Data Security

Data Protection Policy for the VAPIANO PEOPLE Programme

Date: June 2017 

The protection of your data is very important to us. Therefore, we would like to inform you comprehensively and clearly about the processing of your data in connection with the VAPIANO PEOPLE Programme.

 

Data Controller

 

Personal data in connection with participants of the VAPIANO PEOPLE rewards programme will be collected, processed and used by Vapiano International Marketing GmbH, Im zollhafen 2-5, 50678 Cologne,  Germany (hereinafter: “Vapiano” or “We”).

 

Purpose of the collection, processing and use of personal data

 

Unless otherwise indicated, Vapiano collects, processes or uses your personal data which you have provided via the VAPIANO website, the Vapiano App or in the handwritten registration form for the following purposes:

to process your registration for the VAPIANO PEOPLE Programme and to generate a respective customer account, to enable you to participate in the VAPIANO PEOPLE Programme in all participating restaurants worldwide, to give you access to your customer profile on the website www.vapiano-people.com and to the offers which you may find there, to send you an email for your birthday with a birthday present, for anonymised, internal, statistical market research purposes in order to help us improve our response to your individual needs, to contact you in the event of questions in connection with your VAPIANO PEOPLE customer account, to inform you via email about changes to this Data Protection Policy, changes to the General Terms and Conditions, or organisational changes to your VAPIANO PEOPLE membership, to identify you at the checkout during visits to a restaurant, to provide you with further information, in the event that you have explicitly asked Vapiano for the respective information, for the Vapiano Finder in the Vapiano app, in order to find the closest Vapiano restaurant, for the provision of the payment function, which we are unable to offer in all participating countries, to send you our newsletter, where you have requested it, to inform you about vouchers, forthcoming promotions or special offers from Vapiano, where you have separately agreed to this, to notify you of the organisation of competitions in connection with VAPIANO PEOPLE and prizes,to allow PEOPLE points to be recorded later in the restaurant, for other legally permitted purposes.

 

Category of data collected, processed and used by Vapiano

3.1 Provision of your customer account

Vapiano may collect, process and use the following personal information in order to provide you with your customer account after your application:

  • name,
  • address,
  • date of birth,
  • email address,
  • Number of your VAPIANO PEOPLE membership,
  • password.

 

3.2 Identification at the checkout

When using the VAPIANO PEOPLE card or the Vapiano app during a restaurant visit, we may collect, process or use the following data for purposes of identification at the checkout, to ensure that you are the owner of the card or an authorised participant:

  • First name, surname
  • Date of birth.

 

3.3 Collection of reward points and status points

When you collect reward points or status points, we collect, process and use the following data via the participating VAPIANO restaurants for internal, statistical purposes:

  • date and time of your visit,
  • location of the restaurant,
  • total turnover (sold products and foods),
  • total number of visits,
  • reward points redeemed,
  • birthday presents redeemed.

 

3.4 Worldwide use

So that you can use the advantages of the VAPIANO PEOPLE Programme and the app in participating restaurants worldwide, Vapiano transmits the following information to participating restaurants and national companies - but only where necessary:

  • First name, surname
  • date of birth,
  • score of points,
  • PEOPLE status,
  • email address.

 

3.5 Vapiano newsletter

If you are not yet a Vapiano PEOPLE member but have ordered the Vapiano newsletter, the following data will be collected, processed and used by us: Name, where you have told us this during registration, email address.

 

If you are a Vapiano PEOPLE member and have ordered the newsletter, the following data will be collected, processed and used by us:

  • Name
  • Email address.

 

3.6 Vapiano Finder

When using the Vapiano Finder of the Vapiano App to find the closest Vapiano restaurant, we collect, process and use:

Your GPS location data, if you activate these.

 

3.7 Mobile payment function

When using the mobile payment function within the VAPIANO app, VAPIANO collects, processes and uses the following personal data:

  • Username
  • Password
  • Customer number (People ID)
  • App version and operating system

 

For payment processing the following personal data are transmitted to our payment service provider, B+S Card Service GmbH, Lyoner Straße 9, 60528 Frankfurt am Main, where they are processed:

PayPal account or credit card data (number, expiry date, security code)ID of the SEPA Mandate.

Detailed information on the mobile payment function is shown at 5.1 in this data protection declaration.

 

VAPIANO PEOPLE Card

An anonymised participant number will be stored in the QR code (“Quick Response”) on your VAPIANO PEOPLE Card. PEOPLE Points or status points and personal data provided by you, will be stored in the system only. This way, in the event of loss of the VAPIANO PEOPLE Card, none of your personal data will be lost or be made available to third parties.

 

VAPIANO App

Vapiano International Marketing GmbH, hereinafter designated as VIM, makes a mobile app available. The app allows you to order in the restaurant, learn about our products, use the mobile payment function, or identify yourself at the checkout of participating Vapiano restaurants as a VAPIANO PEOPLE member using the QR code in this app, and use all functions of the VAPIANO PEOPLE programme without needing to use the VAPIANO PEOPLE card.

 

5.1 Data processing during use of the app

Vapiano Finder 

This app allows you to find the closest Vapiano restaurant via the “Vapiano Finder”. For this purpose we either need your GPS location data or you insert your current location data into the app. If you have activated the location functions on your mobile, VIM will collect and use your GPS data exclusively for purposes of locating the closest Vapiano restaurants. No movement-tracking profile will be prepared from this data.

 

Use in the restaurant

So that you can benefit from the advantages of the VAPIANO PEOPLE programme even in the event of a technical problem with your smartphone or limited battery life, we save your first name and your VAPIANO PEOPLE number for the duration of your visit to a restaurant, and display it in the checkout system. In this manner, it remains possible to correlate the data with you and your VAPIANO PEOPLE account, even in unforeseen circumstances.

 

If you have chosen to use the VAPIANO app, you will agree to the following declarations of consent:

By registering for the VAPIANO PEOPLE programme, you agree to the creation of a personal user profile by VIM.

 

To this end, VIM correlates the registration data from the app or the VAPIANO PEOPLE website with the use and transaction data generated in the Vapiano restaurants. If you log into the Vapiano app in one of the participating Vapiano restaurants, VIM will collect usage data (e.g. meal and drink orders, saved favourites, duration of visit in the restaurant). This data collection allows reward and status points to be credited, and serves purposes of market research in order to further improve our products and services, and – where you have separately requested this – to send you advertising customised to your personal interests (e.g. information about products or promotions in the Vapiano restaurants) via email, SMS or Push message. You will thus receive current information that is relevant to you based on your previous restaurant visits.

 

Saving login data

 

When using the VAPIANO app, you have the option of staying permanently logged in. To this end, VIM or its authorised service providers use cookies and other similar technologies in order to offer you a faster and better user experience. For this purpose, your access data, consisting of the email address and password, will be saved so that you do not need to enter them again every time you open the VAPIANO app.

 

5.2 Mobile payment function

The mobile payment function is an additional voluntary service. Therefore, the following descriptions and declarations of consent only apply if you wish to use the mobile payment function.

 

The mobile payment function is a process allowing registered users to use their smartphone for cashless payment in participating restaurants. The log-in in the restaurant is effected by means of a dynamic QR code in the active VAPIANO PEOPLE app. In connection with the payment function each individual payment transaction must also be authorised by a personal identification number (“PIN”) to be freely chosen by the user, or by fingerprint.

 

After authorisation has been effected the payment services provider B+S Card Service GmbH, Lyoner Straße 9, 60528 Frankfurt am Main (hereinafter designated as B+S Card Service GmbH) shall be entitled to charge the credit card with the respective amount.

 

Collection, processing and use of personal data

 

For participation in the mobile payment process the data types stated at 3.7 are required. When creating a payment method (e.g. credit card payment or a PayPal account) in connection with the VAPIANO app, a so-called payment method alias (a randomly generated unique sequence of characters) is generated and stored. This alias is transmitted to B+S Card Service GmbH where it is stored together with the payment data. This alias will thereafter be used as a “replacement” for the concrete payment data (e.g. credit card number, account number) in the communication with B+S Card Service GmbH so that the card data do not actually have to be transmitted every time.

When checking into the restaurant using your VAPIANO app, an ID is set up on your smartphone. This is your virtual card number stored in the app, which you can view in the same. This virtual card number consists of the People ID and a randomly generated sequence of characters. It replaces the card which you would otherwise be given at the checkout. Using the ID, orders and payments can be allocated to you. The shopping cart (article and price) is shown to you in the app. The SEPA mandate will be sent to you and also stored in our system.

At the log-in a token is created which is used for authentication purposes. The token will be encrypted within the VAPIANO app and stored therein. For encryption a four-digit PIN which you have entered will be used, or - if available - the fingerprint sensor of your smartphone. In both cases the PIN will be encrypted and stored in a secure area of the operating system that cannot be accessed without your PIN or your fingerprint. The PIN is only known to you.

This token will be stored in encrypted form within the VAPIANO app as well as with us in an unencrypted form. In addition to the payment-relevant communication between the VAPIANO app and ourselves, this token is also required to generate the checkout QR code.

The decryption of the token is effected on your smartphone by means of your PIN or your fingerprint. Using the token, the VAPIANO app generates a code which must be used for checkout.

This CODE contains the following information:

 

People ID
Installation ID of the application
A time stamp
Virtual card number
The payment method to be used (not the concrete card data but an ID)
Using the ID, the payment data can be identified in the system.

 

All this information is encrypted by means of the token. The checkout scans this code and transmits the same to us. We decrypt the QR code and transmit the relevant data (amount, invoice no., payment method alias) in an encrypted form for payment processing to our payment services provider, B+S Card Service GmbH. Using the payment method alias, B+S Card Service GmbH is able to correctly assign the relevant stored payment data. The token or encrypted content and the shopping cart are not transmitted to the B+S Card Service GmbH. B+S Card Service GmbH checks the correctness of the details provided and then handles the payment transaction.

 

Specifics relating to credit card payments

 

Credit cards: Visa and Mastercard 

When a credit card is first set up within the application, the credit card data (number, expiry date, security code, name) are directly transmitted by the app via HTTPS to B+S Card Service GmbH. When making payments, the credit card data will then no longer be required, only the above-described alias will be used.

 

Specifics relating to PayPal payments 

PayPal: Please see www.paypal.com for information on PayPal payments.

 

5.3 Withdrawal of consent

By using the VAPIANO app, you consent to the use of your data described under section 5 of this Data Protection Declaration.

 

You can withdraw this consent at any time with effect for the future; you will then no longer be able to use the PEOPLE programme. For details see Item 9: Termination of the participation in the VAPIANO PEOPLE programme.

 

Withdrawal of consent should be sent to:

 

Vapiano International Marketing GmbH
Im Zollhafen 2-4,
50678 Cologne, Germany
Email: people-support@vapiano.co.uk

 

Newsletter

 

On our website, you have the option to sign up for our free newsletter. The newsletter informs you about current offers, exciting specials and news from the world of Vapiano. We require your email address for this subscription. You may tell us your name but you don’t need to. If you voluntarily tell us your name, we will use it to address you personally.

 

After sending the registration form, you will receive a confirmation email from us.

The registration will only become effective when you have clicked on the link in the confirmation email. You can unsubscribe from the newsletter at any time. To do this, use the unsubscribe function on our website, or the unsubscribe link at the end of each email. Your email address will then immediately be deleted from the distribution system.

 

If you have subscribed to the newsletter, you have agreed to the following declarations of consent for this:

 

I agree to receive advertising from Vapiano in the form of newsletters. By subscribing to the newsletter, I consent to you analysing and processing my usage data (e.g. clicking links) in order to continuously improve the service, and in order to create newsletters customised to my interests.

 

You can withdraw your consent to the analysis of your usage data at any time. We treat your data as strictly confidential and do not disclose it to third parties.

Withdrawal of consent should be sent to:

 

Vapiano International Marketing GmbH
Im Zollhafen 2-4,
50678 Cologne, Germany
Email: people-support@vapiano.co.uk

 

Marketing

 

If you have consented to marketing, Vapiano may submit advertising to you by email, when using the Vapiano app or the Vapiano website and – if you have ordered these separately – in other services (e.g. SMS/MMS, push or in-app messages), which advertising is directed to your own individual interests and which Vapiano selects on the basis of the following data: Your basic data, any voluntary specifications, and the data generated during the use of your personal PEOPLE QR code or the PEOPLE app.

We record which links in the newsletter are clicked, and which products interest you. This enables us to send you customised newsletters.

You can withdraw your consent to the analysis of your usage data at any time. We treat your data as strictly confidential and do not disclose it to third parties.

You can withdraw these consents at any time, independently of one another, and with effect for the future. 

Withdrawal of consent should be sent to:

 

Vapiano International Marketing GmbH
Im Zollhafen 2-4,
50678 Cologne, Germany
Email: people-support@vapiano.co.uk

 

Scope of the data disclosure

 

Vapiano does not use the data for commercial purposes. The disclosure of your personal data to third parties takes place only with your permission, and within the scope described in the following.

 

8.1          Use of service providers

Vapiano uses service providers in order to realise the VAPIANO PEOPLE programme in Germany and in other EU countries. The service providers will process the data exclusively according to the instructions given by Vapiano and have been placed under an obligation to comply with the applicable data protection provisions. Vapiano and its assigned service providers will take reasonable technical and organisational precautions to protect the data of the participants.

 

8.2         Disclosure to other third parties

Vapiano will otherwise not disclose your personal data to any third parties, unless we are obliged to do so by legal regulations (e.g. disclosure to courts or law enforcement authorities), unless you have given us your explicit consent, or unless the disclosure is permitted by law. Vapiano will not disclose a participant's data to address brokers or to other companies for advertising purposes.

 

8.3          Disclosure to participating Vapiano restaurants and Vapiano companies in Germany and in other countries

The VAPIANO PEOPLE programme is fundamentally designed to enable its participants to use the VAPIANO PEOPLE card and the benefits of the programme in all participating countries.

 

If you have subscribed to the VAPIANO PEOPLE programme, you have agreed to the following declaration of consent for this:

I agree to Vapiano using the personal data defined under section 3.4 for the purposes defined in section 2 worldwide, and transferring these data to the restaurants and national companies participating in the VAPIANO PEOPLE programme.

 

You can withdraw this consent at any time with effect for the future.

 

Withdrawal of consent should be sent to:

Vapiano International Marketing GmbH
Im Zollhafen 2-4,
50678 Cologne, Germany
Email: people-support@vapiano.co.uk

 

As soon as you withdraw your consent to the data processing under section 8.3, your participation in the VAPIANO PEOPLE programme will also be terminated. Upon termination of your participation, your customer data will be completely anonymised, with the exception of the data subject to statutory archiving periods.

 

Termination of the participation in the VAPIANO PEOPLE programme

You may terminate your participation in the VAPIANO PEOPLE programme at any time. Upon termination of your participation, your customer data will be completely anonymised, with the exception of the data subject to statutory archiving periods.

 

Your rights as a VAPIANO PEOPLE member

As a VAPIANO PEOPLE member, you have the right to request information regarding what data about you have been stored with us, and for what purpose they have been stored. Furthermore, you can correct inaccurate data, or request the deletion of data which it is either inadmissible to store or where such storage is no longer required. In order to assert your rights, please contact the address specified at Item 12 in writing or via email.

 

Modification of VAPIANO PEOPLE Data Protection Policy

We retain the right to modify this Data Protection Policy at regular intervals according to the underlying data processing procedures. When we make changes to this VAPIANO PEOPLE data protection policy, we will inform you via our website, via app or via email.

 

Questions, suggestions, comments

We are happy to answer your questions and receive your suggestions and comments regarding this VAPIANO PEOPLE Data Protection Policy. You can contact Vapiano on our website www.vapiano-people.com under CONTACT or via email at people-support@vapiano.co.uk, or at the following postal address:

 

Vapiano International Marketing GmbH
Im Zollhafen 2-4,
50678 Cologne, Germany

 

 

* * *

top