Privacy Policy
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection provisions is:
Zentachain GmbH (operating under the brand "Omiser") Dortmund, Germany
Registry court: Amtsgericht Charlottenburg (Berlin) Registration number: HRB 242677 B VAT ID: DE363535928
Email: office@omiser.com
(hereinafter "Omiser", "we" or "us")
2. Data Protection Officer
A data protection officer will be appointed as soon as the legal requirements pursuant to Section 38 of the German Federal Data Protection Act (BDSG) are met — in particular, when at least twenty persons are regularly engaged in the automated processing of personal data or when processing operations are carried out that are subject to a data protection impact assessment pursuant to Art. 35 GDPR.
Should a data protection officer be appointed, they can be reached at:
Email: office@omiser.com
3. Overview of Processing Operations
3.1 Types of Data Processed
We process the following categories of personal data:
- Master data (e.g., names, addresses, company names)
- Contact data (e.g., email addresses, phone numbers)
- Contract data (e.g., subject matter of contract, term, customer category)
- Payment data (e.g., bank details, payment history — via payment service providers)
- Usage data (e.g., pages visited, access times, click behaviour)
- Meta/communication data (e.g., IP addresses, device information, browser type)
- Content data (e.g., entries in the contact form, message content)
- Authentication data (e.g., passwords in hashed form, OAuth tokens)
3.2 Categories of Data Subjects
- Visitors and users of our website (www.omiser.com)
- Business customers (restaurant owners and their employees)
- End customers of the restaurants (within the scope of commissioned processing)
- Communication partners (contact form, email)
3.3 Purposes of Processing
- Provision and operation of the website and platform
- Provision of contractual services (B2B SaaS services for restaurants)
- Commissioned processing of end customer order data on behalf of the restaurants
- Customer communication and support
- Ensuring IT security and smooth operation
- Analysis and optimisation of the website (only with consent)
- Marketing and advertising (only with consent)
- Fulfilment of legal obligations (e.g., retention obligations)
3.4 Platform Roles and Responsibilities
Omiser operates a B2B SaaS platform that provides restaurants with their own online ordering shop, a mobile app, and a management dashboard. In this context, two data protection relationships exist:
- Omiser as controller (Art. 4 No. 7 GDPR): For the processing of personal data of website visitors and business customers (restaurant owners), Omiser is the controller.
- Omiser as processor (Art. 4 No. 8, Art. 28 GDPR): For the processing of personal data of end customers who order through a restaurant's ordering shop, the respective restaurant is the controller. Omiser processes this data exclusively on behalf of and according to the documented instructions of the restaurant.
4. Legal Bases for Processing
The processing of personal data always takes place on a valid legal basis. The following legal bases apply in particular:
-
Consent (Art. 6(1)(a) GDPR, Section 25(1) TDDDG): Where we obtain the consent of the data subject for the processing of personal data or for accessing information on the user's terminal device (e.g., cookies, tracking pixels), Art. 6(1)(a) GDPR or Section 25(1) TDDDG serves as the legal basis. Consent can be withdrawn at any time for the future.
-
Performance of a contract and pre-contractual measures (Art. 6(1)(b) GDPR): Where the processing of personal data is necessary for the performance of a contract with the data subject or for the implementation of pre-contractual measures taken at the request of the data subject, the processing is based on Art. 6(1)(b) GDPR.
-
Legal obligation (Art. 6(1)(c) GDPR): Where the processing of personal data is necessary for compliance with a legal obligation to which we are subject (e.g., tax retention obligations under Sections 147 AO, 257 HGB), the processing is based on Art. 6(1)(c) GDPR.
-
Legitimate interests (Art. 6(1)(f) GDPR): Where the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, and the interests, fundamental rights and freedoms of the data subject do not override those interests, Art. 6(1)(f) GDPR serves as the legal basis. Our legitimate interests lie in particular in the provision and improvement of our platform, ensuring IT security, and the enforcement of legal claims.
5. Collection and Processing of Personal Data
5.1 Website Visit (Server Log Files)
Each time our website is accessed, our hosting provider automatically collects and stores information in so-called server log files, which your browser automatically transmits. These are:
- IP address of the requesting device (possibly truncated)
- Date and time of access
- Name and URL of the file retrieved
- Amount of data transferred
- Notification of successful retrieval (HTTP status code)
- Referrer URL (previously visited page)
- Web browser and operating system used
- Language and version of the browser software
- Name of the access provider
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring the smooth operation of the website, defending against attacks and misuse, and error analysis.
Storage period: Server log files are automatically deleted after a maximum of 30 days, unless longer retention is required for evidentiary purposes (e.g., in the event of security incidents).
No merging: These data are not merged with other data sources. No assignment to a specific person takes place.
5.2 Registration as a Restaurant Customer
Registration is required to use our SaaS platform. The following data is collected:
- First name and surname of the owner/managing director
- Email address
- Phone number
- Business address (street, house number, postal code, city, country)
- Company name (name of the restaurant or company)
- Tax details (VAT ID, if applicable)
- Payment information (for paid plans — processing is handled by payment service providers, see Section 10)
- Password (for email registration — stored exclusively as a bcrypt hash)
Registration can be performed in the following ways:
- Email registration: Creating an account with an email address and a self-chosen password.
- Google OAuth: Login via your Google/Gmail account. In this case, we receive your name, email address, and profile picture from Google. No further data is transmitted (see Section 9.1).
- Apple Sign in: Login via your Apple ID. In this case, we receive your name and email address from Apple. Apple offers the option of using a private relay address (see Section 9.2).
Legal basis: Art. 6(1)(b) GDPR (performance of the usage contract or pre-contractual measures).
Storage period: The data is stored for the duration of the contractual relationship and deleted after the end of the contract in compliance with statutory retention periods (see Section 15).
5.3 Processing of End Customer Data (Commissioned Processing pursuant to Art. 28 GDPR)
Restaurants using our platform process personal data of their end customers through their ordering shop and mobile app. This data includes in particular:
- Name and address of the end customer
- Email address and phone number
- Delivery/pickup address
- Order history and order details
- Payment information (processed via payment service providers)
- Communication data (e.g., messages within the scope of an order)
Data protection role distribution:
- The restaurant is the controller (Art. 4 No. 7 GDPR) for the processing of end customer data and determines the purpose and means of processing.
- Omiser is the processor (Art. 4 No. 8 GDPR) and processes end customer data exclusively on behalf of and according to the documented instructions of the restaurant.
Processing is based on a data processing agreement (DPA) pursuant to Art. 28 GDPR between Omiser and the respective restaurant. This DPA governs in particular:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data and categories of data subjects
- Obligations and rights of the controller
- Technical and organisational measures (Art. 32 GDPR)
- Use of sub-processors
- Assistance in fulfilling data subject rights
- Deletion or return of data upon contract termination
Technical separation: Each restaurant receives its own logically isolated database. This ensures strict separation of end customer data from different restaurants.
Note for end customers: If you as an end customer wish to obtain information about your personal data or exercise your rights, please contact the respective restaurant from which you placed your order. The restaurant is the data protection controller.
5.4 Contact Form
Our website provides a contact form through which you can send us enquiries. The following data is collected:
- Name
- Email address
- Phone number (optional)
- Restaurant name (optional)
- Selected subject
- Content of your message
- Time of submission
- IP address (for technical reasons and to prevent misuse)
For sending the contact enquiry, we use the service Resend (Resend Inc., USA). A data processing agreement is in place with Resend. Data transfer to the USA is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Legal basis:
- Where your enquiry is aimed at concluding a contract: Art. 6(1)(b) GDPR (pre-contractual measures).
- Otherwise: Art. 6(1)(f) GDPR (legitimate interest in responding to user enquiries).
Storage period: Your enquiry and the associated data will be deleted after final processing, unless statutory retention obligations prevent this. If a contractual relationship arises, the general storage periods apply (see Section 15).
5.5 Newsletter
You can sign up for our newsletter on our website. Only your email address is collected.
Legal basis: Art. 6(1)(a) GDPR (consent). Registration is voluntary.
Sending and management: For sending and managing newsletter subscribers, we use the service Resend (Resend Inc., USA). Resend stores your email address and the time of registration. A data processing agreement is in place with Resend.
Unsubscribe: You can unsubscribe from the newsletter at any time. An unsubscribe link is included in every newsletter email. After unsubscribing, your email address will be removed from the distribution list, unless a statutory retention obligation exists.
6. Hosting and Content Delivery
6.1 Hosting
Our website and platform are operated by a professional hosting provider. The servers are located exclusively within the European Union (EU).
When visiting our website, the following data is processed by the hosting provider:
- Content data
- Usage data
- Meta/communication data (cf. Section 5.1)
The use of the hosting provider is based on Art. 6(1)(f) GDPR (legitimate interest in secure and efficient provision of our online offering) and — where a contract has been concluded — on the basis of Art. 6(1)(b) GDPR.
A data processing agreement pursuant to Art. 28 GDPR is in place with the hosting provider, ensuring data protection-compliant processing.
Hosting provider: Vercel Inc. 440 N Baxter St, Los Angeles, CA 90012, USA
7. Fonts (Google Fonts — Self-Hosted)
We use fonts from Google (Google Fonts) on our website. These fonts are locally installed on our server (self-hosting). When you access our website, the fonts are loaded directly from our server.
No connection to Google servers is established. No data is transmitted to Google. In particular, your IP address is not forwarded to Google.
The use of self-hosted fonts serves the interest of a uniform and appealing presentation of our website. A separate legal basis under data protection law is not required for self-hosting, as no personal data is transmitted to third parties.
8. Tracking and Analytics Services
We use the following tracking and analytics services on our website. The use of these services takes place exclusively after your prior explicit consent, which we obtain via a cookie consent banner (consent management platform).
Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with Section 25(1) TDDDG (consent to the storage of information on the user's terminal device or access thereto).
Without your explicit consent, no tracking cookies are set and no tracking pixels are loaded. Technically necessary cookies (Section 25(2) TDDDG) do not require consent.
8.1 Google Analytics 4 (Google Ireland Limited)
We use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google").
Google Analytics uses cookies and similar technologies that enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server and stored there.
IP anonymisation: Google Analytics 4 anonymises your IP address by default, so no complete IP address is transmitted to Google.
Processed data:
- Online identifiers (e.g., cookie IDs, device IDs)
- IP address (anonymised)
- Information about the terminal device (device type, operating system, browser)
- Usage data (pages visited, session duration, interactions)
- Location data (based on the anonymised IP address, not precise)
- Referrer URL
Purpose: Analysis of user behaviour to improve our website and our offerings, creation of usage statistics.
Recipients/data transfer: Google Ireland Limited; possibly transfer to Google LLC, USA. Transfer to the USA is based on the EU-US Data Privacy Framework (adequacy decision of the EU Commission pursuant to Art. 45 GDPR) or Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Further information: https://policies.google.com/privacy
Opt-out: You can prevent data collection by Google Analytics by not granting or revoking your consent. Additionally, Google offers a browser add-on for deactivation: https://tools.google.com/dlpage/gaoptout
8.2 Google Ads Conversion Tracking (Google Ireland Limited)
We use Google Ads Conversion Tracking, a service provided by Google Ireland Limited.
When you click on an ad placed by Google, a cookie for conversion tracking is placed on your terminal device. This cookie expires after 30 days and is not used for personal identification. If you visit certain pages of our website and the cookie has not yet expired, we and Google can recognise that you clicked on the ad and were redirected to our page.
Processed data:
- Online identifiers (cookie IDs)
- Conversion data (e.g., whether a specific action was performed)
- IP address (truncated)
- Information about the ad interaction
Purpose: Measuring the effectiveness of our Google Ads campaigns, optimising our advertising campaigns.
Recipients/data transfer: Google Ireland Limited; possibly Google LLC, USA (EU-US Data Privacy Framework / Standard Contractual Clauses).
Further information: https://policies.google.com/privacy
8.3 Meta Pixel (Meta Platforms Ireland Limited)
We use the Meta Pixel (formerly Facebook Pixel), a service provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter "Meta").
The Meta Pixel is a JavaScript code snippet embedded on our website. It enables us to measure the effectiveness of our advertisements on Facebook and Instagram, create audiences for advertisements (Custom Audiences), and carry out retargeting measures.
Processed data:
- Online identifiers (cookie IDs, pixel ID)
- Usage data (pages visited, actions/events performed)
- Device information (browser, operating system, screen resolution)
- IP address
- Referrer URL
When our website is accessed, the Meta Pixel establishes a direct connection to Meta's server. Meta receives the information that you visited our website. If you are logged into Facebook/Instagram, Meta can associate the visit with your account.
Purpose: Measuring advertising effectiveness, audience creation, retargeting.
Recipients/data transfer: Meta Platforms Ireland Limited; possibly Meta Platforms, Inc., USA (EU-US Data Privacy Framework / Standard Contractual Clauses).
Joint controllership: For the collection and transmission of data to Meta, joint controllership exists between us and Meta pursuant to Art. 26 GDPR. The agreement can be accessed at: https://www.facebook.com/legal/controller_addendum
Further information: https://www.facebook.com/privacy/policy/
8.4 TikTok Pixel (TikTok Technology Limited)
We use the TikTok Pixel, a service provided by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (hereinafter "TikTok").
The TikTok Pixel enables us to measure the effectiveness of our TikTok advertisements and capture conversion events.
Processed data:
- Online identifiers (cookie IDs, pixel ID)
- Usage data (pages visited, actions/events performed)
- Device information
- IP address
Purpose: Measuring advertising effectiveness on TikTok, conversion tracking, retargeting.
Recipients/data transfer: TikTok Technology Limited, Ireland; possibly other entities of the TikTok group. Transfer to third countries is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Further information: https://www.tiktok.com/legal/privacy-policy
8.5 Twitter/X Pixel (X Corp.)
We use Twitter/X Conversion Tracking (Universal Website Tag), a service provided by X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA (hereinafter "X").
The Twitter/X Pixel enables us to measure the success of our advertisements on Twitter/X.
Processed data:
- Online identifiers (cookie IDs)
- Usage data (pages visited, conversion events)
- Device information
- IP address
Purpose: Measuring advertising effectiveness on Twitter/X, conversion tracking.
Recipients/data transfer: X Corp., USA. Transfer to the USA is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR) and — where applicable — the EU-US Data Privacy Framework.
Further information: https://twitter.com/en/privacy
Revocation of Consent for Tracking and Analytics Services
You can revoke your consent to the use of the aforementioned tracking and analytics services at any time with effect for the future. You have the following options:
- Cookie settings: Adjust your consent via the "Cookie Settings" link in the footer of our website. There you can deactivate individual or all services.
- Browser settings: You can configure your browser to generally reject cookies, only allow certain cookies, or notify you when a cookie is about to be set.
- Opt-out links of the providers: The individual providers partly offer their own opt-out mechanisms (see the respective sections above).
The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent before the revocation (Art. 7(3) sentence 2 GDPR).
9. Third-Party Authentication Services
9.1 Google OAuth (Google Ireland Limited)
We offer you the option of registering and logging into our platform via your Google account (OAuth 2.0).
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Transmitted data: When logging in via Google, the following data is transmitted from Google to us:
- Name (first and last name)
- Email address
- Profile picture
- Unique Google user ID
The transmission takes place via the secure OAuth 2.0 interface. Only the data you have approved is transmitted. Google receives the information that you have logged into our service. We do not gain access to your Google password.
Legal basis: Art. 6(1)(b) GDPR (performance of contract — registration is a prerequisite for using our platform).
Further information: https://policies.google.com/privacy
9.2 Sign in with Apple (Apple Distribution International Ltd.)
We offer you the option of registering and logging into our platform via your Apple ID.
Provider: Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.
Transmitted data: When logging in via Apple, the following data is transmitted from Apple to us:
- Name (first and last name)
- Email address
Apple offers the option of using a private, randomly generated relay address instead of your real email address via the "Hide My Email" function. Messages to this address are forwarded by Apple to your real email address without us learning your actual email address.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Further information: https://www.apple.com/legal/privacy/
10. Payment Service Providers
For processing payments within our SaaS platform, we use external payment service providers. Payment processing takes place directly between the user and the respective payment service provider. We only receive confirmation of payment receipt or a payment ID from the payment service provider.
10.1 Stripe (Stripe Payments Europe, Ltd.)
Provider: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland.
Processed data: In the course of the payment process, Stripe processes the data required for payment processing, in particular:
- Name of the cardholder
- Credit or debit card number (Omiser does not have access to the full card number)
- Expiry date
- Security code (CVC/CVV)
- Transaction amount
- Email address
- IP address
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Stripe, as a payment service provider, is an independent controller for the data processing within its area of responsibility. We have concluded a data processing agreement with Stripe insofar as Stripe acts on our behalf.
Further information: https://stripe.com/privacy
10.2 Mollie (Mollie B.V.)
Provider: Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands.
Processed data: In the course of the payment process, Mollie processes the data required for payment processing, in particular:
- Name of the payer
- Payment data (depending on the chosen payment method)
- Transaction amount and currency
- Email address
- IP address
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Mollie, as a payment service provider, is an independent controller for the data processing within its area of responsibility.
Further information: https://www.mollie.com/privacy
11. Map Services
We use map services for displaying maps and configuring delivery zones for restaurants on our platform.
Provider: Google Maps (Google Ireland Limited) Gordon House, Barrow Street, Dublin 4, Ireland
Processed data: When loading the map view, a connection is established to the map provider's servers. The following data may be transmitted:
- IP address
- Location data (if shared by the user)
- Device and browser information
- Usage data (e.g., map section, zoom level)
Purpose: Display of maps, configuration and display of restaurant delivery zones.
Legal basis: Art. 6(1)(b) GDPR (performance of contract), insofar as the map view is required for the provision of the contractually owed service (delivery zone configuration); otherwise Art. 6(1)(f) GDPR (legitimate interest in a user-friendly presentation).
Where data is transferred to third countries, this is done on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR) or the EU-US Data Privacy Framework.
Further information: https://policies.google.com/privacy
12. Data Security
We implement comprehensive technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk for the personal data processed. These include in particular:
Technical measures:
- AES-256 encryption for stored customer data (encryption at rest)
- TLS/SSL encryption for all data transmission between client and server (encryption in transit)
- Isolated databases per restaurant — each restaurant receives its own logically separated database. This technically prevents access to the data of other restaurants.
- Secure password storage using bcrypt hashing. Passwords are never stored or transmitted in plain text.
- Regular security updates and patches for all systems and dependencies
- Automated backups with encryption
- Firewalls and intrusion detection systems to protect the infrastructure
Organisational measures:
- Role-based access control (RBAC): Access to personal data is strictly limited to those employees who require it for the performance of their duties (need-to-know principle).
- Confidentiality obligation of all employees and service providers pursuant to Art. 28(3)(b) GDPR
- Regular awareness training of employees on data protection and IT security
- Documented procedure for data protection incidents pursuant to Art. 33, 34 GDPR
Hosting in the EU: All servers and databases are located in data centres within the European Union.
We point out that, despite all security measures, complete security during data transmission over the Internet cannot be guaranteed.
13. Disclosure to Third Parties and Processors
Personal data is only transferred to third parties if:
- You have given explicit consent (Art. 6(1)(a) GDPR),
- This is necessary for the performance of a contract (Art. 6(1)(b) GDPR),
- A legal obligation exists (Art. 6(1)(c) GDPR), or
- This is necessary for the purposes of legitimate interests and there is no reason to believe that your overriding interest in preventing the transfer prevails (Art. 6(1)(f) GDPR).
Processors and Service Providers Used
We work with the following categories of service providers, with whom — where necessary — data processing agreements pursuant to Art. 28 GDPR have been concluded:
| Service provider / Category | Purpose | Location | |---|---|---| | Vercel Inc. | Hosting, server infrastructure | USA (DPF certified) | | Stripe Payments Europe, Ltd. | Payment processing | Ireland (EU) | | Mollie B.V. | Payment processing | Netherlands (EU) | | Google Ireland Limited | Google Analytics 4, Google Ads, Google OAuth | Ireland (EU) | | Meta Platforms Ireland Limited | Meta Pixel (Facebook/Instagram) | Ireland (EU) | | TikTok Technology Limited | TikTok Pixel | Ireland (EU) | | X Corp. | Twitter/X Pixel | USA | | Apple Distribution International Ltd. | Sign in with Apple | Ireland (EU) | | Google Ireland Limited | Map service (Google Maps) / Delivery zones | Ireland (EU) | | Resend Inc. | Sending contact form and newsletter emails | USA (SCCs) |
This list is updated when changes occur. The complete, current list of sub-processors can be provided upon request.
14. Data Transfer to Third Countries
Some of the service providers we use are based outside the European Union or the European Economic Area (EEA), particularly in the USA. Where personal data is transferred to these service providers, we ensure that an adequate level of data protection is guaranteed.
Legal bases for data transfer:
-
EU-US Data Privacy Framework (DPF): For companies based in the USA that are certified under the EU-US Data Privacy Framework, an adequacy decision of the EU Commission exists pursuant to Art. 45 GDPR (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023). This applies in particular to Google LLC and Meta Platforms, Inc.
-
Standard Contractual Clauses (SCCs): For transfers to third countries for which no adequacy decision exists, we use the Standard Contractual Clauses approved by the EU Commission pursuant to Art. 46(2)(c) GDPR (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) as a guarantee of an adequate level of data protection.
-
Supplementary measures: In addition to the Standard Contractual Clauses, we implement — where necessary — supplementary technical and organisational measures to ensure the protection of personal data during transfer to third countries (e.g., encryption, pseudonymisation).
For questions regarding the specific safeguards for a particular data transfer, you can contact us (see Section 1).
15. Storage Period
We store personal data only as long as is necessary for the respective processing purposes or as statutory retention obligations exist. The following storage periods apply in particular:
| Data category | Storage period | Legal basis | |---|---|---| | Server log files | Maximum 30 days | Art. 6(1)(f) GDPR | | Contract data (B2B customers) | Duration of the contractual relationship plus statutory retention periods | Art. 6(1)(b), (c) GDPR | | Commercial and business correspondence | 6 years after end of contract | Section 257 HGB | | Tax-relevant documents | 10 years after end of contract | Section 147 AO | | Contact enquiries | After final processing, unless statutory retention obligations exist | Art. 6(1)(b), (f) GDPR | | Consent records (consent logs) | 3 years after last consent / revocation | Art. 7(1) GDPR, Section 195 BGB | | End customer data (as processor) | According to the instructions of the controller (restaurant) | Art. 28 GDPR |
Export period after contract termination: After termination of the contractual relationship, the business customer (restaurant) has a period of 30 days to export their data, including the end customer data processed on their behalf. After this period, the data will be irrevocably deleted — subject to statutory retention obligations.
16. Rights of Data Subjects
As a data subject, you have the following rights vis-a-vis us as the controller. To exercise your rights, please contact us using the contact details provided in Section 1 or by email at: office@omiser.com.
We will process your request without undue delay, and in any case within one month of receipt (Art. 12(3) GDPR). In justified cases, this period may be extended by a further two months, of which we will inform you.
16.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation from us as to whether we process personal data concerning you. If this is the case, you have the right of access to this personal data and to the following information:
- The purposes of processing
- The categories of personal data processed
- The recipients or categories of recipients
- The envisaged storage period
- The existence of the right to rectification, erasure, restriction, or objection
- The existence of the right to lodge a complaint with a supervisory authority
- The origin of the data, where they were not collected from you
- The existence of automated decision-making, including profiling
You have the right to receive a copy of the personal data undergoing processing (Art. 15(3) GDPR).
16.2 Right to Rectification (Art. 16 GDPR)
You have the right to obtain without undue delay the rectification of inaccurate personal data. Taking into account the purposes of processing, you have the right to have incomplete personal data completed — including by means of providing a supplementary statement.
16.3 Right to Erasure (Art. 17 GDPR)
You have the right to obtain from us the erasure of your personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected.
- You have withdrawn your consent and there is no other legal basis for the processing.
- You object pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing.
- The personal data have been unlawfully processed.
- Erasure is required for compliance with a legal obligation.
The right to erasure does not apply where processing is necessary for compliance with a legal obligation (e.g., statutory retention obligations under HGB and AO) or for the establishment, exercise, or defence of legal claims.
16.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to obtain restriction of processing of your personal data where:
- The accuracy of the data is contested by you (for the duration of the verification),
- The processing is unlawful and you oppose erasure and request restriction of use instead,
- We no longer need the data, but you require them for the establishment, exercise, or defence of legal claims, or
- You have objected pursuant to Art. 21(1) GDPR, pending the verification whether our legitimate grounds override yours.
16.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You further have the right to transmit those data to another controller without hindrance from us, where:
- The processing is based on consent (Art. 6(1)(a) GDPR) or on a contract (Art. 6(1)(b) GDPR), and
- The processing is carried out by automated means.
Where technically feasible, you have the right to have the personal data transmitted directly from us to another controller.
16.6 Right to Object (Art. 21 GDPR)
IMPORTANT NOTICE — RIGHT TO OBJECT PURSUANT TO ART. 21 GDPR:
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(f) GDPR (legitimate interests).
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise, or defence of legal claims.
Where we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data for the purposes of such marketing. This also applies to profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
To exercise your right to object, you can reach us via the contact details provided in Section 1.
16.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where the processing of your personal data is based on consent (Art. 6(1)(a) GDPR, Section 25(1) TDDDG), you have the right to withdraw this consent at any time with effect for the future. Withdrawal can be made informally, e.g., by email to office@omiser.com or via the cookie settings on our website.
Important: The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal (Art. 7(3) sentence 2 GDPR).
17. Automated Decision-Making and Profiling (Art. 13(2)(f) GDPR)
No automated decision-making within the meaning of Art. 22 GDPR takes place. We do not make decisions based solely on automated processing — including profiling — that produce legal effects concerning you or similarly significantly affect you.
Should this change in the future, we will inform you accordingly pursuant to Art. 13(2)(f) GDPR and take the necessary measures to protect your rights and freedoms and your legitimate interests.
18. Obligation to Provide Personal Data
In the context of the business relationship, you must provide those personal data that are necessary for the establishment, execution, and termination of the contractual relationship and the fulfilment of the associated contractual obligations, or that we are legally obligated to collect.
Mandatory information during registration:
- Name, email address, business address, and company name are mandatory for establishing and executing the contract. Without this data, we cannot enter into the contract or provide our services.
Voluntary information:
- Information beyond this (e.g., phone number in the contact form, profile picture) is voluntary. Fields that are not mandatory are marked as such.
- Granting consent to tracking and analytics services (Section 8) is entirely voluntary and does not affect the usability of our platform.
19. Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
Competent supervisory authority:
Landesbeauftragte fuer Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW) Postfach 20 04 44, 40102 Duesseldorf Phone: +49 211 38424-0 https://www.ldi.nrw.de
A list of data protection supervisory authorities in Germany can be found at: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html
20. Changes to this Privacy Policy
We reserve the right to amend this privacy policy to adapt it to changed legal situations, technical innovations, or changes to our services. The current version applies from the time of its publication on our website.
We will inform you in good time of material changes that affect your rights or the nature of data processing — for example, by email or by means of a prominent notice on our website. We recommend that you review this privacy policy regularly to stay informed about the protection of your data.
Last updated: April 2026