Privacy Policy
The protection of your personal data is very important to us. In this privacy policy, we inform you in accordance with Art. 13 and Art. 14 of the General Data Protection Regulation (GDPR) about the processing of your personal data when using our website (test-mambil.com), our SaaS platform Mambil, and the associated services. This privacy policy applies to both restaurant operators (B2B customers) who use our platform and end customers (B2C) who view menus, place orders, or make reservations through Mambil.
1. Data Controller
The data controller within the meaning of the GDPR is:
Mambil UG (haftungsbeschränkt)
Zwinglistr. 6
30171 Hannover
Germany
Represented by: Mohammadali Karimi (Managing Director)
Email: privacy@dev.mambil.com
Phone: +4915567298324
Website: https://test-mambil.com
The appointment of a data protection officer is currently not mandatory under Art. 37(1) GDPR or § 38(1) BDSG, because (i) fewer than 20 persons are constantly engaged in the automated processing of personal data, (ii) no large-scale processing of special categories of personal data (Art. 9 GDPR) is carried out as a core activity, and (iii) no systematic and large-scale monitoring of data subjects within the meaning of Art. 37(1)(b) GDPR takes place as a core activity. This assessment is reviewed on an ongoing basis. For all data-protection matters, please contact us at privacy@dev.mambil.com.
If you have any questions about data protection, you can contact us at any time at the email address above.
2. Scope and Definitions
This privacy policy applies to the website test-mambil.com, the SaaS platform Mambil, and all associated features and services.
2.1 User Groups
Our platform distinguishes between two user groups:
- Restaurant operators (B2B customers): Natural or legal persons who register with Mambil, create digital menus, accept online orders, and manage reservations.
- End customers (B2C users): Guests who view menus via QR codes or the restaurant's website, place orders, make reservations, or process payments.
2.2 Responsibilities
Personal data on the platform is processed in clearly separated roles. Based on our assessment and consistent with the German DSK (Short Paper No. 16), Mambil and the relevant restaurant operators are in principle independent (separate) controllers within the meaning of the GDPR; each party determines the purposes and means of the processing operations allocated to it independently. Should joint controllership within the meaning of Art. 26 GDPR be established for individual processing steps in light of the case law of the CJEU (in particular Case C-210/16 Wirtschaftsakademie, C-40/17 Fashion ID, and C-604/22 IAB Europe), Mambil and the respective restaurant operator have additionally entered into an arrangement pursuant to Art. 26(1) GDPR as Annex 2 to our Terms of Service; the essence of that arrangement is made available free of charge to data subjects on request at privacy@dev.mambil.com pursuant to Art. 26(2) sentence 2 GDPR. The point of contact for the exercise of data-subject rights is in any event the controller assigned below; in addition, data subjects may pursuant to Art. 26(3) GDPR contact any of the parties involved.
(a) Mambil as independent controller (Art. 4(7) GDPR) for: operation of the platform and website; registration and management of restaurant operators; subscription billing and management; platform-level security and abuse prevention (based on technical metadata such as IP address and device/session signals; not on the personal order content of individual end customers); technical server log files; exclusively aggregated and anonymised platform statistics; dispatch of platform-triggered transactional email and push notifications (registration, security, order, reservation, and status messages); and compliance with statutory obligations (in particular PStTG/DAC7 and tax and commercial retention requirements).
(b) Restaurant operators as independent controllers for the processing of order, reservation, and guest data of their own customers in connection with the catering or reservation contract concluded between the restaurant and the end customer. The restaurant operator determines the purposes and means of that processing and is responsible for: the lawfulness of on-site collection (e.g., QR code, table assignment); the substantive accuracy of order and reservation data; compliance with food, allergen, and consumer-information obligations; handling complaints and refund requests; responding to data-subject rights requests in respect of those data; and obtaining any consents required for its own marketing or loyalty programmes.
(c) Mambil as processor (Art. 28 GDPR) acting on behalf of the restaurant operator, where order, reservation, and guest data are processed solely to provide the contracted platform service and on the restaurant operator's documented instructions (in particular storage, transmission to the restaurant, technical provision of order and reservation functionality, and export of guest lists). The corresponding Data Processing Agreement (DPA) forms Annex 1 to our Terms of Service; a PDF copy can be requested at any time at privacy@dev.mambil.com.
Point of contact for data-subject rights: requests concerning order and reservation data should be addressed to the relevant restaurant operator as controller. You may alternatively send such requests to privacy@dev.mambil.com; we will forward them without undue delay to the responsible restaurant operator pursuant to Art. 28(3)(e) GDPR and assist with the response. Requests concerning the processing activities under (a) above are handled directly by Mambil.
3. Legal Bases for Processing
We process personal data exclusively on the basis of the legal grounds provided for in the GDPR:
- Art. 6 Para. 1 lit. a GDPR (Consent): Where you have given us consent to process your personal data, e.g., for the use of optional cookies.
- Art. 6 Para. 1 lit. b GDPR (Contract Performance): Where processing is necessary for the performance of a contract or for pre-contractual measures, e.g., registration, subscription management, order processing.
- Art. 6 Para. 1 lit. c GDPR (Legal Obligation): Where processing is necessary to comply with a legal obligation, e.g., tax retention requirements.
- Art. 6 Para. 1 lit. f GDPR (Legitimate Interest): Where processing is necessary for the purposes of legitimate interests pursued by us or a third party, provided that your interests do not override them, e.g., IT security, fraud prevention, platform improvement.
4. Website Visit and Server Log Files
Each time our website is accessed, our hosting provider automatically collects and stores information in so-called server log files, which your browser automatically transmits. The following data is collected:
- IP address of the requesting device
- Date and time of access
- Time zone difference to Greenwich Mean Time (GMT)
- URL of the requested page
- HTTP status code
- Amount of data transferred
- Website from which the request originates (referrer URL)
- Browser type and version
- Operating system of the user
This data is processed to ensure trouble-free operation of the website, to ensure network security, and for error analysis. The legal basis is Art. 6 Para. 1 lit. f GDPR (legitimate interest in the security and stability of our web offering). Log files are automatically deleted after 14 days. No merging with other data sources takes place.
5. Registration and Account Data (Restaurant Operators)
When you register as a restaurant operator with Mambil, we collect and process the following personal data:
- First and last name or company name
- Email address
- Language preference (UI language), country code, and content/currency preferences
- Name, address, and public contact details of the restaurant (public email, phone number, social media links, logo/banner, legal imprint information) – these are entered by restaurant operators themselves and published to end customers
- Password (stored exclusively in encrypted form; the plaintext password is never stored)
- Selected plan (Free, Pro, Premium, Enterprise)
- Stripe customer reference (for paid plans; the actual payment data is collected and stored exclusively by Stripe, not by us)
- Push notification tokens of your registered devices, if you enable push notifications for orders or reservations
5.1 Purpose of Processing
The data is processed for setting up and managing your user account, providing the contractually agreed platform features, billing and managing subscriptions, communication regarding your account (e.g., service notifications, security alerts), and fulfilling tax and commercial law retention obligations.
The legal basis is Art. 6 Para. 1 lit. b GDPR (contract performance) and Art. 6 Para. 1 lit. c GDPR (legal obligation) for tax-relevant data.
5.2 Staff Accounts
Restaurant operators can create staff accounts with different roles and permissions. In this context, only the email address, a language preference, an encrypted password, and the assigned permissions (restaurant, menu, and modifier-group access) are collected. The restaurant operator may optionally add an internal note about the staff member. The restaurant operator, as the employer, is responsible for informing their employees about data protection.
6. Order Data (End Customers)
When end customers place an order through Mambil, the following data is collected:
- Ordered food and beverages (cart contents) including quantities, modifiers, and prices
- Order time and, where applicable, scheduled pickup time (for pre-orders)
- Order type (dine-in, takeaway, delivery, pre-order)
- Table number or table identifier (for dine-in)
- End customer name or identifier (e.g., first name for pickup)
- End customer email address (required to send order confirmations, acceptance/rejection notifications, and cancellation/refund messages)
- Delivery address (only for takeaway/delivery orders)
- Order note / special request, if voluntarily entered by the end customer (free-text field)
- Stripe payment references (Payment Intent ID, Checkout Session ID) – the actual card/bank data remains with Stripe
6.1 Responsibility
The respective restaurant operator is considered the independent data controller for the processing of their end customers' order data pursuant to Art. 4 No. 7 GDPR. They decide on the purposes and means of processing within the scope of their customer relationship. Mambil processes this data as a data processor on behalf of the restaurant operator and provides the technical infrastructure.
The legal basis for processing by the restaurant operator is Art. 6 Para. 1 lit. b GDPR (performance of the hospitality contract between restaurant and end customer).
6.2 Processing by Mambil
We process the personal order data referred to in Section 6 in principle exclusively as a processor on behalf of the restaurant operator. Such personal order data is not processed for Mambil's own purposes (in particular not for platform statistics or for training internal models); any such analytics are performed exclusively after prior anonymisation in accordance with Recital 26 GDPR. Anonymised data is no longer subject to the GDPR. For the security and integrity of the platform (e.g., detection of abusive ordering patterns, automated attacks, cancellation chains intended to cause harm) we process selected technical metadata (e.g., IP address, device and session identifiers, order frequency, cancellation rates) on the basis of Art. 6(1)(f) GDPR (legitimate interest in secure platform operation). This processing does not rely on the content of individual orders or on the identity of specific end customers vis-à-vis the restaurant operator. You may object to this processing at any time pursuant to Art. 21 GDPR (see Section 15.6); we will examine each objection on its merits. We do not transfer order data to the restaurant operator for the operator's own purposes outside the processor relationship without a separate legal basis on the operator's side.
7. Reservation Data (End Customers)
When end customers make a table reservation through Mambil, the following data is collected:
- Name
- Email address (required for sending confirmation and reminder emails)
- Phone number (optional)
- Desired date, start and end time
- Number of guests (party size)
- Reservation type (reservation or walk-in)
- Special requests or notes
7.1 Responsibility and Purpose
As with order data, the respective restaurant operator is the data controller for their guests' reservation data. Mambil processes the data as a data processor. The data is processed for the execution and management of the reservation, the sending of confirmation and reminder messages, and no-show prevention.
The legal basis is Art. 6 Para. 1 lit. b GDPR (performance of pre-contractual measures or contract performance).
8. Payment Data and Stripe Connect
We use the payment service provider Stripe for payment processing. There are two separate payment flows:
8.1 Subscription Payments (Restaurant Operators)
Monthly or annual subscription fees are processed via Stripe. Payment data (e.g., credit card data, IBAN for SEPA direct debit) is collected and processed directly by Stripe. Mambil does not have access to complete credit card numbers.
The legal basis is Art. 6 Para. 1 lit. b GDPR (contract performance).
8.2 Order Payments (End Customers)
For online orders, end customers pay via Stripe Connect. The payment is directed to the Stripe Connect account of the respective restaurant operator. Mambil only receives the agreed platform fee. The following payment data is processed by Stripe:
- Cardholder name
- Email address
- Credit card number (tokenized by Stripe, not viewable by Mambil)
- Credit card expiration date
- Security code (CVC)
- IBAN (for SEPA direct debit)
- Transaction amount, date, and time
- Order number
The legal basis is Art. 6 Para. 1 lit. b GDPR (contract performance) and Art. 6 Para. 1 lit. f GDPR (legitimate interest in secure and efficient payment processing).
8.3 Stripe as Recipient
The payment service provider is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter "Stripe"). Stripe is certified under the Payment Card Industry Data Security Standard (PCI DSS) and processes payment data according to its own privacy policy. You can find Stripe's privacy policy on the Stripe website. Stripe acts in payment processing both as an independent data controller (for regulatory obligations, fraud prevention, and KYC) and as a data processor (for processing transactions according to our instructions). Our contracting party is Stripe Payments Europe, Ltd., based in Dublin, Ireland (EU). Details of the automated fraud and risk checks (Stripe Radar) and the associated rights under Art. 22(3) GDPR are set out in Stripe's privacy policy (see Section 17).
9. Contact Form and Email Contact
When you contact us via the contact form on our website or by email, we collect the following data:
- First and last name
- Email address
- Phone number (optional)
- Restaurant name (optional)
- Subject and content of your message
This data is processed exclusively to handle your inquiry and will be deleted after completion of processing, unless statutory retention obligations apply. The legal basis is Art. 6 Para. 1 lit. b GDPR (pre-contractual measures or contract performance) or Art. 6 Para. 1 lit. f GDPR (legitimate interest in responding to inquiries).
9a. Transactional Communications
We send certain email and push notifications to restaurant operators and — as platform-triggered transactional messages in our role as controller pursuant to Section 2.2(a) — to end customers, where these messages are necessary for performance of the contract. They include in particular: registration confirmations, password resets, security notices, order confirmations, acceptance and rejection notices, cancellation and refund notices, reservation confirmations, and reminders for upcoming reservations. These messages do not constitute marketing within the meaning of Section 7 UWG. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in informing you about the status of an ongoing transaction). Opt-out from purely transactional messages is, for legal reasons, possible only by terminating the underlying contractual relationship. Push notifications may be deactivated at any time in your device settings. We do not currently send marketing emails, newsletters, or other direct-marketing communications.
10. Cookies and Similar Technologies
On our marketing website (test-mambil.com) and within the platform application we use cookies and comparable storage technologies (such as localStorage and sessionStorage). We distinguish between strictly necessary storage and storage that requires your prior consent.
10.1 Strictly necessary storage (Section 25(2) No. 2 TDDDG)
Certain storage operations are strictly necessary within the meaning of Section 25(2) No. 2 TDDDG in order to provide the telemedia service expressly requested by you. No consent is required under either Section 25 TDDDG or Art. 6 GDPR; the legal basis is Art. 6(1)(f) GDPR (legitimate interest in operating the service) and, where required for contract performance, Art. 6(1)(b) GDPR. This includes in particular:
- Session and authentication cookies (login, session integrity)
- CSRF protection and security tokens
- Storage of your shopping cart and selected language/currency
- Load-balancing and stability cookies set by our CDN/WAF provider Cloudflare
- Strictly necessary cookies set by our payment service provider Stripe to execute a payment initiated by you
10.2 Consent-based storage (Section 25(1) TDDDG)
Storage operations that go beyond what is strictly necessary are only used after we have obtained your prior, explicit consent within the meaning of Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR. This includes in particular:
- Push notification tokens stored on your device, where you expressly enable push notifications
- Any third-party embeds (e.g., maps, videos, third-party fonts), to the extent used
We do not use analytics, tracking, or marketing cookies for our own purposes. A cookie consent banner is therefore not required. To the extent you have given consent in exceptional cases (in particular for push notifications), you may withdraw it at any time with effect for the future by disabling the feature in your device or browser settings, or by contacting privacy@dev.mambil.com.
10.3 Cookies and storage by Stripe
In the course of the payment process initiated by you, Stripe may, acting as an independent controller (see Section 8.3), trigger storage and read operations on your end device, including for fraud and risk analysis (Stripe Radar). To the extent these operations are strictly necessary within the meaning of § 25(2) No. 2 TDDDG to provide the payment service expressly requested by you, no consent is required; otherwise Stripe, as the responsible controller, itself obtains any consent required under § 25(1) TDDDG. Mambil has no direct influence over these operations. For further information please see Stripe's privacy policy and the Stripe cookie policy.
11. Data Processors and Other Recipients
We use external service providers who process personal data either on our behalf or as independent controllers. We have concluded data processing agreements pursuant to Art. 28 GDPR with all data processors.
11.1 Data Processors
- Hetzner Online GmbH (Gunzenhausen, Germany): Hosting of the platform and website. Servers are located in the EU.
- Amazon Web Services EMEA SARL (Luxembourg): Additional hosting. Data is processed exclusively in data centers within the EU.
- Cloudflare Germany GmbH (Rosenheimer Straße 143 C, 81671 Munich, Germany; HRB 242623, Amtsgericht München) as local contracting party and centrally contracted Cloudflare, Inc. (San Francisco, USA), with EU jurisdiction / EU Customer Data Boundary enabled (region "EU"): Storage of uploaded media (e.g., logos, banners), long-term archival of completed orders, and provision of content delivery, DDoS protection, and WAF functions. Content storage takes place exclusively within the EU jurisdiction; due to transit and control-plane operations, IP addresses, connection metadata, and log data may be processed transiently across the globally distributed edge network, including servers in the USA. Cloudflare, Inc. is DPF-certified; supplementary Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR apply (see Section 11.3).
- Resend (Plus Five Five, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA): Delivery of transactional emails (e.g., registration confirmations, order confirmations, password resets). The data transferred is limited to the recipient address, a display name, and the content of the relevant transactional message; no use for marketing, tracking, or profiling purposes takes place. The sending endpoint is operated in the EU region eu-west-1 (Ireland); however, account, log, and metadata of the emails sent are stored by Resend in the USA. The transfer to the USA is based on the European Commission's adequacy decision of 10 July 2023 on the EU-US Data Privacy Framework (Resend is DPF-certified) and additionally on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Resend (see Section 11.3).
- Google Ireland Ltd. (Dublin, Ireland; parent company Google LLC, Mountain View, USA): Delivery of push notifications via Firebase Cloud Messaging (FCM) to the devices of registered restaurant operators and staff. Only a device token and a short, generic notification text (e.g., "New order received" or "New reservation") are transmitted; the actual order, reservation, or guest data (in particular items, prices, names, addresses, messages) are not transmitted via FCM and remain on our EU servers. The FCM backend infrastructure is operated by Google LLC in the USA; to that extent, a transfer to the USA takes place. On iOS devices, Google forwards the notification via the Apple Push Notification Service (APNs, operated by Apple Distribution International Limited, Cork, Ireland; backend infrastructure Apple Inc., Cupertino, USA), which Google engages for this purpose as its own sub-processor. Google LLC is certified under the EU-US Data Privacy Framework; the transfer to Google is based on the adequacy decision of 10 July 2023, supplemented by Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. The forwarding via the Apple Push Notification Service is safeguarded by Google under its own agreement with Apple (see Section 11.3). The storage of the push token on your device requires your consent pursuant to § 25(1) TDDDG.
- DeepL SE (Cologne, Germany): AI-assisted translation of menu content (see Section 18).
11.2 Independent Controllers / Other Recipients
The following recipients act, in whole or predominantly, as independent controllers and not as pure data processors:
- Stripe Payments Europe, Ltd. (Dublin, Ireland): Payment processing for subscriptions and order payments via Stripe Connect. Stripe acts as an independent controller for regulatory payment processing, fraud prevention, and KYC obligations; insofar as Stripe additionally provides ancillary services on our behalf, it does so as a data processor (see Section 8.3).
11.3 Transfers to Third Countries (Art. 44 et seq. GDPR)
The core processing of personal data (hosting of account, order, reservation, and media data) takes place exclusively on servers within the European Union or the European Economic Area (Hetzner Online GmbH in Germany, AWS EMEA SARL with region eu-central-1 in Frankfurt, Cloudflare storage with EU jurisdiction). However, certain ancillary services result in transfers to the USA, in particular:
- Resend (Plus Five Five, Inc.): Account, log, and metadata of the transactional emails sent are stored in the USA (see Section 11.1).
- Google LLC (Firebase Cloud Messaging): Device token and short, generic notification text (no order or reservation content) are routed via US backend infrastructure to deliver push notifications. On iOS devices, delivery takes place by relaying via the Apple Push Notification Service (Apple Inc.), which Google engages as its own sub-processor (see Section 11.1).
- Cloudflare, Inc.: Control-plane, log, and connection metadata may be processed transiently across the globally distributed edge network, including servers in the USA (see Section 11.1).
These transfers are based on the following safeguards: (i) the EU-US Data Privacy Framework adequacy decision (Implementing Decision (EU) 2023/1795 of 10 July 2023) — the named US recipients are each DPF-certified (list available at dataprivacyframework.gov/list); (ii) Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR as set out in Implementing Decision (EU) 2021/914; (iii) supplementary technical and organizational measures, in particular transport and storage encryption and data minimization (e.g., no order content in push notifications). A copy of the applicable safeguards will be made available to you free of charge upon request at privacy@dev.mambil.com.
13. Data Security and Notification of Personal Data Breaches
We implement appropriate technical and organisational measures to safeguard the security of your personal data and comply with the statutory notification and communication obligations in the event of a personal data breach.
13.1 Technical and Organizational Measures
We implement extensive technical and organizational measures pursuant to Art. 32 GDPR to protect your personal data against unauthorized access, loss, destruction, or alteration:
- SSL/TLS Encryption: All data transmissions between your browser and our servers are encrypted via HTTPS.
- Encrypted Storage: Passwords are stored exclusively as cryptographic hash values. Sensitive data is stored in encrypted form.
- Access Controls: Access to personal data is restricted to authorized employees and protected by authentication procedures.
- Regular Backups: Automated, encrypted data backups ensure the availability and recoverability of your data.
- Server Location EU: Our core hosting servers for account, order, and reservation data are located in data centers within the EU. Our hosting providers (Hetzner Online GmbH, AWS EMEA SARL Luxembourg) are certified to ISO 27001. For individual ancillary services with transfers to the USA (Resend, FCM/APNs, Cloudflare), see Section 11.3.
- PCI DSS Compliance: Payment data processing is conducted exclusively through the PCI DSS-certified payment service provider Stripe. Mambil does not store complete credit card or account data at any time.
- Regular Security Audits: We conduct regular security audits and updates to keep our systems at the current state of the art.
13.2 Notification of Personal Data Breaches
In the event of a personal data breach (e.g., unauthorized access, loss, or disclosure), we comply with the statutory notification obligations under Art. 33 and Art. 34 GDPR.
- Notification to the supervisory authority (Art. 33 GDPR): We report personal data breaches to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- Notification of affected individuals (Art. 34 GDPR): If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in clear and plain language.
- Internal documentation: All personal data breaches — including the relevant facts, their effects, and the remedial action taken — are documented internally to demonstrate compliance with the accountability principle under Art. 5(2) GDPR vis-à-vis the supervisory authority.
14. Data Retention and Deletion
We store your personal data only as long as necessary for the respective processing purposes or as required by statutory retention periods.
14.1 Account Data (Restaurant Operators)
Your account data is stored for the duration of your active use of the platform. Free accounts without an active paid subscription that show no sign-in activity for more than 6 months (inactivity) are automatically deleted; before any inactivity-based deletion we notify you by email at the registered address at least 30 days in advance, allowing you to prevent deletion by signing in. You may in addition request deletion of your account at any time directly via the platform; final deletion takes place 45 days after receipt of the request and may be revoked within that period. Accounts with an active paid subscription are not subject to inactivity-based automatic deletion. In all cases, your personal data is deleted unless statutory retention obligations apply (see Section 14.3).
14.2 Order and Reservation Data
Completed orders are archived; older archive records are additionally moved to encrypted long-term storage. We distinguish between records subject to tax/commercial retention and other order and reservation data:
(a) Paid orders as accounting vouchers: Records of paid orders constitute accounting vouchers within the meaning of § 147(1) No. 4 AO and § 257(1) No. 4 HGB (each as amended by BEG IV) and are subject to a statutory retention obligation of 8 years from the end of the calendar year in which the voucher was created. During this period, the data is subject to a processing restriction (storage block) pursuant to Art. 18(1)(b) GDPR, kept in a separate, encrypted long-term store, and not used for any other purpose. After expiry of the retention period, the data is routinely deleted.
(b) Other order and reservation data: Order and reservation data fields not covered by tax or commercial retention obligations (in particular reservation master data without payment, free-text notes, telephone numbers, special requests) are stored for the duration of the restaurant operator's business relationship and deleted no later than 45 days after termination of the account, unless other statutory retention obligations or limitation periods apply (see Section 14.3). Accounts without any tax, commercial-law, or PStTG-relevant data (in particular pure Free-tier accounts without completed order transactions and without Stripe Connect activation) are deleted in full, without long-term archiving.
(c) Reservation data without payment: Reservation data not associated with a payment transaction is generally deleted or anonymised no later than 90 days after the reservation date, unless the restaurant operator has determined a different retention or processing period on the basis of its own legal basis.
14.3 Statutory Retention Periods
Certain data is subject to statutory retention obligations. The retention periods set out below apply only to the categories of data expressly named; they do not extend the storage period of other personal data:
- Tax law retention obligation (Section 147 AO as amended by the Fourth Bureaucracy Relief Act – BEG IV): 10 years for accounting books and records, inventories, annual financial statements, management reports, opening balance sheets and the working instructions and other organisational documents required to understand them (Section 147(3) sentence 1 no. 1 AO); 8 years for booking vouchers (Section 147(3) sentence 1 no. 4 AO – reduced from ten to eight years for vouchers whose retention period had not yet expired by 31 December 2024); 6 years for the remaining documents listed in Section 147(1) AO (in particular commercial and business letters received and copies of those sent).
- Commercial law retention obligation (Section 257 HGB as amended by BEG IV): 10 years for commercial books, inventories, opening balance sheets, annual financial statements, separate financial statements, and consolidated financial statements; 8 years for booking vouchers; 6 years for commercial letters received and copies of those sent.
- Retention under the Platform Tax Transparency Act (Section 24 PStTG): 10 years, limited to the information about reportable sellers (restaurant operators) collected pursuant to Sections 13 et seq. PStTG and the records of the due-diligence and reporting procedures performed; see Section 19a. End-customer order and reservation data is not covered.
- Objection and litigation periods: Up to 3 years after the end of the calendar year in which the contractual relationship was terminated (standard limitation period pursuant to Sections 195, 199 BGB); longer periods only where strictly necessary and proportionate for legal defence in the specific case.
During a statutory retention period, the relevant data is restricted in processing pursuant to Art. 18 GDPR (storage with a processing block) and is not used for other purposes. After expiry of the respective period the data is routinely deleted.
14.4 Server Log Files
Server log files are automatically deleted after 14 days.
14.5 Contact Inquiries
Data from contact inquiries is deleted after completion of processing, unless the inquiry leads to a contractual relationship. In the case of a pre-contractual inquiry, the data is deleted no later than 6 months after the last communication.
15. Rights of Data Subjects
Notice pursuant to Art. 21(4) GDPR – right to object: You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR. This also applies to profiling based on those provisions. Where personal data is processed for direct marketing purposes, you have the right to object at any time and without giving any reason to processing of personal data concerning you for such marketing; this also includes profiling to the extent that it is related to such direct marketing. An informal notice to privacy@dev.mambil.com or a click on the unsubscribe link contained in any marketing message is sufficient. Where you object to processing for direct marketing purposes, we will no longer process your data for those purposes. In addition to the above, you have the further rights set out below. To exercise your rights, an informal notification to privacy@dev.mambil.com is sufficient. We will process your request without undue delay, and in any event within one month of receipt (Art. 12 Para. 3 GDPR). In particularly complex cases, this period may be extended by a further two months, of which we will inform you in a timely manner. Where we have reasonable doubts about your identity, we may, pursuant to Art. 12 Para. 6 GDPR, request additional information necessary to confirm your identity. We use such information solely for that purpose.
15.1 Right of Access (Art. 15 GDPR)
You have the right to request confirmation as to whether personal data concerning you is being processed. If so, you have the right to access this data and further information pursuant to Art. 15 GDPR.
15.2 Right to Rectification (Art. 16 GDPR)
You have the right to request the immediate rectification of inaccurate personal data and the completion of incomplete data.
15.3 Right to Erasure (Art. 17 GDPR)
You have the right to request the erasure of your personal data if one of the grounds listed in Art. 17 GDPR applies, e.g., if the data is no longer necessary for the purposes for which it was collected. The right to erasure does not apply insofar as processing is necessary to comply with a legal obligation.
15.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request the restriction of processing of your data, e.g., if you contest the accuracy of the data or the processing is unlawful.
15.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format and to transmit this data to another controller.
15.6 Right to Object (Art. 21 GDPR)
You have the right to object at any time to the processing of your personal data insofar as the processing is based on Art. 6 Para. 1 lit. f GDPR (legitimate interest). We will then no longer process your data unless we can demonstrate compelling legitimate grounds that override your interests.
15.7 Right to Withdraw Consent (Art. 7 Para. 3 GDPR)
Insofar as the processing is based on consent, you may withdraw this consent at any time with future effect. The lawfulness of the processing carried out until the withdrawal remains unaffected.
15.8 Notification Obligation (Art. 19 GDPR)
To the extent that we have disclosed your personal data to recipients, we communicate any rectification, erasure, or restriction of processing to those recipients, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients upon request.
15.9 Right Regarding Automated Decision-Making (Art. 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you. Further information on the automated processes operated by Stripe and by us, as well as the available means to challenge such decisions and obtain human review, is set out in Section 17.
16. Right to Lodge a Complaint with a Supervisory Authority
Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR. You may in particular contact the supervisory authority of your place of residence, your place of work, or the place of the alleged infringement. The supervisory authority responsible for us is:
Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5, 30159 Hannover
Website of the Lower Saxony Data Protection Commissioner
A list of all German data protection supervisory authorities is provided by the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
17. Automated Decision-Making and Profiling
As a rule, we do not take solely automated decisions within the meaning of Art. 22(1) GDPR that produce legal effects concerning you or similarly significantly affect you. Where the activities described below involve automated steps, we inform you in accordance with Art. 13(2)(f) and Art. 22(3) GDPR about the logic involved, as well as the significance and the envisaged consequences, and we safeguard your right to obtain human intervention, to express your point of view, and to contest the decision.
17.1 Automated fraud and risk checks during payment (Stripe Radar)
Who decides? Stripe is the independent controller for the automated fraud and risk checks during payment (see Section 8.3). The decision to accept, decline, or step up a payment to additional authentication (3-D Secure) is taken by Stripe; Mambil has no direct influence over that decision.
Logic involved: for each payment attempt, Stripe evaluates a wide range of rule-based and machine-learning-derived risk signals. These include device and browser signals, IP address, the velocity of consecutive payment attempts, BIN/card information, geographical consistency, and pattern matches across the global Stripe network. The result is a risk score that is matched against rules defined by Stripe and, where applicable, configured by the restaurant in Stripe Radar.
Significance and envisaged consequences: possible outcomes are (a) the payment is approved; (b) additional authentication is required (Strong Customer Authentication under PSD2 / 3-D Secure); or (c) the payment is declined. A decline means the relevant order or subscription does not come into effect; you can choose another payment method or retry the payment. No further legal or contractual disadvantages arise.
Your rights (Art. 22(3) GDPR): if you believe a payment was wrongly declined, you can contact us at privacy@dev.mambil.com. We will forward your concern to Stripe, communicate your point of view and request a manual review by a natural person. You may also contact Stripe directly; further information on the logic is set out in Stripe's privacy policy and Stripe's Radar materials.
17.2 Automated tax-related plausibility checks (PStTG/DAC7)
In the context of our duties under the German Platform Tax Transparency Act (PStTG) we carry out automated plausibility checks of the tax and identification data provided by the restaurant operator, in particular validation of the VAT identification number via the European Commission's MIAS/VIES system. No solely automated decision with significant effects is associated with these checks; any anomalies detected are reviewed manually.
17.3 Automated enforcement under Section 23 PStTG
Where the cooperation duties required under Sections 13 et seq. PStTG are not fulfilled in full despite two reminders and an overall grace period of 60 days, we are legally obliged to suspend the restaurant operator's activity on the platform and/or withhold pay-outs (Section 23 PStTG). This measure follows fixed rules. Before any such measure you will receive an explicit request; you may at any time request individual human review with the opportunity to express your point of view by contacting privacy@dev.mambil.com.
17.4 AI-powered translation
We use AI-powered translation services for the automatic translation of menu texts (see Section 18). This involves processing of publicly available restaurant content; no automated decision within the meaning of Art. 22 GDPR takes place.
18. AI-Powered Translations
Our platform offers a machine translation feature that allows restaurant operators to automatically translate their menus into multiple languages. We use DeepL (DeepL SE, Cologne, Germany) as our translation provider. Only the content posted by the restaurant operator (names of food and beverages, descriptions, category names) is transmitted to DeepL. As a rule, this involves publicly available restaurant content and not personal data. DeepL processes the transmitted texts exclusively for the purpose of providing the translation service and does not retain them permanently. If restaurant operators exceptionally include personal data in menu texts (e.g., names of owners, chefs, or staff in descriptions), they themselves are responsible for establishing an appropriate legal basis and informing the affected individuals accordingly. The menu version stored by the restaurant operator in the original language is binding; machine translations are displayed to end customers labelled as such. The restaurant operator may disable the automatic translation for individual target languages at any time.
19. Disclosure of Data to Third Parties
Your personal data is only disclosed to third parties in the cases described in this privacy policy or where we are legally obligated to do so. We do not sell your personal data to third parties. In the context of Stripe Connect, order data is exchanged between the end customer, the restaurant operator, and Stripe insofar as this is necessary for payment processing. In the event of an official request, we may be legally obligated to disclose data to law enforcement or supervisory authorities.
19a. Data Transmission to the Federal Central Tax Office (PStTG / DAC7)
Insofar as Mambil qualifies as a reporting platform operator within the meaning of Section 3 of the German Platform Tax Transparency Act (Plattformen-Steuertransparenzgesetz – PStTG), implementing Council Directive (EU) 2021/514 (DAC7), we are legally obligated to transmit certain data of our restaurant operators annually to the German Federal Central Tax Office (Bundeszentralamt für Steuern – BZSt). The qualification is assessed on the basis of the specific contractual arrangement with each restaurant partner and is reviewed on an ongoing basis; we will update these notices if our assessment changes. This obligation only concerns restaurant operators acting as reportable sellers within the meaning of Section 4 PStTG; end-customer order and reservation data is neither subject to the report nor to the special retention period under Section 24 PStTG.
Processed data categories (seller data): name or company name, address, tax identification number or tax number, VAT identification number, date of birth (for natural persons), commercial register number (for legal entities), Member State of residence, bank account details of the payout account, as well as, on a quarterly basis, the consideration paid out to the restaurant operator via the Platform, the platform fees withheld, and the number of relevant activities.
Recipient: Bundeszentralamt für Steuern (BZSt), An der Küppe 1, 53225 Bonn, Germany. The BZSt exchanges the data with the competent tax authorities of other EU Member States within the EU-wide DAC7 mechanism, insofar as the restaurant operator is resident there.
Legal basis: Art. 6(1)(c) GDPR in conjunction with Sections 13 et seq. PStTG (compliance with a legal obligation).
Retention period: 10 years after the end of the relevant reporting period pursuant to Section 24 PStTG, limited to the seller information collected and transmitted in performance of our due-diligence and reporting obligations and the records of the due-diligence steps taken.
Consequences of non-provision: If the required data is not provided in full after two reminders and a total period of 60 days, we are legally obligated under Section 23 PStTG to suspend the restaurant operator's activity on the Platform and/or withhold payouts. Before each transmission to the BZSt, we notify the affected restaurant operator in text form of the data to be transmitted, in accordance with Section 22(4) PStTG.
20. Information for End Customers
If you, as an end customer, view a menu, place an order, make a reservation, or process a payment through Mambil, please note the following:
- The data controller for your order and reservation data is the respective restaurant operator. Please contact the respective restaurant for access, rectification, or erasure requests regarding your order and reservation data. Alternatively, you may also send such requests to privacy@dev.mambil.com; we will then forward them to the responsible restaurant operator without undue delay (Art. 28 Para. 3 lit. e GDPR).
- Mambil, as the platform operator, provides the technical infrastructure and processes your data on behalf of the restaurant operator.
- Our services are not directed at children. Where consent of a minor would be required for a processing activity, an age threshold of 16 years applies in Germany and most EU Member States (Art. 8(1) GDPR; Germany has not exercised the opening clause to lower this age). Should a restaurant operator become aware that orders or reservations have been placed by minors below this threshold, the operator is required to obtain the consent of the legal guardians as required by Art. 8 GDPR.
- Stripe Connect is used for payment processing. Your payment data is processed directly by Stripe. Neither Mambil nor the restaurant operator has access to your complete payment data (e.g., credit card number).
- Simply viewing a digital menu (scanning a QR code) does not require registration, and no personal data is collected beyond the server log files described in Section 4.
- For questions about data protection when using the platform, you can contact privacy@dev.mambil.com.
- After completing an order, you will automatically receive an order confirmation by email or in the browser listing the ordered items and the total price. This order confirmation is expressly not an invoice within the meaning of § 14 UStG (German VAT Act) and not a cash register receipt within the meaning of § 146a AO (German Fiscal Code). For a tax receipt showing VAT, please contact the respective restaurant directly — as the seller of the food and beverages, the restaurant is legally responsible for issuing invoices and cash register receipts.
21. Changes to This Privacy Policy
We reserve the right to adapt this privacy policy to comply with changed legal requirements, new technical developments, or changes to our services. The current version is always available on our website. In the event of material changes affecting your rights, we will inform registered users by email.
Last updated: May 2026