Terms and Conditions for App Use
1. Subject matter of the contract
1.1 Choco Communications UK Limited (hereinafter "CHOCO") has developed an app and a web interface (hereinafter collectively the "App") through and via which commercial customers from the gastronomy, drink and food sector (hereinafter a "Buyer") can communicate and send their orders to their suppliers (hereinafter a "Supplier").
1.2 These General Terms and Conditions for App Use (hereinafter "General Terms and Conditions" or “GTC”) apply to the use of the App. For the free download of the App, the general terms and conditions of the Apple App Store or Google Play Store shall apply in addition to these GTC and any section of those general terms and conditions shall take precedence over any section in these GTC in the event of inconsistency. CHOCO may enter into separate agreement with the Suppliers for the paid use of the App and other paid services, which shall exclusively govern the relationship between the relevant Supplier and CHOCO, superseding these GTCs.
1.3 The object of these GTC is to set out the terms and conditions under which CHOCO grants a licence for the Buyers and Suppliers who use the App (each a "Company"). By using the App, the Company confirms that it accepts these GTC and that it agrees to comply with them. If the Company does not agree to these GTC, it must not use the App. CHOCO may enter into separate agreement with the Suppliers for the paid use of the App, which shall exclusively govern the relationship between the relevant Supplier and CHOCO, superseding these GTCs.
1.4 The provisions of these GTC shall prevail over any other general or specific terms and conditions of the Company. These GTC may be supplemented by CHOCO, where appropriate, by specific terms of use for certain aspects of the App, which shall supplement these GTC and shall prevail over them in the event of any conflict.
2. Use of the App
2.1 CHOCO grants to Company a non-exclusive, revocable, non-sublicensable, personal and non- transferable licence to use the App (in executable code) solely for the Company's internal business operations in the United Kingdom. For the avoidance of doubt, this licence also covers the use of the App by such individual Users (as defined in section 3.6 below) as the Company may designate. The source code of the App and other CHOCO software is not subject to these GTC and CHOCO reserves all rights thereto.
2.2 The App is designed and intended for professional use and is aimed exclusively at business customers, in particular the catering trade, the food industry and the food trade. Consumers are not permitted the use the App.
3. Registration and Account access Account creation and conclusion of contract
3.1 The use of the App requires that the Company registers in the App and accepts these GTC. For this purpose, a registration form is available in which all information marked as mandatory must be filled in. Before submitting the form, the Company can correct any errors directly by correcting the respective information in the form. CHOCO will not activate incomplete registrations.
3.2 The Company may access, save and print the current GTC on the website at any time. CHOCO does not store the text of the contract after it has been concluded.
3.3 Upon receipt of the Company's application for registration, CHOCO may then open an account in the Company's name (hereinafter the "Account"), which enables it to use the App.
3.4 The Company warrants, represents and undertakes that all information provided in the registration form is accurate, up-to-date, truthful and not misleading.
3.5 The Company undertakes to update the information relating to its Account immediately in the event of any changes, so that it always complies with the above criteria.
User Assignment
3.6 The Company shall ensure that any person ("User") who uses the App, or creates an Account, for or on behalf of a Company or assigns himself or herself to an existing Company Account is authorised to accept these GTC and to (in relation to the Buyer) place binding orders with Suppliers or to (in relation to the Supplier) receive and fulfil orders from Buyers.
3.7 CHOCO may technically enable a Company to create additional User profiles. The Company shall not permit any third party competing with CHOCO to (directly or indirectly) have access to the App.
3.8 The Company undertakes to ensure that Users do not allow any third party to use the App in their place or on their behalf.
3.9 The Company is responsible for ensuring that all Users are aware of these GTC and other applicable terms and conditions, and that they comply with them and the Company shall be liable for the acts and omissions of its Users.
Access data
3.10 The Company undertakes to maintain the security and confidentiality of the data it uploads to the App ("Access Data") and, where applicable, to impose the same obligations on Users associated with its Account.
3.11 Any access to the Account using the Company's Access Data shall be deemed to have been made by the Company. The Company shall immediately notify CHOCO if it becomes aware that its Account has been used without its knowledge. The Company acknowledges that CHOCO has the right to take all appropriate measures in such cases, in particular to temporarily block the Account to prevent misuse. CHOCO shall not be responsible for any loss, destruction, alteration or disclosure of Access Data.
4. Features and functionality of the App
4.1 The App contains a messaging service (the "Messaging Service") which enables: (a) the Buyer to communicate directly with its Suppliers and place orders; or (b) the Supplier to receive orders from the Buyer directly and bundled in digital form.
4.2 Conversations via the Messaging Service take place between two Companies, including at least one Buyer.
4.3 The Buyer may only start a conversation with Suppliers (i) whose contact details have been added to the Buyer's Account at the Buyer's initiative or (ii) whom the Buyer has invited to participate in its use of the App and who have accepted this invitation. CHOCO does not allow the Buyer or the Supplier to view the List (as defined in section 4.5) of all Suppliers / Buyers using the App or to compare their characteristics.
4.4 The App includes an optional feature that enables Buyers to voluntarily include the estimated price for products (the "My Price Feature"). The My Price Feature enables Buyers to calculate the estimated cost of their order via the App. The Company acknowledges that CHOCO does not control or alter the information transmitted via the My Price Feature (the "My Price Feature Information"), and they may change from time to time subject to the specific information that Gastronome may voluntarily insert therein. By using the App and submitting the My Price Feature Information, each Gastronome and Supplier agrees to the use of My Price Feature via the App. The My Price Feature Information cannot be seen by any other than the Buyer to which the My Price Feature Information relates. Please note that we cannot accept any responsibility for the content of the data that you voluntarily upload to the App, therefore, you are fully liable for any shared information on the App which may infringe any applicable laws and/or any third parties right.
4.5 In order to facilitate the placing of the order, the Buyer shall also have the option of entering lists of the products that it usually orders from the relevant Supplier (hereinafter "Lists") or to ask CHOCO to enter them on the basis of the documents provided by the Buyer. By selecting a List, the Buyer only needs to specify the desired quantities in order to place an order with the relevant Supplier.
4.6 To use the functionality set out in section 4.5 above: (a) the Buyer shall provide CHOCO with the contact details of its suppliers and the desired Lists; and (b) upon receipt of the information at section 4.6(a), CHOCO may set up the Account with the contact details of the Suppliers and the Lists requested by the Buyer.
4.7 The content on the App that CHOCO provides is provided for general information only. It is not intended to amount to advice on which the Company should rely. Although CHOCO makes reasonable efforts to update the information it provides on the App, it makes no promises and provide no assurances that that content on the App is accurate, complete or up to date.
4.8 The App may encompass functionalities that are powered by artificial intelligence (the “AI”). Company will retain ownership over the input it provides and the output generated by AI based on the input. Choco does not guarantee the accuracy, completeness and reliability of the output generated by AI and, to the extent permitted by law, disclaims all warranties and liability for such output. To the extent such full exclusion of liability is not enforceable, Choco’s (including its legal representatives’, employees’, agents’ and subcontractors’) aggregate liability shall be limited to £100 (one hundred pounds). Output generated by AI may not be unique to Company and it does not represent Choco’s views. Company undertakes to comply with the fair use policies of Choco’s third party service providers when using AI-powered functionalities. In the event of a conflict between this section and the rest of the GTCs, this section shall take precedence.
5. Suspension / withdrawal of the App
5.1 CHOCO does not guarantee that the App, or any content, will always be available or be uninterrupted. CHOCO may suspend or withdraw or restrict the availability of all or any part of the App for business and operational reasons. CHOCO will use reasonable endeavours to give the Company reasonable notice of any suspension or withdrawal (via the App or otherwise).
5.2 CHOCO reserves the right to offer other additional functionality in the App that it deems appropriate, in a form and according to the functionalities and technical means that it deems most suitable for the relevant functionality. CHOCO also reserves the right to modify the App (or any functionality of the App) or to remove certain functionality or other information to which a Company has access (such as a Supplier's product list).
6. Free service
6.1 CHOCO shall not charge the Buyer any commission or other costs for the provision of access to the App. CHOCO may charge the Supplier a fee for the provision of access to the App and such fee will be highlighted to the Supplier during the registration process.
6.2 The contract for the use of the App shall run for an indefinite period.
6.3 The Company may terminate the contract on the use of the Services at any time with 7 days' notice by sending a corresponding message by e-mail to CHOCO at the contact details stated at the beginning of these General Terms and Conditions. The termination shall result in the automatic deletion of the Company Account.
6.4 CHOCO may terminate the contract properly and close a Company's Account for any reason, subject to at least 30 days' notice.
6.5 In addition, the contract may also be terminated in writing by CHOCO without notice for good cause. Good cause entitling CHOCO to terminate the contract shall be deemed to exist in particular if the Company has breached Sections 2, 7, 10, 13 or 14 of these General Terms and Conditions and has not remedied this breach within seven days of receipt of a notification in text form by e-mail.
6.6 In any case, CHOCO also reserves the right to close and delete an Account that has remained inactive for a continuous period of six months.
7. Duties of the Company
Without prejudice to the other obligations provided for herein, the Company, the Buyer and/or the Supplier shall comply with the following obligations (as applicable):
7.1 The Buyer undertakes to ensure that orders sent via the App are accurate, true and correct.
7.2 The Supplier undertakes to respond to and fulfil orders placed via the App under the same conditions as other orders received outside the App.
7.3 The Company shall comply with applicable laws and regulations when using the App and shall not violate the rights of third parties or public order.
7.4 The Company shall be solely responsible for proper compliance with any legal requirements, in particular of an administrative, fiscal and/or labour nature, as well as for any payment of taxes or duties of any kind that may be incumbent upon it in connection with its use of the App. CHOCO shall not be held liable in this respect under any circumstances.
7.5 The Company acknowledges that it is aware of the limitations, particularly of a technical nature, of the App.
7.6 The Company undertakes to observe reasonable rules of politeness, courtesy and decency in its exchanges with other Companies.
7.7 The Company shall provide CHOCO with all necessary information and actively cooperate with CHOCO with regard to its use of the App and the proper performance of its obligations under these GTC.
7.8 The Company warrants, represents and undertakes that it is authorised to transmit through the App any content or information (commercial, editorial, graphics, audios, audiovisual or other, including the name and/or image that the Company or a User may have chosen to identify him/her within the App, the names of the Buyer and Suppliers and/or their contact details and the Lists of products) that it uses within the framework of the App and, in particular, within the framework of its exchanges with other Companies or that it transmits to CHOCO via the App (hereinafter "Content" and/or "Information").
7.9 The Company grants CHOCO the right to reproduce, display, disclose and use the Content and to perform all necessary acts on the Content for the purposes of operating the App and providing the services. In particular, CHOCO shall be entitled to collect and use the Content about the Company's use of the App for internal research, security, analytics and reporting purposes and for developing and improving its services. CHOCO shall retain all rights in the aggregated information derived from such practices and may use it at its own discretion during and after the term of these GTCs without being subject to any limitations (such as for distributing insights and reports), to the extent it does not identify the Company, its Users or any person. Choco may sublicense the rights granted herein to its subcontractors for the purposes of these GTCs. The Company warrants, represents and undertakes that it has all the necessary rights required to enable the use, reproduction and dissemination of this Content and Information by CHOCO.
7.10 The Company further undertakes to ensure that the said Content or Information is lawful, not contrary to public order, morality or the rights of third parties, whether intellectual property rights or equivalent, personal rights, trade secrets or confidential information, that it is not in breach of any legal or regulatory provisions and, more generally, that it is in no way likely to give rise to any liability on the part of CHOCO.
7.11 The Company shall only transmit Content and/or Information that is appropriate to the purpose of the App and, in particular, shall not transmit the following Content and/or Information through the App (including, for the avoidance of doubt, via the My Price Feature): (a) Content that is not reasonably related to the ordering or execution of contracts between Buyer and Supplier (such as political or religious Content); (b) Content that is pornographic, obscene, indecent, shocking or unsuitable for a family audience, defamatory, offensive, violent, racist, xenophobic or revisionist; (c) unlawful Content; (d) Content that violates personal rights; (e) Information that breaches a confidentiality agreement or discloses a trade secret without permission; (f) Content that is false or misleading or promotes illegal, fraudulent or deceptive activities; (g) Content that is harmful to computer systems (such as viruses, worms, Trojan horses, etc.); and (h) in general, any Content that in any way and in any form infringes the rights of third parties or may harm third parties.
7.12 In order to use the App, the Company must be connected to the internet. The Company is solely responsible for the internet connection, and the Company acknowledges that the quality of the App is directly dependent on this.
7.13 The App is subject to continuous development. CHOCO shall inform the Company of any new version or any change to an existing version. The Company acknowledges and accepts that the use of the App requires the use of the latest versions of the App.
7.14 In order to improve and promote the App, CHOCO has the right to get in touch with each User of the App without prior notice to or approval by the Company. This may include the participation of a User in referral programs, sweepstakes and similar promotional activities.
8. Limitation on liability
8.1 CHOCO: (a) does not warrant that: (i) that the App will meet the Company's requirements; or. (ii) the App will be free from viruses or malicious software. (b) is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Company acknowledges that the App may be subject to limitations, delays and other problems inherent in the use of such communications facilities.
8.2 The Company acknowledges and agrees that: (a) the App is provided on an "as is" basis; (b) CHOCO assumes no liability or responsibility whatsoever in connection with any products purchased and sold via the App or the contract or relationship between the Supplier and the Buyer, in particular, the Company acknowledges that: (i) CHOCO has no responsibility for the communications between businesses in the App and CHOCO does not moderate, select, routinely review, or control such communications, and acts only as a hosting provider for such communications; (ii) orders for products placed via the App are between the Buyer and the Supplier and CHOCO does not check the orders and is not a party to the contract between the Buyer and the Supplier; (iii) CHOCO does not control the pricing, payment or delivery of the products, which are agreed directly between the Supplier and the Buyer; (iv) CHOCO shall not be a party to disputes of any kind between the Buyer and the Supplier, including in relation to the terms and delivery times for products, warranties or guarantees, payment deadlines or payment obligations and other obligations of any kind entered into between the two parties; (v) CHOCO does not carry out any due diligence on the Supplier or Buyer; (vi) CHOCO does not carry out, and cannot be held liable for, any verification of the quality or characteristics of the products listed, their compliance with applicable laws and regulations, their storage or delivery conditions, or the financial capacity and solvency of the Buyer or Supplier; and. (vii) the App provides an additional, non-exclusive solution for communication and order placement between Buyer and Supplier and that this solution is not a substitute for other means that the Company might otherwise use to achieve the same objective; and. (c) all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from these GTC.
8.3 Nothing in these GTC shall limit or exclude either party's liability for: (a) death or personal injury caused by its negligence, or the negligence of its personnel, agents or subcontractors; (b) fraud or fraudulent misrepresentation; and (c) any other liability which cannot be limited or excluded by applicable law.
8.4 Subject to clause 8.3, the maximum aggregate liability of CHOCO arising out of or in connection with these GTC (whether such liability arises in contract, tort (including negligence), misrepresentation, breach of any duty (including strict liability) or otherwise shall be limited to the greater of (i) £100 and (ii) the amount of any fees CHOCO has received from the Company in relation to the provision of access to the App.
8.5 Subject to clause 8.3, CHOCO shall be liable to the other (whether such liability arises on contract or tort (including negligence) for misrepresentation, breach of any duty (including strict liability) or otherwise) for any of the following: (a) indirect or consequential loss or damage; (b) loss of profits; or (c) loss or depletion of goodwill.
9. Indemnification
9.1 The Company shall indemnify and keep indemnified CHOCO against all claims, demands, actions, proceedings, losses, actions, proceedings, fines, penalties, awards, liabilities, damages, compensation, settlements, charges and expenses/costs (including legal costs) suffered by CHOCO or any of its group companies as a result of or in connection with any claim from a third party in relation to the Company's use of the App.
10. Prohibited Conduct
10.1 The Company shall not use the App for the following purposes: (a) to engage in any activity that is illegal, fraudulent or prejudicial to the rights or safety of others; (b) to interfere with public order or to violate applicable laws and regulations; (c) to intrude into a third party's computer system or for any other activity designed to control, interfere with or intercept any Content or breach the integrity or security of all or part of a third party's computer system; (d) for sending unsolicited e-mails and/or sending commercial solicitation or advertising messages; (e) for manipulations aimed at improving the ranking of a third party's website; (f) for disseminating information or links referring to a third party's website; (g) for aiding or abetting in any way, shape or form one or more of the acts and activities described above; and. (h) generally for any activity using the App for purposes other than those for which it was designed.
10.2 The Company shall not (i) engage in any conduct that is likely to interrupt, suspend, slow down or prevent the continuous use of the App by any of CHOCO's customers, (ii) intrude or attempt to intrude into CHOCO's systems, (iii) engage in any improper use of the App's system resources, (iv) engage in any action that is likely to place a disproportionate load on the infrastructure of the App, (v) breach CHOCO or the App's security and authentication measures, or (vi) engage in any act likely to damage the financial, commercial or moral rights and interests of CHOCO, its customers or of the Users of the App.
10.3 The Company shall not monetise, sell or give access to all or part of the App and the information hosted and/or shared on it to third parties.
11. Measures in the event of non-compliance
11.1 In the event of non-compliance by a Company with any of the provisions of these General Terms and Conditions or, more generally, a breach of applicable laws and regulations, without prejudice to its other rights or remedies, CHOCO reserves the right to: (a) suspend or block access to the App of the Company or User who committed or participated in the breach; (b) remove Content posted on the App; (c) publish through the App such information notices as CHOCO deems necessary; (d) notify governmental agencies and authorities; and/or. (e) take legal action of any kind.
11.2 Other users may submit complaints about the Content or Choco may monitor the Content at its own discretion. Choco may, without prior notice, remove or disable access to any Content (i) if it violates the GTCs including Choco policies made available to Company, (ii) if it constitutes illegal content such as illegal hate speech, terrorist content, unlawful discriminatory content, or any content that the applicable laws render illegal or (iii) if it is likely to give rise to complaints by third parties or other Choco customers. Due account of the fundamental rights and freedoms and legitimate interests of all parties involved will be taken when making decisions about removal of the Content and will inform the involved users about the decision, including the reasons about why the complaint is accepted or rejected and available remedies.
12. Intellectual property
12.1 The Company acknowledges and agrees that CHOCO and/or its licensors own all intellectual property rights in the App, and all software, structures, infrastructures, databases and content of any kind (texts, images, graphics, music, logos, trademarks, databases, etc.) used by CHOCO in the context of the App (collectively "CHOCO IPR"). Any unauthorised use without the prior written consent of CHOCO is prohibited. Except as expressly stated herein, these GTC do not grant the Company any rights or licences in respect of the CHOCO IPR.
12.2 The Company is not entitled to reproduce and/or decompile the App in whole or in part.
12.3 The Company expressly authorises CHOCO to use the reproduction of its brand name or logo in the App, in particular to enable a Supplier to designate the brand name or logo on its Product List.
13. Confidentiality
13.1 Each party undertakes to keep strictly confidential the documents, data and Information of the other party which are confidential in nature ("Confidential Information").
13.2 The party receiving Confidential Information undertakes not to disclose it without the prior consent of the other party for a period of five years from the end of the performance of the Services concerned. It may only disclose it to employees, trainees, vicarious agents or consultants if they are subject to professional secrecy or if obligations corresponding to the confidentiality obligations of these General Terms and Conditions have been imposed on them beforehand. Furthermore, the parties shall only disclose the Confidential Information to those employees who need to know it for the performance of this contract and shall also oblige these employees to maintain confidentiality to the extent permitted by labour law for the time after their departure.
13.3 This obligation does not extend to Confidential Information: (a) which was already known to the receiving party or thereafter becomes known to it from a third party without breach of any confidentiality agreement, legal requirements or governmental orders; (b) which are already public at the time of their disclosure or which become public without breach of these conditions; which are required to be disclosed by law or by order of a court or governmental authority (c) disclosed upon the disclosing party's prior consent. To the extent permissible and possible, the recipient obliged to disclose shall notify the other party in advance and give it the opportunity to oppose the disclosure.
13.4 With respect to the personal data that Choco processes on behalf of Buyer for the provision of the Services, the Parties enter into a Data Processing Agreement available here ("DPA") and which is incorporated by reference into these GTC.
14. Publicity
14.1 The Company expressly authorises CHOCO to name it as a reference client and, where appropriate, to use its name, brand or logo for commercial references, including but not limited to at events, in its corporate or promotional materials, in articles, on its website and App, and on professional social networks such as LinkedIn, in any form whatsoever.
15. Amendments
15.1 CHOCO may amend these General Terms and Conditions at any time. CHOCO may notify the Company of any amendments to these General Terms and Conditions, either via e-mail or through an in-app notification. Any such amendments to these GTC shall be deemed to have been accepted by the Company if the Company continues to use the App.
16. General Provisions
16.1 In these GTC, unless the context otherwise requires the words "includes" or "including" shall be construed as illustrative only and shall not limit the generality of the preceding words.
16.2 CHOCO shall have no liability to the Company if it is prevented from or delayed in performing its obligations under these GTC, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including strikes, lock-outs or other industrial disputes (whether involving the workforce of CHOCO or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or sub-contractors.
16.3 No failure or delay by a party to exercise any right or remedy provided under these GTC or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
16.4 Except as expressly provided in these GTC, the rights and remedies provided under these GTCs are in addition to, and not exclusive of, any rights or remedies provided by law.
16.5 If any provision or part-provision of these GTC is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of these GTC.
16.6 These GTC, including the DPA, constitute the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter. Each party acknowledges that in entering into these GTC it does not rely on any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in these GTC. Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in these GTC.
16.7 The Company shall not, without the prior written consent of CHOCO, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under these GTC. CHOCO may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under these GTC.
16.8 Nothing in these GTC is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
16.9 These GTC do not confer any rights on any person or party (other than the parties to these GTC and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999 or otherwise.
17. Governing law & Jurisdiction
17.1 These GTC and any dispute or claim arising out of or in connection with them or their subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.
17.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with these GTC or their subject matter or formation (including non-contractual disputes or claims).
Data Processing Agreement
Preamble
This Data Processing Agreement ("DPA") specifies the data protection obligations and rights of the Parties in connection with the personal data processed by Choco as a processor on behalf of Buyer when providing the services (“Services”) as per the terms and conditions for the use of the App (“GTC”).
For the purposes of this DPA "Data Protection Laws" means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of personal data, including: (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018; (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time; and the terms "data subject", "processing", "processor" and "controller" shall have the meanings set out in the Data Protection Laws. “Personal Data” has the meaning set out in Data Protection Laws, but is limited to personal data processed by Choco acting as a processor on behalf of Buyer under the GTCs as further described in Annex 1. Other defined terms shall have the meanings ascribed to them in the GTCs.
1. Subject and Scope of the Assignment
1.1 Choco shall process the Personal Data which Buyer has provided directly or indirectly for the provision of the Services exclusively on behalf of, and in accordance with, the instructions of Buyer, unless it is otherwise required by the applicable law. In such a case, Choco shall notify Buyer of such legal requirements prior to the processing, unless the relevant law prohibits such notification.
1.2 The processing of Personal Data by Choco on behalf of Buyer is specified in Annex 1 to this DPA. Buyer warrants and represents that it has obtained all necessary consents and complied with all obligations required by Data Protection Laws for transferring or otherwise making available any Personal Data to Choco under these GTCs.
1.3 Buyer may issue further instructions regarding the scope of processing of Personal Data. If Choco is of the opinion that a Buyer instruction violates this DPA or Data Protection Laws, then it shall without undue delay inform Buyer thereof in writing. Choco shall be entitled to suspend the execution of such instruction until Buyer confirms it in writing. If Buyer insists on the execution of an instruction despite the concerns raised by Choco, then Buyer shall indemnify Choco against all damages and costs that it incurred due to the execution of the Buyer's instruction. Choco shall inform Buyer of any damages asserted against it and any costs incurred by it and shall not acknowledge any claims of third parties without Buyer’s consent and shall, at Choco’s option, conduct the defense in consultation with Buyer or leave it to Buyer.
2. Requirements of Personnel
Choco shall ensure that all persons who are authorized to have access to the Personal Data are under a contractual obligation to maintain confidentiality or are under an appropriate statutory obligation of confidentiality when processing the Personal Data.
3. Processing Security
3.1 Choco shall implement and maintain throughout the term of the GTCs appropriate technical and organizational measures ("TOM") a specified in Annex 2 to ensure a level of protection of the Personal Data commensurate to the risk, taking into account the state of the art, the cost of implementation and, to the extent known to Choco, the nature, scope, circumstances and purposes of the processing of the Personal Data and the varying likelihood and severity of the risk to the rights and freedoms of the data subjects. Choco shall regularly assess the effectiveness of the TOM and implement alternative measures if necessary for ensuring appropriate level of security.
3.2 It shall be incumbent upon Buyer to review the TOM taken by Choco, particularly to review whether these measures are also sufficient with regard to circumstances of the data processing that are not known to Choco.
4. Use of Sub-Processors and Data Transfers
4.1 Buyer generally authorizes Choco to make use of services of sub-processors when processing the Personal Data. The current sub-processors engaged by Choco are listed in Annex 3. Choco will impose on any sub-processor substantially similar data protection obligations which are no less protective than the ones set out under this DPA and will remain liable towards Buyer for its sub-processors’ performance under this DPA to the extent Choco will be liable for its own performance.
4.2 Choco will update the list of sub-processors in Annex 3 before authorizing a new sub-processor to process Personal Data on behalf of Buyer and send a notice of that update. If Buyer wants to receive these updates, it shall sign up to the notification mechanism available in Annex 3. If Buyer does not object within 14 days following Choco’s notification by sending an email to legal@choco.com, then the engagement shall be deemed approved.
4.3 If Buyer objects, Choco shall be entitled, at its choice, to either provide its Services without using the rejected additional sub-processor or to terminate the GTCs.
4.4 Buyer authorizes Choco, its affiliates and its sub-processors to transfer, access or process the Personal Data outside the UK or the European Economic Area ("EEA"), provided that the requirements of transfer or engagement under Data Protection Laws are met.
5. Rights of the Data Subjects
5.1 Taking into account the nature of the processing of the Personal Data, Choco shall assist Buyer with appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Buyer’s obligation to respond to requests for exercising the data subject’s rights laid down in the Data Protection Laws.
5.2 Choco shall in particular:
inform Buyer without undue delay if a data subject contacts Choco directly with a request to exercise his/her rights;
provide Buyer upon Buyer's request with all information available to Choco regarding the processing of the Personal Data that Buyer needs to respond to the request of a data subject and that Buyer does not have itself;
correct, delete or restrict the processing of the Personal Data without undue delay upon the instruction of Buyer, unless Buyer is able to do so itself and it is technically possible for Choco to do so;
support Buyer to the extent necessary to receive the Personal Data processed in Choco’s sphere of responsibility - insofar as this is technically possible for Choco - in a structured, common and machine-readable format, insofar as a data subject asserts a right to data portability.
6. Support Obligations
6.1 Choco shall notify Buyer without undue delay after becoming aware of a breach of Personal Data. The notification shall include a description, if possible, of the nature of the breach; the categories and approximate number of data subjects affected by the breach; the probable consequences of the breach; of the measures taken or proposed by Choco to remedy the breach of the protection of the Personal Data and, if applicable, measures to mitigate its possible adverse effects.
6.2 Choco shall investigate the cause of the breach and, where appropriate, take reasonable measures to mitigate its possible adverse effects.
6.3 If Buyer is obligated to inform the supervisory authorities and/or data subjects about the personal data breach, Choco shall assist the Buyer with complying with this obligation, taking into account the nature of processing and the information available to Choco. Any additional costs incurred by Choco in this context, which exceed statutory processor obligations under the applicable law, will be borne by Buyer.
6.4 Choco shall notify Buyer of any subpoena or other judicial or administrative order, process or proceeding seeking access to, or disclosure of, the Personal Data insofar as such notification is not prohibited by law. If Buyer is obliged to provide information to a supervisory authority regarding the processing of the Personal Data or to otherwise cooperate with such authorities, Choco shall support Buyer in providing such information insofar as Buyer does not have the information itself and reasonably cooperate with Buyer and with supervisory authorities, including granting the competent supervisory authority the necessary rights of access, information and inspection.
6.5 Choco shall provide reasonable assistance to Buyer regarding Buyer’s compliance with its obligations related to security of processing, data protection impact assessments and prior consultations with the supervisory authorities in each case taking into account the nature of the processing and information available to Choco. Any additional costs incurred by Choco in this context, exceeding the foreseen statutory processor obligations under the applicable law, will be borne by Buyer.
7. Data Deletion and Return
7.1 Upon termination of the GTCs and written request from Buyer, Choco will either delete or return Personal Data, unless Choco is obliged to continue storing the Personal Data under applicable law.
7.2 Some Personal Data may be archived in our back-up systems and such archived Personal Data will be deleted in accordance with Choco’s retention policy. Any Personal Data archived in backups will be isolated and protected from any further processing. For the period that the data is stored after the termination of the GTCs, the rights and obligations of the Parties under this DPA shall continue to apply.
8. Verifications and Audits
8.1 Choco shall keep records of its processing activities performed on behalf of Buyer and upon request, make available to Buyer these records or any other information necessary to demonstrate compliance with statutory processor obligations set out under the Data Protection Laws.
8.2 Choco shall allow for and contribute to audits, including on-site inspections, by Buyer or an auditor mandated by Buyer in relation to the processing of the Personal Data. The audits and on-site inspections should, as far as possible, not hinder Choco in its normal business operations and should not place an undue burden on Choco. In particular, on-site inspections at Choco for no specific reason should not take place more than once per calendar year and only during Choco’s normal business hours. Buyer shall notify Choco of inspections in written or text form at least 30 (thirty) days in advance, providing Choco with information about the scope, duration, and inspection plan. Buyer and Choco shall cooperate in good faith and mutually agree on the scope, duration, and start date of the inspection. Any costs incurred by Choco for any on-site inspections which are not clearly disproportionate or excessive, will be borne by the Buyer. The auditor mandated by Buyer shall be an independent contractor which does not compete with Choco and such auditor shall enter into a non-disclosure agreement with Choco.
9. Miscellaneous
9.1 Each Party’s and their affiliates’ liability taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the GTCs.
9.2 This DPA, including its annexes, constitutes an integral part of the GTCs between Choco and Buyer. If there are any inconsistencies between this DPA and the provisions of the GTCs, the provisions of this DPA shall take precedence.
9.3 Amendments and side agreements to any parts of this DPA must be made in writing. This rule also applies to this written form requirement itself. The governing law and jurisdiction under the GTCs shall apply accordingly for any parts of this DPA.
Annex 1 - Description of Personal Data Processing
Purpose of data processing | Provision of App and associated services |
Nature and scope of data processing | Collection, processing, storage and transfer of Personal Data as necessary for:
|
Type of data |
|
Categories of data subjects |
|
Duration of processing | For the duration of the GTCs as further set out in Section 7 of DPA |
Annex 2 - Technical and Organizational Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, Choco shall, in its capacity as data processor, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, but not limited to, the following:
1 Confidentiality
1.1 Physical access control
Choco shall take appropriate measures to reduce the risk of unauthorized persons gaining access to data processing systems with which Buyer’s personal data are processed and used.
Technical measures:
- Automatic access control systems, control of access by gatekeeper services and alarm systems
- Lockable server cabinets
- key regulation, service directives stipulating that service rooms are to be locked when employees are absent
1.2 System access control
Choco shall take appropriate measures to prevent data processing systems (computers) from being used by unauthorized persons. For this purpose, Choco shall take the following precautions:
Technical measures:
- Login with username + password
- Smartphone encryption
- Encryption of company laptops
- Remote laptop management
- Deployment of anti-virus software for laptops and systems
Organizational measures:
- Manage user permissions
- Create user profiles
- Policies on use of Company Hardware
- General policy on data protection and / or security
1.3 Data access control
Choco shall take appropriate measures to ensure that the persons authorized to use the data processing systems can only access the personal data subject to their access authorization and that the Personal Data of Buyer cannot be read, copied, modified or removed without authorization during processing, use and after storage. For this purpose, Choco shall take the following precautions:
Technical measures:
- Erasure of data carriers on laptops before reuse.
- Logging of access to important documents, especially when entering, changing and deleting data.
- File shredder (min. level 3, cross cut)
Organizational measures:
- Creating an authorization concept
- Management of rights by system administrator
- Reduction in the number of administrators
- Closed area for sensitive documents
1.4 Separation control
Choco shall take appropriate measures to ensure that the Personal Data of Buyer collected for different purposes can be processed separately. For this purpose, Choco shall take the following precautions:
Technical measures:
- Separate storage on different software
- Software-based customer separation
Organizational measures:
- Creation of an authorization concept
- Determination of database rights
2 Integrity
2.1 Transmission control
Choco shall take reasonable measures to reduce the risk that the Personal Data of Buyer can be read, copied, modified or removed without authorization during electronic transmission or during their transport or storage on data carriers. To this end, Choco shall take the following precautions:
Technical measures:
- Email encryption
- Logging of accesses and retrievals of important documents and data
- Provision via encrypted connections such as sftp, https
2.2 Data input control
Choco shall take appropriate measures to ensure that it is possible to check and determine retrospectively whether and by whom personal data of the customer have been entered into data processing systems, changed or removed. For this purpose, Choco shall take the following precautions:
Technical measures:
- Possibility of technical logging of the entry, modification and deletion of personal data.
Organizational measures:
- Traceability of entry, modification, and deletion of personal data through individual user names.
- Retention of forms from which personal data have been transferred to automated processing operations.
- Assignment of rights to enter, change, and delete personal data on the basis of an authorization concept.
3 Availability and resilience
3.1 Availability control
Choco shall take reasonable measures to ensure that the Personal Data of Buyer is protected against accidental destruction or loss. For this purpose, Choco shall take the following precautions:
Technical measures:
- Fire and smoke detection systems
- Careful selection of the hosting service provider
Organizational measures:
- Regular control of the hosting service provider
4 Procedures for regular review, assessment and evaluation.
Choco shall implement procedures for regular review, assessment and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.
4.1 Data protection management
Organizational measures:
- Central documentation of all procedures, regulations and guidelines on data protection with access for employees as required / authorized
- A review of the effectiveness of the technical protective measures is carried out regularly
- Employees trained and committed to confidentiality
- Raising employee awareness through training
4.2 Incident response management
Organizational measures:
- Documentation of security incidents and data breaches
- Regulation of responsibilities for the follow-up of security incidents and data breaches
- Security breach response support.
- Formalized process for handling requests for information from data subjects is in place.
Annex 3 - Subprocessor List
You may find the list of sub-processors and the notification mechanism for new sub-processors at https://legal.choco.com/buyer-subprocessors.
Privacy Policy for the App
Choco offers a mobile application and web-based tool (collectively, the “App") designed to facilitate communication and order management between commercial buyers in the food sector such as restaurants (“Buyers") and their suppliers (“Suppliers"). This Privacy Policy describes how Choco Communications UK Ltd, a company incorporated in England and Wales whose registered office is at 6th Floor, One London Wall, London, EC2Y 5EB, and Choco Communications GmbH, whose registered office is at Wrangelstraße 100, 10997 Berlin, Germany, both of which may be contacted by email at legal@choco.com, (collectively, "Choco," "we," "us") collect, use, process and share personal data in connection with the use of the App as joint controllers.
The laws applicable to processing of personal data are namely (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018 ("DPA"); (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time. The terms "data subject", "personal data", "processing", "processor" and "controller" shall have the meanings set out in the DPA.
Scope of Application
Choco provides the App and associated services to its Buyer and Supplier customers (collectively, “Customers"). The data subjects within the meaning of UK GDPR may only utilize the App or benefit from Choco’s services as the end users of these Customers (“User(s)” or “You”). When providing the App and services to our Customers, Choco processes your personal data as a processor on behalf of the relevant Customer in line with their instructions. For instance, when you send an order to a Supplier on behalf of a Buyer, we process your data on behalf of the relevant Buyer. Our Customers are responsible for complying with the privacy obligations such as informing you about use of your personal data in relation to the processing activities we perform on their behalf. Please refer to the privacy policies of the respective Customers for more information. This Privacy Policy applies exclusively to scenarios where we act as a data controller in processing the Users’ personal data.
A. Information we collect
1. Information provided by you
Account information
When creating an account, you will be asked to provide mandatory information, such as your first and last name, email address, phone number and company name. If you don’t provide this information, you will not be able to create an account to use the App. You may provide additional information in your profile, such as a profile picture and your title in the company.
Communications with Choco
You may communicate with us for different reasons. You may fill out a contact form, contact our customer support, complete a survey, participate in a user interview or interact with us in any other way. We may keep a record of these communications including any information provided during such interactions. These communications may be processed for different purposes as further described in Section B “How do we use your information”.
Transaction data
We receive transaction data when you carry out actions on our App, such as the date and time of the orders you place on behalf of a Customer, items you added to team orders or delivery checks you carry out. We mainly use transaction data to provide the functionalities of our App to our Customers.
Other information submitted by you
When using the App, you may enter, manage and edit various information. This information includes, in particular, your communications with other Users and other information you upload to the App, such as images. We use this information to provide the functionalities of our App to our Customers as a processor.
In some cases you may be asked for your specific permission before we access your information.
- Camera access: You may enable camera access to be able to upload pictures to the App directly from your phone. For this, we need your permission to access your camera and media content saved in your camera roll. This access is not mandatory for using the App, but it may make your communications and ordering process easier. This access is based on your consent, as per Article Article 6.1 (a) of UK GDPR, which you can withdraw at any time, in accordance with Article 7.3 of UK GDPR.
- Contact list access: You also have the option of adding team members to your account by adding their contact information manually or directly from the contact list on your phone. For the second option, we need your permission to access your contact list. This access is not mandatory for using the App. If you give permission, we will access the names and phone numbers in your contact list and display them to you. We’ll also check if any of your contacts are already using Choco and display this information as well. We will continue accessing your contact list until you withdraw your permission. We do not store your contact lists on our servers. We only store the information (name and phone number) of your contacts who are already Choco users and the ones that you have invited to use Choco. If you’re a Buyer User, you can also add the contact details of your Supplier’s sales representative. The same terms above apply in that case. The access and the described processing is based on your consent, as per Article Article 6.1 (a) of UK GDPR, which you can withdraw at any time, in accordance with Article 7.3 of UK GDPR.
- Microphone access: voice ordering feature allows you to place orders by recording them directly on your phone. To enable this feature, we need your permission to access your phone’s microphone. This access is optional and not required to use the App. If you grant permission, we’ll only access the microphone while you are actively recording an order. This access is based on your consent, as per Article Article 6.1 (a) of UK GDPR, which you can withdraw at any time, in accordance with Article 7.3 of UK GDPR.
- Location access: If you’re using the App as a sales representative, you may view your leads and customers on a map within the App. The map is provided via Google Maps API and Google Privacy Policy applies to use of the maps feature. To be able to display the relevant results near you, we need access to your location. This access is optional and not required to use the App. If you grant permission, we’ll only access your location while you’re using the App. This access is based on your consent, as per Article Article 6.1 (a) of UK GDPR, which you can withdraw at any time, in accordance with Article 7.3 of UK GDPR.
2. Information collected automatically
Device and Connection Data
When you visit our App, the App automatically collects certain information from your device, such as the operating system version, device type and manufacturer, access times, your IP address, your mobile carrier, configurations, browser type, information on Internet connection and including general location based on your IP address.
Usage Data
We use automated data collection tools, such as cookies, tracking pixels, and similar tools, to collect information about how you interact with our App and communications/emails. This includes information like User ID, IP address, the pages you visit and the time spent on those pages, the features you use, your commands and other statistical information relating to your use of the App. You may find more information on this in Section C on Cookies and other tracking technologies.
3. Information we collect from other sources
Information provided by other Users and/or Customers
We may obtain your contact information (such as name, business email address, business phone number, your company and title) from other Customers who want to communicate with the organization that you’re part of. We may also obtain your contact information from the Users that are in the same organization as you are and who invite you to use the App. We use this information in our capacity as a processor for our Customers for sending you communications and for onboarding you to the App on their behalf. But it’s the relevant Customer who is responsible for informing you about these activities as the controllers. When you create an account, as the provider of the App, we start processing your data as the controller in accordance with this Privacy Policy as well.
B. How do we use your information
1. To operate the App
We process your personal data for the following purposes:
- Operating, hosting and maintaining the App, including monitoring service performance, troubleshooting and debugging any malfunctions,
- Authenticating Users when they log in,
- Detecting, preventing, and responding to security incidents and to any malicious, deceptive, fraudulent or illegal activity,
- Ensuring safety, integrity and security of our App, our Users, Customers, employees and third parties.
The legal basis for the above listed processing activities is our legitimate interest within the meaning of Article 6.1(f) of UK GDPR in ensuring the functionality and error-free operation of the App and managing the use of our App.
Categories of personal data: account data, communications with Choco, transaction data, other information submitted by you, device and connection data, usage data
2. To manage the relationship with the Customer
We process your personal data for managing relationships with our Customers, such as for billing, account management and enforcing the terms of the agreement between the Customers and Choco.
The legal basis for this processing is our legitimate interest within the meaning of Article 6.1(f) of UK GDPR in managing and maintaining the relationship with our Customers.
Categories of personal data: account data, communications with Choco, transaction data, other information submitted by you, device and connection data, usage data
3. To support your use of the App and to communicate with you
We use your personal data to respond to your questions and requests and to provide you with customer support. We may keep a record of these communications including any information provided during such interactions. We may use this information to improve our customer support processes.
We will also use your personal data to send you technical or legal notices, updates, security messages or other messages concerning the operation of the App or administration of your or the Customer’s account. We use automatically collected information about your interactions with our communications to improve our communications with you. Some of these communications may be sent in the form of push notifications. You may disable push notifications from the settings of your mobile device.
The legal basis for this processing is our legitimate interest within the meaning of Article 6.1(f) of UK GDPR in responding to your requests and informing you about the functioning of the App.
Categories of personal data: account data, communications with Choco, transaction data, other information submitted by you, device and connection data, usage data
4. To improve our Services
In order to improve our App and your user experience, we use tools for the statistical recording and analysis of general usage behavior. We collect information about your in-App activity and engagement with the communications sent via our App. We generate and analyze statistical information about how our App is used. We may analyze and monitor user trends and user behavior, conduct tests for new features and perform troubleshooting activities. Where suitable, we aggregate or de-identify the information.
Legal basis is our legitimate interest in accordance with Art. 6.1 (f) of UK GDPR in improving the functions and performance of our App and ensuring its functionality.
We may contact you to ask you for your opinion about our App, to ask you to participate in user research. Legal basis for contacting you for this purpose is our legitimate interest in improving the functions of our App. Your participation in any user research or survey will be based on your consent. We may also use your communications with us, such as any feedback you may provide for improving our App.
Categories of personal data: account data, communications with Choco, transaction data, other information submitted by you, device and connection data, usage data
5. To comply with legal obligations and defend our rights
We may use your personal data to comply with our legal requirements, such as keeping records of payments for accounting purposes. The legal basis for this processing is Article 6.1(c) of UK GDPR. We may also process your information based on our legitimate interest within the meaning of Article 6.1(f) of UK GDPR in defending our rights.
Categories of personal data: account data, communications with Choco, transaction data, other information submitted by you, device and connection data, usage data, contact data
6. To display ads
We may display you advertisements ("ads") from food manufacturers and other third-party advertisers on our App, which may be relevant to the Buyers on whose behalf you are using the App. These ads are not personalised — as a B2B App we do not engage in personalised or behavioural advertising.
We may collect and use your personal data to display ads and measure ad performance. We may share the ad performance reports with the advertisers. However, these reports will only include aggregated and non-identifiable data, and will never include any personal data.
We do not share your personal data with third parties such as ad networks, social media platforms, ad serving companies, or data brokers under any circumstances. We also do not track you across third party websites or apps.
The legal basis for this processing is our legitimate interest in monetising the App and enhancing the user experience, as well as our Buyer Customers’ legitimate interests in discovering relevant products and offers. You may exercise your right to object to this processing at any time.
Some ads may include links to third party websites. We are not responsible for the privacy practices of those websites.
Categories of personal data: account data, device and connection data, usage data
C. Providing services to our Customers
We process your personal information to provide services and functionalities of our App to our Customers as a processor. We don’t have any control over how Users utilize the App. We only process personal information on their behalf to execute their instructions. For instance, we may process your contact information for delivering you a message from a Supplier or inviting you to use the App on behalf of a Supplier. Customer admins are responsible for managing access to their organization’s account, including the modification of access rights of Users as necessary. For more information, please refer to the privacy policy of our customers.
Categories of personal data: account data, contact information, transaction data, other information submitted by you, usage data
D. Cookies and other tracking technologies
We use tracking technologies such as cookies, pixels and other similar tools to automatically collect information as you use the App or when you interact with communications we send you or communications sent by other Users via the App. The data collected via these tools are described under Section A. 2 on Information Collected Automatically.
Some of these tools collect information from the end device to enable the basic functions of our App. These are called (“Essential tools”) and are for enabling the security and stability of our App, preventing misuse and detecting malicious activity. Without these tools, we could not provide our App. Some of these tools are used for statistical collection and analysis of general user behavior based on access data to understand and research how our users interact with our App to provide, update and improve our App.
E. How we share your information
We may share your personal data with the following categories of recipients.
1. Choco Group
Choco shares infrastructure, systems, and technology with other companies owned or operated by Choco Communications GmbH (“Choco Group”). We may share personal information within Choco Group to be able to provide and improve our services and operate our business. Other companies within Choco Group act as our service providers (processors) in that case and will process your personal data in line with our instructions.
2. Our service providers
We share your personal data with our contracted service providers who assist us in providing, supporting and improving our services and App and who process your personal data on our behalf. These third party service providers include hosting providers, IT tools and services, operational services, CRM and communication tools, cybersecurity services and the tools we use for the statistical recording and analysis of general usage behavior on our App and services. You can find a list of these service providers here.
These service providers are limited (by law and by contract) in their ability to use your personal data. We will ensure that these parties are subject to privacy and security obligations consistent with this Privacy Policy and applicable laws via concluding data processing agreements with them.
3. Competent authorities and legitimate third parties
We are under a duty to disclose your personal data in order to comply with any legal obligation or lawful request by a government or law enforcement authority. Any disclosure of the personal data will be justified by the fact that the processing is necessary to fulfill a legal obligation to which we are subject in accordance with Article 6.1(c) of UK GDPR in the national legal requirements for the disclosure of data to law enforcement authorities and to other supervisory authorities.
We may disclose your personal data to third parties in order to enforce the App’s terms of use or any other agreement we executed with you or our Customers; to protect or defend our rights or the rights of third parties; to prevent any illegal activity or to respond to any legal claims. Any disclosure of the personal data is justified by the fact that we have a legitimate interest within the meaning of Article 6.1(f) of UK GDPR in protecting or defending the rights, property and safety of Choco, our Customers and third parties.
4. Corporate restructuring
In the context of the further development of our business, the structure of our company may change by changing the legal form, founding, acquiring, or transferring subsidiaries, parts of companies or components. We may share your personal data with third parties if we are involved in an actual or proposed merger, acquisition, financing, bankruptcy, sale of all or a portion of our assets or a reorganization. Reasonable and proportionate disclosure of personal data in the permissible scope is justified by the fact that we have a legitimate interest within the meaning of Article 6.1(f) of UK GDPR in adapting our corporate form to the economic and legal circumstances if necessary.
| Besides the categories listed above, we may share your information with other third parties based on your consent or if your consent is legally not required by giving you prior notice. |
5. Information you share with other users
You may share your personal data (such as your name, surname and contact information) with other Users, with whom you have freely decided to communicate and/or to place your orders via the App. Just like any other communication platform, Users who are in the same chat as you may see your contact information, including the Users of the other business in your chat.
F. Data transfer to third countries
Some of the recipients may be located in counties outside of the UK, which do not provide adequate protection according to the competent supervisory authority in your country of residence.
Whenever we transfer personal data to those countries, we will take appropriate measures required by Data Protection Laws. These measures include entering into Standard Contractual Clauses with International Data Transfer Addendum or International Data Transfer Agreement which have been approved by the UK Parliament and impose higher standards on the recipients with respect to protection of personal data. If necessary, we also conduct a transfer impact assessment to make sure that there is no adverse impact on the data subject’s rights.
Where this is not possible, we base the data transfer on exceptions under Art. 49 UK GDPR, in particular your express consent or the necessity of the transfer for the fulfillment of the contract or for the implementation of pre-contractual measures. If a transfer to a third country is planned and there is no adequacy decision or suitable guarantees, it is possible and there is a risk that authorities in the respective third country (e.g. secret services) may gain access to the transferred data in order to collect and analyse it, and that the enforceability of your rights as a data subject cannot be guaranteed. When obtaining your consent via the consent banner, you will also be informed of this.
G. Your rights as a data subject
As a data subject, you have the following rights:
- Right to access the personal data we hold about you,
- Right to rectify the personal data we hold about you,
- Right to request deletion of your personal data under certain circumstances specified in the Data Protection Laws Art.17 of UK GDPR,
- Right to restrict processing of your personal data under certain circumstances specified in the Article 18 of UK GDPR,
- Right to object to processing in case the processing is based on our legitimate interests,
- Right to transfer your information to a third-party (right to data portability);
- Right not to be subject to a decision based solely on automated processing; and
- Right to withdraw your consent in case the data processing is based on your consent.
Please note that the existence of the right to withdraw your consent does not affect the lawfulness of processing before your withdrawal.
Your requests for the assertion of data protection rights and our answers to them will be kept for documentation purposes for a period of up to three (3) years and, in individual cases, for longer periods for the establishment, exercise or defense of legal claims in accordance with Article 6.1(f) of UK GDPR, which is based on our legitimate interest in defending Choco against any claims and the avoidance of fines.
If you have any questions, comments or complaints about our handling of your personal data, or if you wish to exercise your data subject rights, please contact the Choco Legal Team using the following contact details: legal@choco.com.
As a data subject you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the UK GDPR. The data protection authority responsible for Choco's processing of personal data in the UK is the Information Commissioner's Office, on this link.
If you wish to exercise your rights in relation to personal information that Choco processes as a processor on behalf of its Customers, please direct your request to the relevant Customer.
H. Data Protection Officer and contact details
You are welcome to direct your data protection concerns to our Data Protection Officer by sending an email to the above-mentioned email address. Please note that emails to the above email address will not solely be received by our Data Protection Officer as this is a generic email for the Choco Legal Team. If you solely wish to contact our Data Protection Officer and/or if you wish to send confidential information, please refer to the Data Protection Officer in the subject line or body of your email and please ask for them to contact you directly to further discuss your data protection concerns. You can also reach out to the Data Protection Officer by using the above postal address of the data controllers (keyword: "To the attention of Data Protection Officer").
You can also reach out to the Data Protection Officer by using the below postal address (keyword: "To the attention of Choco’s Data Protection Officer"): ISiCO Datenschutz GmbH, Am Hamburger Bahnhof 4, 10557 Berlin.
I. Information on the Joint Controllership
Choco Communications GmbH and Choco Communications UK Ltd jointly determine the purposes and means of processing. Choco Communications GmbH will be your point of contact when you want to exercise your rights described under section E. Please contact legal@choco.com if you want more information about the essence of such agreement between the parties.
J. Storage duration
We keep the personal data we process as a controller as long as necessary to fulfill the purposes for which we processed it. After that we either delete or anonymize your data unless we are legally required to keep it for a longer period of time, or unless they are necessary for establishment, exercise or defense of legal claims. In those cases, we’ll delete such personal data after the expiration of the legal periods.
K. Security
We implement various technical, administrative and organizational measures to protect your personal data against unauthorized access and unlawful processing, alteration or destruction.
L. Hyperlink
Our App may contain hyperlinks to third-party websites. If these hyperlinks are activated, you will be redirected from our App directly to the websites of third-party service providers. You can recognize this, amongst other things, by the changing URL. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, nor for their compliance with the UK GDPR, which is beyond our control. Please refer directly to those websites for information about their handling of your personal data.
M. Changes to this Privacy Policy
We always keep this privacy policy up to date. Therefore, we reserve the right to update or change it from time to time and to maintain these changes in the processing of your personal data. We will indicate the date of the most recent update in the beginning of the Privacy Policy.