in section 4.5 above: (a) the Gastronomer shall provide CHOCO with the contact details of its suppliers and the desired Lists; and (b) upon receipt of the information at section 4.6(a), CHOCO may set up the Account with the contact details of the Suppliers and the Lists requested by the Gastronomer.
4.7 The content on the App that CHOCO provides is provided for general information only. It is not intended to amount to advice on which the Company should rely. Although CHOCO makes reasonable efforts to update the information it provides on the App, it makes no promises and provide no assurances that that content on the App is accurate, complete or up to date.
5. Suspension / withdrawal of the App
5.1 CHOCO does not guarantee that the App, or any content, will always be available or be uninterrupted. CHOCO may suspend or withdraw or restrict the availability of all or any part of the App for business and operational reasons. CHOCO will use reasonable endeavours to give the Company reasonable notice of any suspension or withdrawal (via the App or otherwise).
5.2 CHOCO reserves the right to offer other additional functionality in the App that it deems appropriate, in a form and according to the functionalities and technical means that it deems most suitable for the relevant functionality. CHOCO also reserves the right to modify the App (or any functionality of the App) or to remove certain functionality or other information to which a Company has access (such as a Supplier's product list).
6. Free service
6.1 CHOCO shall not charge the Gastronomer any commission or other costs for the provision of access to the App. CHOCO may charge the Supplier a fee for the provision of access to the App and such fee will be highlighted to the Supplier during the registration process.
6.2 The contract for the use of the App shall run for an indefinite period.
6.3 The Company may terminate the contract on the use of the Services at any time with 7 days' notice by sending a corresponding message by e-mail to CHOCO at the contact details stated at the beginning of these General Terms and Conditions. The termination shall result in the automatic deletion of the Company Account.
6.4 CHOCO may terminate the contract properly and close a Company's Account for any reason, subject to at least 30 days' notice.
6.5 In addition, the contract may also be terminated in writing by CHOCO without notice for good cause. Good cause entitling CHOCO to terminate the contract shall be deemed to exist in particular if the Company has breached Sections 2, 7, 10, 13 or 14 of these General Terms and Conditions and has not remedied this breach within seven days of receipt of a notification in text form by e-mail.
6.6 In any case, CHOCO also reserves the right to close and delete an Account that has remained inactive for a continuous period of six months.
7. Duties of the Company
Without prejudice to the other obligations provided for herein, the Company, the Gastronomer and/or the Supplier shall comply with the following obligations (as applicable):
7.1 The Gastronomer undertakes to ensure that orders sent via the App are accurate, true and correct.
7.2 The Supplier undertakes to respond to and fulfil orders placed via the App under the same conditions as other orders received outside the App.
7.3 The Company shall comply with applicable laws and regulations when using the App and shall not violate the rights of third parties or public order.
7.4 The Company shall be solely responsible for proper compliance with any legal requirements, in particular of an administrative, fiscal and/or labour nature, as well as for any payment of taxes or duties of any kind that may be incumbent upon it in connection with its use of the App. CHOCO shall not be held liable in this respect under any circumstances.
7.5 The Company acknowledges that it is aware of the limitations, particularly of a technical nature, of the App.
7.6 The Company undertakes to observe reasonable rules of politeness, courtesy and decency in its exchanges with other Companies.
7.7 The Company shall provide CHOCO with all necessary information and actively cooperate with CHOCO with regard to its use of the App and the proper performance of its obligations under these GTC.
7.8 The Company warrants, represents and undertakes that it is authorised to transmit through the App any content or information (commercial, editorial, graphics, audios, audiovisual or other, including the name and/or image that the Company or a User may have chosen to identify him/her within the App, the names of the Gastronomer and Suppliers and/or their contact details and the Lists of products) that it uses within the framework of the App and, in particular, within the framework of its exchanges with other Companies or that it transmits to CHOCO via the App (hereinafter "Content" and/or "Information").
7.9 The Company grants CHOCO the right to use this Content and Information and warrants, represents and undertakes that it has all the necessary rights required to enable the use, reproduction and dissemination of this Content and Information by CHOCO.
7.10 The Company undertakes to ensure that the said Content or Information is lawful, not contrary to public order, morality or the rights of third parties, whether intellectual property rights or equivalent, personal rights, trade secrets or confidential information, that it is not in breach of any legal or regulatory provisions and, more generally, that it is in no way likely to give rise to any liability on the part of CHOCO.
7.11 The Company shall only transmit Content and/or Information that is appropriate to the purpose of the App and, in particular, shall not transmit the following Content and/or Information through the App (including, for the avoidance of doubt, via the My Price Feature): (a) Content that is not reasonably related to the ordering or execution of contracts between Gastronomer and Supplier (such as political or religious Content); (b) Content that is pornographic, obscene, indecent, shocking or unsuitable for a family audience, defamatory, offensive, violent, racist, xenophobic or revisionist; (c) unlawful Content; (d) Content that violates personal rights; (e) Information that breaches a confidentiality agreement or discloses a trade secret without permission; (f) Content that is false or misleading or promotes illegal, fraudulent or deceptive activities; (g) Content that is harmful to computer systems (such as viruses, worms, Trojan horses, etc.); and (h) in general, any Content that in any way and in any form infringes the rights of third parties or may harm third parties.
7.12 In order to use the App, the Company must be connected to the internet. The Company is solely responsible for the internet connection, and the Company acknowledges that the quality of the App is directly dependent on this.
7.13 The App is subject to continuous development. CHOCO shall inform the Company of any new version or any change to an existing version. The Company acknowledges and accepts that the use of the App requires the use of the latest versions of the App.
7.14 In order to improve and promote the App, CHOCO has the right to get in touch with each User of the App without prior notice to or approval by the Company. This may include the participation of a User in referral programs, sweepstakes and similar promotional activities.
8. Limitation on liability
8.1 CHOCO: (a) does not warrant that: (i) that the App will meet the Company's requirements; or. (ii) the App will be free from viruses or malicious software. (b) is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Company acknowledges that the App may be subject to limitations, delays and other problems inherent in the use of such communications facilities.
8.2 The Company acknowledges and agrees that: (a) the App is provided on an "as is" basis; (b) CHOCO assumes no liability or responsibility whatsoever in connection with any products purchased and sold via the App or the contract or relationship between the Supplier and the Gastronomer, in particular, the Company acknowledges that: (i) CHOCO has no responsibility for the communications between businesses in the App and CHOCO does not moderate, select, routinely review, or control such communications, and acts only as a hosting provider for such communications; (ii) orders for products placed via the App are between the Gastronomer and the Supplier and CHOCO does not check the orders and is not a party to the contract between the Gastronomer and the Supplier; (iii) CHOCO does not control the pricing, payment or delivery of the products, which are agreed directly between the Supplier and the Gastronomer; (iv) CHOCO shall not be a party to disputes of any kind between the Gastronomer and the Supplier, including in relation to the terms and delivery times for products, warranties or guarantees, payment deadlines or payment obligations and other obligations of any kind entered into between the two parties; (v) CHOCO does not carry out any due diligence on the Supplier or Gastronomer; (vi) CHOCO does not carry out, and cannot be held liable for, any verification of the quality or characteristics of the products listed, their compliance with applicable laws and regulations, their storage or delivery conditions, or the financial capacity and solvency of the Gastronomer or Supplier; and. (vii) the App provides an additional, non-exclusive solution for communication and order placement between Gastronomer and Supplier and that this solution is not a substitute for other means that the Company might otherwise use to achieve the same objective; and. (c) all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from these GTC.
8.3 Nothing in these GTC shall limit or exclude either party's liability for: (a) death or personal injury caused by its negligence, or the negligence of its personnel, agents or subcontractors; (b) fraud or fraudulent misrepresentation; and (c) any other liability which cannot be limited or excluded by applicable law.
8.4 Subject to clause 8.3, the maximum aggregate liability of CHOCO arising out of or in connection with these GTC (whether such liability arises in contract, tort (including negligence), misrepresentation, breach of any duty (including strict liability) or otherwise shall be limited to the greater of (i) £100 and (ii) the amount of any fees CHOCO has received from the Company in relation to the provision of access to the App.
8.5 Subject to clause 8.3, CHOCO shall be liable to the other (whether such liability arises on contract or tort (including negligence) for misrepresentation, breach of any duty (including strict liability) or otherwise) for any of the following: (a) indirect or consequential loss or damage; (b) loss of profits; or (c) loss or depletion of goodwill.
9. Indemnification
9.1 The Company shall indemnify and keep indemnified CHOCO against all claims, demands, actions, proceedings, losses, actions, proceedings, fines, penalties, awards, liabilities, damages, compensation, settlements, charges and expenses/costs (including legal costs) suffered by CHOCO or any of its group companies as a result of or in connection with any claim from a third party in relation to the Company's use of the App.
10. Prohibited Conduct
10.1 The Company shall not use the App for the following purposes: (a) to engage in any activity that is illegal, fraudulent or prejudicial to the rights or safety of others; (b) to interfere with public order or to violate applicable laws and regulations; (c) to intrude into a third party's computer system or for any other activity designed to control, interfere with or intercept any Content or breach the integrity or security of all or part of a third party's computer system; (d) for sending unsolicited e-mails and/or sending commercial solicitation or advertising messages; (e) for manipulations aimed at improving the ranking of a third party's website; (f) for disseminating information or links referring to a third party's website; (g) for aiding or abetting in any way, shape or form one or more of the acts and activities described above; and. (h) generally for any activity using the App for purposes other than those for which it was designed.
10.2 The Company shall not (i) engage in any conduct that is likely to interrupt, suspend, slow down or prevent the continuous use of the App by any of CHOCO's customers, (ii) intrude or attempt to intrude into CHOCO's systems, (iii) engage in any improper use of the App's system resources, (iv) engage in any action that is likely to place a disproportionate load on the infrastructure of the App, (v) breach CHOCO or the App's security and authentication measures, or (vi) engage in any act likely to damage the financial, commercial or moral rights and interests of CHOCO, its customers or of the Users of the App.
10.3 The Company shall not monetise, sell or give access to all or part of the App and the information hosted and/or shared on it to third parties.
11. Measures in the event of non-compliance
11.1 In the event of non-compliance by a Company with any of the provisions of these General Terms and Conditions or, more generally, a breach of applicable laws and regulations, without prejudice to its other rights or remedies, CHOCO reserves the right to: (a) suspend or block access to the App of the Company or User who committed or participated in the breach; (b) remove Content posted on the App; (c) publish through the App such information notices as CHOCO deems necessary; (d) notify governmental agencies and authorities; and/or. (e) take legal action of any kind.
12. Intellectual property
12.1 The Company acknowledges and agrees that CHOCO and/or its licensors own all intellectual property rights in the App, and all software, structures, infrastructures, databases and content of any kind (texts, images, graphics, music, logos, trademarks, databases, etc.) used by CHOCO in the context of the App (collectively "CHOCO IPR"). Any unauthorised use without the prior written consent of CHOCO is prohibited. Except as expressly stated herein, these GTC do not grant the Company any rights or licences in respect of the CHOCO IPR.
12.2 The Company is not entitled to reproduce and/or decompile the App in whole or in part.
12.3 The Company expressly authorises CHOCO to use the reproduction of its brand name or logo in the App, in particular to enable a Supplier to designate the brand name or logo on its Product List.
13. Confidentiality
13.1 Each party undertakes to keep strictly confidential the documents, data and Information of the other party which it receives. In the case of CHOCO, the parties expressly agree that this confidentiality obligation extends to the personal data that CHOCO processes in the context of the App for the Company. All such information is hereinafter referred to as "Confidential Information".
13.2 The party receiving Confidential Information undertakes not to disclose it without the prior consent of the other party for a period of five years from the end of the performance of the Services concerned. It may only disclose it to employees, trainees, vicarious agents or consultants if they are subject to professional secrecy or if obligations corresponding to the confidentiality obligations of these General Terms and Conditions have been imposed on them beforehand. Furthermore, the parties shall only disclose the Confidential Information to those employees who need to know it for the performance of this contract and shall also oblige these employees to maintain confidentiality to the extent permitted by labour law for the time after their departure.
13.3 This obligation does not extend to Confidential Information: (a) which was already known to the receiving party or thereafter becomes known to it from a third party without breach of any confidentiality agreement, legal requirements or governmental orders; (b) which are already public at the time of their disclosure or which become public without breach of these conditions;
13.4 which are required to be disclosed by law or by order of a court or governmental authority. To the extent permissible and possible, the recipient obliged to disclose shall notify the other party in advance and give it the opportunity to oppose the disclosure.
14. Publicity
14.1 The Company expressly authorises CHOCO to name it as a reference client and, where appropriate, to use its name, brand or logo for commercial references, including but not limited to at events, in its corporate or promotional materials, in articles, on its website and App, and on professional social networks such as LinkedIn, in any form whatsoever.
15. Amendments
15.1 CHOCO may amend these General Terms and Conditions at any time. CHOCO may notify the Company of any amendments to these General Terms and Conditions, either via e-mail or through an in-app notification. Any such amendments to these GTC shall be deemed to have been accepted by the Company if the Company continues to use the App.
16. General Provisions.
16.1 In these GTC, unless the context otherwise requires the words "includes" or "including" shall be construed as illustrative only and shall not limit the generality of the preceding words.
16.2 CHOCO shall have no liability to the Company if it is prevented from or delayed in performing its obligations under these GTC, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including strikes, lock-outs or other industrial disputes (whether involving the workforce of CHOCO or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or sub-contractors.
16.3 No failure or delay by a party to exercise any right or remedy provided under these GTC or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
16.4 Except as expressly provided in these GTC, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
16.5 If any provision or part-provision of these GTC is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of these GTC.
16.6 These GTC constitute the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter. Each party acknowledges that in entering into these GTC it does not rely on any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in these GTC. Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in these GTC.
16.7 The Company shall not, without the prior written consent of CHOCO, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under these GTC. CHOCO may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under these GTC.
16.8 Nothing in these GTC is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
16.9 These GTC do not confer any rights on any person or party (other than the parties to these GTC and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999 or otherwise.
17. Governing law & Jurisdiction
17.1 These GTC and any dispute or claim arising out of or in connection with them or their subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.
17.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with these GTC or their subject matter or formation (including non-contractual disputes or claims).
Privacy Policy - Choco Communications UK Ltd.
Effective September 5, 2023
DownloadTable of Contents
Privacy Policy for the App Users
Preamble
The service consisting of the Choco App, Choco web tool and their ancillary related services (together hereinafter "App") is provided by Choco Communications UK Ltd, a company incorporated in England and Wales with registered number 13937613 whose registered office is at 6th Floor, One London Wall, London, EC2Y 5EB, and Choco Communications GmbH, whose registered office is at Wrangelstraße 100, 10997 Berlin, Germany, both of which may be contacted by email at legal@choco.com, (together hereinafter “Choco”, "we" or "us") as joint controllers within the meaning of the applicable data protection law, namely (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018 ("DPA"); (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time. The terms "data subject", "personal data", "processing", "processor" and "controller" shall have the meanings set out in the DPA.
Choco Communications UK Ltd, and Choco Communications GmbH together determine, within a separate agreement, the purposes and means of the personal data being processed in accordance with Art. 26 of UK GDPR. If you wish to receive an extract of such agreement, please send your request to datenschutz@choco.com.
The App provides its users with access to messaging and ordering services, which may allow commercial customers from the gastronomy and food sector (hereinafter the "Buyers") to communicate directly with their suppliers (hereinafter the "Vendors") and place orders directly receivable by the Vendors and bundled in digital form without any delay.
When operating the App, we process your personal data. The protection of your privacy when using the App is important to us, therefore we would like to inform you especially about the scope, the legal basis, data subject rights and the personal data which we process when you use the App.
1. Information on the processing of your personal data
Certain information is already processed automatically by us as soon as you use the App. The personal data that we may process is indicated in detail below:
1.1 Information collected during download
When downloading the app, Choco does not require nor collect any personal data of yours, nevertheless, we would like to inform you that certain required information might be requested by the App Store selected by you (e.g. Google Play or Apple App Store). The processing of this data, which takes place exclusively by the respective App Store, is beyond our control and we are not responsible for damages that occur to you arising from the data processing which is carried out by the App Store which you selected to download the App from.
1.2 Information collected automatically
As part of your use of the App, we automatically collect certain personal data that is necessary for the use of the App. This includes: device information, the version of your operating system, the type of device you use, your time of access, and your IP address. This data is automatically transmitted to us and stored in our servers, in order to:
(i) Provide the App to you;
(ii) Improve the functions and performance features of the App; and
(iii) Prevent and remove misuse and malfunctions of the App.
With regard to clause 1.2 (i) of this Privacy Policy, we process your personal data on the basis that such processing is necessary for the performance of the services foreseen in the General Terms and Conditions, between you as the data subject and us, in accordance with Article 6.1(b) of UK GDPR.
With regard to clauses 1.2 (ii) and (iii) of this Privacy Policy, we also have a legitimate interest in ensuring the functionality and error-free operation of the App and being able to offer a service in line with the market and your interests. Our legitimate interest here outweighs your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR.
1.3 Creation of a user account (registration) and login
1.3.1 For the creation of a user account, you are required to complete a registration form in the App and accept the General Terms and Conditions, for this purpose information marked as mandatory in the registration form shall be filled in. Mandatory Information means your username, telephone number, email address, business name, and business address. The Mandatory Information is required for completing the registration form in the App, the creation of your user account, and the login, together with the acceptance of the General Terms and Conditions. If you do not provide the Mandatory Information, you will not be able to create a user account.
We process the Mandatory Information to authenticate you when you log in. The data entered by you during the registration, or login will be processed by us to:
(i) Verify your authorization to manage the user account;
(ii) Enforce the terms of use of the App and all associated rights and obligations; and
(iii) Send you technical or legal notices, updates, security messages or other messages concerning the administration of the user account.
The processing of personal data contained within the Mandatory Information is justified by the fact that:
With regard to clause 1.3.1 (i) of this Privacy Policy, the data processing is necessary for the performance of the contract between you, as the data subject, and us, for the proper functioning of the App, in accordance with Article 6.1(b) of UK GDPR; and
With regard to clauses 1.3.1 (ii) and (iii) of this Privacy Policy, we have a legitimate interest in ensuring the functionality and error-free operation of the App as well as in contacting our users for any information relevant to them for the use of the App. Our legitimate interest here outweighs your rights and interests in protecting your personal data within the meaning of Article 6.1(f) of UK GDPR.
1.3.2 Furthermore, you can provide voluntary information during or after the registration on the App. You have the option of uploading pictures, screenshots, and additional text content to the App to simplify the communication and ordering process ("Voluntary Information"). Moreover, the content of the Voluntary Information which you may share with the App may vary depending on the type of data which you voluntarily upload to the App. Please note that we cannot accept any responsibility for any content that you voluntarily upload to the App, therefore, you are fully liable for any Voluntary Information, not required for the purpose of processing personal data, which infringes the applicable laws and/or any third parties' rights.
As per Article 6.1 (a) of UK GDPR, we will process the personal data contained within the Voluntary Information based on your consent which you can withdraw at any time in accordance with Article 7.3 of UK GDPR.
As per Article 6.1 (a) of UK GDPR, we will process the personal data contained within the Voluntary Information based on your consent which you can withdraw at any time in accordance with Article 7.3 of UK GDPR.
1.4 Use of the App
When using the App, you can enter, manage, and edit various information, tasks and activities. This information includes, in particular, data related to the communications that the Buyers send, together with their orders, to their Vendors which are directly received by the latter and bundled in digital form without any delay. For the use of the App, you may be requested to activate the following functions:
(i) Internet access. This is a basic requirement for the use of the App, without access to the Internet you will not be able to communicate with your clients or Vendors, nor store your entries on our servers.
(ii) Camera access. This access is not mandatory for the use of the App, nevertheless it may improve the communications between Buyers and Vendors as well as allow you to include pictures and/or screenshots to simplify the order process and store them in the App and on our servers. By granting access to your camera, you agree that Choco will have access to your pictures and media contents, thus data processing in this context is based on your consent [Article 6.1 (a) of UK GDPR]. Furthermore, we would like to inform you that currently the pictures and/or screenshots, which you may voluntarily upload to the App, will not be automatically deleted from the App. Nevertheless, if you wish to delete your uploaded pictures and/or screenshots, you may forward your request to the Choco Legal Team, using the following email address: datenschutz@choco.com (this does not affect the general rules on the deletion of data in the event of cancellation of your user account according to clause 5 of this Privacy Policy).
The processing of the above-mentioned data is based on your consent, as per Article Article 6.1 (a) of UK GDPR, which you can withdraw at any time, in accordance with Article 7.3 of UK GDPR.
1.5 Vendor’s information obtained from the Buyer
In accordance with this Privacy Policy and our General Terms and Conditions, the Buyer may provide us with the contact details of a Vendor for the purpose of simplifying the placement of its orders. Such contact details may contain the personal data of a Vendor that will be processed by us albeit without being obtained from the data subjects. Pursuant to Article 14 of UK GDPR, please find below the information and the principles regulating the processing of such personal data.
- The identity and the contact details of the data controller of the Vendor’s personal data is indicated in the preamble of this Privacy Policy;
- Please refer to clause 8 of this Privacy Policy for the contact details of the data protection officer;
- Choco will process the Vendor’s personal data in order to allow each Buyer to communicate and/or place orders directly receivable by its Vendors and bundled in digital form without any delay, the data processing will hence based on our legitimate interest to provide the correct functionality of the App which here outweighs your rights and interests in the protection of your personal data within the meaning of Art. 6. 1 (f) of UK GDPR. Please note that as a data subject, you have the right to object at any time;
- Choco may process personal data attributable to the Vendor’s personnel, that may consist of names, email addresses, addresses, and phone numbers;
- Choco may disclose the Vendor’s personal data to the recipient listed within clause 2 of this Privacy Policy;
- Choco may transfer the Vendor’s personal data to recipients located in third countries outside the UK or the European Economic Area ("EEA"), in accordance with clause 3 of this Privacy Policy;
- The Vendor’s personal data will be stored in the same manner described by clause 5 of this Privacy Policy;
- If you are data subject with regard to the Vendor’s personal data, you are entitled to the following rights according to Art. 15 - 21, 77 of UK GDPR, please refer to clause 7 of this Privacy Policy for more information;
- In order to improve our App and your user experience, Choco uses analysis tools, and other operational tasks aiming to ensure the functionality of the App in accordance with clause 4 of this Privacy Policy. Nevertheless, please note that for the processing of your personal data there is NO type of automated decision-making process, pursuant to Art. 22 of UK GDPR.
2. Disclosure and transfer of data
For the data processing during the registration, creation of the user account, and your general use of the App, Choco is the data controller. Nevertheless, we transfer your personal data to recipients on the condition a legal basis exists and/or you gave your consent to the data process. Any third parties with whom we share your personal data are limited (by law and by contract) in their ability to use your personal information. We will ensure that any third parties with whom we share your personal information are subject to privacy and security obligations consistent with this Privacy Policy and applicable laws.
We transfer your data to the following recipients:
2.1 The Choco Group
The data provided by you during registration will be passed on within the Choco Group for internal administrative purposes, including joint customer support, as far as necessary.
2.2 Your Vendors (this section applies to you only if you are a Buyer)
We may share your personal data with the Vendors, with whom you have freely decided to communicate and/or to place your orders via the App. In such case, your Vendors and Choco will act as independent data controllers with regard to the processing of your personal data, hence each data controller is directly responsible to comply with the requirements of the applicable data protection law. The processing of your personal data, carried out by the Vendor in this regard is beyond our control, and we reject any responsibility for damages that occurred to you arising from the data processing carried out solely by the Vendor you have freely selected for your communications or for the placement of your orders.
2.2.1 In connection with our operation of the App and the Vendor’s use thereof, please note that your Vendor may further request Choco to perform integration services for the creation of a technical infrastructure enabling your Vendor to transfer orders digitally from the App directly into its ordering system and to confirm them electronically (hereinafter “Integrated Services”). Only if subject to the Integrated Services, your personal data will be further processed as set out by section 2.2.2 of this Privacy Policy.
2.2.2 Your Vendor and Choco will enter into an agreement as joint controllers within the meaning of Article 26 of UK GDPR, and they will together determine the purposes and means of the personal data being processed only for the performance of the Integrated Services. Please click here for more information about the processing of your personal data pursuant to Art. 13 of UK GDPR, while the essence of such joint controllership agreement is here available.
2.3 Your employer
Please note, that if you are using the App in connection with your role as an employee or contractor of a company or other legal entity, we may share your personal data with such entity.
2.4 Third parties that assist us in providing its services to you
We share your personal data with third parties who assist us in providing our customer services and facilitating our communications with individuals that submit inquiries. We engage third-party service providers that perform business or operational services for us or on our behalf, including infrastructure provisioning, IT services, and administrative services. A list with complete details about the above-mentioned third-party service providers is available in Annex I of this Privacy Policy.
2.5 Third parties that provide us with Analysis Tools
We share your personal data with third parties who assist us with tools for the statistical recording and analysis of general usage behavior on the basis of access data. For more information and the complete list of these companies, please refer to clause 4 (“Analysis tools”) and Annex II of this Privacy Policy.
2.6 Competent authorities
We are under a duty to disclose your personal data in order to comply with any legal obligation or lawful request by a government or law enforcement authority, as such disclosure may be required to meet national security or law enforcement requirements, or to prevent illegal activities. Any disclosure of the personal data will be justified by the fact that the processing is necessary to fulfill a legal obligation to which we are subject in accordance with Article 6.1(c) of UK GDPR in the national legal requirements for the disclosure of data to law enforcement authorities
2.7 Legitimate Third Parties
We may disclose your personal data to third parties in order to enforce the App’s terms of use, our terms and conditions for customers or any other agreement or to respond to any claims, to protect our rights or the rights of a third party, or to protect the safety of any person or to prevent any illegal activity. Any disclosure of the personal data is justified by the fact that we have a legitimate interest in using the data in the presence of evidence of abusive behavior or to enforce our terms of use, of other conditions or legal claims to the aforementioned third parties and your rights and interests in relation to the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
2.8 New entities as a result of corporate restructuring
In the context of the further development of our business, the structure of our company may change by changing the legal form, founding, acquiring, or transferring subsidiaries, parts of companies or components. In accordance with such operations, the customer information may be shared together with the part of the company to be transferred. Each time personal data is transferred to third parties to the extent described above, we shall ensure that this transfer is done in accordance with this Privacy Policy and the UK GDPR. Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances if necessary, and your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
3. Data transfer to third countries
3.1 We may share your personal data to members of the Choco Group or third party service providers who are outside the UK or the EEA. If we provide any personal data about you to any such non-UK and non-EEA members of our group or suppliers, we will take appropriate measures to ensure that the recipient protects your personal data adequately in accordance with this Privacy Policy.
3.2 In particular, we would like to inform you that the EU-US Privacy Shield (adequacy decision) has been declared invalid and that in case of data transfers to insecure third countries (here, the USA), there is no adequate level of data protection according to EU and UK standards. In particular, there is a risk that your data may be processed by U.S. authorities, for control and for monitoring purposes, possibly also without any legal remedy.
3.3. If we provide any personal data about you to any such non-UK and non-EEA members of our group or suppliers, we will take appropriate measures to ensure that the recipient of your personal data protects it adequately in accordance with this Privacy Policy. We have concluded with service providers based in third countries, depending on the contractual constellation, either a data processing agreement according to Art. 28 of UK GDPR or a joint controllership agreement according to Art. 26 of UK GDPR, moreover, we ensure that the recipient of your personal data may adequately protect it, namely by:
(a) Ensuring that there is an adequacy decision by the UK Government in the case of transfers out of the UK, or by the European Commission in the case of transfers out of the EEA, which means that the recipient country is deemed to provide adequate protection for such personal data;
(b) Where we have in place standard model contractual arrangements with the recipient which have been approved by the European Commission or the UK Government for transfers outside the UK. These model contractual clauses include certain safeguards to protect the personal data.
3.4 In case of data processing in the context of the use of analysis tools, clause 4 of this Privacy Policy, the data processing is based on your consent which you can revoke at any time with effect for the future, Art. 49.1 (a) of UK GDPR.
4. Analysis tools
In order to improve our App and your user experience, we use tools for the statistical recording and analysis of general usage behavior on the basis of access data ("Analysis tools"). Please note that for the processing of your personal data, there is NO type of automated decision-making process, pursuant to Art. 22 of UK GDPR. Unless otherwise stated, the legal basis for the Analysis tools is your consent in accordance with Art. 6.1 (a) of UK GDPR. In the event that personal data is transferred to the USA or other third countries, your consent expressly extends to the transfer of data [Art. 49.1 (a) of UK GDPR]. The associated risks can be found in clause 3 of this Privacy Policy. For the complete list of the third-party providers of Analysis tools used by Choco, please refer to Annex II of this Privacy Policy.
5. Storage duration
We delete your personal data as soon as the purposes for which we processed it, in accordance with the preceding paragraphs, are achieved, and no statutory requirements require us to continue storing it for a longer period of time. We delete your personal data as soon as you submit to us your request for the cancellation of your user account, for the purposes for which we collected or used it in accordance with the preceding paragraphs. Please note that in case of cancellation of your user account, your personal data stored within the App will be deleted insofar as there are no statutory requirements which require us to continue storing it for a longer period of time.
6. Hyperlink
Our App contains hyperlinks to third-party websites. If these hyperlinks are activated, you will be redirected from our App directly to the websites of third-party service providers. You can recognize this, amongst other things, by the changing URL. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, nor for their compliance with the UK GDPR, which is beyond our control. Please refer directly to those websites for information about their handling of your personal data.
7. Your rights as a data subject
7.1 In accordance with Articles 15 to 21 (inclusive) and 77 of UK GDPR, as data subjects you have the following rights:
- Right of access by the data subject (Article 15 of UK GDPR)
- Right to rectification (Article 16 of UK GDPR)
- Right to erasure "right to be forgotten" (Article 17 of UK GDPR)
- Right to restriction of processing (Article 18 of UK GDPR)
- Right to data portability (Article 20 of UK GDPR)
- Right to object (Article 21 of UK GDPR)
- Right not to be subject to a decision based solely on automated processing (Article 22 of UK GDPR)
- Right to lodge a complaint with a supervisory authority (Article 77 of UK GDPR).
7.2 In case the data processing is based on your consent, you have the right to withdraw your consent at any time, in accordance with Article 7.3 of UK GDPR. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In case the data processing is based on our legitimate interest [Article 6.1(f) of UK GDPR], you have the right to object, on grounds relating to your situation, at any time.
7.3 Your requests for the assertion of data protection rights and our answers to them will be kept for documentation purposes for a period of up to three (3) years and, in individual cases, for longer periods for the establishment, exercise or defense of legal claims in accordance with Article 6.1(f) of UK GDPR, which is based on our legitimate interest in:
(i) Defending against any civil law claims pursuant to Article 82 of UK GDPR;
(ii) The avoidance of fines pursuant to Article 83 of UK GDPR; and
(iii) The fulfillment of our accountability under Article 5.2 of UK GDPR.
7.4 As a data subject you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the UK GDPR. The data protection authority responsible for Choco's processing of personal data in the UK is the Information Commissioner's Office.
8. Data Protection Officer and contact details
8.1 If you have any questions, comments or complaints about our handling of your personal data, or if you wish to exercise your data subject rights, please contact the Choco Legal Team using the following contact details: datenschutz@choco.com.
8.2 Furthermore, you are welcome to direct your data protection concerns to our Data Protection Officer by sending an email to the above-mentioned email address. Please note that emails to the above email address will not solely be received by our Data Protection Officer as this is a generic email for the Choco Legal Team. If you solely wish to contact our Data Protection Officer and/or if you wish to send confidential information, please refer to the Data Protection Officer in the subject line or body of your email and please ask for them to contact you directly to further discuss your data protection concerns.
9. Changes to this Privacy Policy
We always keep this privacy policy up to date. Therefore, we reserve the right to update or change it from time to time and to maintain these changes in the processing of your personal data.
Annex I
Third-party service providers Performing business or operational services, infrastructure provisioning, IT services, and administrative services for Choco or on Choco’s behalf.
Aircall SAS
- Address: 11 Rue Saint-Georges, 75009 Paris, France.
- Personal data processed: Username, phone number, and Email Address.
- Storage Information: The servers storing your personal data are located in the Amazon Web Services US West servers in Oregon, USA. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Amazon Web Services, Inc.
- Address: 410 Terry Avenue North, Seattle, WA 98109, United States of America.
- Personal data processed: Username, Phone number, Business Address, IP Address, Device Info, and Email Address.
- Storage Information: The servers storing your personal data are located in Ireland. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Dovetail Research Pty. Ltd.
- Address: Level 1, 276 Devonshire Street, Surry Hills, 2010, NSW, Australia.
- Personal data processed: Username, and Email address.
- Storage Information: The servers storing your personal data are located in AWS us-east-1 region located in North Virginia, United States. Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco.
Google Ireland Limited (reCAPTCHA Enterprise)
- Address: Gordon House, Barrow Street, Dublin 4, Ireland.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email Address.
- Storage Information: The servers storing your personal data are located in Dublin, Ireland. Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco. Google Ireland Limited may transfer personal data to Google Inc, their parent company in the USA.
Intercom, Inc.
- Address: 3rd Floor, Stephens Ct., 18-21 St. Stephen’s Green, Dublin 2, Ireland.
- Personal data processed: Username, Phone number, IP Address, Email Address, and Device info.
- Storage Information: The servers storing your personal data are located in the Amazon Web Services (AWS) facilities in Dublin, Ireland (eu-west-1). Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Invisible Technologies, Inc.
- Address: 548 Market Street #85820 San Francisco, CA, USA.
- Personal data processed: Username, Phone number, Email Address, Address, and Financial Info.
- Storage Information: The servers storing your personal data are within the Amazon Web Services (AWS) us-east-1 region located in North Virginia, United States, and the Google Cloud Platform facilities of Mountain View, California, USA (us-west-1). Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Lobster DATA GmbH
- Address: Hindenburgstraße 15, 82343 Pöcking, Germany.
- Personal data processed: Address, Email address, Fax Number (only when previously provided by the user), Phone number, and Username.
- Storage Information: The servers storing your personal data are located in Germany. Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco.
Salesforce.com Germany GmbH
- Address: Erika-Mann-Str. 31, 80636 Munich, Germany.
- Personal data processed: Username, Address, Phone number, and Email Address.
- Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, and Paris, France. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Sentry, owned by Functional Software, Inc.
- Address: Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, United States.
- Personal data processed: Username, Address, Device info, Email address, Phone number, and IP Address.
- Storage Information: The servers storing your personal data are located in Iowa, USA. Your Personal Data will be stored by the service provider as long as necessary for the provision of the services to Choco.
Talend Stitch Inc.
- Address: 1339 Chestnut St #1500, Philadelphia, Pennsylvania 19107, United States.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email Address.
- Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, in the AWS eu-central-1 servers. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
The Rocket Science Group LLC d/b/a Mailchimp
- Address: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 3030, United States.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email address.
- Storage Information: Mailchimp provides an email service, automation and marketing platform and other related services. The servers storing your personal data are located in the United States of America. Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco.
Annex II
The third-party providers of Analysis tools which are used by Choco are as follows:
Amplitude, Inc.
- Address: 201 3rd Street, Suite 200, San Francisco, CA 94103, United States.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email address.
- Storage Information: Personal data is logically separated using multiple techniques. All data is stored in an Amazon Web Services in the US region. We require this provider’s service for operational reasons, namely, to reach out to the users who are affected by an incident which impedes the correct functionality of the App.Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco.
Google Cloud EMEA Limited (Looker)
- Address: 70 Sir John Rogerson’s Quay, Dublin 2, Ireland.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email address.
- Storage Information: The servers storing your personal data are located in the EEA. Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco. Google Cloud EMEA Limited may transfer personal data to Google LLC, its parent company in the USA.
Google Ireland Limited (Google Analytics)
- Address: Gordon House, Barrow Street, Dublin 4, Ireland.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email address.
- Storage Information: The servers storing your personal data are located in Dublin, Ireland.Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco. Google Ireland Limited may transfer personal data to Google LLC, its parent company in the USA.
Segment.io, Inc.
- Address: 100 California St, Suite 700, San Francisco, CA 94103, United States.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email address.
- Storage Information: The servers storing your personal data are located in S3 AWS Dublin, Ireland. Your Personal Data will be stored by the service provider as long as necessary for the provision of the services to Choco.
Effective April 21, 2023 to September 5, 2023
DownloadTable of Contents
Privacy Policy for the App Users
Preamble
The service consisting of the Choco App, Choco web tool and their ancillary related services (together hereinafter "App") is provided by Choco Communications UK Ltd, a company incorporated in England and Wales with registered number 13937613 whose registered office is at 6th Floor, One London Wall, London, EC2Y 5EB, and Choco Communications GmbH, whose registered office is at Hasenheide 54, 10967 Berlin, Germany, both of which may be contacted by email at legal@choco.com, (together hereinafter “Choco”, "we" or "us") as joint controllers within the meaning of the applicable data protection law, namely (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018 ("DPA"); (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time. The terms "data subject", "personal data", "processing", "processor" and "controller" shall have the meanings set out in the DPA.
Choco Communications UK Ltd, and Choco Communications GmbH together determine, within a separate agreement, the purposes and means of the personal data being processed in accordance with Art. 26 of UK GDPR. If you wish to receive an extract of such agreement, please send your request to datenschutz@choco.com.
The App provides its users with access to messaging and ordering services, which may allow commercial customers from the gastronomy and food sector (hereinafter the "Buyers") to communicate directly with their suppliers (hereinafter the "Vendors") and place orders directly receivable by the Vendors and bundled in digital form without any delay.
When operating the App, we process your personal data. The protection of your privacy when using the App is important to us, therefore we would like to inform you especially about the scope, the legal basis, data subject rights and the personal data which we process when you use the App.
1. Information on the processing of your personal data
Certain information is already processed automatically by us as soon as you use the App. The personal data that we may process is indicated in detail below:
1.1 Information collected during download
When downloading the app, Choco does not require nor collect any personal data of yours, nevertheless, we would like to inform you that certain required information might be requested by the App Store selected by you (e.g. Google Play or Apple App Store). The processing of this data, which takes place exclusively by the respective App Store, is beyond our control and we are not responsible for damages that occur to you arising from the data processing which is carried out by the App Store which you selected to download the App from.
1.2 Information collected automatically
As part of your use of the App, we automatically collect certain personal data that is necessary for the use of the App. This includes: device information, the version of your operating system, the type of device you use, your time of access, and your IP address. This data is automatically transmitted to us and stored in our servers, in order to:
(i) Provide the App to you;
(ii) Improve the functions and performance features of the App; and
(iii) Prevent and remove misuse and malfunctions of the App.
With regard to clause 1.2 (i) of this Privacy Policy, we process your personal data on the basis that such processing is necessary for the performance of the services foreseen in the General Terms and Conditions, between you as the data subject and us, in accordance with Article 6.1(b) of UK GDPR.
With regard to clauses 1.2 (ii) and (iii) of this Privacy Policy, we also have a legitimate interest in ensuring the functionality and error-free operation of the App and being able to offer a service in line with the market and your interests. Our legitimate interest here outweighs your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR.
1.3 Creation of a user account (registration) and login
1.3.1 For the creation of a user account, you are required to complete a registration form in the App and accept the General Terms and Conditions, for this purpose information marked as mandatory in the registration form shall be filled in. Mandatory Information means your username, telephone number, email address, business name, and business address. The Mandatory Information is required for completing the registration form in the App, the creation of your user account, and the login, together with the acceptance of the General Terms and Conditions. If you do not provide the Mandatory Information, you will not be able to create a user account.
We process the Mandatory Information to authenticate you when you log in. The data entered by you during the registration, or login will be processed by us to:
(i) Verify your authorization to manage the user account;
(ii) Enforce the terms of use of the App and all associated rights and obligations; and
(iii) Send you technical or legal notices, updates, security messages or other messages concerning the administration of the user account.
The processing of personal data contained within the Mandatory Information is justified by the fact that:
With regard to clause 1.3.1 (i) of this Privacy Policy, the data processing is necessary for the performance of the contract between you, as the data subject, and us, for the proper functioning of the App, in accordance with Article 6.1(b) of UK GDPR; and
With regard to clauses 1.3.1 (ii) and (iii) of this Privacy Policy, we have a legitimate interest in ensuring the functionality and error-free operation of the App as well as in contacting our users for any information relevant to them for the use of the App. Our legitimate interest here outweighs your rights and interests in protecting your personal data within the meaning of Article 6.1(f) of UK GDPR.
1.3.2 Furthermore, you can provide voluntary information during or after the registration on the App. You have the option of uploading pictures, screenshots, and additional text content to the App to simplify the communication and ordering process ("Voluntary Information"). Moreover, the content of the Voluntary Information which you may share with the App may vary depending on the type of data which you voluntarily upload to the App. Please note that we cannot accept any responsibility for any content that you voluntarily upload to the App, therefore, you are fully liable for any Voluntary Information, not required for the purpose of processing personal data, which infringes the applicable laws and/or any third parties' rights.
As per Article 6.1 (a) of UK GDPR, we will process the personal data contained within the Voluntary Information based on your consent which you can withdraw at any time in accordance with Article 7.3 of UK GDPR.
As per Article 6.1 (a) of UK GDPR, we will process the personal data contained within the Voluntary Information based on your consent which you can withdraw at any time in accordance with Article 7.3 of UK GDPR.
1.4 Use of the App
When using the App, you can enter, manage, and edit various information, tasks and activities. This information includes, in particular, data related to the communications that the Buyers send, together with their orders, to their Vendors which are directly received by the latter and bundled in digital form without any delay. For the use of the App, you may be requested to activate the following functions:
(i) Internet access. This is a basic requirement for the use of the App, without access to the Internet you will not be able to communicate with your clients or Vendors, nor store your entries on our servers.
(ii) Camera access. This access is not mandatory for the use of the App, nevertheless it may improve the communications between Buyers and Vendors as well as allow you to include pictures and/or screenshots to simplify the order process and store them in the App and on our servers. By granting access to your camera, you agree that Choco will have access to your pictures and media contents, thus data processing in this context is based on your consent [Article 6.1 (a) of UK GDPR]. Furthermore, we would like to inform you that currently the pictures and/or screenshots, which you may voluntarily upload to the App, will not be automatically deleted from the App. Nevertheless, if you wish to delete your uploaded pictures and/or screenshots, you may forward your request to the Choco Legal Team, using the following email address: datenschutz@choco.com (this does not affect the general rules on the deletion of data in the event of cancellation of your user account according to clause 5 of this Privacy Policy).
The processing of the above-mentioned data is based on your consent, as per Article Article 6.1 (a) of UK GDPR, which you can withdraw at any time, in accordance with Article 7.3 of UK GDPR.
1.5 Vendor’s information obtained from the Buyer
In accordance with this Privacy Policy and our General Terms and Conditions, the Buyer may provide us with the contact details of a Vendor for the purpose of simplifying the placement of its orders. Such contact details may contain the personal data of a Vendor that will be processed by us albeit without being obtained from the data subjects. Pursuant to Article 14 of UK GDPR, please find below the information and the principles regulating the processing of such personal data.
- The identity and the contact details of the data controller of the Vendor’s personal data is indicated in the preamble of this Privacy Policy;
- Please refer to clause 8 of this Privacy Policy for the contact details of the data protection officer;
- Choco will process the Vendor’s personal data in order to allow each Buyer to communicate and/or place orders directly receivable by its Vendors and bundled in digital form without any delay, the data processing will hence based on our legitimate interest to provide the correct functionality of the App which here outweighs your rights and interests in the protection of your personal data within the meaning of Art. 6. 1 (f) of UK GDPR. Please note that as a data subject, you have the right to object at any time;
- Choco may process personal data attributable to the Vendor’s personnel, that may consist of names, email addresses, addresses, and phone numbers;
- Choco may disclose the Vendor’s personal data to the recipient listed within clause 2 of this Privacy Policy;
- Choco may transfer the Vendor’s personal data to recipients located in third countries outside the UK or the European Economic Area ("EEA"), in accordance with clause 3 of this Privacy Policy;
- The Vendor’s personal data will be stored in the same manner described by clause 5 of this Privacy Policy;
- If you are data subject with regard to the Vendor’s personal data, you are entitled to the following rights according to Art. 15 - 21, 77 of UK GDPR, please refer to clause 7 of this Privacy Policy for more information;
- In order to improve our App and your user experience, Choco uses analysis tools, and other operational tasks aiming to ensure the functionality of the App in accordance with clause 4 of this Privacy Policy. Nevertheless, please note that for the processing of your personal data there is NO type of automated decision-making process, pursuant to Art. 22 of UK GDPR.
2. Disclosure and transfer of data
For the data processing during the registration, creation of the user account, and your general use of the App, Choco is the data controller. Nevertheless, we transfer your personal data to recipients on the condition a legal basis exists and/or you gave your consent to the data process. Any third parties with whom we share your personal data are limited (by law and by contract) in their ability to use your personal information. We will ensure that any third parties with whom we share your personal information are subject to privacy and security obligations consistent with this Privacy Policy and applicable laws.
We transfer your data to the following recipients:
2.1 The Choco Group
The data provided by you during registration will be passed on within the Choco Group for internal administrative purposes, including joint customer support, as far as necessary.
2.2 Your Vendors (this section applies to you only if you are a Buyer)
We may share your personal data with the Vendors, with whom you have freely decided to communicate and/or to place your orders via the App. In such case, your Vendors and Choco will act as independent data controllers with regard to the processing of your personal data, hence each data controller is directly responsible to comply with the requirements of the applicable data protection law. The processing of your personal data, carried out by the Vendor in this regard is beyond our control, and we reject any responsibility for damages that occurred to you arising from the data processing carried out solely by the Vendor you have freely selected for your communications or for the placement of your orders.
2.2.1 In connection with our operation of the App and the Vendor’s use thereof, please note that your Vendor may further request Choco to perform integration services for the creation of a technical infrastructure enabling your Vendor to transfer orders digitally from the App directly into its ordering system and to confirm them electronically (hereinafter “Integrated Services”). Only if subject to the Integrated Services, your personal data will be further processed as set out by section 2.2.2 of this Privacy Policy.
2.2.2 Your Vendor and Choco will enter into an agreement as joint controllers within the meaning of Article 26 of UK GDPR, and they will together determine the purposes and means of the personal data being processed only for the performance of the Integrated Services. Please click here for more information about the processing of your personal data pursuant to Art. 13 of UK GDPR, while the essence of such joint controllership agreement is here available.
2.3 Your employer
Please note, that if you are using the App in connection with your role as an employee or contractor of a company or other legal entity, we may share your personal data with such entity.
2.4 Third parties that assist us in providing its services to you
We share your personal data with third parties who assist us in providing our customer services and facilitating our communications with individuals that submit inquiries. We engage third-party service providers that perform business or operational services for us or on our behalf, including infrastructure provisioning, IT services, and administrative services. A list with complete details about the above-mentioned third-party service providers is available in Annex I of this Privacy Policy.
2.5 Third parties that provide us with Analysis Tools
We share your personal data with third parties who assist us with tools for the statistical recording and analysis of general usage behavior on the basis of access data. For more information and the complete list of these companies, please refer to clause 4 (“Analysis tools”) and Annex II of this Privacy Policy.
2.6 Competent authorities
We are under a duty to disclose your personal data in order to comply with any legal obligation or lawful request by a government or law enforcement authority, as such disclosure may be required to meet national security or law enforcement requirements, or to prevent illegal activities. Any disclosure of the personal data will be justified by the fact that the processing is necessary to fulfill a legal obligation to which we are subject in accordance with Article 6.1(c) of UK GDPR in the national legal requirements for the disclosure of data to law enforcement authorities
2.7 Legitimate Third Parties
We may disclose your personal data to third parties in order to enforce the App’s terms of use, our terms and conditions for customers or any other agreement or to respond to any claims, to protect our rights or the rights of a third party, or to protect the safety of any person or to prevent any illegal activity. Any disclosure of the personal data is justified by the fact that we have a legitimate interest in using the data in the presence of evidence of abusive behavior or to enforce our terms of use, of other conditions or legal claims to the aforementioned third parties and your rights and interests in relation to the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
2.8 New entities as a result of corporate restructuring
In the context of the further development of our business, the structure of our company may change by changing the legal form, founding, acquiring, or transferring subsidiaries, parts of companies or components. In accordance with such operations, the customer information may be shared together with the part of the company to be transferred. Each time personal data is transferred to third parties to the extent described above, we shall ensure that this transfer is done in accordance with this Privacy Policy and the UK GDPR. Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances if necessary, and your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
3. Data transfer to third countries
3.1 We may share your personal data to members of the Choco Group or third party service providers who are outside the UK or the EEA. If we provide any personal data about you to any such non-UK and non-EEA members of our group or suppliers, we will take appropriate measures to ensure that the recipient protects your personal data adequately in accordance with this Privacy Policy.
3.2 In particular, we would like to inform you that the EU-US Privacy Shield (adequacy decision) has been declared invalid and that in case of data transfers to insecure third countries (here, the USA), there is no adequate level of data protection according to EU and UK standards. In particular, there is a risk that your data may be processed by U.S. authorities, for control and for monitoring purposes, possibly also without any legal remedy.
3.3. If we provide any personal data about you to any such non-UK and non-EEA members of our group or suppliers, we will take appropriate measures to ensure that the recipient of your personal data protects it adequately in accordance with this Privacy Policy. We have concluded with service providers based in third countries, depending on the contractual constellation, either a data processing agreement according to Art. 28 of UK GDPR or a joint controllership agreement according to Art. 26 of UK GDPR, moreover, we ensure that the recipient of your personal data may adequately protect it, namely by:
(a) Ensuring that there is an adequacy decision by the UK Government in the case of transfers out of the UK, or by the European Commission in the case of transfers out of the EEA, which means that the recipient country is deemed to provide adequate protection for such personal data;
(b) Where we have in place standard model contractual arrangements with the recipient which have been approved by the European Commission or the UK Government for transfers outside the UK. These model contractual clauses include certain safeguards to protect the personal data.
3.4 In case of data processing in the context of the use of analysis tools, clause 4 of this Privacy Policy, the data processing is based on your consent which you can revoke at any time with effect for the future, Art. 49.1 (a) of UK GDPR.
4. Analysis tools
In order to improve our App and your user experience, we use tools for the statistical recording and analysis of general usage behavior on the basis of access data ("Analysis tools"). Please note that for the processing of your personal data, there is NO type of automated decision-making process, pursuant to Art. 22 of UK GDPR. Unless otherwise stated, the legal basis for the Analysis tools is your consent in accordance with Art. 6.1 (a) of UK GDPR. In the event that personal data is transferred to the USA or other third countries, your consent expressly extends to the transfer of data [Art. 49.1 (a) of UK GDPR]. The associated risks can be found in clause 3 of this Privacy Policy. For the complete list of the third-party providers of Analysis tools used by Choco, please refer to Annex II of this Privacy Policy.
5. Storage duration
We delete your personal data as soon as the purposes for which we processed it, in accordance with the preceding paragraphs, are achieved, and no statutory requirements require us to continue storing it for a longer period of time. We delete your personal data as soon as you submit to us your request for the cancellation of your user account, for the purposes for which we collected or used it in accordance with the preceding paragraphs. Please note that in case of cancellation of your user account, your personal data stored within the App will be deleted insofar as there are no statutory requirements which require us to continue storing it for a longer period of time.
6. Hyperlink
Our App contains hyperlinks to third-party websites. If these hyperlinks are activated, you will be redirected from our App directly to the websites of third-party service providers. You can recognize this, amongst other things, by the changing URL. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, nor for their compliance with the UK GDPR, which is beyond our control. Please refer directly to those websites for information about their handling of your personal data.
7. Your rights as a data subject
7.1 In accordance with Articles 15 to 21 (inclusive) and 77 of UK GDPR, as data subjects you have the following rights:
- Right of access by the data subject (Article 15 of UK GDPR)
- Right to rectification (Article 16 of UK GDPR)
- Right to erasure "right to be forgotten" (Article 17 of UK GDPR)
- Right to restriction of processing (Article 18 of UK GDPR)
- Right to data portability (Article 20 of UK GDPR)
- Right to object (Article 21 of UK GDPR)
- Right not to be subject to a decision based solely on automated processing (Article 22 of UK GDPR)
- Right to lodge a complaint with a supervisory authority (Article 77 of UK GDPR).
7.2 In case the data processing is based on your consent, you have the right to withdraw your consent at any time, in accordance with Article 7.3 of UK GDPR. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In case the data processing is based on our legitimate interest [Article 6.1(f) of UK GDPR], you have the right to object, on grounds relating to your situation, at any time.
7.3 Your requests for the assertion of data protection rights and our answers to them will be kept for documentation purposes for a period of up to three (3) years and, in individual cases, for longer periods for the establishment, exercise or defense of legal claims in accordance with Article 6.1(f) of UK GDPR, which is based on our legitimate interest in:
(i) Defending against any civil law claims pursuant to Article 82 of UK GDPR;
(ii) The avoidance of fines pursuant to Article 83 of UK GDPR; and
(iii) The fulfillment of our accountability under Article 5.2 of UK GDPR.
7.4 As a data subject you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the UK GDPR. The data protection authority responsible for Choco's processing of personal data in the UK is the Information Commissioner's Office.
8. Data Protection Officer and contact details
8.1 If you have any questions, comments or complaints about our handling of your personal data, or if you wish to exercise your data subject rights, please contact the Choco Legal Team using the following contact details: datenschutz@choco.com.
8.2 Furthermore, you are welcome to direct your data protection concerns to our Data Protection Officer by sending an email to the above-mentioned email address. Please note that emails to the above email address will not solely be received by our Data Protection Officer as this is a generic email for the Choco Legal Team. If you solely wish to contact our Data Protection Officer and/or if you wish to send confidential information, please refer to the Data Protection Officer in the subject line or body of your email and please ask for them to contact you directly to further discuss your data protection concerns.
9. Changes to this Privacy Policy
We always keep this privacy policy up to date. Therefore, we reserve the right to update or change it from time to time and to maintain these changes in the processing of your personal data.
Annex I
Third-party service providers Performing business or operational services, infrastructure provisioning, IT services, and administrative services for Choco or on Choco’s behalf.
Aircall SAS
- Address: 11 Rue Saint-Georges, 75009 Paris, France.
- Personal data processed: Username, phone number, and Email Address.
- Storage Information: The servers storing your personal data are located in the Amazon Web Services US West servers in Oregon, USA. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Amazon Web Services, Inc.
- Address: 410 Terry Avenue North, Seattle, WA 98109, United States of America.
- Personal data processed: Username, Phone number, Business Address, IP Address, Device Info, and Email Address.
- Storage Information: The servers storing your personal data are located in Ireland. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Dovetail Research Pty. Ltd.
- Address: Level 1, 276 Devonshire Street, Surry Hills, 2010, NSW, Australia.
- Personal data processed: Username, and Email address.
- Storage Information: The servers storing your personal data are located in AWS us-east-1 region located in North Virginia, United States. Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco.
Google Ireland Limited (reCAPTCHA Enterprise)
- Address: Gordon House, Barrow Street, Dublin 4, Ireland.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email Address.
- Storage Information: The servers storing your personal data are located in Dublin, Ireland. Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco. Google Ireland Limited may transfer personal data to Google Inc, their parent company in the USA.
Intercom, Inc.
- Address: 3rd Floor, Stephens Ct., 18-21 St. Stephen’s Green, Dublin 2, Ireland.
- Personal data processed: Username, Phone number, IP Address, Email Address, and Device info.
- Storage Information: The servers storing your personal data are located in the Amazon Web Services (AWS) facilities in Dublin, Ireland (eu-west-1). Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Invisible Technologies, Inc.
- Address: 548 Market Street #85820 San Francisco, CA, USA.
- Personal data processed: Username, Phone number, Email Address, Address, and Financial Info.
- Storage Information: The servers storing your personal data are within the Amazon Web Services (AWS) us-east-1 region located in North Virginia, United States, and the Google Cloud Platform facilities of Mountain View, California, USA (us-west-1). Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Lobster DATA GmbH
- Address: Hindenburgstraße 15, 82343 Pöcking, Germany.
- Personal data processed: Address, Email address, Fax Number (only when previously provided by the user), Phone number, and Username.
- Storage Information: The servers storing your personal data are located in Germany. Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco.
Salesforce.com Germany GmbH
- Address: Erika-Mann-Str. 31, 80636 Munich, Germany.
- Personal data processed: Username, Address, Phone number, and Email Address.
- Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, and Paris, France. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Sentry, owned by Functional Software, Inc.
- Address: Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, United States.
- Personal data processed: Username, Address, Device info, Email address, Phone number, and IP Address.
- Storage Information: The servers storing your personal data are located in Iowa, USA. Your Personal Data will be stored by the service provider as long as necessary for the provision of the services to Choco.
Talend Stitch Inc.
- Address: 1339 Chestnut St #1500, Philadelphia, Pennsylvania 19107, United States.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email Address.
- Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, in the AWS eu-central-1 servers. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
The Rocket Science Group LLC d/b/a Mailchimp
- Address: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 3030, United States.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email address.
- Storage Information: Mailchimp provides an email service, automation and marketing platform and other related services. The servers storing your personal data are located in the United States of America. Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco.
Annex II
The third-party providers of Analysis tools which are used by Choco are as follows:
Amplitude, Inc.
- Address: 201 3rd Street, Suite 200, San Francisco, CA 94103, United States.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email address.
- Storage Information: Personal data is logically separated using multiple techniques. All data is stored in an Amazon Web Services in the US region. We require this provider’s service for operational reasons, namely, to reach out to the users who are affected by an incident which impedes the correct functionality of the App.Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco.
Google Cloud EMEA Limited (Looker)
- Address: 70 Sir John Rogerson’s Quay, Dublin 2, Ireland.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email address.
- Storage Information: The servers storing your personal data are located in the EEA. Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco. Google Cloud EMEA Limited may transfer personal data to Google LLC, its parent company in the USA.
Google Ireland Limited (Google Analytics)
- Address: Gordon House, Barrow Street, Dublin 4, Ireland.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email address.
- Storage Information: The servers storing your personal data are located in Dublin, Ireland.Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco. Google Ireland Limited may transfer personal data to Google LLC, its parent company in the USA.
Segment.io, Inc.
- Address: 100 California St, Suite 700, San Francisco, CA 94103, United States.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email address.
- Storage Information: The servers storing your personal data are located in S3 AWS Dublin, Ireland. Your Personal Data will be stored by the service provider as long as necessary for the provision of the services to Choco.
Effective March 20, 2023 to April 21, 2023
DownloadTable of Contents
Privacy Policy for the Choco App
Preamble
This service (hereinafter "App") is provided by Choco Communications UK Ltd, a company incorporated in England and Wales with registered number 13937613 whose registered office is at 6th Floor, One London Wall, London, EC2Y 5EB, and can be contacted via email at legal@choco.com (hereinafter “Choco”, "we" or "us"), as the controller within the meaning of the applicable data protection law, namely (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018 ("DPA"); (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time; and the terms "data subject", "personal data", "processing", "processor" and "controller" shall have the meanings set out in the DPA.
The use of the services offered by Choco requires that the users register in the App or via the web interface and accept our General Terms and Conditions.
The Choco App provides its users with access to messaging and ordering services, which may allow commercial customers from the gastronomy and food sector (hereinafter the "Gastronomers") to communicate directly with their suppliers (hereinafter the "Suppliers") and place orders, which are directly received by the Suppliers and bundled in digital form without any time delay. For more detailed information about the services offered by Choco, please refer to section 4 of our General Terms and Conditions.
When you use the App, we process your personal data. Personal data means any information relating to an identified or identifiable natural person (data subject). The protection of your privacy when using the app is important to us, therefore we would like to inform you especially about the scope, the legal basis, data subject rights and the personal data which we process when you use the App.
1. Information on the processing of your personal data
Certain information is already processed automatically by Choco as soon as you use the App. The personal data that we may process are indicated in detail below:
1.1 Information collected during download
When downloading the app, Choco does not require nor collect any personal data of yours, nevertheless, we would like to inform you that certain required information might be requested by the App Store selected by you (e.g. Google Play or Apple App Store). The processing of this data, which takes place exclusively by the respective App Store, is beyond our control and we are not responsible for damages that occur to you arising from the data processing which is carried out by the App Store which you selected to download the App from.
1.2 Information collected automatically
As part of your use of the App, we automatically collect certain personal data that is necessary for the use of the App. This includes: device information, the version of your operating system, the type of device you use, your time of access, and your IP address.
This data is automatically transmitted to us and stored in our servers, in order to: (i) provide you with the Service and related features; (ii) improve the functions and performance features of the App; and (iii) prevent and to remove misuse and malfunctions of the App. Choco processes your personal data on the basis that such processing is necessary for the performance of the services foreseen in the General Terms and Conditions, between you as the data subject and us, in accordance with Article 6.1(b) of UK GDPR (regarding clause 1.2 (i) of this Privacy Policy). We also have a legitimate interest in ensuring the functionality and error-free operation of the App and being able to offer a service in line with the market and your interests. Our legitimate interest here outweighs your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR (regarding the clauses 1.2 (ii) and (iii) of this Privacy Policy).
1.3 Creation of a user account (registration) and login
1.3.1 For the creation of a user account, you are required to complete a registration form in the App and accept the General Terms and Conditions, for this purpose information marked as mandatory in the registration form shall be filled in as necessary. For your user account or log-in, we use your telephone number to grant you access to and manage your user account ("Mandatory Information"). The Mandatory information (username, telephone number, business name, and business address) is required for completing the registration form in the App, together with the acceptance of the General Terms and Conditions. If you do not provide this data, you will not be able to create a user account.
We use the mandatory information provided to authenticate you when you log in. In that case, on the login page of the App, you may indicate your telephone number and request to receive an automatic four-digit code (the “Code”), at the provided telephone number, via SMS. After you receive the Code, you will be required to promptly enter the Code on the login page of the App. We would like to inform you that the Code is temporary and has limited validity. If you do not enter the Code on the login page of the App within 60 seconds, you will need to request a new Code to complete the login authentication. Please note that you are fully responsible for the confidentiality of the Code which is strictly personal and should not be shared with unauthorized persons. The data entered by you during registration or login will be processed and used by us to: (i) verify your authorization to manage the user account; (ii) enforce the terms of use of the App and all associated rights and obligations; and (iii) send you technical or legal notices, updates, security messages or other messages concerning the administration of the user account.
The data processing of the Mandatory Information is justified by the fact that, with regards to clause 1.3.1 (i) of this Privacy Policy, the processing is necessary for the performance of the contract between you, as the data subject, and us, for the proper functioning of the App, in accordance with Article 6.1(b) of UK GDPR, or, with regard to clauses 1.3.1 (ii) and (iii) of this Privacy Policy, that we have a legitimate interest in ensuring the functionality and error-free operation of the App as well as in contacting our users concerning any information relevant to them for the use of the App. Our legitimate interest here outweighs your rights and interests in protecting your personal data within the meaning of Article 6.1(f) of UK GDPR.
1.3.2 Furthermore, you can provide the following voluntary information during the registration: email address and nickname. In addition, you can provide the following voluntary information after the registration on the App:
(a) Contact details of your Suppliers (ONLY if you are a Gastronomer): Aiming to facilitate the placing of your orders, you may provide us with the contact details of your Suppliers or you may request that we set up the account with the contact details of your Suppliers.
(b) Additional information: You have the option of uploading pictures and screenshots to the App which contain additional information to simplify the placing of your orders. Moreover, the content of the additional information which you may voluntarily share on the App may vary depending on the type of data which you voluntarily upload to the App.
In accordance with Article 6.1(a) of UK GDPR, we will process the voluntary information based on your consent which you can withdraw at any time in accordance with Article 7.3 of UK GDPR.
1.4 Use of the App
When using the App, you can enter, manage and edit various information, tasks and activities. This information includes, in particular, data related to the communications that the Gastronomers send, together with their orders, to their Suppliers which are directly received by the latter and bundled in digital form without any time delay. You can also activate the following functions:
(a) Internet access: This is required to store your entries on our servers.
(b) Camera access: This access is required for communications between Gastronomers and Suppliers which allows you to include pictures and/or screenshots to simplify the placing of your orders and store them in the App and on our servers. By granting access to your camera, you agree that Choco will have access to your pictures and media contents, thus data processing in this context is based on your consent. Furthermore, we would like to inform you that currently the pictures and/or screenshots, which you may voluntarily upload to the App, will not be automatically deleted from the App. Nevertheless, if you wish to delete your uploaded pictures and/or screenshots, you may forward your request to the Choco Legal Team, using the following email address: datenschutz@choco.com (this does not affect the general rules on the deletion of data in the event of cancellation of your user account according to clause 4 of this Privacy Policy). Please note that we cannot accept any responsibility for the content that you voluntarily upload to the App, therefore, you are fully liable for any shared additional information on the App which is not required for the purpose of processing personal data, which infringes the applicable laws and/or any third parties rights.
The processing of the above-mentioned data is based on your consent which you can withdraw at any time, in accordance with Article 7.3 of UK GDPR.
2. Disclosure and transfer of data
We transfer your personal data to recipients on the condition a legal basis exists and/ or you gave your consent to the data process. Moreover, your personal data is processed by service providers who act as data processors. Any third parties with whom we share your personal data are limited (by law and by contract) in their ability to use your personal information. We will ensure that any third parties with whom we share your personal information are subject to privacy and security obligations consistent with this Privacy Policy and applicable laws.
We transfer your data to the following recipients:
2.1 The data provided by you during registration will be passed on within the Choco Group for internal administrative purposes, including joint customer support, as far as necessary. Please note that "Choco Group" means the worldwide Choco group of companies of which Choco Communications GmbH is the parent company with its legal seat in Hasenheide 54, 10967 Berlin, Germany. The Choco Group is composed of other companies owned or controlled by Choco, present in different Member States of the European Union and the United States of America, and other companies owned by or under common ownership as Choco, which also includes our subsidiaries (i.e., any organization we own or control), particularly when we collaborate in providing the App.
The App will be hosted by Choco Communications GmbH, with its legal seat in Hasenheide 54, 10967 Berlin, Germany, and can be reached at the following email address: legal@choco.com. For this purpose, Choco Communications GmbH acts as our processor. Choco Communications GmbH will also process your personal data for its own purposes (such as analytical purposes) and as controller. The information about the data processing by Choco Communications GmbH can be found here.
2.2 We may share your personal data with our business partners, such as Gastronomers or Suppliers and delivery partners, as well as third parties with whom we partner to provide contests, joint promotional activities or co-branded services, and such disclosure is necessary to fulfill requests or applications.
2.3 Please note, that if you are using the App in connection with your role as an employee or contractor of a company or other legal entity, we may share your information with such entity.
2.4 We share your personal data with third parties who assist us in providing our customer services and facilitating our communications with individuals that submit inquiries. We engage third-party service providers that perform business or operational services for us or on our behalf, including infrastructure provisioning, IT services, and administrative services. A list with complete details about the above-mentioned third-party service providers is available within Annex I of this Privacy Policy.
2.5 We are under a duty to disclose or share your personal data in order to comply with any legal obligation, any lawful request from government or law enforcement officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity. Any disclosure of the personal data is justified by the fact that the processing is necessary to fulfill a legal obligation to which we are subject in accordance with Article 6.1(c) of UK GDPR in the national legal requirements for the disclosure of data to law enforcement authorities
2.6 We may disclose your personal data to third parties in order to enforce the App’s terms of use, our terms and conditions for customers or any other agreement or to respond to any claims, to protect our rights or the rights of a third party, or to protect the safety of any person or to prevent any illegal activity. Any disclosure of the personal data is justified by the fact that we have a legitimate interest in using the data in the presence of evidence of abusive behavior or to enforce our terms of use, of other conditions or legal claims to the aforementioned third parties and your rights and interests in relation to the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
2.7 In the context of the further development of our business, the structure of our company may change by changing the legal form, founding, acquiring, or transferring subsidiaries, parts of companies or components. In accordance with such operations, the customer information may be shared together with the part of the company to be transferred. Each time personal data is transferred to third parties to the extent described above, we shall ensure that this transfer is done in accordance with this Privacy Policy and UK GDPR. Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances if necessary and your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
3. Data transfer to third countries
We may share your personal data to members of the Choco Group or third party service providers who are outside the UK or the EEA. If we provide any personal data about you to any such non-UK and non-EEA members of our group or suppliers, we will take appropriate measures to ensure that the recipient protects your personal data adequately in accordance with this Privacy Policy. In particular, we would like to inform you that the EU-US Privacy Shield (adequacy decision) has been declared invalid and that in case of data transfers to insecure third countries (here, the USA), there is no adequate level of data protection according to EU and UK standards. The measures we take to ensure the recipient of your personal data protects it adequately may include:
(a) Ensuring that there is an adequacy decision by the UK Government in the case of transfers out of the UK, or by the European Commission in the case of transfers out of the EEA, which means that the recipient country is deemed to provide adequate protection for such personal data;
(b) Where we have in place standard model contractual arrangements with the recipient which have been approved by the European Commission or the UK Government for transfers outside the UK. These model contractual clauses include certain safeguards to protect the personal data.
4. Storage duration
We delete your personal data as soon as the purposes for which we collected or processed it, in accordance with the preceding paragraphs, are achieved, and no statutory requirements require us to continue storing it for a longer period of time. We delete your personal data as soon as you submit to us your request for the cancellation of your user account, for the purposes for which we collected or used it in accordance with the preceding paragraphs. Please note that in case of cancellation of your user account, your personal data stored within the App will be deleted insofar as there are no statutory requirements which require us to continue storing it for a longer period of time.
5. Hyperlink
Our App contains hyperlinks to the websites of other providers. If these hyperlinks are activated, you will be redirected from our App directly to the website of the other providers. You can recognize this, amongst other things, by the URL changing. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, as we have no influence on the fact that these companies comply with UK GDPR. Please inform yourself about the handling of your personal data by these companies directly on these websites.
6. Your rights as a data subject
6.1 In accordance with Articles 15 to 21 (inclusive) and 77 of UK GDPR, as data subjects you have the following rights:
- Right of access by the data subject (Article 15 of UK GDPR)
- Right to rectification (Article 16 of UK GDPR)
- Right to erasure ('right to be forgotten') (Article 17 of UK GDPR)
- Right to restriction of processing (Article 18 of UK GDPR)
- Right to data portability (Article 20 of UK GDPR)
- Right to object (Article 21 of UK GDPR)
- Right not to be subject to a decision based solely on automated processing (Article 22 of UK GDPR)
- Right to lodge a complaint with a supervisory authority (Article 77 of UK GDPR).
6.2 In case the data processing is based on your consent, you have the right to withdraw your consent at any time, in accordance with Article 7.3 of UK GDPR. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In case the data processing is based on our legitimate interest (Article 6.1(f) of UK GDPR), you have the right to object, on grounds relating to your situation, at any time.
6.3 Your requests for the assertion of data protection rights and our answers to them will be kept for documentation purposes for a period of up to three (3) years and, in individual cases, for longer periods for the establishment, exercise or defense of legal claims in accordance with Article 6.1(f) of UK GDPR, which is based on our legitimate interest in: (i) defending against any civil law claims pursuant to Article 82 of UK GDPR, (ii) the avoidance of fines pursuant to Article 83 of UK GDPR and (iii) the fulfillment of our accountability under Article 5.2 of UK GDPR.
6.4 As a data subject you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the UK GDPR. The data protection authority responsible for Choco's processing of personal data in the UK is the Information Commissioner's Office.
7. Data Protection Officer and contact details
7.1 If you have any questions, comments or complaints about our handling of your personal data, or if you wish to exercise your data subject rights, please contact the Choco Legal Team using the following contact details: datenschutz@choco.com.
7.2 Furthermore, you are welcome to direct your data protection concerns to our Data Protection Officer by sending an email to the above-mentioned email address. Please note that emails to the above email address will not solely be received by our Data Protection Officer as this is a generic email for the Choco Legal Team. If you solely wish to contact our Data Protection Officer and/or if you wish to send confidential information, please refer to the Data Protection Officer in the subject line or body of your email and please ask for them to contact you directly to further discuss your data protection concerns.
8. Changes to this Privacy Policy
We always keep this privacy policy up to date. Therefore, we reserve the right to update or change it from time to time and to maintain these changes in the collection, processing or use of your data.
Annex I
Third-party service providers
Performing business or operational services, infrastructure provisioning, IT services, and administrative services for Choco or on Choco’s behalf:
Aircall SAS
- Address: 11 Rue Saint-Georges,75009 Paris, France.
- Personal data processed: Username, phone number, and Email Address.
- Storage Information: The servers storing your personal data are located in the Amazon Web Services US West servers in Oregon, USA. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Amazon Web Services, Inc.
- Address: 410 Terry Avenue North, Seattle, WA 98109, United States of America.
- Personal data processed: Username, Phone number, Business Address, IP Address, Device Info, and Email Address.
- Storage Information: The servers storing your personal data are located in Ireland. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Google Ireland Limited (reCAPTCHA Enterprise)
- Address: Gordon House, Barrow Street, Dublin 4, Ireland.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email Address.
- Storage Information: The servers storing your personal data are located in Dublin, Ireland. Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco. Google Ireland Limited may transfer personal data to Google Inc, their parent company in the USA.
Intercom, Inc.
- Address: 3rd Floor, Stephens Ct., 18-21 St. Stephen’s Green, Dublin 2, Ireland.
- Personal data processed: Username, Phone number, IP Address, Email Address, and Device info.
- Storage Information: The servers storing your personal data are located in the Amazon Web Services (AWS) facilities in Dublin, Ireland (eu-west-1). Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Invisible Technologies, Inc.
- Address: 548 Market Street #85820 San Francisco, CA, USA.
- Personal data processed: Username, Phone number, Email Address, Address, and Financial Info.
- Storage Information: The servers storing your personal data are within the Amazon Web Services (AWS) us-east-1 region located in North Virginia, United States, and the Google Cloud Platform facilities of Mountain View, California, USA (us-west-1). Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Salesforce.com Germany GmbH
- Address: Erika-Mann-Str. 31, 80636 Munich, Germany.
- Personal data processed: Username, Phone number, Email Address, User Data regarding Physical, Social and Cultural identity.
- Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, and Paris, France. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Talend Stitch Inc.
- Address: 1339 Chestnut St #1500, Philadelphia, Pennsylvania 19107, United States.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email Address.
- Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, in the AWS eu-central-1 servers. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services
Effective March 20, 2023 to March 20, 2023
DownloadTable of Contents
Privacy Policy for the Choco App
Preamble
This service (hereinafter "App") is provided by Choco Communications UK Ltd, a company incorporated in England and Wales with registered number 13937613 whose registered office is at 6th Floor, One London Wall, London, EC2Y 5EB, and can be contacted via email at legal@choco.com (hereinafter “Choco”, "we" or "us"), as the controller within the meaning of the applicable data protection law, namely (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018 ("DPA"); (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time; and the terms "data subject", "personal data", "processing", "processor" and "controller" shall have the meanings set out in the DPA.
The use of the services offered by Choco requires that the users register in the App or via the web interface and accept our General Terms and Conditions.
The Choco App provides its users with access to messaging and ordering services, which may allow commercial customers from the gastronomy and food sector (hereinafter the "Gastronomers") to communicate directly with their suppliers (hereinafter the "Suppliers") and place orders, which are directly received by the Suppliers and bundled in digital form without any time delay. For more detailed information about the services offered by Choco, please refer to section 4 of our General Terms and Conditions.
When you use the App, we process your personal data. Personal data means any information relating to an identified or identifiable natural person (data subject). The protection of your privacy when using the app is important to us, therefore we would like to inform you especially about the scope, the legal basis, data subject rights and the personal data which we process when you use the App.
1. Information on the processing of your personal data
Certain information is already processed automatically by Choco as soon as you use the App. The personal data that we may process are indicated in detail below:
1.1 Information collected during download
When downloading the app, Choco does not require nor collect any personal data of yours, nevertheless, we would like to inform you that certain required information might be requested by the App Store selected by you (e.g. Google Play or Apple App Store). The processing of this data, which takes place exclusively by the respective App Store, is beyond our control and we are not responsible for damages that occur to you arising from the data processing which is carried out by the App Store which you selected to download the App from.
1.2 Information collected automatically
As part of your use of the App, we automatically collect certain personal data that is necessary for the use of the App. This includes: device information, the version of your operating system, the type of device you use, your time of access, and your IP address.
This data is automatically transmitted to us and stored in our servers, in order to: (i) provide you with the Service and related features; (ii) improve the functions and performance features of the App; and (iii) prevent and to remove misuse and malfunctions of the App. Choco processes your personal data on the basis that such processing is necessary for the performance of the services foreseen in the General Terms and Conditions, between you as the data subject and us, in accordance with Article 6.1(b) of UK GDPR (regarding clause 1.2 (i) of this Privacy Policy). We also have a legitimate interest in ensuring the functionality and error-free operation of the App and being able to offer a service in line with the market and your interests. Our legitimate interest here outweighs your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR (regarding the clauses 1.2 (ii) and (iii) of this Privacy Policy).
1.3 Creation of a user account (registration) and login
1.3.1 For the creation of a user account, you are required to complete a registration form in the App and accept the General Terms and Conditions, for this purpose information marked as mandatory in the registration form shall be filled in as necessary. For your user account or log-in, we use your telephone number to grant you access to and manage your user account ("Mandatory Information"). The Mandatory information (username, telephone number, business name, and business address) is required for completing the registration form in the App, together with the acceptance of the General Terms and Conditions. If you do not provide this data, you will not be able to create a user account.
We use the mandatory information provided to authenticate you when you log in. In that case, on the login page of the App, you may indicate your telephone number and request to receive an automatic four-digit code (the “Code”), at the provided telephone number, via SMS. After you receive the Code, you will be required to promptly enter the Code on the login page of the App. We would like to inform you that the Code is temporary and has limited validity. If you do not enter the Code on the login page of the App within 60 seconds, you will need to request a new Code to complete the login authentication. Please note that you are fully responsible for the confidentiality of the Code which is strictly personal and should not be shared with unauthorized persons. The data entered by you during registration or login will be processed and used by us to: (i) verify your authorization to manage the user account; (ii) enforce the terms of use of the App and all associated rights and obligations; and (iii) send you technical or legal notices, updates, security messages or other messages concerning the administration of the user account.
The data processing of the Mandatory Information is justified by the fact that, with regards to clause 1.3.1 (i) of this Privacy Policy, the processing is necessary for the performance of the contract between you, as the data subject, and us, for the proper functioning of the App, in accordance with Article 6.1(b) of UK GDPR, or, with regard to clauses 1.3.1 (ii) and (iii) of this Privacy Policy, that we have a legitimate interest in ensuring the functionality and error-free operation of the App as well as in contacting our users concerning any information relevant to them for the use of the App. Our legitimate interest here outweighs your rights and interests in protecting your personal data within the meaning of Article 6.1(f) of UK GDPR.
1.3.2 Furthermore, you can provide the following voluntary information during the registration: email address and nickname. In addition, you can provide the following voluntary information after the registration on the App:
(a) Contact details of your Suppliers (ONLY if you are a Gastronomer): Aiming to facilitate the placing of your orders, you may provide us with the contact details of your Suppliers or you may request that we set up the account with the contact details of your Suppliers.
(b) Additional information: You have the option of uploading pictures and screenshots to the App which contain additional information to simplify the placing of your orders. Moreover, the content of the additional information which you may voluntarily share on the App may vary depending on the type of data which you voluntarily upload to the App.
In accordance with Article 6.1(a) of UK GDPR, we will process the voluntary information based on your consent which you can withdraw at any time in accordance with Article 7.3 of UK GDPR.
1.4 Use of the App
When using the App, you can enter, manage and edit various information, tasks and activities. This information includes, in particular, data related to the communications that the Gastronomers send, together with their orders, to their Suppliers which are directly received by the latter and bundled in digital form without any time delay. You can also activate the following functions:
(a) Internet access: This is required to store your entries on our servers.
(b) Camera access: This access is required for communications between Gastronomers and Suppliers which allows you to include pictures and/or screenshots to simplify the placing of your orders and store them in the App and on our servers. By granting access to your camera, you agree that Choco will have access to your pictures and media contents, thus data processing in this context is based on your consent. Furthermore, we would like to inform you that currently the pictures and/or screenshots, which you may voluntarily upload to the App, will not be automatically deleted from the App. Nevertheless, if you wish to delete your uploaded pictures and/or screenshots, you may forward your request to the Choco Legal Team, using the following email address: datenschutz@choco.com (this does not affect the general rules on the deletion of data in the event of cancellation of your user account according to clause 4 of this Privacy Policy). Please note that we cannot accept any responsibility for the content that you voluntarily upload to the App, therefore, you are fully liable for any shared additional information on the App which is not required for the purpose of processing personal data, which infringes the applicable laws and/or any third parties rights.
The processing of the above-mentioned data is based on your consent which you can withdraw at any time, in accordance with Article 7.3 of UK GDPR.
2. Disclosure and transfer of data
We transfer your personal data to recipients on the condition a legal basis exists and/ or you gave your consent to the data process. Moreover, your personal data is processed by service providers who act as data processors. Any third parties with whom we share your personal data are limited (by law and by contract) in their ability to use your personal information. We will ensure that any third parties with whom we share your personal information are subject to privacy and security obligations consistent with this Privacy Policy and applicable laws.
We transfer your data to the following recipients:
2.1 The data provided by you during registration will be passed on within the Choco Group for internal administrative purposes, including joint customer support, as far as necessary. Please note that "Choco Group" means the worldwide Choco group of companies of which Choco Communications GmbH is the parent company with its legal seat in Hasenheide 54, 10967 Berlin, Germany. The Choco Group is composed of other companies owned or controlled by Choco, present in different Member States of the European Union and the United States of America, and other companies owned by or under common ownership as Choco, which also includes our subsidiaries (i.e., any organization we own or control), particularly when we collaborate in providing the App.
The App will be hosted by Choco Communications GmbH, with its legal seat in Hasenheide 54, 10967 Berlin, Germany, and can be reached at the following email address: legal@choco.com. For this purpose, Choco Communications GmbH acts as our processor. Choco Communications GmbH will also process your personal data for its own purposes (such as analytical purposes) and as controller. The information about the data processing by Choco Communications GmbH can be found here.
2.2 We may share your personal data with our business partners, such as Gastronomers or Suppliers and delivery partners, as well as third parties with whom we partner to provide contests, joint promotional activities or co-branded services, and such disclosure is necessary to fulfill requests or applications.
2.3 Please note, that if you are using the App in connection with your role as an employee or contractor of a company or other legal entity, we may share your information with such entity.
2.4 We share your personal data with third parties who assist us in providing our customer services and facilitating our communications with individuals that submit inquiries. We engage third-party service providers that perform business or operational services for us or on our behalf, including infrastructure provisioning, IT services, and administrative services. A list with complete details about the above-mentioned third-party service providers is available within Annex I of this Privacy Policy.
2.5 We are under a duty to disclose or share your personal data in order to comply with any legal obligation, any lawful request from government or law enforcement officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity. Any disclosure of the personal data is justified by the fact that the processing is necessary to fulfill a legal obligation to which we are subject in accordance with Article 6.1(c) of UK GDPR in the national legal requirements for the disclosure of data to law enforcement authorities
2.6 We may disclose your personal data to third parties in order to enforce the App’s terms of use, our terms and conditions for customers or any other agreement or to respond to any claims, to protect our rights or the rights of a third party, or to protect the safety of any person or to prevent any illegal activity. Any disclosure of the personal data is justified by the fact that we have a legitimate interest in using the data in the presence of evidence of abusive behavior or to enforce our terms of use, of other conditions or legal claims to the aforementioned third parties and your rights and interests in relation to the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
2.7 In the context of the further development of our business, the structure of our company may change by changing the legal form, founding, acquiring, or transferring subsidiaries, parts of companies or components. In accordance with such operations, the customer information may be shared together with the part of the company to be transferred. Each time personal data is transferred to third parties to the extent described above, we shall ensure that this transfer is done in accordance with this Privacy Policy and UK GDPR. Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances if necessary and your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
3. Data transfer to third countries
We may share your personal data to members of the Choco Group or third party service providers who are outside the UK or the EEA. If we provide any personal data about you to any such non-UK and non-EEA members of our group or suppliers, we will take appropriate measures to ensure that the recipient protects your personal data adequately in accordance with this Privacy Policy. In particular, we would like to inform you that the EU-US Privacy Shield (adequacy decision) has been declared invalid and that in case of data transfers to insecure third countries (here, the USA), there is no adequate level of data protection according to EU and UK standards. The measures we take to ensure the recipient of your personal data protects it adequately may include:
(a) Ensuring that there is an adequacy decision by the UK Government in the case of transfers out of the UK, or by the European Commission in the case of transfers out of the EEA, which means that the recipient country is deemed to provide adequate protection for such personal data;
(b) Where we have in place standard model contractual arrangements with the recipient which have been approved by the European Commission or the UK Government for transfers outside the UK. These model contractual clauses include certain safeguards to protect the personal data.
4. Storage duration
We delete your personal data as soon as the purposes for which we collected or processed it, in accordance with the preceding paragraphs, are achieved, and no statutory requirements require us to continue storing it for a longer period of time. We delete your personal data as soon as you submit to us your request for the cancellation of your user account, for the purposes for which we collected or used it in accordance with the preceding paragraphs. Please note that in case of cancellation of your user account, your personal data stored within the App will be deleted insofar as there are no statutory requirements which require us to continue storing it for a longer period of time.
5. Hyperlink
Our App contains hyperlinks to the websites of other providers. If these hyperlinks are activated, you will be redirected from our App directly to the website of the other providers. You can recognize this, amongst other things, by the URL changing. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, as we have no influence on the fact that these companies comply with UK GDPR. Please inform yourself about the handling of your personal data by these companies directly on these websites.
6. Your rights as a data subject
6.1 In accordance with Articles 15 to 21 (inclusive) and 77 of UK GDPR, as data subjects you have the following rights:
- Right of access by the data subject (Article 15 of UK GDPR)
- Right to rectification (Article 16 of UK GDPR)
- Right to erasure ('right to be forgotten') (Article 17 of UK GDPR)
- Right to restriction of processing (Article 18 of UK GDPR)
- Right to data portability (Article 20 of UK GDPR)
- Right to object (Article 21 of UK GDPR)
- Right not to be subject to a decision based solely on automated processing (Article 22 of UK GDPR)
- Right to lodge a complaint with a supervisory authority (Article 77 of UK GDPR).
6.2 In case the data processing is based on your consent, you have the right to withdraw your consent at any time, in accordance with Article 7.3 of UK GDPR. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In case the data processing is based on our legitimate interest (Article 6.1(f) of UK GDPR), you have the right to object, on grounds relating to your situation, at any time.
6.3 Your requests for the assertion of data protection rights and our answers to them will be kept for documentation purposes for a period of up to three (3) years and, in individual cases, for longer periods for the establishment, exercise or defense of legal claims in accordance with Article 6.1(f) of UK GDPR, which is based on our legitimate interest in: (i) defending against any civil law claims pursuant to Article 82 of UK GDPR, (ii) the avoidance of fines pursuant to Article 83 of UK GDPR and (iii) the fulfillment of our accountability under Article 5.2 of UK GDPR.
6.4 As a data subject you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the UK GDPR. The data protection authority responsible for Choco's processing of personal data in the UK is the Information Commissioner's Office.
7. Data Protection Officer and contact details
7.1 If you have any questions, comments or complaints about our handling of your personal data, or if you wish to exercise your data subject rights, please contact the Choco Legal Team using the following contact details: datenschutz@choco.com.
7.2 Furthermore, you are welcome to direct your data protection concerns to our Data Protection Officer by sending an email to the above-mentioned email address. Please note that emails to the above email address will not solely be received by our Data Protection Officer as this is a generic email for the Choco Legal Team. If you solely wish to contact our Data Protection Officer and/or if you wish to send confidential information, please refer to the Data Protection Officer in the subject line or body of your email and please ask for them to contact you directly to further discuss your data protection concerns.
8. Changes to this Privacy Policy
We always keep this privacy policy up to date. Therefore, we reserve the right to update or change it from time to time and to maintain these changes in the collection, processing or use of your data.
Annex I
Third-party service providers
Performing business or operational services, infrastructure provisioning, IT services, and administrative services for Choco or on Choco’s behalf:
Aircall SAS
- Address: 11 Rue Saint-Georges,75009 Paris, France.
- Personal data processed: Username, phone number, and Email Address.
- Storage Information: The servers storing your personal data are located in the Amazon Web Services US West servers in Oregon, USA. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Amazon Web Services, Inc.
- Address: 410 Terry Avenue North, Seattle, WA 98109, United States of America.
- Personal data processed: Username, Phone number, Business Address, IP Address, Device Info, and Email Address.
- Storage Information: The servers storing your personal data are located in Ireland. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Google Ireland Limited (reCAPTCHA Enterprise)
- Address: Gordon House, Barrow Street, Dublin 4, Ireland.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email Address.
- Storage Information: The servers storing your personal data are located in Dublin, Ireland. Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco. Google Ireland Limited may transfer personal data to Google Inc, their parent company in the USA.
Intercom, Inc.
- Address: 3rd Floor, Stephens Ct., 18-21 St. Stephen’s Green, Dublin 2, Ireland.
- Personal data processed: Username, Phone number, IP Address, Email Address, and Device info.
- Storage Information: The servers storing your personal data are located in the Amazon Web Services (AWS) facilities in Dublin, Ireland (eu-west-1). Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Invisible Technologies, Inc.
- Address: 548 Market Street #85820 San Francisco, CA, USA.
- Personal data processed: Username, Phone number, Email Address, Address, and Financial Info.
- Storage Information: The servers storing your personal data are within the Amazon Web Services (AWS) us-east-1 region located in North Virginia, United States, and the Google Cloud Platform facilities of Mountain View, California, USA (us-west-1). Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Salesforce.com Germany GmbH
- Address: Erika-Mann-Str. 31, 80636 Munich, Germany.
- Personal data processed: Username, Phone number, Email Address, User Data regarding Physical, Social and Cultural identity.
- Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, and Paris, France. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Talend Stitch Inc.
- Address: 1339 Chestnut St #1500, Philadelphia, Pennsylvania 19107, United States.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email Address.
- Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, in the AWS eu-central-1 servers. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services
Effective March 20, 2023 to March 20, 2023
DownloadTable of Contents
Privacy Policy for the Choco App
Preamble
This service (hereinafter "App") is provided by Choco Communications UK Ltd, a company incorporated in England and Wales with registered number 13937613 whose registered office is at 6th Floor, One London Wall, London, EC2Y 5EB, and can be contacted via email at legal@choco.com (hereinafter “Choco”, "we" or "us"), as the controller within the meaning of the applicable data protection law, namely (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018 ("DPA"); (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time; and the terms "data subject", "personal data", "processing", "processor" and "controller" shall have the meanings set out in the DPA.
The use of the services offered by Choco requires that the users register in the App or via the web interface and accept our General Terms and Conditions.
The Choco App provides its users with access to messaging and ordering services, which may allow commercial customers from the gastronomy and food sector (hereinafter the "Gastronomers") to communicate directly with their suppliers (hereinafter the "Suppliers") and place orders, which are directly received by the Suppliers and bundled in digital form without any time delay. For more detailed information about the services offered by Choco, please refer to section 4 of our General Terms and Conditions.
When you use the App, we process your personal data. Personal data means any information relating to an identified or identifiable natural person (data subject). The protection of your privacy when using the app is important to us, therefore we would like to inform you especially about the scope, the legal basis, data subject rights and the personal data which we process when you use the App.
1. Information on the processing of your personal data
Certain information is already processed automatically by Choco as soon as you use the App. The personal data that we may process are indicated in detail below:
1.1 Information collected during download
When downloading the app, Choco does not require nor collect any personal data of yours, nevertheless, we would like to inform you that certain required information might be requested by the App Store selected by you (e.g. Google Play or Apple App Store). The processing of this data, which takes place exclusively by the respective App Store, is beyond our control and we are not responsible for damages that occur to you arising from the data processing which is carried out by the App Store which you selected to download the App from.
1.2 Information collected automatically
As part of your use of the App, we automatically collect certain personal data that is necessary for the use of the App. This includes: device information, the version of your operating system, the type of device you use, your time of access, and your IP address.
This data is automatically transmitted to us and stored in our servers, in order to: (i) provide you with the Service and related features; (ii) improve the functions and performance features of the App; and (iii) prevent and to remove misuse and malfunctions of the App. Choco processes your personal data on the basis that such processing is necessary for the performance of the services foreseen in the General Terms and Conditions, between you as the data subject and us, in accordance with Article 6.1(b) of UK GDPR (regarding clause 1.2 (i) of this Privacy Policy). We also have a legitimate interest in ensuring the functionality and error-free operation of the App and being able to offer a service in line with the market and your interests. Our legitimate interest here outweighs your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR (regarding the clauses 1.2 (ii) and (iii) of this Privacy Policy).
1.3 Creation of a user account (registration) and login
1.3.1 For the creation of a user account, you are required to complete a registration form in the App and accept the General Terms and Conditions, for this purpose information marked as mandatory in the registration form shall be filled in as necessary. For your user account or log-in, we use your telephone number to grant you access to and manage your user account ("Mandatory Information"). The Mandatory information (username, telephone number, business name, and business address) is required for completing the registration form in the App, together with the acceptance of the General Terms and Conditions. If you do not provide this data, you will not be able to create a user account.
We use the mandatory information provided to authenticate you when you log in. In that case, on the login page of the App, you may indicate your telephone number and request to receive an automatic four-digit code (the “Code”), at the provided telephone number, via SMS. After you receive the Code, you will be required to promptly enter the Code on the login page of the App. We would like to inform you that the Code is temporary and has limited validity. If you do not enter the Code on the login page of the App within 60 seconds, you will need to request a new Code to complete the login authentication. Please note that you are fully responsible for the confidentiality of the Code which is strictly personal and should not be shared with unauthorized persons. The data entered by you during registration or login will be processed and used by us to: (i) verify your authorization to manage the user account; (ii) enforce the terms of use of the App and all associated rights and obligations; and (iii) send you technical or legal notices, updates, security messages or other messages concerning the administration of the user account.
The data processing of the Mandatory Information is justified by the fact that, with regards to clause 1.3.1 (i) of this Privacy Policy, the processing is necessary for the performance of the contract between you, as the data subject, and us, for the proper functioning of the App, in accordance with Article 6.1(b) of UK GDPR, or, with regard to clauses 1.3.1 (ii) and (iii) of this Privacy Policy, that we have a legitimate interest in ensuring the functionality and error-free operation of the App as well as in contacting our users concerning any information relevant to them for the use of the App. Our legitimate interest here outweighs your rights and interests in protecting your personal data within the meaning of Article 6.1(f) of UK GDPR.
1.3.2 Furthermore, you can provide the following voluntary information during the registration: email address and nickname. In addition, you can provide the following voluntary information after the registration on the App:
(a) Contact details of your Suppliers (ONLY if you are a Gastronomer): Aiming to facilitate the placing of your orders, you may provide us with the contact details of your Suppliers or you may request that we set up the account with the contact details of your Suppliers.
(b) Additional information: You have the option of uploading pictures and screenshots to the App which contain additional information to simplify the placing of your orders. Moreover, the content of the additional information which you may voluntarily share on the App may vary depending on the type of data which you voluntarily upload to the App.
In accordance with Article 6.1(a) of UK GDPR, we will process the voluntary information based on your consent which you can withdraw at any time in accordance with Article 7.3 of UK GDPR.
1.4 Use of the App
When using the App, you can enter, manage and edit various information, tasks and activities. This information includes, in particular, data related to the communications that the Gastronomers send, together with their orders, to their Suppliers which are directly received by the latter and bundled in digital form without any time delay. You can also activate the following functions:
(a) Internet access: This is required to store your entries on our servers.
(b) Camera access: This access is required for communications between Gastronomers and Suppliers which allows you to include pictures and/or screenshots to simplify the placing of your orders and store them in the App and on our servers. By granting access to your camera, you agree that Choco will have access to your pictures and media contents, thus data processing in this context is based on your consent. Furthermore, we would like to inform you that currently the pictures and/or screenshots, which you may voluntarily upload to the App, will not be automatically deleted from the App. Nevertheless, if you wish to delete your uploaded pictures and/or screenshots, you may forward your request to the Choco Legal Team, using the following email address: datenschutz@choco.com (this does not affect the general rules on the deletion of data in the event of cancellation of your user account according to clause 4 of this Privacy Policy). Please note that we cannot accept any responsibility for the content that you voluntarily upload to the App, therefore, you are fully liable for any shared additional information on the App which is not required for the purpose of processing personal data, which infringes the applicable laws and/or any third parties rights.
The processing of the above-mentioned data is based on your consent which you can withdraw at any time, in accordance with Article 7.3 of UK GDPR.
2. Disclosure and transfer of data
We transfer your personal data to recipients on the condition a legal basis exists and/ or you gave your consent to the data process. Moreover, your personal data is processed by service providers who act as data processors. Any third parties with whom we share your personal data are limited (by law and by contract) in their ability to use your personal information. We will ensure that any third parties with whom we share your personal information are subject to privacy and security obligations consistent with this Privacy Policy and applicable laws.
We transfer your data to the following recipients:
2.1 The data provided by you during registration will be passed on within the Choco Group for internal administrative purposes, including joint customer support, as far as necessary. Please note that "Choco Group" means the worldwide Choco group of companies of which Choco Communications GmbH is the parent company with its legal seat in Hasenheide 54, 10967 Berlin, Germany. The Choco Group is composed of other companies owned or controlled by Choco, present in different Member States of the European Union and the United States of America, and other companies owned by or under common ownership as Choco, which also includes our subsidiaries (i.e., any organization we own or control), particularly when we collaborate in providing the App.
The App will be hosted by Choco Communications GmbH, with its legal seat in Hasenheide 54, 10967 Berlin, Germany, and can be reached at the following email address: legal@choco.com. For this purpose, Choco Communications GmbH acts as our processor. Choco Communications GmbH will also process your personal data for its own purposes (such as analytical purposes) and as controller. The information about the data processing by Choco Communications GmbH can be found here.
2.2 We may share your personal data with our business partners, such as Gastronomers or Suppliers and delivery partners, as well as third parties with whom we partner to provide contests, joint promotional activities or co-branded services, and such disclosure is necessary to fulfill requests or applications.
2.3 Please note, that if you are using the App in connection with your role as an employee or contractor of a company or other legal entity, we may share your information with such entity.
2.4 We share your personal data with third parties who assist us in providing our customer services and facilitating our communications with individuals that submit inquiries. We engage third-party service providers that perform business or operational services for us or on our behalf, including infrastructure provisioning, IT services, and administrative services. A list with complete details about the above-mentioned third-party service providers is available within Annex I of this Privacy Policy.
2.5 We are under a duty to disclose or share your personal data in order to comply with any legal obligation, any lawful request from government or law enforcement officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity. Any disclosure of the personal data is justified by the fact that the processing is necessary to fulfill a legal obligation to which we are subject in accordance with Article 6.1(c) of UK GDPR in the national legal requirements for the disclosure of data to law enforcement authorities
2.6 We may disclose your personal data to third parties in order to enforce the App’s terms of use, our terms and conditions for customers or any other agreement or to respond to any claims, to protect our rights or the rights of a third party, or to protect the safety of any person or to prevent any illegal activity. Any disclosure of the personal data is justified by the fact that we have a legitimate interest in using the data in the presence of evidence of abusive behavior or to enforce our terms of use, of other conditions or legal claims to the aforementioned third parties and your rights and interests in relation to the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
2.7 In the context of the further development of our business, the structure of our company may change by changing the legal form, founding, acquiring, or transferring subsidiaries, parts of companies or components. In accordance with such operations, the customer information may be shared together with the part of the company to be transferred. Each time personal data is transferred to third parties to the extent described above, we shall ensure that this transfer is done in accordance with this Privacy Policy and UK GDPR. Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances if necessary and your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
3. Data transfer to third countries
We may share your personal data to members of the Choco Group or third party service providers who are outside the UK or the EEA. If we provide any personal data about you to any such non-UK and non-EEA members of our group or suppliers, we will take appropriate measures to ensure that the recipient protects your personal data adequately in accordance with this Privacy Policy. In particular, we would like to inform you that the EU-US Privacy Shield (adequacy decision) has been declared invalid and that in case of data transfers to insecure third countries (here, the USA), there is no adequate level of data protection according to EU and UK standards. The measures we take to ensure the recipient of your personal data protects it adequately may include:
(a) Ensuring that there is an adequacy decision by the UK Government in the case of transfers out of the UK, or by the European Commission in the case of transfers out of the EEA, which means that the recipient country is deemed to provide adequate protection for such personal data;
(b) Where we have in place standard model contractual arrangements with the recipient which have been approved by the European Commission or the UK Government for transfers outside the UK. These model contractual clauses include certain safeguards to protect the personal data.
4. Storage duration
We delete your personal data as soon as the purposes for which we collected or processed it, in accordance with the preceding paragraphs, are achieved, and no statutory requirements require us to continue storing it for a longer period of time. We delete your personal data as soon as you submit to us your request for the cancellation of your user account, for the purposes for which we collected or used it in accordance with the preceding paragraphs. Please note that in case of cancellation of your user account, your personal data stored within the App will be deleted insofar as there are no statutory requirements which require us to continue storing it for a longer period of time.
5. Hyperlink
Our App contains hyperlinks to the websites of other providers. If these hyperlinks are activated, you will be redirected from our App directly to the website of the other providers. You can recognize this, amongst other things, by the URL changing. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, as we have no influence on the fact that these companies comply with UK GDPR. Please inform yourself about the handling of your personal data by these companies directly on these websites.
6. Your rights as a data subject
6.1 In accordance with Articles 15 to 21 (inclusive) and 77 of UK GDPR, as data subjects you have the following rights:
- Right of access by the data subject (Article 15 of UK GDPR)
- Right to rectification (Article 16 of UK GDPR)
- Right to erasure ('right to be forgotten') (Article 17 of UK GDPR)
- Right to restriction of processing (Article 18 of UK GDPR)
- Right to data portability (Article 20 of UK GDPR)
- Right to object (Article 21 of UK GDPR)
- Right not to be subject to a decision based solely on automated processing (Article 22 of UK GDPR)
- Right to lodge a complaint with a supervisory authority (Article 77 of UK GDPR).
6.2 In case the data processing is based on your consent, you have the right to withdraw your consent at any time, in accordance with Article 7.3 of UK GDPR. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In case the data processing is based on our legitimate interest (Article 6.1(f) of UK GDPR), you have the right to object, on grounds relating to your situation, at any time.
6.3 Your requests for the assertion of data protection rights and our answers to them will be kept for documentation purposes for a period of up to three (3) years and, in individual cases, for longer periods for the establishment, exercise or defense of legal claims in accordance with Article 6.1(f) of UK GDPR, which is based on our legitimate interest in: (i) defending against any civil law claims pursuant to Article 82 of UK GDPR, (ii) the avoidance of fines pursuant to Article 83 of UK GDPR and (iii) the fulfillment of our accountability under Article 5.2 of UK GDPR.
6.4 As a data subject you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the UK GDPR. The data protection authority responsible for Choco's processing of personal data in the UK is the Information Commissioner's Office.
7. Data Protection Officer and contact details
7.1 If you have any questions, comments or complaints about our handling of your personal data, or if you wish to exercise your data subject rights, please contact the Choco Legal Team using the following contact details: datenschutz@choco.com.
7.2 Furthermore, you are welcome to direct your data protection concerns to our Data Protection Officer by sending an email to the above-mentioned email address. Please note that emails to the above email address will not solely be received by our Data Protection Officer as this is a generic email for the Choco Legal Team. If you solely wish to contact our Data Protection Officer and/or if you wish to send confidential information, please refer to the Data Protection Officer in the subject line or body of your email and please ask for them to contact you directly to further discuss your data protection concerns.
8. Changes to this Privacy Policy
We always keep this privacy policy up to date. Therefore, we reserve the right to update or change it from time to time and to maintain these changes in the collection, processing or use of your data.
Annex I
Third-party service providers
Performing business or operational services, infrastructure provisioning, IT services, and administrative services for Choco or on Choco’s behalf:
Aircall SAS
- Address: 11 Rue Saint-Georges,75009 Paris, France.
- Personal data processed: Username, phone number, and email address, only when previously provided by the user.
- Storage Information: The servers storing your personal data are located in the Amazon Web Services US West servers in Oregon, USA. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Amazon Web Services, Inc.
- Address: 410 Terry Avenue North, Seattle, WA 98109, United States of America.
- Personal data processed: Username, Phone number, Business Address, IP Address, Device Info, (email address, birth date only when previously provided by the user).
- Storage Information: The servers storing your personal data are located in Ireland. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Google Ireland Limited (reCAPTCHA Enterprise)
- Address: Gordon House, Barrow Street, Dublin 4, Ireland.
- Personal data processed: Username, Phone number, IP Address, Device Info, and Email Address.
- Storage Information: The servers storing your personal data are located in Dublin, Ireland. Your personal data will be stored by the service provider as long as necessary for the provision of the services to Choco. Google Ireland Limited may transfer personal data to Google Inc, their parent company in the USA.
Intercom, Inc.
- Address: 3rd Floor, Stephens Ct., 18-21 St. Stephen’s Green, Dublin 2, Ireland.
- Personal data processed: Username, Phone number, IP Address, Email Address, Device info.
- Storage Information: The servers storing your personal data are located in the Amazon Web Services (AWS) facilities in Dublin, Ireland (eu-west-1). Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Invisible Technologies, Inc.
- Address: 548 Market Street #85820 San Francisco, CA, USA.
- Personal data processed: Username, Phone number, Email Address, Address, and Financial Info.
- Storage Information: The servers storing your personal data are within the Amazon Web Services (AWS) us-east-1 region located in North Virginia, United States, and the Google Cloud Platform facilities of Mountain View, California, USA (us-west-1). Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Salesforce.com Germany GmbH
- Address: Erika-Mann-Str. 31, 80636 Munich, Germany.
- Personal data processed: Username, and Phone number (email address, only when previously provided by the user), User Data regarding Physical, Social and Cultural identity.
- Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, and Paris, France. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Talend Stitch Inc.
- Address: 1339 Chestnut St #1500, Philadelphia, Pennsylvania 19107, United States.
- Personal data processed: Username, Phone number, IP Address, Device Info, (email address, only when previously provided by the user).
- Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, in the AWS eu-central-1 servers. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services
Effective February 3, 2023 to March 20, 2023
DownloadTable of Contents
Privacy Policy for the Choco App
Preamble
This service (hereinafter "App") is provided by Choco Communications UK Ltd, a company incorporated in England and Wales with registered number 13937613 whose registered office is at 6th Floor, One London Wall, London, EC2Y 5EB, and can be contacted via email at legal@choco.com (hereinafter “Choco”, "we" or "us"), as the controller within the meaning of the applicable data protection law, namely (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018 ("DPA"); (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time; and the terms "data subject", "personal data", "processing", "processor" and "controller" shall have the meanings set out in the DPA.
The use of the services offered by Choco requires that the users register in the App or via the web interface and accept our General Terms and Conditions.
The Choco App provides its users with access to messaging and ordering services, which may allow commercial customers from the gastronomy and food sector (hereinafter the "Gastronomers") to communicate directly with their suppliers (hereinafter the "Suppliers") and place orders, which are directly received by the Suppliers and bundled in digital form without any time delay. For more detailed information about the services offered by Choco, please refer to section 4 of our General Terms and Conditions.
When you use the App, we process your personal data. Personal data means any information relating to an identified or identifiable natural person (data subject). The protection of your privacy when using the app is important to us, therefore we would like to inform you especially about the scope, the legal basis, data subject rights and the personal data which we process when you use the App.
1. Information on the processing of your personal data
Certain information is already processed automatically by Choco as soon as you use the App. The personal data that we may process are indicated in detail below:
1.1 Information collected during download
When downloading the app, Choco does not require nor collect any personal data of yours, nevertheless, we would like to inform you that certain required information might be requested by the App Store selected by you (e.g. Google Play or Apple App Store). The processing of this data, which takes place exclusively by the respective App Store, is beyond our control and we are not responsible for damages that occur to you arising from the data processing which is carried out by the App Store which you selected to download the App from.
1.2 Information collected automatically
As part of your use of the App, we automatically collect certain personal data that is necessary for the use of the App. This includes: device information, the version of your operating system, the type of device you use, your time of access, and your IP address.
This data is automatically transmitted to us and stored in our servers, in order to: (i) provide you with the Service and related features; (ii) improve the functions and performance features of the App; and (iii) prevent and to remove misuse and malfunctions of the App. Choco processes your personal data on the basis that such processing is necessary for the performance of the services foreseen in the General Terms and Conditions, between you as the data subject and us, in accordance with Article 6.1(b) of UK GDPR (regarding clause 1.2 (i) of this Privacy Policy). We also have a legitimate interest in ensuring the functionality and error-free operation of the App and being able to offer a service in line with the market and your interests. Our legitimate interest here outweighs your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR (regarding the clauses 1.2 (ii) and (iii) of this Privacy Policy).
1.3 Creation of a user account (registration) and login
1.3.1 For the creation of a user account, you are required to complete a registration form in the App and accept the General Terms and Conditions, for this purpose information marked as mandatory in the registration form shall be filled in as necessary. For your user account or log-in, we use your telephone number to grant you access to and manage your user account ("Mandatory Information"). The Mandatory information (username, telephone number, business name, and business address) is required for completing the registration form in the App, together with the acceptance of the General Terms and Conditions. If you do not provide this data, you will not be able to create a user account.
We use the mandatory information provided to authenticate you when you log in. In that case, on the login page of the App, you may indicate your telephone number and request to receive an automatic four-digit code (the “Code”), at the provided telephone number, via SMS. After you receive the Code, you will be required to promptly enter the Code on the login page of the App. We would like to inform you that the Code is temporary and has limited validity. If you do not enter the Code on the login page of the App within 60 seconds, you will need to request a new Code to complete the login authentication. Please note that you are fully responsible for the confidentiality of the Code which is strictly personal and should not be shared with unauthorized persons. The data entered by you during registration or login will be processed and used by us to: (i) verify your authorization to manage the user account; (ii) enforce the terms of use of the App and all associated rights and obligations; and (iii) send you technical or legal notices, updates, security messages or other messages concerning the administration of the user account.
The data processing of the Mandatory Information is justified by the fact that, with regards to clause 1.3.1 (i) of this Privacy Policy, the processing is necessary for the performance of the contract between you, as the data subject, and us, for the proper functioning of the App, in accordance with Article 6.1(b) of UK GDPR, or, with regard to clauses 1.3.1 (ii) and (iii) of this Privacy Policy, that we have a legitimate interest in ensuring the functionality and error-free operation of the App as well as in contacting our users concerning any information relevant to them for the use of the App. Our legitimate interest here outweighs your rights and interests in protecting your personal data within the meaning of Article 6.1(f) of UK GDPR.
1.3.2 Furthermore, you can provide the following voluntary information during the registration: email address and nickname. In addition, you can provide the following voluntary information after the registration on the App:
(a) Contact details of your Suppliers (ONLY if you are a Gastronomer): Aiming to facilitate the placing of your orders, you may provide us with the contact details of your Suppliers or you may request that we set up the account with the contact details of your Suppliers.
(b) Additional information: You have the option of uploading pictures and screenshots to the App which contain additional information to simplify the placing of your orders. Moreover, the content of the additional information which you may voluntarily share on the App may vary depending on the type of data which you voluntarily upload to the App.
In accordance with Article 6.1(a) of UK GDPR, we will process the voluntary information based on your consent which you can withdraw at any time in accordance with Article 7.3 of UK GDPR.
1.4 Use of the App
When using the App, you can enter, manage and edit various information, tasks and activities. This information includes, in particular, data related to the communications that the Gastronomers send, together with their orders, to their Suppliers which are directly received by the latter and bundled in digital form without any time delay. You can also activate the following functions:
(a) Internet access: This is required to store your entries on our servers.
(b) Camera access: This access is required for communications between Gastronomers and Suppliers which allows you to include pictures and/or screenshots to simplify the placing of your orders and store them in the App and on our servers. By granting access to your camera, you agree that Choco will have access to your pictures and media contents, thus data processing in this context is based on your consent. Furthermore, we would like to inform you that currently the pictures and/or screenshots, which you may voluntarily upload to the App, will not be automatically deleted from the App. Nevertheless, if you wish to delete your uploaded pictures and/or screenshots, you may forward your request to the Choco Legal Team, using the following email address: datenschutz@choco.com (this does not affect the general rules on the deletion of data in the event of cancellation of your user account according to clause 4 of this Privacy Policy). Please note that we cannot accept any responsibility for the content that you voluntarily upload to the App, therefore, you are fully liable for any shared additional information on the App which is not required for the purpose of processing personal data, which infringes the applicable laws and/or any third parties rights.
The processing of the above-mentioned data is based on your consent which you can withdraw at any time, in accordance with Article 7.3 of UK GDPR.
2. Disclosure and transfer of data
We transfer your personal data to recipients on the condition a legal basis exists and/ or you gave your consent to the data process. Moreover, your personal data is processed by service providers who act as data processors. Any third parties with whom we share your personal data are limited (by law and by contract) in their ability to use your personal information. We will ensure that any third parties with whom we share your personal information are subject to privacy and security obligations consistent with this Privacy Policy and applicable laws.
We transfer your data to the following recipients:
2.1 The data provided by you during registration will be passed on within the Choco Group for internal administrative purposes, including joint customer support, as far as necessary. Please note that "Choco Group" means the worldwide Choco group of companies of which Choco Communications GmbH is the parent company with its legal seat in Hasenheide 54, 10967 Berlin, Germany. The Choco Group is composed of other companies owned or controlled by Choco, present in different Member States of the European Union and the United States of America, and other companies owned by or under common ownership as Choco, which also includes our subsidiaries (i.e., any organization we own or control), particularly when we collaborate in providing the App.
The App will be hosted by Choco Communications GmbH, with its legal seat in Hasenheide 54, 10967 Berlin, Germany, and can be reached at the following email address: legal@choco.com. For this purpose, Choco Communications GmbH acts as our processor. Choco Communications GmbH will also process your personal data for its own purposes (such as analytical purposes) and as controller. The information about the data processing by Choco Communications GmbH can be found here.
2.2 We may share your personal data with our business partners, such as Gastronomers or Suppliers and delivery partners, as well as third parties with whom we partner to provide contests, joint promotional activities or co-branded services, and such disclosure is necessary to fulfill requests or applications.
2.3 Please note, that if you are using the App in connection with your role as an employee or contractor of a company or other legal entity, we may share your information with such entity.
2.4 We share your personal data with third parties who assist us in providing our customer services and facilitating our communications with individuals that submit inquiries. We engage third-party service providers that perform business or operational services for us or on our behalf, including infrastructure provisioning, IT services, and administrative services. A list with complete details about the above-mentioned third-party service providers is available within Annex I of this Privacy Policy.
2.5 We are under a duty to disclose or share your personal data in order to comply with any legal obligation, any lawful request from government or law enforcement officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity. Any disclosure of the personal data is justified by the fact that the processing is necessary to fulfill a legal obligation to which we are subject in accordance with Article 6.1(c) of UK GDPR in the national legal requirements for the disclosure of data to law enforcement authorities
2.6 We may disclose your personal data to third parties in order to enforce the App’s terms of use, our terms and conditions for customers or any other agreement or to respond to any claims, to protect our rights or the rights of a third party, or to protect the safety of any person or to prevent any illegal activity. Any disclosure of the personal data is justified by the fact that we have a legitimate interest in using the data in the presence of evidence of abusive behavior or to enforce our terms of use, of other conditions or legal claims to the aforementioned third parties and your rights and interests in relation to the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
2.7 In the context of the further development of our business, the structure of our company may change by changing the legal form, founding, acquiring, or transferring subsidiaries, parts of companies or components. In accordance with such operations, the customer information may be shared together with the part of the company to be transferred. Each time personal data is transferred to third parties to the extent described above, we shall ensure that this transfer is done in accordance with this Privacy Policy and UK GDPR. Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances if necessary and your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
3. Data transfer to third countries
We may share your personal data to members of the Choco Group or third party service providers who are outside the UK or the EEA. If we provide any personal data about you to any such non-UK and non-EEA members of our group or suppliers, we will take appropriate measures to ensure that the recipient protects your personal data adequately in accordance with this Privacy Policy. In particular, we would like to inform you that the EU-US Privacy Shield (adequacy decision) has been declared invalid and that in case of data transfers to insecure third countries (here, the USA), there is no adequate level of data protection according to EU and UK standards. The measures we take to ensure the recipient of your personal data protects it adequately may include:
(a) Ensuring that there is an adequacy decision by the UK Government in the case of transfers out of the UK, or by the European Commission in the case of transfers out of the EEA, which means that the recipient country is deemed to provide adequate protection for such personal data;
(b) Where we have in place standard model contractual arrangements with the recipient which have been approved by the European Commission or the UK Government for transfers outside the UK. These model contractual clauses include certain safeguards to protect the personal data.
4. Storage duration
We delete your personal data as soon as the purposes for which we collected or processed it, in accordance with the preceding paragraphs, are achieved, and no statutory requirements require us to continue storing it for a longer period of time. We delete your personal data as soon as you submit to us your request for the cancellation of your user account, for the purposes for which we collected or used it in accordance with the preceding paragraphs. Please note that in case of cancellation of your user account, your personal data stored within the App will be deleted insofar as there are no statutory requirements which require us to continue storing it for a longer period of time.
5. Hyperlink
Our App contains hyperlinks to the websites of other providers. If these hyperlinks are activated, you will be redirected from our App directly to the website of the other providers. You can recognize this, amongst other things, by the URL changing. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, as we have no influence on the fact that these companies comply with UK GDPR. Please inform yourself about the handling of your personal data by these companies directly on these websites.
6. Your rights as a data subject
6.1 In accordance with Articles 15 to 21 (inclusive) and 77 of UK GDPR, as data subjects you have the following rights:
- Right of access by the data subject (Article 15 of UK GDPR)
- Right to rectification (Article 16 of UK GDPR)
- Right to erasure ('right to be forgotten') (Article 17 of UK GDPR)
- Right to restriction of processing (Article 18 of UK GDPR)
- Right to data portability (Article 20 of UK GDPR)
- Right to object (Article 21 of UK GDPR)
- Right not to be subject to a decision based solely on automated processing (Article 22 of UK GDPR)
- Right to lodge a complaint with a supervisory authority (Article 77 of UK GDPR).
6.2 In case the data processing is based on your consent, you have the right to withdraw your consent at any time, in accordance with Article 7.3 of UK GDPR. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In case the data processing is based on our legitimate interest (Article 6.1(f) of UK GDPR), you have the right to object, on grounds relating to your situation, at any time.
6.3 Your requests for the assertion of data protection rights and our answers to them will be kept for documentation purposes for a period of up to three (3) years and, in individual cases, for longer periods for the establishment, exercise or defense of legal claims in accordance with Article 6.1(f) of UK GDPR, which is based on our legitimate interest in: (i) defending against any civil law claims pursuant to Article 82 of UK GDPR, (ii) the avoidance of fines pursuant to Article 83 of UK GDPR and (iii) the fulfillment of our accountability under Article 5.2 of UK GDPR.
6.4 As a data subject you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the UK GDPR. The data protection authority responsible for Choco's processing of personal data in the UK is the Information Commissioner's Office.
7. Data Protection Officer and contact details
7.1 If you have any questions, comments or complaints about our handling of your personal data, or if you wish to exercise your data subject rights, please contact the Choco Legal Team using the following contact details: datenschutz@choco.com.
7.2 Furthermore, you are welcome to direct your data protection concerns to our Data Protection Officer by sending an email to the above-mentioned email address. Please note that emails to the above email address will not solely be received by our Data Protection Officer as this is a generic email for the Choco Legal Team. If you solely wish to contact our Data Protection Officer and/or if you wish to send confidential information, please refer to the Data Protection Officer in the subject line or body of your email and please ask for them to contact you directly to further discuss your data protection concerns.
8. Changes to this Privacy Policy
We always keep this privacy policy up to date. Therefore, we reserve the right to update or change it from time to time and to maintain these changes in the collection, processing or use of your data.
Annex I
Third-party service providers
Performing business or operational services, infrastructure provisioning, IT services, and administrative services for Choco or on Choco’s behalf:
Aircall SAS
- Address: 11 Rue Saint-Georges,75009 Paris, France.
- Personal data processed: Username, phone number, and email address, only when previously provided by the user.
- Storage Information: The servers storing your personal data are located in the Amazon Web Services US West servers in Oregon, USA. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Amazon Web Services, Inc.
- Address: 410 Terry Avenue North, Seattle, WA 98109, United States of America.
- Personal data processed: Username, Phone number, Business Address, IP Address, Device Info, (email address, birth date only when previously provided by the user).
- Storage Information: The servers storing your personal data are located in Ireland. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Intercom, Inc.
- Address: 3rd Floor, Stephens Ct., 18-21 St. Stephen’s Green, Dublin 2, Ireland.
- Personal data processed: Username, Phone number, IP Address, Email, Device info.
- Storage Information: The servers storing your personal data are located in the Amazon Web Services (AWS) facilities in Dublin, Ireland (eu-west-1). Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Salesforce.com Germany GmbH
- Address: Erika-Mann-Str. 31, 80636 Munich, Germany.
- Personal data processed: Username, and Phone number (email address, only when previously provided by the user), User Data regarding Physical, Social and Cultural identity.
- Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, and Paris, France. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services.
Talend Stitch Inc.
- Address: 1339 Chestnut St #1500, Philadelphia, Pennsylvania 19107, United States.
- Personal data processed: Username, Phone number, IP Address, Device Info, (email address, only when previously provided by the user).
- Storage Information: The servers storing your personal data are located in Frankfurt am Main, Germany, in the AWS eu-central-1 servers. Your Personal Data will be stored by the service provider as long as necessary for the provision of the Services
Effective November 16, 2022 to February 3, 2023
DownloadTable of Contents
Privacy Policy for the Choco App
Preamble
This service (hereinafter "App") is provided by Choco Communications UK Ltd, a company incorporated in England and Wales with registered number 13937613 whose registered office is at 6th Floor, One London Wall, London, EC2Y 5EB, and can be contacted via email at legal@choco.com (hereinafter “Choco”, "we" or "us"), as the controller within the meaning of the applicable data protection law, namely (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018 ("DPA"); (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time; and the terms "data subject", "personal data", "processing", "processor" and "controller" shall have the meanings set out in the DPA.
The use of the services offered by Choco requires that the users register in the App or via the web interface and accept our General Terms and Conditions.
The Choco App provides its users with access to messaging and ordering services, which may allow commercial customers from the gastronomy and food sector (hereinafter the "Gastronomers") to communicate directly with their suppliers (hereinafter the "Suppliers") and place orders, which are directly received by the Suppliers and bundled in digital form without any time delay. For more detailed information about the services offered by Choco, please refer to section 4 of our General Terms and Conditions.
When you use the App, we process your personal data. Personal data means any information relating to an identified or identifiable natural person (data subject). The protection of your privacy when using the app is important to us, therefore we would like to inform you especially about the scope, the legal basis, data subject rights and the personal data which we process when you use the App.
1. Information on the processing of your personal data
Certain information is already processed automatically by Choco as soon as you use the App. The personal data that we may process are indicated in detail below:
1.1 Information collected during download
When downloading the app, Choco does not require nor collect any personal data of yours, nevertheless, we would like to inform you that certain required information might be requested by the App Store selected by you (e.g. Google Play or Apple App Store). The processing of this data, which takes place exclusively by the respective App Store, is beyond our control and we are not responsible for damages that occur to you arising from the data processing which is carried out by the App Store which you selected to download the App from.
1.2 Information collected automatically
As part of your use of the App, we automatically collect certain personal data that is necessary for the use of the App. This includes: device information, the version of your operating system, the type of device you use, your time of access, and your IP address.
This data is automatically transmitted to us and stored in our servers, in order to: (i) provide you with the Service and related features; (ii) improve the functions and performance features of the App; and (iii) prevent and to remove misuse and malfunctions of the App. Choco processes your personal data on the basis that such processing is necessary for the performance of the services foreseen in the General Terms and Conditions, between you as the data subject and us, in accordance with Article 6.1(b) of UK GDPR (regarding clause 1.2 (i) of this Privacy Policy). We also have a legitimate interest in ensuring the functionality and error-free operation of the App and being able to offer a service in line with the market and your interests. Our legitimate interest here outweighs your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR (regarding the clauses 1.2 (ii) and (iii) of this Privacy Policy).
1.3 Creation of a user account (registration) and login
1.3.1 For the creation of a user account, you are required to complete a registration form in the App and accept the General Terms and Conditions, for this purpose information marked as mandatory in the registration form shall be filled in as necessary. For your user account or log-in, we use your telephone number to grant you access to and manage your user account ("Mandatory Information"). The Mandatory information (username, telephone number, business name, and business address) is required for completing the registration form in the App, together with the acceptance of the General Terms and Conditions. If you do not provide this data, you will not be able to create a user account.
We use the mandatory information provided to authenticate you when you log in. In that case, on the login page of the App, you may indicate your telephone number and request to receive an automatic four-digit code (the “Code”), at the provided telephone number, via SMS. After you receive the Code, you will be required to promptly enter the Code on the login page of the App. We would like to inform you that the Code is temporary and has limited validity. If you do not enter the Code on the login page of the App within 60 seconds, you will need to request a new Code to complete the login authentication. Please note that you are fully responsible for the confidentiality of the Code which is strictly personal and should not be shared with unauthorized persons. The data entered by you during registration or login will be processed and used by us to: (i) verify your authorization to manage the user account; (ii) enforce the terms of use of the App and all associated rights and obligations; and (iii) send you technical or legal notices, updates, security messages or other messages concerning the administration of the user account.
The data processing of the Mandatory Information is justified by the fact that, with regards to clause 1.3.1 (i) of this Privacy Policy, the processing is necessary for the performance of the contract between you, as the data subject, and us, for the proper functioning of the App, in accordance with Article 6.1(b) of UK GDPR, or, with regard to clauses 1.3.1 (ii) and (iii) of this Privacy Policy, that we have a legitimate interest in ensuring the functionality and error-free operation of the App as well as in contacting our users concerning any information relevant to them for the use of the App. Our legitimate interest here outweighs your rights and interests in protecting your personal data within the meaning of Article 6.1(f) of UK GDPR.
1.3.2 Furthermore, you can provide the following voluntary information during the registration: email address and nickname. In addition, you can provide the following voluntary information after the registration on the App:
(a) Contact details of your Suppliers (ONLY if you are a Gastronomer): Aiming to facilitate the placing of your orders, you may provide us with the contact details of your Suppliers or you may request that we set up the account with the contact details of your Suppliers.
(b) Additional information: You have the option of uploading pictures and screenshots to the App which contain additional information to simplify the placing of your orders. Moreover, the content of the additional information which you may voluntarily share on the App may vary depending on the type of data which you voluntarily upload to the App.
In accordance with Article 6.1(a) of UK GDPR, we will process the voluntary information based on your consent which you can withdraw at any time in accordance with Article 7.3 of UK GDPR.
1.4 Use of the App
When using the App, you can enter, manage and edit various information, tasks and activities. This information includes, in particular, data related to the communications that the Gastronomers send, together with their orders, to their Suppliers which are directly received by the latter and bundled in digital form without any time delay. You can also activate the following functions:
(a) Internet access: This is required to store your entries on our servers.
(b) Camera access: This access is required for communications between Gastronomers and Suppliers which allows you to include pictures and/or screenshots to simplify the placing of your orders and store them in the App and on our servers. By granting access to your camera, you agree that Choco will have access to your pictures and media contents, thus data processing in this context is based on your consent. Furthermore, we would like to inform you that currently the pictures and/or screenshots, which you may voluntarily upload to the App, will not be automatically deleted from the App. Nevertheless, if you wish to delete your uploaded pictures and/or screenshots, you may forward your request to the Choco Legal Team, using the following email address: datenschutz@choco.com (this does not affect the general rules on the deletion of data in the event of cancellation of your user account according to clause 4 of this Privacy Policy). Please note that we cannot accept any responsibility for the content that you voluntarily upload to the App, therefore, you are fully liable for any shared additional information on the App which is not required for the purpose of processing personal data, which infringes the applicable laws and/or any third parties rights.
The processing of the above-mentioned data is based on your consent which you can withdraw at any time, in accordance with Article 7.3 of UK GDPR.
2. Disclosure and transfer of data
We transfer your personal data to recipients on the condition a legal basis exists and/ or you gave your consent to the data process. Moreover, your personal data is processed by service providers who act as data processors. Any third parties with whom we share your personal data are limited (by law and by contract) in their ability to use your personal information. We will ensure that any third parties with whom we share your personal information are subject to privacy and security obligations consistent with this Privacy Policy and applicable laws.
We transfer your data to the following recipients:
2.1 The data provided by you during registration will be passed on within the Choco Group for internal administrative purposes, including joint customer support, as far as necessary. Please note that "Choco Group" means the worldwide Choco group of companies of which Choco Communications GmbH is the parent company with its legal seat in Hasenheide 54, 10967 Berlin, Germany. The Choco Group is composed of other companies owned or controlled by Choco, present in different Member States of the European Union and the United States of America, and other companies owned by or under common ownership as Choco, which also includes our subsidiaries (i.e., any organization we own or control), particularly when we collaborate in providing the App.
The App will be hosted by Choco Communications GmbH, with its legal seat in Hasenheide 54, 10967 Berlin, Germany, and can be reached at the following email address: legal@choco.com. For this purpose, Choco Communications GmbH acts as our processor. Choco Communications GmbH will also process your personal data for its own purposes (such as analytical purposes) and as controller. The information about the data processing by Choco Communications GmbH can be found here.
2.2 We may share your personal data with our business partners, such as Gastronomers or Suppliers and delivery partners, as well as third parties with whom we partner to provide contests, joint promotional activities or co-branded services, and such disclosure is necessary to fulfill requests or applications.
2.3 Please note, that if you are using the App in connection with your role as an employee or contractor of a company or other legal entity, we may share your information with such entity.
2.4 We share your personal data with third parties who assist us in providing our customer services and facilitating our communications with individuals that submit inquiries. We engage third-party service providers that perform business or operational services for us or on our behalf, including infrastructure provisioning, IT services, and administrative services. A list with complete details about the above-mentioned third-party service providers is available here.
2.5 We are under a duty to disclose or share your personal data in order to comply with any legal obligation, any lawful request from government or law enforcement officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity. Any disclosure of the personal data is justified by the fact that the processing is necessary to fulfill a legal obligation to which we are subject in accordance with Article 6.1(c) of UK GDPR in the national legal requirements for the disclosure of data to law enforcement authorities
2.6 We may disclose your personal data to third parties in order to enforce the App’s terms of use, our terms and conditions for customers or any other agreement or to respond to any claims, to protect our rights or the rights of a third party, or to protect the safety of any person or to prevent any illegal activity. Any disclosure of the personal data is justified by the fact that we have a legitimate interest in using the data in the presence of evidence of abusive behavior or to enforce our terms of use, of other conditions or legal claims to the aforementioned third parties and your rights and interests in relation to the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
2.7 In the context of the further development of our business, the structure of our company may change by changing the legal form, founding, acquiring, or transferring subsidiaries, parts of companies or components. In accordance with such operations, the customer information may be shared together with the part of the company to be transferred. Each time personal data is transferred to third parties to the extent described above, we shall ensure that this transfer is done in accordance with this Privacy Policy and UK GDPR. Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances if necessary and your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
3. Data transfer to third countries
We may share your personal data to members of the Choco Group or third party service providers who are outside the UK or the EEA. If we provide any personal data about you to any such non-UK and non-EEA members of our group or suppliers, we will take appropriate measures to ensure that the recipient protects your personal data adequately in accordance with this Privacy Policy. In particular, we would like to inform you that the EU-US Privacy Shield (adequacy decision) has been declared invalid and that in case of data transfers to insecure third countries (here, the USA), there is no adequate level of data protection according to EU and UK standards. The measures we take to ensure the recipient of your personal data protects it adequately may include:
(a) Ensuring that there is an adequacy decision by the UK Government in the case of transfers out of the UK, or by the European Commission in the case of transfers out of the EEA, which means that the recipient country is deemed to provide adequate protection for such personal data;
(b) Where we have in place standard model contractual arrangements with the recipient which have been approved by the European Commission or the UK Government for transfers outside the UK. These model contractual clauses include certain safeguards to protect the personal data.
4. Storage duration
We delete your personal data as soon as the purposes for which we collected or processed it, in accordance with the preceding paragraphs, are achieved, and no statutory requirements require us to continue storing it for a longer period of time. We delete your personal data as soon as you submit to us your request for the cancellation of your user account, for the purposes for which we collected or used it in accordance with the preceding paragraphs. Please note that in case of cancellation of your user account, your personal data stored within the App will be deleted insofar as there are no statutory requirements which require us to continue storing it for a longer period of time.
5. Hyperlink
Our App contains hyperlinks to the websites of other providers. If these hyperlinks are activated, you will be redirected from our App directly to the website of the other providers. You can recognize this, amongst other things, by the URL changing. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, as we have no influence on the fact that these companies comply with UK GDPR. Please inform yourself about the handling of your personal data by these companies directly on these websites.
6. Your rights as a data subject
6.1 In accordance with Articles 15 to 21 (inclusive) and 77 of UK GDPR, as data subjects you have the following rights:
- Right of access by the data subject (Article 15 of UK GDPR)
- Right to rectification (Article 16 of UK GDPR)
- Right to erasure ('right to be forgotten') (Article 17 of UK GDPR)
- Right to restriction of processing (Article 18 of UK GDPR)
- Right to data portability (Article 20 of UK GDPR)
- Right to object (Article 21 of UK GDPR)
- Right not to be subject to a decision based solely on automated processing (Article 22 of UK GDPR)
- Right to lodge a complaint with a supervisory authority (Article 77 of UK GDPR).
6.2 In case the data processing is based on your consent, you have the right to withdraw your consent at any time, in accordance with Article 7.3 of UK GDPR. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In case the data processing is based on our legitimate interest (Article 6.1(f) of UK GDPR), you have the right to object, on grounds relating to your situation, at any time.
6.3 Your requests for the assertion of data protection rights and our answers to them will be kept for documentation purposes for a period of up to three (3) years and, in individual cases, for longer periods for the establishment, exercise or defense of legal claims in accordance with Article 6.1(f) of UK GDPR, which is based on our legitimate interest in: (i) defending against any civil law claims pursuant to Article 82 of UK GDPR, (ii) the avoidance of fines pursuant to Article 83 of UK GDPR and (iii) the fulfillment of our accountability under Article 5.2 of UK GDPR.
6.4 As a data subject you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the UK GDPR. The data protection authority responsible for Choco's processing of personal data in the UK is the Information Commissioner's Office.
7. Data Protection Officer and contact details
7.1 If you have any questions, comments or complaints about our handling of your personal data, or if you wish to exercise your data subject rights, please contact the Choco Legal Team using the following contact details: datenschutz@choco.com.
7.2 Furthermore, you are welcome to direct your data protection concerns to our Data Protection Officer by sending an email to the above-mentioned email address. Please note that emails to the above email address will not solely be received by our Data Protection Officer as this is a generic email for the Choco Legal Team. If you solely wish to contact our Data Protection Officer and/or if you wish to send confidential information, please refer to the Data Protection Officer in the subject line or body of your email and please ask for them to contact you directly to further discuss your data protection concerns.
8. Changes to this Privacy Policy
We always keep this privacy policy up to date. Therefore, we reserve the right to update or change it from time to time and to maintain these changes in the collection, processing or use of your data.
Effective November 1, 2022 to November 16, 2022
DownloadTable of Contents
Privacy Policy for the Choco App
Preamble
This service (hereinafter "App") is provided by Choco Communications UK Ltd, a company incorporated in England and Wales with registered number 13937613 whose registered office is at 6th Floor, One London Wall, London, EC2Y 5EB, and can be contacted via email at legal@choco.com (hereinafter “Choco”, "we" or "us"), as the controller within the meaning of the applicable data protection law, namely (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018 ("DPA"); (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time; and the terms "data subject", "personal data", "processing", "processor" and "controller" shall have the meanings set out in the DPA.
The use of the services offered by Choco requires that the users register in the App or via the web interface and accept our General Terms and Conditions.
The Choco App provides its users with access to messaging and ordering services, which may allow commercial customers from the gastronomy and food sector (hereinafter the "Gastronomers") to communicate directly with their suppliers (hereinafter the "Suppliers") and place orders, which are directly received by the Suppliers and bundled in digital form without any time delay. For more detailed information about the services offered by Choco, please refer to section 4 of our General Terms and Conditions.
When you use the App, we process your personal data. Personal data means any information relating to an identified or identifiable natural person (data subject). The protection of your privacy when using the app is important to us, therefore we would like to inform you especially about the scope, the legal basis, data subject rights and the personal data which we process when you use the App.
1. Information on the processing of your personal data
Certain information is already processed automatically by Choco as soon as you use the App. The personal data that we may process are indicated in detail below:
1.1 Information collected during download
When downloading the app, Choco does not require nor collect any personal data of yours, nevertheless, we would like to inform you that certain required information might be requested by the App Store selected by you (e.g. Google Play or Apple App Store). The processing of this data, which takes place exclusively by the respective App Store, is beyond our control and we are not responsible for damages that occur to you arising from the data processing which is carried out by the App Store which you selected to download the App from.
1.2 Information collected automatically
As part of your use of the App, we automatically collect certain personal data that is necessary for the use of the App. This includes: device information, the version of your operating system, the type of device you use, your time of access, and your IP address.
This data is automatically transmitted to us and stored in our servers, in order to: (i) provide you with the Service and related features; (ii) improve the functions and performance features of the App; and (iii) prevent and to remove misuse and malfunctions of the App. Choco processes your personal data on the basis that such processing is necessary for the performance of the services foreseen in the General Terms and Conditions, between you as the data subject and us, in accordance with Article 6.1(b) of UK GDPR (regarding clause 1.2 (i) of this Privacy Policy). We also have a legitimate interest in ensuring the functionality and error-free operation of the App and being able to offer a service in line with the market and your interests. Our legitimate interest here outweighs your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR (regarding the clause 1.2 (ii) and (iii) of this Privacy Policy).
1.3 Creation of a user account (registration) and login
For the creation of a user account, you are required to complete a registration form in the App and accept the General Terms and Conditions, for this purpose information marked as mandatory in the registration form shall be filled in as necessary. For your user account or log-in, we use your telephone number to grant you access to and manage your user account ("Mandatory Information"). The Mandatory information (username, telephone number, business name, and business address) is required for completing the registration form in the App, together with the acceptance of the General Terms and Conditions. If you do not provide this data, you will not be able to create a user account.
We use the mandatory information provided to authenticate you when you log in. In that case, on the login page of the App, you may indicate your telephone number and request to receive an automatic four-digit code (the “Code”), at the provided telephone number, via SMS. After you receive the Code, you will be required to promptly enter the Code on the login page of the App. We would like to inform you that the Code is temporary and has limited validity. If you do not enter the Code on the login page of the App within 60 seconds, you will need to request a new Code to complete the login authentication. Please note that you are fully responsible for the confidentiality of the Code which is strictly personal and should not be shared with unauthorized persons. The data entered by you during registration or login will be processed and used by us to: (i) verify your authorization to manage the user account; (ii) enforce the terms of use of the App and all associated rights and obligations; and (iii) send you technical or legal notices, updates, security messages or other messages concerning the administration of the user account.
The data processing of the Mandatory Information is justified by the fact that, with regards to clause 1.3 (i) of this Privacy Policy, the processing is necessary for the performance of the contract between you, as the data subject, and us, for the proper functioning of the App, in accordance with Article 6.1(b) of UK GDPR, or, with regards to clauses 1.3 (ii) and (iii) of this Privacy Policy, that we have a legitimate interest in ensuring the functionality and error-free operation of the App as well as in contacting our users concerning any information relevant to them for the use of the App. Our legitimate interest here outweighs your rights and interests in protecting your personal data within the meaning of Article 6.1(f) of UK GDPR.
Furthermore, you can provide the following voluntary information during the registration: email address and nickname. In addition, you can provide the following voluntary information after the registration on the App:
Contact details of your Suppliers (ONLY if you are a Gastronomer): Aiming to facilitate the placing of your orders, you may provide us with the contact details of your Suppliers or you may request that we set up the account with the contact details of your Suppliers.
Additional information: You have the option of uploading pictures and screenshots to the App which contain additional information to simplify the placing of your orders. Moreover, the content of the additional information which you may voluntarily share on the App may vary depending on the type of data which you voluntarily upload to the App.
In accordance with Article 6.1(a) of UK GDPR, we will process the voluntary information based on your consent which you can withdraw at any time in accordance with Article 7.3 of UK GDPR.
1.4 Use of the App
When using the App, you can enter, manage and edit various information, tasks and activities. This information includes, in particular, data related to the communications that the Gastronomers send, together with their orders, to their Suppliers which are directly received by the latter and bundled in digital form without any time delay.
You can also activate the following functions:
Internet access: This is required to store your entries on our servers.
Camera access: This access is required for communications between Gastronomers and Suppliers which allows you to include pictures and/or screenshots to simplify the placing of your orders and store them in the App and on our servers. By granting access to your camera, you agree that Choco will have access to your pictures and media contents, thus data processing in this context is based on your consent. Furthermore, we would like to inform you that currently the pictures and/or screenshots, which you may voluntarily upload to the App, will not be automatically deleted from the App. Nevertheless, if you wish to delete your uploaded pictures and/or screenshots, you may forward your request to the Choco Legal Team, using the following email address: datenschutz@choco.com (this does not affect the general rules on the deletion of data in the event of cancellation of your user account according to clause 4 of this Privacy Policy). Please note that we cannot accept any responsibility for the content that you voluntarily upload to the App, therefore, you are fully liable for any shared additional information on the App which is not required for the purpose of processing personal data, which infringes the applicable laws and/or any third parties rights. The processing of the above-mentioned data is based on your consent which you can withdraw at any time, in accordance with Article 7.3 of UK GDPR.
2. Disclosure and transfer of data
We transfer your personal data to recipients on the condition a legal basis exists and/ or you gave your consent to the data process. Moreover, your personal data is processed by service providers who act as data processors. Any third parties with whom we share your personal data are limited (by law and by contract) in their ability to use your personal information. We will ensure that any third parties with whom we share your personal information are subject to privacy and security obligations consistent with this privacy policy and applicable laws.
We transfer your data to the following recipients:
2.1 The data provided by you during registration will be passed on within the Choco Group for internal administrative purposes, including joint customer support, as far as necessary. Please note that "Choco Group" means the worldwide Choco group of companies of which Choco Communications GmbH is the parent company with its legal seat in Hasenheide 54, 10967 Berlin, Germany. The Choco Group is composed of other companies owned or controlled by Choco, present in different Member States of the European Union and the United States of America, and other companies owned by or under common ownership as Choco, which also includes our subsidiaries (i.e., any organization we own or control), particularly when we collaborate in providing the App.
The App will be hosted by Choco Communications GmbH, with its legal seat in Hasenheide 54, 10967 Berlin, Germany, and can be reached at the following email address: legal@choco.com. For this purpose, Choco Communications GmbH acts as our processor. Choco Communications GmbH will also process your personal data for its own purposes (such as analytical purposes) and as controller. The information about the data processing by Choco Communications GmbH can be found here.
2.2 We may share your personal data with our business partners, such as Gastronomers or Suppliers and delivery partners, as well as third parties with whom we partner to provide contests, joint promotional activities or co-branded services, and such disclosure is necessary to fulfill requests or applications.
2.3 Please note, that if you are using the App in connection with your role as an employee or contractor of a company or other legal entity, we may share your information with such entity.
2.4 We share your personal data with third parties who assist us in providing our customer services and facilitating our communications with individuals that submit inquiries. We engage third-party service providers that perform business or operational services for us or on our behalf, including infrastructure provisioning, IT services, and administrative services. A list with complete details about the above-mentioned third-party service providers is available here.
2.5 If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, any lawful request from government or law enforcement officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity;
Any disclosure of the personal data is justified by the fact that the processing is necessary to fulfill a legal obligation to which we are subject in accordance with Article 6.1(c) of UK GDPR in the national legal requirements for the disclosure of data to law enforcement authorities
2.6 We may disclose your personal data to third parties in order to enforce the App’s terms of use, our terms and conditions for customers or any other agreement or to respond to any claims, to protect our rights or the rights of a third party, or to protect the safety of any person or to prevent any illegal activity.
Any disclosure of the personal data is justified by the fact that we have a legitimate interest in using the data in the presence of evidence of abusive behavior or to enforce our terms of use, of other conditions or legal claims to the aforementioned third parties and your rights and interests in relation to the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
2.7 In the context of the further development of our business, the structure of our company may change by changing the legal form, founding, acquiring, or transferring subsidiaries, parts of companies or components. In accordance with such operations, the customer information may be shared together with the part of the company to be transferred. Each time personal data is transferred to third parties to the extent described above, we shall ensure that this transfer is done in accordance with this privacy policy and UK GDPR.
Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances if necessary and your rights and interests in the protection of your personal data within the meaning of Article 6.1(f) of UK GDPR do not prevail.
3. Data transfer to third countries
We may share your personal data to members of the Choco Group or third party service providers who are outside the UK or the EEA. If we provide any personal data about you to any such non-UK and non-EEA members of our group or suppliers, we will take appropriate measures to ensure that the recipient protects your personal data adequately in accordance with this privacy policy. In particular, we would like to inform you that the EU-US Privacy Shield (adequacy decision) has been declared invalid and that in case of data transfers to insecure third countries (here, the USA), there is no adequate level of data protection according to EU and UK standards. The measures we take to ensure the recipient of your personal data protects it adequately may include:
(a) Ensuring that there is an adequacy decision by the UK Government in the case of transfers out of the UK, or by the European Commission in the case of transfers out of the EEA, which means that the recipient country is deemed to provide adequate protection for such personal data;
(b) Where we have in place standard model contractual arrangements with the recipient which have been approved by the European Commission or the UK Government for transfers outside the UK. These model contractual clauses include certain safeguards to protect the personal data.
4. Storage duration
We delete your personal data as soon as the purposes for which we collected or processed it, in accordance with the preceding paragraphs, are achieved, and no statutory requirements require us to continue storing it for a longer period. We delete your personal data as soon as you submit to us your request for the cancellation of your user account, for the purposes for which we collected or used it in accordance with the preceding paragraphs. Please note that in case of cancellation of your user account, your personal data stored within the App will be deleted insofar as there are no statutory requirements which require us to continue storing it for a longer period of time.
5. Hyperlink
Our App contains hyperlinks to websites of other providers. If these hyperlinks are activated, you will be redirected from our App directly to the website of the other providers. You can recognize this, amongst other things, by the URL changing. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, as we have no influence on the fact that these companies comply with UK GDPR. Please inform yourself about the handling of your personal data by these companies directly on these websites.
6. Your rights as a data subject
In accordance with Articles 15 to 21 (inclusive) and 77 of UK GDPR, as data subjects you have the following rights:
Right of access by the data subject (Article 15 of UK GDPR)
Right to rectification (Article 16 of UK GDPR)
Right to erasure ('right to be forgotten') (Article 17 of UK GDPR)
Right to restriction of processing (Article 18 of UK GDPR)
Right to data portability (Article 20 of UK GDPR)
Right to object (Article 21 of UK GDPR)
Right not to be subject to a decision based solely on automated processing (Article 22 of UK GDPR)
Right to lodge a complaint with a supervisory authority (Article 77 of UK GDPR).
In case the data processing is based on your consent, you have the right to withdraw your consent at any time, in accordance with Article 7.3 of UK GDPR. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
In case the data processing is based on our legitimate interest (Article 6.1(f) of UK GDPR), you have the right to object, on grounds relating to your situation, at any time.
Your requests for the assertion of data protection rights and our answers to them will be kept for documentation purposes for a period of up to three (3) years and, in individual cases, for longer periods for the establishment, exercise or defense of legal claims in accordance with Article 6.1(f) of UK GDPR, which is based on our legitimate interest in: (i) defending against any civil law claims pursuant to Article 82 of UK GDPR, (ii) the avoidance of fines pursuant to Article 83 of UK GDPR and (iii) the fulfillment of our accountability under Article 5.2 of UK GDPR.
As a data subject you have the right to lodge a complaint with a supervisory authority t if you consider that the processing of personal data relating to you infringes the UK GDPR. The data protection authority responsible for Choco's processing of personal data in the UK is the Information Commissioner's Office.
7. Data Protection Officer and contact details
If you have any questions, comments or complaints about our handling of your personal data, or if you wish to exercise your data subject rights, please contact the Choco Legal Team using the following contact details: datenschutz@choco.com.
Furthermore, you are welcome to direct your data protection concerns to our Data Protection Officer by sending an email to the above-mentioned email address. Please note that emails to the above email address will not solely be received by our Data Protection Officer as this is a generic email for the Choco Legal Team. If you solely wish to contact our Data Protection Officer and/or if you wish to send confidential information, please refer to the Data Protection Officer in the subject line or body of your email and please ask for them to contact you directly to further discuss your data protection concerns.
8. Changes to this Privacy Policy
We always keep this privacy policy up to date. Therefore, we reserve the right to update or change it from time to time and to maintain these changes in the collection, processing or use of your data.