This Policy is intended to help you understand: 

• why we collect your personal data;
• how we collect, use and store your personal data;
• which rights relating to your personal data you have;
• how you can exercise the rights relating to your personal data;
• how we use cookies and other tracking technologies;
• how we share and disclose your personal data;

EATAGRAM GROUP LIMITED is located in Limassol, Cyprus

EATAGRAM GROUP LIMITED (“we”, “us”, “our”, “Company”, “Eatagram“) cares for your privacy and therefore provides you with the information hereunder. On this page, you can learn what information about you we collect while you interact with Eatagram, what for and how it is used, stored, disclosed etc., as well as how we process personal data you provide us with.

This Privacy Policy (“Policy”) describes how we handle the data you provide us with through the website https://eatagram.com/ (“Site”), Eatagram application (collectively the “Platform”), via social media, or by interacting with us in other ways. Such treatment may include, but is not limited to, the following:

• collection; 
• recording;
• organization;
• storage;
• structuring;
• adaptation;
• alteration;
• retrieval;
• consultation;
• use;
• disclosure by transmission;
• dissemination or otherwise making available;
• alignment or combination;
• restriction; and
• erasure or destruction.

When processing your personal data Eatagram can play different roles under the GDPR and other applicable laws and regulations. Depending on the factual circumstances of the processing, we may act as a data controller or data processor under the GDPR and business and service provider under the CCPA respectively. 

When you submit your personal data as a client through our Platform, you may be asked to consent to our processing of the personal data you provide as explained in this Policy to enable us to provide you with the information or service requested, if no other legal ground can be used. 

To facilitate your understanding of this Policy, we explain the usage of the definitions listed here in accordance with the GDPR and CCPA.

We use the following definitions in this Policy: 

“data controller” means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is processed. 

“data processor” means the natural or legal person who processes personal data on behalf of the data controller. 

“data subject” is any living individual who is using our Platform. 

“personal data” means any information relating to you and helping identify you (directly or indirectly) such as your name, last name, email, location data, etc. 

“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

“services” means access and/or use the functionalities of the Platform described in Terms of Use in order to familiarize yourself with and order services performed by the respective businesses as provided in Terms of Use. 

“business” means an individual or legal entity who uses the Platform through its business account on the terms described in Business Terms of Use . 

“joint controllers” means two or more controllers jointly determining the purposes and means of processing. 

The definitions of terms used within this Policy are taken from the GDPR in consideration of the definitions established in the CCPA. The pair of definitions “personal data” and “personal information”; “controller” and “business”; “processor” and “service provider”; “data subject” and “consumer” may be used interchangeably unless another meaning is mentioned.

We collect and process the information about you or obtained from you in accordance with this Policy.

We act as a controller and a processor in relation to the different categories of personal data.

We collect the information from you through the registration form on the Site, the Platform, and email and process it as a data controller. 

We may process some third-party personal data you provide us with when you are interacting with the Platform and process it as a data processor.

We use your personal data we collected and the personal data you provided us with only for the purposes listed in this Policy. We may share your personal data with third parties solely for purposes listed herein.

We do not sell your data. We DO NOT use automated decision-making and profiling.

Purposes

Type of personal data

Legal grounds

Third Parties recipients

Source

Registration on the Platform

Registration Data: username, email, phone, name, surname.

Information from Identification token: name, surname, email.

Performance of a contract (Article 6(1)(b)).

Amazon.com, Inc. , Hetzner Online GmbH , Avada Media LLC , Postman, Inc. 

User, Google/Facebook/Twitter/Apple account

Maintenance of the account on the Platform

Registration Data: username, email, phone, name, surname.

Information from Identification token: name, surname, email.

Reservation Data: 

name, surname, phone, other information about reservation.

Other Data: sex, date of birth, city of registration, photo, or any other information you may provide to us through your account. 

Performance of a contract (Article 6(1)(b)).

Amazon.com, Inc. , Hetzner Online GmbH , Avada Media LLC , Postman Inc. , Businesses 

User, Google/Facebook/Twitter/Apple account

Fraud Prevention

Registration Data: username, email, phone number, first name and last name/registered business name, history of visits, device model, Device ID/Mobile ID.

Our legitimate interest (Article 6(1)(f)).

Amazon.com, Inc. , Hetzner Online GmbH , Avada Media LLC 

User

Verification (only for Business accounts)

Verification Data: 

name, surname, date of birth, address, phone, email, documents information (ID, driver's license, etc.)

Performance of a contract (Article 6(1)(b)).

Amazon.com, Inc. , Hetzner Online GmbH , Avada Media LLC 

User

Analytics

Data obtained via cookies. 

Your consent (Article 6(1)(a)).

Amazon.com, Inc. , Hetzner Online GmbH , Avada Media LLC , Google LLC 

User

Personalization of content 

Geolocation data (GPS data, IP address). 

Legitimate interest (Article 6(1)(f)).

Amazon.com, Inc. , Hetzner Online GmbH , Avada Media LLC 

User

Information Purposes (to publish your feedback, posts, photos, videos and other content on the Platform)

Posts, feedback, comments.

Performance of a contract (Article 6(1)(b)).

Amazon.com, Inc. , Hetzner Online GmbH , Avada Media LLC , Businesses

User

We will store and process your personal data for as long as needed to provide you or other clients with the services. 

Also, you may request erasing of your personal data by contacting us in any way convenient for you.

We store and process your personal data until we do not need it for any of the purposes defined in this policy unless longer storage is required or expressly permitted by law. 

In any case we store personal data we obtained from you, as described under the ‘Use of Your Personal Data’ section, for a specified period, as described below:

12. We store the information you provided us with when you registered on the Platform (including information obtained from identification token), as well as the information you added to your profile, and/or provided us for verification purposes for the entire period when you access or use our services and for 6 months since the deletion of your account from the Platform.
13. We store personal data needed to prevent fraudulent actions for 5 years. 
14. Analytics data regarding how you interact with our Platform to enhance your user experience is stored for 5 years unless another retention period is specified in this Policy or Cookie Policy .
15. We store automated collected data obtained via cookies and similar technologies for the period specified in our Cookie Policy[8] .  
16. Your posts left within the Site or the Platform are stored for 6 months since the deletion of the account on the Platform to make it easier if you want to restore your account and use our services again. 
17. If you have deleted your account on the platform, your comments and feedback will remain visible for 5 years in an anonymized form (not linked to your account).

We may not delete or anonymize your data if we are compelled to keep it under the under article 30 of the GDPR and other applicable laws. 

Notwithstanding any of the aforementioned periods of data storage, you may request to delete your personal data by sending us an email at [email protected] or contacting us via another way convenient for you. 

We have implemented appropriate organisational, technical, administrative, and physical security measures that are designed to protect your personal data from unauthorized access, disclosure, use, and modification. We regularly review our security procedures and policies to consider appropriate new technology and methods.

We only transfer your personal data to third parties according to the requirements of GDPR.

Where possible, we always enter into data processing agreements (DPAs) and Non-Disclosure Agreements (NDAs) with our third parties.

We may disclose the personal data to third parties, including those located outside the EU and EEA, provided that proper safeguards are put in place and the applicable local laws do not put your rights at risk.

We may share your personal data as a data controller to joint controllers and data processors in accordance with provisions specified hereafter.

Sharing data with joint controllers

In some cases we may act as a joint controller jointly with other joint controllers, for example, for example, while allowing users to make reservations in the restaurants which have business accounts on the Platform. 

If a user makes a reservation at a restaurant, we transmit to the restaurant information about the date and time of the reservation, number of people, name and phone number of the user who makes the reservation.

Sharing data with data processors

There are many features necessary to provide you with our services that we cannot complete ourselves, thus we seek help from third parties. We may grant some service providers access to your personal data, in whole or in part, to provide the necessary services. We have established Supplier Assessment Procedures to ensure we choose trusted partners who provide appropriate security measures and safeguards.

Therefore, we may share and disclose your personal data to other data processors: 

• Hetzner (Hetzner Online GmbH, Germany): to provide secure transfer and storage of personal data on the servers. You may read its Privacy Policy here;
• Amazon Web Services, AWS (Amazon.com, Inc., USA): to provide secure transfer and storage of personal data on the servers. You may read AWS Privacy Policy here;
• ●        Postman (Postman, Inc., USA): to provide safe and high-quality operation of the Site and the Platform. You may read its Privacy Policy here.
• Google Analytics (Google LLC, USA): to analyze statistical data on how the visitor uses the Site in order to improve our Site’s functionality. You may read its Privacy Policy here;
• Avada Media (Avada Media LLC, Ukraine): to improve our Platform and your experience as well as deliver the functionality of the Platform.

During our business activities we may engage different specialists which may receive your personal data, including technical, sales and marketing specialists, to provide you with better client service. Also, we may disclose some of your personal data to our outsource legal professionals to make our business accurate and transparent. The abovementioned specialists are collectively referred to as Contractors. 

We may transfer your personal data to countries outside the EU and EEA (the USA, UAE and Ukraine) that are not determined to offer an adequate level of data protection on the basis of article 45 of GDPR (adequacy decision) with appropriate safeguards as determined under the GDPR.

We only transfer your personal data to third parties within requirements under the GDPR. Where possible, we always enter into Data Processing Agreements (DPAs) and Non-Disclosure Agreements (NDAs) with them and treat personal data transfer seriously. Where the Contractor has an appropriate data processing agreement in place, Eatagram may adjoin such data processing agreement. If so, Eatagram and the Contractor may regulate the transfer of the personal data to such Contractor by means of this data processing agreement.

Eatagram had adjoined the publicly available data processing agreements of the following Contractors:

We may transfer your personal data to third countries outside the EU and the EEA under Article 46 of the GDPR on the appropriate safeguards, including the standard contractual clauses (SCC).

For transfers to countries that do not fall under requirements of Article 45 of the GDPR on the adequacy of the level of protection, we may transfer your personal data to the third countries outside the EU and the EEA, including the onward transfers of the personal data from the third countries to another third countries, under Article 46 of the GDPR with the appropriate safeguards, including the SCC.

We disclose your personal data to the countries outside the EU and the EEA, in compliance with our internal International Transfer Procedure in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of natural and legal persons. 

We put supplementary technical and organizational measures in place when transferring data outside the EU and the EEA. e.g. prior assessment of the service supplier’s reliability and personal data protection practices, encryption of the transferred personal data, prompt reacting to any threats to confidentiality, integrity and availability of the personal data, conducting transfer impact assessments (TIA) when necessary, etc. 

We undertake best possible efforts to secure the processing of personal data belonging to the underage.

The Platform does not knowingly collect personal data from persons under the age of 13. 

By registering on the Platform and entering into the contract with the Company, you acknowledge that you have reached the age of 13 and under the laws of your country of residence you have all rights to provide us with your personal data for processing. 

If you have any reason to believe that a child under the age of 13 has provided his/her personal data to us, please contact us at [email protected].

You may exercise the following rights under the General Data Protection Act (GDPR):

• right of access;
• right to rectification;
• right to erasure;
• right to restriction of processing;
• right to object to processing;
• right to data portability;
• right to lodge a complaint;
• right to consent withdrawal.

You may exercise the following rights by submitting your request at [email protected] .

When we act as a joint controller with regard to particular processing of personal data, you may exercise your rights under the GDPR in respect of and against both advertising platform/delivery service/Food Institution and us.

If we receive any complaint, claim or request from the data subject which shall be completed by our joint controller, we immediately notify it of such request and inform the data subject on the applied measures and further performance steps regarding serving such complaint/claim/request.

Rights under the GDPR

• right of access means that you may ask us to send you the copy of your personal data collected together with information regarding the nature, processing and disclosure of that personal data;

• right to rectification means that you may ask us to update and correct the false data, missing or incomplete personal data.  
• right to erasure (to be “forgotten”) means that you may ask us to delete your personal data collected, except insofar it is prohibited by appropriate laws.
• right to restriction of processing means that you may ask us to restrict processing where:

1. your personal data is not correct or outdated;
2. the processing is unlawful.

• right to object to the processing means that you may raise objections on grounds relating to your particular situation;
• right to data portability means that you may ask us to transfer a copy of your personal data to another organisation or to you;
• right to withdraw the consent when your personal data processed on a basis of your consent;
• right to lodge a complaint with the supervisory data protection authority pertaining to the processing of your personal data. 

You may submit the complaint to the supervisory authority of your place of residence within the EU or to the data protection authority stated in this Policy.

Please, note that we may need to confirm your identity to process your requests to exercise your rights under the GDPR. Thus, we may not be able to satisfy your request if you do not provide us with sufficient detail to allow us to verify your identity and respond to your request.

We kindly ask you to contact us directly so that we can quickly answer your question.

We kindly invite you to share your concerns with us in the first place regarding any issue related to your personal data processing. You may use the following channels to address your inquiries: [email protected]. 

In some cases, you have the right to lodge a complaint about our use of your personal data with a data protection authority. For more information, please contact your national data protection authority. We will cooperate with the appropriate governmental authorities to resolve any privacy-related complaints that cannot be amicably resolved between you and us. 

This section applies to the processing of the personal information of the California residents

Under the California Consumer Privacy Act (the “CCPA”), California residents have certain rights regarding our collection, use, and sharing of their personal information.

We may collect various categories of personal information when you use and/or access our Platform, including information you provide when you create an account on the Platform, providing us with any additional information, and automatically collected data (regarding your interactions with our Platform).

In particular, depending on actual circumstances, we may collect the following categories of personal information specified in the CCPA when you use and/or access our Platform: 

•         Category A – Identifiers;
•         Category B – Personal information categories listed in the Cal. Civ. Code § 1798.80(e);
•         Category C – Protected classification characteristics under California or federal law;
•         Category F – Internet or other similar network activity;
•         Category G – Geolocation data;
•         Category I – Professional or employment-related information;
•         Category L – Sensitive personal information.

You can find a detailed description of the personal information that we may collect from you above in the ‘Use of Your Personal Data’ section of this Policy. Note that in the ‘Data Disclosure and Sharing’ section of this Policy you can review the categories of third parties with whom we may share your personal information. The terms used within those sections of this Policy are taken from the GDPR in consideration of the definitions established in the CCPA.

If you are a California resident, to the extent provided for by the CCPA and subject to applicable exception, you have the following rights in relation to the personal information we have about you:

•         Right to obtain information. You can request information about what personal information has been collected about you and how we have used that personal information during the preceding 12 months. 
•         Right of access. You can request a copy of the personal information that we have collected about you during the preceding 12 months. 
•         Right to deletion. You can request us to delete the personal information that we have collected from you unless it is necessary for us to maintain your personal information in certain cases under the CCPA, such as protection against malicious, deceptive, fraudulent, or illegal activity. 
•         Right to be free from discrimination relating to the exercise of any of your privacy rights.

We do not sell your personal information to third parties for monetary or other valuable consideration. Additionally, we do not offer any financial incentives associated with our collection, sharing, or retention of your personal information. 

We take the protection of your privacy seriously, so in no way will we discriminate against you for exercising any of your rights granted by the CCPA. 

You can exercise your rights under the CCPA by sending us an email by any other means of communications convenient for you, including those listed in the ‘How to Contact Us’ section of this Policy. 

Please, note that we may need to confirm your identity to process your requests to exercise your rights under the CCPA. Thus, we may not be able to satisfy your request if you do not provide us with sufficient detail to allow us to verify your identity and respond to your request.

We may change this policy from time to time due to the different purposes.

We will notify you on such material changes through means available to us.

This Policy may be changed from time to time due to the implementation of new updates, technologies, laws’ requirements or for other purposes. We will send notice to you if these changes are dramatic and where required by applicable laws, we will obtain your consent for the subsequent processing. In any case, we encourage you to regularly review this Policy to check for any changes. 

Such notification may be provided via your email address, announcement published on the Platform and/or by other means, consistent with applicable law.

Please contact us if you have any questions about our processing activities, this Privacy Policy, or your rights.

If you have a question related to this Privacy Policy, our processing activities, or your data subject rights under GDPR, CCPA, and other applicable laws, you can contact us directly using the following details:  

• Our address: Bldg 16-Co Work, SD2-48, Dubai, United Arab Emirates
• Our email: [email protected]