Privacy Policy

The protection of your personal data is very important to us. In this privacy policy, we inform you in accordance with Art. 13 and Art. 14 of the General Data Protection Regulation (GDPR) about the processing of your personal data when using our website (magicmenu.de), our SaaS platform Mambil, and the associated services. This privacy policy applies to both restaurant operators (B2B customers) who use our platform and end customers (B2C) who view menus, place orders, or make reservations through Mambil.

1. Data Controller

The data controller within the meaning of the GDPR is:

Mambil UG (haftungsbeschränkt)
Zwinglistr. 6
30171 Hannover
Germany

Represented by: Mohammadali Karimi (Managing Director)
Email: datenschutz@mambil.app
Phone: [+49 XXX XXXXXXX]
Website: https://magicmenu.de

The appointment of a data protection officer is currently not legally required.

If you have any questions about data protection, you can contact us at any time at the email address above.

2. Scope and Definitions

This privacy policy applies to the website magicmenu.de, the SaaS platform Mambil, and all associated features and services.

2.1 User Groups

Our platform distinguishes between two user groups:

  • Restaurant operators (B2B customers): Natural or legal persons who register with Mambil, create digital menus, accept online orders, and manage reservations.
  • End customers (B2C users): Guests who view menus via QR codes or the restaurant's website, place orders, make reservations, or process payments.

2.2 Responsibilities

Mambil UG (haftungsbeschränkt) is the data controller for data processing related to the operation of the platform, registration of restaurant operators, subscription billing, and the provision of technical infrastructure. For the processing of end customer personal data within the scope of the customer relationship (e.g., orders, reservations), the respective restaurant operator is generally considered the independent data controller. Mambil UG provides the technical platform and processes end customer data as a data processor on behalf of the restaurant operator in accordance with Art. 28 GDPR. A corresponding data processing agreement (DPA) is concluded with each restaurant operator. Insofar as Mambil UG processes end customer data for its own purposes (e.g., fraud prevention, platform improvement, aggregated statistics), Mambil UG is the independent data controller for this processing.

3. Legal Bases for Processing

We process personal data exclusively on the basis of the legal grounds provided for in the GDPR:

  • Art. 6 Para. 1 lit. a GDPR (Consent): Where you have given us consent to process your personal data, e.g., for receiving newsletters or the use of optional cookies.
  • Art. 6 Para. 1 lit. b GDPR (Contract Performance): Where processing is necessary for the performance of a contract or for pre-contractual measures, e.g., registration, subscription management, order processing.
  • Art. 6 Para. 1 lit. c GDPR (Legal Obligation): Where processing is necessary to comply with a legal obligation, e.g., tax retention requirements.
  • Art. 6 Para. 1 lit. f GDPR (Legitimate Interest): Where processing is necessary for the purposes of legitimate interests pursued by us or a third party, provided that your interests do not override these interests, e.g., IT security, fraud prevention, platform improvement.

4. Website Visit and Server Log Files

Each time our website is accessed, our hosting provider automatically collects and stores information in so-called server log files, which your browser automatically transmits. The following data is collected:

  • IP address of the requesting device
  • Date and time of access
  • Time zone difference to Greenwich Mean Time (GMT)
  • URL of the requested page
  • HTTP status code
  • Amount of data transferred
  • Website from which the request originates (referrer URL)
  • Browser type and version
  • Operating system of the user

This data is processed to ensure trouble-free operation of the website, to ensure network security, and for error analysis. The legal basis is Art. 6 Para. 1 lit. f GDPR (legitimate interest in the security and stability of our web offering). Log files are automatically deleted after 14 days. No merging with other data sources takes place.

5. Registration and Account Data (Restaurant Operators)

When you register as a restaurant operator with Mambil, we collect and process the following personal data:

  • First and last name or company name
  • Email address
  • Phone number (optional)
  • Name and address of the restaurant
  • Password (stored only as a cryptographic hash, see Section 14)
  • Selected plan (Free, Pro, Premium, Enterprise)
  • Payment information (for paid plans, processed via Stripe)

5.1 Purpose of Processing

The data is processed for setting up and managing your user account, providing the contractually agreed platform features, billing and managing subscriptions, communication regarding your account (e.g., service notifications, security alerts), and fulfilling tax and commercial law retention obligations.

The legal basis is Art. 6 Para. 1 lit. b GDPR (contract performance) and Art. 6 Para. 1 lit. c GDPR (legal obligation) for tax-relevant data.

5.2 Staff Accounts

Restaurant operators can create staff accounts with different roles and permissions. In this context, the name and email address of staff members are collected. The restaurant operator, as the employer, is responsible for informing their employees about data protection.

6. Order Data (End Customers)

When end customers place an order through Mambil, the following data is collected:

  • Ordered food and beverages (cart contents)
  • Order time
  • Order type (dine-in, takeaway, pre-order)
  • Table number (for dine-in)
  • Name of the end customer (if provided)
  • Phone number or email address (if required for order processing)
  • Delivery address (for takeaway orders, if applicable)
  • Special notes (e.g., allergies, special requests)

6.1 Responsibility

The respective restaurant operator is considered the independent data controller for the processing of their end customers' order data pursuant to Art. 4 No. 7 GDPR. They decide on the purposes and means of processing within the scope of their customer relationship. Mambil UG processes this data as a data processor on behalf of the restaurant operator and provides the technical infrastructure.

The legal basis for processing by the restaurant operator is Art. 6 Para. 1 lit. b GDPR (performance of the hospitality contract between restaurant and end customer).

6.2 Processing by Mambil UG

Mambil UG processes order data in aggregated and anonymized form for platform statistics and service optimization. Insofar as personal order data is processed by Mambil UG for its own purposes (e.g., fraud prevention, abuse detection), the legal basis is Art. 6 Para. 1 lit. f GDPR (legitimate interest).

7. Reservation Data (End Customers)

When end customers make a table reservation through Mambil, the following data is collected:

  • First and last name
  • Email address
  • Phone number
  • Desired date and time
  • Number of guests
  • Special requests or notes

7.1 Responsibility and Purpose

As with order data, the respective restaurant operator is the data controller for their guests' reservation data. Mambil UG processes the data as a data processor. The data is processed for the execution and management of the reservation, the sending of confirmation and reminder messages, and no-show prevention.

The legal basis is Art. 6 Para. 1 lit. b GDPR (performance of pre-contractual measures or contract performance).

8. Payment Data and Stripe Connect

We use the payment service provider Stripe for payment processing. There are two separate payment flows:

8.1 Subscription Payments (Restaurant Operators)

Monthly or annual subscription fees (Pro: EUR 19/month, Premium: EUR 79/month, Enterprise: custom) are processed via Stripe. Payment data (e.g., credit card data, IBAN for SEPA direct debit) is collected and processed directly by Stripe. Mambil UG does not have access to complete credit card numbers.

The legal basis is Art. 6 Para. 1 lit. b GDPR (contract performance).

8.2 Order Payments (End Customers)

For online orders, end customers pay via Stripe Connect. The payment is directed to the Stripe Connect account of the respective restaurant operator. Mambil UG only receives the agreed platform fee. The following payment data is processed by Stripe:

  • Cardholder name
  • Email address
  • Credit card number (tokenized by Stripe, not viewable by Mambil UG)
  • Credit card expiration date
  • Security code (CVC)
  • IBAN (for SEPA direct debit)
  • Transaction amount, date, and time
  • Order number

The legal basis is Art. 6 Para. 1 lit. b GDPR (contract performance) and Art. 6 Para. 1 lit. f GDPR (legitimate interest in secure and efficient payment processing).

8.3 Stripe as Recipient

The payment service provider is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter "Stripe"). Stripe is certified under the Payment Card Industry Data Security Standard (PCI DSS) and processes payment data according to its own privacy policy. Stripe's privacy policy can be found at: https://stripe.com/privacy

Stripe acts in payment processing both as an independent data controller (for regulatory obligations and fraud prevention) and as a data processor (for processing transactions according to our instructions). Stripe has implemented compliance measures for international data transfers based on EU Standard Contractual Clauses (SCCs). Additionally, Stripe is certified under the EU-US Data Privacy Framework (DPF) (see Section 13).

9. Contact Form and Email Contact

When you contact us via the contact form on our website or by email, we collect the following data:

  • First and last name
  • Email address
  • Phone number (optional)
  • Restaurant name (optional)
  • Subject and content of your message

This data is processed exclusively to handle your inquiry and will be deleted after completion of processing, unless statutory retention obligations apply. The legal basis is Art. 6 Para. 1 lit. b GDPR (pre-contractual measures or contract performance) or Art. 6 Para. 1 lit. f GDPR (legitimate interest in responding to inquiries).

10. Newsletter

When you subscribe to our newsletter, we collect your email address. Registration follows a double opt-in procedure: After registration, you will receive a confirmation email with a link to verify your email address. We use the newsletter service to inform you about product news, tips for the hospitality industry, and relevant offers. As part of newsletter delivery, opening and click behavior is statistically evaluated.

  • The legal basis is Art. 6 Para. 1 lit. a GDPR (consent).
  • You can revoke your consent at any time with future effect by unsubscribing via the unsubscribe link in each email or by emailing datenschutz@mambil.app.

11. Cookies and Similar Technologies

Our website and platform use only technically necessary cookies. Cookies are small text files that are stored on your device.

11.1 Technically Necessary Cookies

We exclusively use technically necessary cookies that are essential for the proper operation of the website and platform. These enable basic functions such as page navigation, access to protected areas (login), and storage of your session information. Without these cookies, the website cannot function properly. We do not use analytics, tracking, or marketing cookies.

The legal basis is Art. 6 Para. 1 lit. f GDPR (legitimate interest in operating the website) or Section 25 Para. 2 TDDDG. Since we exclusively use technically necessary cookies, no consent is required.

11.2 Third-Party Cookies

In the context of payment processing, Stripe may set technically necessary cookies required for the secure execution of payment transactions. These cookies are set by Stripe as an independent data controller. For more information, see Stripe's privacy policy at: https://stripe.com/privacy

12. Data Processing (Art. 28 GDPR)

We use external service providers (data processors) who process personal data on our behalf. We have concluded data processing agreements pursuant to Art. 28 GDPR with all processors to ensure data protection-compliant processing.

  • Stripe Payments Europe, Ltd. (Dublin, Ireland / Stripe, Inc., San Francisco, USA): Payment processing for subscriptions and order payments via Stripe Connect.
  • Hetzner Online GmbH (Gunzenhausen, Germany): Hosting of the platform and website. Servers are located in Germany.
  • Mailgun Technologies, Inc. (San Antonio, USA): Sending transactional emails (e.g., registration confirmations, order confirmations, password resets).

Mambil UG ensures that all data processors guarantee an adequate level of data protection. Service providers located outside the EU/EEA are only used when an adequate level of data protection is ensured through appropriate safeguards (see Section 13).

13. International Data Transfers

Some of our service providers have their registered office or sub-processors in the USA. The transfer of personal data to the USA is based on the following safeguards:

13.1 EU-US Data Privacy Framework (DPF)

The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework on July 10, 2023 (Implementing Decision (EU) 2023/1795). Insofar as our US service providers are certified under the DPF, the data transfer is permissible on this basis. Stripe, Inc. is certified under the EU-US Data Privacy Framework.

13.2 Standard Contractual Clauses (SCCs)

Additionally, or in the event that the DPF loses its validity, we have concluded the EU Commission-approved Standard Contractual Clauses (SCCs) pursuant to Art. 46 Para. 2 lit. c GDPR with our US service providers. These ensure that your data enjoys a level of protection comparable to the EU even when transferred to the USA.

13.3 Data Transfers Within the EU

Our hosting provider Hetzner operates its data centers in Germany. The storage and processing of your data primarily takes place on servers in Germany. Payment processing by Stripe is conducted through Stripe Payments Europe, Ltd., based in Ireland (EU).

14. Data Security

We implement extensive technical and organizational measures pursuant to Art. 32 GDPR to protect your personal data against unauthorized access, loss, destruction, or alteration:

  • SSL/TLS Encryption: All data transmissions between your browser and our servers are encrypted via HTTPS.
  • Encrypted Storage: Passwords are stored exclusively as cryptographic hash values. Sensitive data is stored in encrypted form.
  • Access Controls: Access to personal data is restricted to authorized employees and protected by authentication procedures.
  • Regular Backups: Automated, encrypted data backups ensure the availability and recoverability of your data.
  • Server Location Germany: Our servers are located in certified data centers in Germany and meet the highest security standards (ISO 27001).
  • PCI DSS Compliance: Payment data processing is conducted exclusively through the PCI DSS-certified payment service provider Stripe. Mambil UG does not store complete credit card or account data at any time.
  • Regular Security Audits: We conduct regular security audits and updates to keep our systems at the current state of the art.

15. Data Retention and Deletion

We store your personal data only as long as necessary for the respective processing purposes or as required by statutory retention periods.

15.1 Account Data (Restaurant Operators)

Your account data is stored for the duration of the contractual relationship. After termination and expiry of the billing period, your data will be deleted within 30 days, unless statutory retention obligations apply.

15.2 Order and Reservation Data

Order and reservation data is stored for the duration of the restaurant operator's business relationship and deleted within 30 days after termination of their account, unless statutory retention obligations apply.

15.3 Statutory Retention Periods

Certain data is subject to statutory retention obligations:

  • Tax law retention obligation (Section 147 AO): 10 years for booking records, invoices, account statements, and accounting-relevant documents.
  • Commercial law retention obligation (Section 257 HGB): 6 years for received and sent commercial letters and other business documents.
  • Objection and litigation periods: Up to 3 years after the end of the calendar year in which the contractual relationship was terminated (general civil law limitation period pursuant to Sections 195, 199 BGB).

After expiry of the respective periods, the data is routinely deleted.

15.4 Server Log Files

Server log files are automatically deleted after 14 days.

15.5 Contact Inquiries

Data from contact inquiries is deleted after completion of processing, unless the inquiry leads to a contractual relationship. In the case of a pre-contractual inquiry, the data is deleted no later than 6 months after the last communication.

16. Rights of Data Subjects

You have the following rights under the GDPR regarding your personal data. To exercise your rights, an informal notification to datenschutz@mambil.app is sufficient. We will process your request without undue delay, and in any event within one month of receipt (Art. 12 Para. 3 GDPR). In particularly complex cases, this period may be extended by a further two months, of which we will inform you in a timely manner.

16.1 Right of Access (Art. 15 GDPR)

You have the right to request confirmation as to whether personal data concerning you is being processed. If so, you have the right to access this data and further information pursuant to Art. 15 GDPR.

16.2 Right to Rectification (Art. 16 GDPR)

You have the right to request the immediate rectification of inaccurate personal data and the completion of incomplete data.

16.3 Right to Erasure (Art. 17 GDPR)

You have the right to request the erasure of your personal data if one of the grounds listed in Art. 17 GDPR applies, e.g., if the data is no longer necessary for the purposes for which it was collected. The right to erasure does not apply insofar as processing is necessary to comply with a legal obligation.

16.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request the restriction of processing of your data, e.g., if you contest the accuracy of the data or the processing is unlawful.

16.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format and to transmit this data to another controller.

16.6 Right to Object (Art. 21 GDPR)

You have the right to object at any time to the processing of your personal data insofar as the processing is based on Art. 6 Para. 1 lit. f GDPR (legitimate interest). We will then no longer process your data unless we can demonstrate compelling legitimate grounds that override your interests.

16.7 Right to Withdraw Consent (Art. 7 Para. 3 GDPR)

Insofar as the processing is based on consent, you may withdraw this consent at any time with future effect. The lawfulness of the processing carried out until the withdrawal remains unaffected.

17. Right to Lodge a Complaint with a Supervisory Authority

Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR. You may in particular contact the supervisory authority of your place of residence, your place of work, or the place of the alleged infringement. The supervisory authority responsible for us is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5, 30159 Hannover
https://www.lfd.niedersachsen.de

A list of data protection supervisory authorities in Germany can be found at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

18. No Automated Decision-Making / Profiling

We do not use purely automated decision-making pursuant to Art. 22 Para. 1 GDPR that produces legal effects concerning you or similarly significantly affects you. We use AI-powered translation services for the automatic translation of menu texts (see Section 19). This involves processing publicly available restaurant content, not personal data.

19. AI-Powered Translations

Our platform offers an AI-powered translation feature that allows restaurant operators to automatically translate their menus into multiple languages. Only the content posted by the restaurant operator (names of food and beverages, descriptions, category names) is transmitted to the translation service. This involves publicly available restaurant content, not personal data. The restaurant operator is obligated to review all AI-generated translations before publication, in particular regarding the correct translation of allergen labels and ingredients.

20. Disclosure of Data to Third Parties

Your personal data is only disclosed to third parties in the cases described in this privacy policy or where we are legally obligated to do so. We do not sell your personal data to third parties. In the context of Stripe Connect, order data is exchanged between the end customer, the restaurant operator, and Stripe insofar as this is necessary for payment processing. In the event of an official request, we may be legally obligated to disclose data to law enforcement or supervisory authorities.

21. Information for End Customers

If you, as an end customer, view a menu, place an order, make a reservation, or process a payment through Mambil, please note the following:

  • The data controller for your order and reservation data is the respective restaurant operator. Please contact the respective restaurant for access, rectification, or erasure requests regarding your order and reservation data.
  • Mambil UG, as the platform operator, provides the technical infrastructure and processes your data on behalf of the restaurant operator.
  • Stripe Connect is used for payment processing. Your payment data is processed directly by Stripe. Neither Mambil UG nor the restaurant operator has access to your complete payment data (e.g., credit card number).
  • Simply viewing a digital menu (scanning a QR code) does not require registration, and no personal data is collected beyond the server log files described in Section 4.
  • For questions about data protection when using the platform, you can contact datenschutz@mambil.app.
  • The restaurant operator provides their end customers with a separate privacy policy at https://menu.mambil.com/privacy.

22. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy to comply with changed legal requirements, new technical developments, or changes to our services. The current version is always available on our website. In the event of material changes affecting your rights, we will inform registered users by email.

Last updated: March 2026