Privacy Policy
Chacos Tacos Account and related services (CT Member ID, CT Staff ID, ordering, membership, and staff tools).
Last updated: March 2026 · This policy is provided in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telemedia Act (TMG).
1. Controller and contact
The controller responsible for the processing of your personal data in connection with the Chacos Tacos Account service is the Chacos Tacos entity identified in our Imprint (Impressum).
For questions about data protection, to exercise your rights, or to contact our data protection officer (if designated), please use the contact details given in the Imprint or on the Legal page.
2. Personal data we collect and purposes
We process the following categories of personal data for the purposes stated. Processing is based on the legal grounds indicated (GDPR Art. 6).
- Account and profile: Username, first name, last name, email address, phone (optional), password (stored only as a secure hash). Purpose: Provision of the account, authentication, CT Member ID / CT Staff ID assignment. Legal basis: Contract (Art. 6(1)(b)) and, where applicable, consent (Art. 6(1)(a)).
- Addresses: Delivery and invoice addresses you provide. Purpose: Orders, invoicing, takeaway. Legal basis: Contract (Art. 6(1)(b)).
- Consent preferences: Marketing emails, order-related emails, acceptance of terms. Purpose: To honour your choices and comply with consent. Legal basis: Consent (Art. 6(1)(a)) and legitimate interest (Art. 6(1)(f)) for essential service communications.
- Payment method metadata: Only the last four digits of the card and brand (e.g. Visa, Mastercard). We do not store full card numbers or CVV. Purpose: Display and management of saved payment methods. Legal basis: Contract (Art. 6(1)(b)).
- Staff data (if you are staff/admin): Clock-in/out events, shifts, leave requests (type, dates, status, notes). Purpose: Time tracking, scheduling, leave management. Legal basis: Contract and legal obligations (Art. 6(1)(b), (c)).
- Orders and invoices: Order and invoice records linked to your account. Purpose: Order history, invoicing, and legal retention. Legal basis: Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)).
- Authentication tokens: Session and refresh tokens (hashed where stored). Purpose: Keeping you signed in securely. Legal basis: Contract (Art. 6(1)(b)).
- Email verification and password reset: Tokens and timestamps for verification and reset links. Purpose: Account security and password recovery. Legal basis: Contract and legitimate interest (Art. 6(1)(b), (f)).
3. Data minimization and purpose limitation
We collect only data that is necessary for the purposes described. We do not use your data for purposes incompatible with those stated. Marketing communications are sent only if you have given consent (e.g. marketing email preference in your account settings).
4. Storage and retention
We retain your data only as long as necessary for the purposes above or as required by law. Examples: account data for the duration of your account; after account deletion, we remove your data in line with our deletion process. Email verification and password-reset tokens expire after a short period (e.g. 24 hours). Refresh tokens are subject to expiry and cleanup. Where we are required to retain certain data for legal obligations (e.g. tax, commercial law), we retain it only for the legally required period.
5. Your rights under GDPR
Under the GDPR (and, where applicable, the BDSG), you have the following rights in relation to your personal data:
- Right of access (Art. 15): You can request a copy of the personal data we hold about you. You can also download your data at any time via Settings → Download my data (or the data export API) in your account.
- Right to rectification (Art. 16): You can update your profile, addresses, and contact details in your account settings.
- Right to erasure (Art. 17): You can request deletion of your account and associated data. You can do this via Settings → Delete account (with password confirmation). This permanently deletes your account and related data in line with our systems.
- Right to data portability (Art. 20): The data export (Download my data) provides your data in a machine-readable format (JSON).
- Right to restrict processing (Art. 18) and right to object (Art. 21): You can withdraw consent for marketing at any time in Settings → Consent. For other processing based on legitimate interest, you may object where applicable.
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time in your consent settings; this does not affect the lawfulness of processing before withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your residence, place of work, or place of the alleged infringement. In Germany, the competent authority is the relevant state data protection commissioner (e.g. Landesdatenschutzbeauftragte/r).
For more detail on how to exercise these rights, see the Your data protection rights page. To make a request by email or post, use the contact details in our Imprint.
6. Security of processing
We implement appropriate technical and organisational measures to protect your data (GDPR Art. 32). Passwords are stored only as secure hashes (bcrypt). Authentication uses signed tokens (JWT) with validation of issuer and audience. API access is restricted by role; members cannot access other members’ data. We use HTTPS in production and security headers (e.g. HSTS, CSP, X-Frame-Options) to protect confidentiality and integrity. We do not return sensitive data (such as password hashes) in API responses.
7. Cookies and similar technologies
We use cookies and similar technologies as described in our Cookie Policy. Essential cookies (e.g. for session and authentication) are necessary for the service; other cookies are used only where we have a legal basis (e.g. consent under ePrivacy/TTDSG).
8. International transfers
Your data may be processed by service providers (e.g. database, hosting) that operate inside or outside the European Economic Area (EEA). Where we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as an adequacy decision by the European Commission, Standard Contractual Clauses (SCCs), or other mechanisms permitted under GDPR Chapter V. Details can be provided on request via our contact details in the Imprint.
9. Processors and sub-processors
We use processors (e.g. for database, hosting, email) that process personal data on our behalf. We enter into data processing agreements (DPA) where required by GDPR Art. 28, and we choose processors that provide sufficient guarantees for the security and lawful processing of your data.
10. Children
Our service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you are under 16, please do not register. If we become aware that we have collected data from a child under 16, we will take steps to delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. For material changes we may notify you by email or through the service. We encourage you to review this policy periodically.
12. Further information
Our Terms and Conditions govern your use of the service. The Imprint contains our identity and contact details. For a concise overview of your rights, see Your data protection rights.