Privacy Policy

Privacy and Data Protection Policy

V1.2 – June 23, 2022

Basic Information

This privacy policy provides information on the processing of the personal data of our Users who interact with us and users of the contact form on our website or web application, as provided in the General Data Protection Regulation (“GDPR”).

Processing of Data of Users and Persons Who Contact P&P

1. Data Processed

   1. Information supplied directly by Users:

      Registration Data: the information provided by Users when they create an account on the P&P Platform: e-mail.

      User Profile Information: the information added by Users on the Platform in order to be able to use the P&P services, i.e. their mobile phone number. Users can view and edit the personal data on their profile whenever they wish. P&P does not store Users’ credit card details, but these are provided to licensed electronic payment service providers, who receive the data included directly and store it in order to facilitate the payment process for Users and to manage it on P&P’s behalf. This information is under no circumstances stored on P&P’s servers. Users may delete the details of the credit cards linked to their account at any time. This will trigger the service provider to delete the information, which will have to be re-entered or selected in order to place new orders through the Platform. Users may request such providers’ privacy policies at any time.

      Additional information that Users wish to share: any information that a User could supply to P&P for other purposes. Examples include a photograph of the User or food preferences.

      Information about previous communications with P&P: P&P will have access to the information supplied by Users for the resolution of any queries or complaints about the use of the platform, whether through the contact form, by e-mail or by phone through the customer service.

      Information on accidents involving any of the parties involved in the provision of services through the Platform for the purpose of making insurance claims or carrying out any other actions with the insurance companies contracted by P&P.

      Transcription and recording of conversations held between the USER and P&P for the processing of incidents, queries or any other consultations that may be made.

      Information on Communications between Users and Restaurants: P&P will have access to the communications exchanged between Users and the Restaurants that collaborate with the Platform.

2. Information indirectly supplied by Users:

   2. Data arising from the Use of the Platform: P&P collects the data arising from Users’ Use of the Platform every time they interact with the Platform.

   3. Data on the application and the device: P&P stores data on the device and the Application used by Users to access the services.

      This data is:

      1. The IP address used by each User to connect to the Internet using his/her computer or mobile phone.
      2. The full uniform resource locator (URL) Clickstream, including date and time.
      3. Data from the User’s account: information on the orders made by each User, as well as feedback and/or comments made about them by such User.
      4. The User’s browsing history and preferences.
      5. Data arising from the User’s origin: if a User arrives at the P&P Platform through an external source (such as a link from another website or a social network), P&P collects data on the source from which the P&P User arrived.
      6. Data resulting from the management of incidents: if a User contacts the P&P Platform through the Contact Form or on P&P’s phone number, P&P will collect the messages received in the format used by the User and may use and store them to manage current or future incidents.
      7. Data arising from “cookies”: P&P uses its own and third-party cookies to facilitate browsing by its users and for statistical purposes (see the Cookie Policy).
      8. Data resulting from external third parties: P&P may collect personal data or information from external third parties only if the User authorises such third parties to share that information with P&P.
      9. Similarly, if a user accesses P&P through products and services offered by Google, Google may send the User’s browsing data to P&P, with access to the platform through the links created by Google.

   4. The information provided by the external third party may be controlled by the User in accordance with the third party’s own privacy policy.

   5. Geolocation Data: provided that this has been authorised by Users, P&P will collect data relating to their location, including the real-time geographic location of their computer or mobile device.

3. Purpose

   6. To use the P&P Platform

   P&P uses the data collected from Users to enable them to access and communicate with the P&P platform and to provide the services requested by them through their account on the P&P Platform, in accordance with the procedure described in the “Terms of Use”.

   7. To send communications

   P&P uses Users’ personal data to communicate via e-mail and/or send them SMS messages relating to the operation of the service.

   P&P may send messages to the User’s mobile phone with information relating to the status of the order requested. When the order is completed, P&P will send a summary/receipt of the order and price thereof to the User’s e-mail.

   8. To detect and investigate fraud and possible criminal offences

   P&P also uses the information to research and analyse how to improve the services it provides to Users, as well to develop and improve the features of the service it offers. Internally, P&P uses the information for statistical purposes in order to analyse User behaviour and trends, to understand how Users use the P&P Platform and to manage and improve the services offered, including the possibility of adding new, different services to the Platform.

   9. P&P may monitor all actions that could result in fraud or in the commission of a criminal offence relating to the means of payment employed by users. P&P may ask users for a copy of their ID card as well as for certain information on the credit card used to place the order. In any event, all data will be processed by P&P for the sole purpose of fulfilling its fraud prevention and monitoring functions, and it shall be stored for as long as its relationship with the user concerned remains in force, and even after this time until the user’s right to make claims or take legal action relating to payment for the products or services ordered through P&P has expired. The data relating to the credit card used will be retained until the incident has been resolved and for 120 days thereafter. If any irregularities in its use that could be considered illegal activities are detected, P&P reserves the right to retain the data provided and to share it with the competent authorities in order to carry out the relevant investigation. P&P may share the data with the authorities based on the legal obligation to prosecute conducts that are contrary to the applicable law.
   10. To comply with the legislation and bring and defend legal actions
   11. P&P informs the user that conversations with the Restaurant be reviewed and used by P&P for the purpose of filing and/or defending any claims and/or legal actions that may be necessary, as well as to manage any incidents arising in connection with orders.
   12. Promotion and commercial offers (on-line and off-line)

   P&P uses third-party technology integrated in its Platform for the purpose of collecting Users’ data and preferences and using this with CRM systems and advanced technology for the benefit of Users. The following processing will thus be carried out on their data through the information collected:

   P&P may send e-mails with promotional messages and/or offers relating to the service offered by it that may be of interest to Users. P&P may gauge and personalise such advertising in accordance with its users’ preferences. If a P&P User does not wish to receive this information and/or commercial communications, he/she may at any time opt to “Unsubscribe” in the e-mail, and P&P will immediately stop sending the aforementioned information.

   P&P may also send Users messages and/or offers relating to such services through “push” notifications consisting of sending such promotional messages and/or offers to their mobile phones. If a P&P User does not wish to receive the commercial communications described in this clause and in 3.1 above, he/she may remove them all by disabling them with a single click in the privacy preferences of his/her profile.

   P&P and/or the third parties associated with P&P may use the order delivery address entered by the User for the purpose of carrying out promotional activities for the delivery of samples or free products of the service related to P&P which may be of interest to the User (e.g. home delivery of free samples or advertising brochures) at the same time as delivering the order.

   Users may use their privacy management centre to unsubscribe from online marketing services or to close their account if they do not wish to receive samples with their P&P orders.

   13. For statistical and service analysis purposes

   P&P uses the information for statistical purposes in order to analyse User behaviour and trends, to understand how Users use the P&P Platform and to manage and improve the services offered, including the possibility of adding new, different services to the Platform.

   P&P also uses the information to research and analyse how to improve the services it provides to Users, as well as to develop and improve the features of the service it offers.

   P&P also processes User’s statistics based on the Users Personal data in order to assist Users in their decisions and use of the service, including the possibility to quickly reorder from the stores where Users have ordered in the past or suggest Users stores based on their past orders or “popularity” among new users. Additionally, P&P could assist Users in their decisions through automatically determined filters by the historical order Users have placed in the past.

   Anonymized data can be shared with third parties in order to help development of new services

   14. To process incidents and claims with insurance companies

   If a User contacts P&P to report the occurrence of any damage or unforeseen event that may be covered by P&P’s insurance policy, P&P shall process all data relating to the incident for the purpose of handling and responding to requests.

4. Legal Basis of Processing

   Users’ data is processed in accordance with the following legal bases:

   15. To perform the contractual relationship following Users’ registration on the Platform (for example, processing their data to deliver an order placed).
   16. On the basis of our own legitimate interest (such as monitoring for the prevention of fraud through the Platform).
   17. To fulfill our legal obligations (such as when competent authorities request data in connection with court investigations and/or with the filing of the necessary actions to protect P&P’s interests.
   18. Express consent for the disclosure of users’ data to third parties for the purpose of making commercial communications.

5. Recipients of the Data

   19. P&P warrants that all commercial partners, technicians, suppliers or independent third parties are bound by contractually binding promises to process the information shared with them in accordance with P&P’s indications, this Privacy Policy and the applicable data protection legislation. We will not disclose your personal data to any third party who does not act under our instructions, and no communication will involve selling, renting, sharing or in any other way revealing customers’ personal information for commercial purposes in breach of the commitments made in this Privacy Policy.
   20. When carrying out an order, data may be shared with:
       10. The establishment or venue in charge of selling the product, if the User has requested the purchase of a product. If a User contacts the above-mentioned providers directly and gives them his/her data directly, P&P will not be responsible for the providers’ use of such data.
       11. The Customer Care Services contracted by P&P for the purpose of warning the User of any possible incidents or asking why negative feedback has been given for the service. P&P may use the data provided in order to manage any incidents that may occur during the provision of the services.
       12. The payment Platform and payment service providers so that the amount can be charged to the User’s account.
       13. Telecommunications service providers, when they are used to send communications regarding orders or incidents relating to orders.
       14. Providers rendering satisfaction survey services on P&P’s behalf.
   21. Sharing User data with third parties

   In order to continue providing the services offered through the Platform, P&P may share certain personal data of Users with:

   E-invoicing service providers: P&P may share User data with electronic invoicing service providers in order to send the respective invoices.

   Payment Service Providers: When a User enters his/her card number on the P&P Platform, this is stored directly by the Payment Platforms contracted by P&P, which will allow payment to be charged to the User’s account. Payment service providers have been chosen based on their security measures and in any event complying with the security measures stipulated in the payment service legislation, and they are PC1 Compliant under the Payment Card Industry Data Security Standard or PCI DSS. P&P does not store such data in any event.

   Service providers for fraud control purposes: P&P will share Users’ data with fraud control service providers to assess the risk of the transactions carried out.

   Service providers for the anonymisation of some data: In order to prevent the misuse of Users’ data by third-party service providers, P&P may disclose Users’ data for the purpose of anonymising it so that it can be used solely for the provision of the service to Users. For example, P&P may assign Users’ telephone numbers to third parties in order to anonymise them and provide them in this format to the providers used to carry out the services contracted by Users.

   Security companies and Law Enforcement Forces and Agencies: P&P may disclose personal information and data on its customers’ accounts if it believes that such disclosure is necessary to comply with the law, to enforce or apply the “Terms of Use” or to protect P&P’s, its users’ or third parties’ rights, property or safety. The above therefore includes the exchange of information with other companies and organisations as well as with Law Enforcement Forces and Agencies to protect against fraud and reduce credit risk. After being required to do so by law, P&P may share information with bodies of executive authorities and/or third parties in relation to requests for information relating to criminal investigations and alleged illegal activities.

   Call centre and incident management services: In order to provide a Customer Service and call centres, actions to measure Users’ degree of satisfaction and the provision of administrative support services, P&P may disclose Users’ data to companies located outside the EEA, provided it is authorised to do so and the security requirements mentioned in the preceding section have been met.

   Telecommunications services: In order to be able to provide Users with telephone contact services, P&P may contact telecommunications companies that provide secure lines and systems for the purpose of contacting Users.

   Social media connected by Users: If a User connects his/her P&P account to other social media or to a third-party platform, P&P may use the information provided to such social media or third party, provided that it has been made available to P&P in compliance with the privacy policy of the social media or third-party platform in question.

   Third parties associated with P&P for the purposes of commercial communications: P&P may, with a User’s express consent, transfer his/her personal data to third parties associated with P&P, provided that the User has given his/her express informed and unequivocal consent to such transfer of data and is aware of the purpose and recipient of such transfer.

   Changes of ownership: If P&P’s ownership changes or the majority of its assets are acquired by a third party, Users are informed that P&P will transfer their data to the acquiring organisations in order to continue to provide the services subject to the processing of data. The new file controller will inform Users of its identification data. P&P states that it will comply with its duty of information to the relevant Supervisory Authority in the event of such circumstances arising, and it shall inform Users of the change of file controller if and when this happens. This processing shall be carried out under the contract entered into with P&P.

   Insurance companies: P&P may provide users’ data to those insurers and insurance brokers with which it has an agreement in place for the management and processing of claims and losses arising from the activity carried out by P&P and the parties that collaborate with it.

   P&P Users’ data will not be disclosed to any third parties unless: (i) this is necessary in order to provide the services requested if P&P is collaborating with third parties; (ii) if P&P has the User’s express and unambiguous authorisation; (iii) where this has been requested by a competent authority pursuant to its functions (in order to investigate, prevent or take action in relation to illegal actions); or (iv) finally, where required by law.

6. International Data Transfers

   When choosing service providers, P&P may transfer users’ data outside the borders of the European Economic Area. In such cases, P&P will ensure before sending the data that such service providers are in compliance with the minimum security standards established by the European Commission and that they always process the data in accordance with P&P’s instructions. P&P may have a contractual relationship with them under which the service providers agree to comply with P&P’s instructions and to put in place the necessary security measures to protect Users’ data.

7. Retention Periods

   Users’ data will be retained during the performance and maintenance of the contractual relationship; i.e. for as long as they are P&P Users or until they exercise their right to restrict the processing of their data.

   Once a User has cancelled his or her registration with the Platform, P&P will keep his or her data for the time established in the tax, health, criminal and any other legislation that may apply, for the purpose of filing and defending any actions to which P&P may be a party. P&P will in any event block Users’ data so that it can only be consulted if an action has to be filed or defended in connection with it.

   Regarding anonymous information, P&P will apply everything set forth in Recital 26 of the GDPR, according to which “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”

8. Profiling and decision making

   P&P does not adopt any decision that could affect User significantly based solely on automated processing of User’s data (for example, reordering from the stores where Users have ordered in the past). The only decision-making processes of P&P are conducted by applying human intervention.

   When using the application, P&P classifies Users based on the information provided by them about their usage of the application to adapt it to their needs and to improve it. The classification is conducted by solely using first party data. P&P use information that Users provide P&P, such as their historical orders and popularity among new users to suggest similar stores that could be of Users’ interest.

9. Exercise of Rights

   Users may exercise their rights free of charge at any time using the form available on the Platform. They may also exercise their rights by sending an e-mail to the following e-mail address: gdpr@P&Papp.com. The e-mail must specify which right they wish to exercise, as well as, where applicable, the identifying data registered on the Platform. We will contact the User if we need additional data to that provided in order to verify his or her identity.

   You may exercise the following rights vis-à-vis P&P:

   The right of access to your personal data in order to know which data is being processed and the processing operations carried out thereon;

   • The right to correct any inaccuracies in relation to your personal data;
   • The right to the erasure of your personal data, where possible;
   • The right to request the restriction of processing of your personal data when the accuracy, legality or need for processing of the data is in question, in which case we may retain the data for the purpose of filing or defending claims.
   • The right to object to the processing of your data in order to resolve any query you may have raised with us through the contact form, and the right to object to the processing of your data on social media and/or for the purpose of processing your CV. In addition, you may withdraw your consent to the receipt of commercial communications at any time, through the Platform User profile, either by sending an e-mail or by using the link provided for this purpose in every commercial communication. You can also object to profiling at any time through the Platform User profile or by sending an e-mail.

10. If you believe that P&P is in breach of data protection law, please do not hesitate to contact us at the e-mail address gdpr@P&Papp.com telling us what you consider to be the case, so that we can resolve the problem as soon as possible. In any event, you may also report it to the Spanish Data Protection Agency (Agencia Española de Protección de Datos) and file a claim with the said body for the protection of your rights.

11. Security Measures

    P&P has taken the necessary steps recommended by the European Commission and the competent authority to maintain the required security level, according to the nature of the personal data processed and the circumstances of the processing, in order to avoid, to the extent possible and always in accordance with the state of the art, its alteration, loss or unauthorised access or processing. As mentioned above, the personal data supplied will not be disclosed to third parties without the data subject’s prior authorisation.

12. Notifications and Modifications

    As stated above, all Users have the right to access, update and erase their data, as well as object to its processing. You may exercise these rights, or make any enquiries in relation to P&P’s Privacy Policy, through the Contact Form.

    Due to the constant evolution of P&P’s activities, this Privacy Policy, the Cookie Policy and the Terms of Use are also subject to change. P&P will send Users notifications about substantial changes and modifications to such documents by e-mail or through any other method that ensures their receipt. In any case, P&P will in no event modify its policies or practices to make them less effective in the protection of our customers’ previously stored personal data.

    In the event of discrepancies between the translations and the Spanish version of this document, the Spanish version will prevail.