Privacy Policy
This site is a read-only menu display. It processes as little personal data as technically possible.
Data controller (GDPR Art. 4(7))
Smash Food UG (haftungsbeschränkt), Friedrich-Wilhelm-Straße 64, 47051 Duisburg, Germany — represented by Zakaria Mouslih.
Data we collect
When you visit the site our server processes technically necessary data (IP address, date/time, requested file, user agent). The legal basis is GDPR Art. 6(1)(f) (legitimate interest in operating and securing the site). Logs are deleted as soon as they are no longer required for security purposes.
Hosting
The site is self-hosted on a dedicated server at IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. A data-processing agreement under GDPR Art. 28 is in place.
Fonts
Fonts are served locally from our own server. No connection is made to Google Fonts or any third-party CDN.
Cookies, local storage, tracking, analytics
This site uses a technically necessary local-storage entry (localStorage key "smashfood:cart:v1", max. 24 hours) exclusively to keep your cart during the ordering process. Legal basis: § 25(2)(2) TTDSG (strictly necessary for the user-requested cart service). No tracking cookies, third-party cookies, or analytics tools are used.
Order processing
When you place an online order, we process your name, phone number, email address, and the contents of your order in order to fulfil the contract. Legal basis: GDPR Art. 6(1)(b). Recipients: our self-hosted point-of-sale system (kasse.smashfood.de, hosted at IONOS) and the payment processor (see next section). Retention: 10 years per § 257 HGB / § 147 AO, then deletion.
Payment processing
Online payments are processed by Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Stripe processes the payment data (card details, name, email) as a separate controller for the purposes of payment processing and fraud detection. Legal basis: GDPR Art. 6(1)(b). Stripe routes payments within the EEA; further information at stripe.com/de/privacy. Transfers to third countries are not normally made; where required, they take place on the basis of the EU Standard Contractual Clauses.
Your rights
You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (GDPR Art. 21).
Privacy contact
For privacy requests, please write to the postal address above.
Data Protection Officer
A Data Protection Officer has not been designated because the statutory threshold (§ 38 BDSG: at least 20 persons regularly engaged in the automated processing of personal data) is not met. Please direct privacy requests in writing to the postal address listed under "Data controller".
Right to lodge a complaint
You may complain to the competent supervisory authority: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2-4, 40213 Düsseldorf, Germany.