I. General Information
In the following, we inform you about the processing of personal data when using Bite Club.
The responsible party for data processing is:
MindTrajour UG (limited liability)
Larissa Lange
Straße der Jugend 18
14974 Ludwigsfelde
Email: datenschutz@bite-club.app
Protecting your privacy is very important to us. Therefore, please read this privacy policy carefully.
II. Scope of Data Processing, Processing Purposes, and Legal Basis
The scope of data processing, processing purposes, and legal basis are detailed further below.
Art. 4 No. 1 GDPR: Personal data refers to any information relating to an identified or identifiable natural person (e.g., their name or IP address).
Art. 4 No. 2 GDPR: "Processing" means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
The following legal bases generally apply for data processing:
- Art. 6(1)(a) GDPR serves as our legal basis for processing operations for which we obtain consent.
- Art. 6(1)(b) GDPR is the legal basis insofar as the processing of personal data is necessary for the performance of a contract, such as when a customer subscribes to our canteen management service or we perform a service for them. This legal basis also applies to processing necessary for pre-contractual measures, such as inquiries about our services.
- Art. 6(1)(c) GDPR applies when we need to fulfill a legal obligation, such as in tax law.
- Art. 6(1)(f) GDPR serves as a legal basis when we have a legitimate interest in processing personal data, such as for cookies necessary for the technical operation of our website and software.
III. Data Transfer Outside the EU
1. Data Transfer Based on an Adequacy Decision per Art. 45 GDPR
Where we transfer data to service providers or other third parties outside the EEA, adequacy decisions by the EU Commission under Art. 45(3) GDPR ensure data security, where available, such as for the UK, Canada, and Israel.
2. Data Transfer to the USA
On July 10, 2023, the Data Privacy Framework https://www.dataprivacyframework.gov/s/?hl=de came into effect. The USA is now considered a secure third country under EU data protection law. The tools we use are certified by the US Department of Commerce for the Data Privacy Framework: Amazon Inc., Google Inc., Vercel Inc.
3. Data Transfer Subject to Appropriate Safeguards per Art. 46 GDPR
If there is no adequacy decision under Art. 45(3) GDPR, a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards and provided that enforceable rights and effective legal remedies for data subjects are available.
IV. Storage Duration
Unless a more specific storage period is stated within this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke your consent for data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., retention periods under commercial or tax law); in the latter case, deletion will occur after these reasons no longer apply.
V. Data Subject Rights
As a data subject, you have the following rights:
Pursuant to Art. 15 GDPR, the right to request information about your personal data processed by us to the extent specified therein.
Pursuant to Art. 16 GDPR, the right to request the correction of incorrect or incomplete personal data stored by us without undue delay.
Pursuant to Art. 17 GDPR, the right to request the deletion of your personal data stored by us, unless further processing is necessary:
- To exercise the right of freedom of expression and information;
- To fulfill a legal obligation;
- For reasons of public interest; or
- To establish, exercise, or defend legal claims.
Pursuant to Art. 18 GDPR, the right to request the restriction of the processing of your personal data where:
- You contest the accuracy of the data;
- The processing is unlawful, but you oppose the deletion of the data;
- We no longer need the data, but you require it to establish, exercise, or defend legal claims; or
- You have objected to processing pursuant to Art. 21 GDPR.
Pursuant to Art. 20 GDPR, the right to receive your personal data in a structured, commonly used, and machine-readable format or to request the transfer to another controller.
Pursuant to Art. 77 GDPR, the right to lodge a complaint with a supervisory authority. You can usually contact the supervisory authority of your habitual residence for this purpose. Contact details of data protection supervisory authorities are available at https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.
Pursuant to Art. 21 GDPR, the right to object in specific situations and against direct marketing. When data processing is based on Art. 6(1)(e) or (f) GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation. The respective legal basis for processing can be found in this privacy policy. If you object, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or the processing serves to establish, exercise, or defend legal claims (objection under Art. 21(1) GDPR).
If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing.
For questions about data collection and data processing, please contact us directly at datenschutz@bite-club.app.
VI. Data Processing on the Website
1. Web Hosting and Provision of the Website and Software Application
This website and our software application are hosted externally. The personal data collected on this website and in the software are stored on the servers of the service providers listed below. This includes:
IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses, and employee meal orders.
We use the host to fulfill contracts with our customers (Art. 6 para. 1 lit. b GDPR) and in the interest of the secure and fast provision of our online presence and software by a professional provider (Art. 6 para. 1 lit. f GDPR). The host will only process your data to the extent necessary to fulfill its service obligations.
The following hosts are used:
a. Vercel
Our website uses the data hosting service "Vercel" provided by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, privacy@vercel.com. More information on the handling of user data by "Vercel" can be found in the privacy policy at Vercel Privacy Policy.
b. Supabase
Our website and software application use the data hosting service "Supabase" provided by Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992. More information on the handling of user data by "Supabase" can be found in the privacy policy at Supabase Privacy Policy.
c. Amazon Web Services (AWS)
Our website and software application use the data hosting service "AWS" (Amazon Web Services) provided by Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA, aws-security@amazon.com. More information on the handling of user data by "AWS" can be found in the privacy policy at AWS Privacy Policy.
Note: AWS Amplify is used exclusively for our internal staging environment and does not process production user data.
2. Informational Use of the Website
When using the website for informational purposes, i.e., if visitors do not provide us with information, we collect the personal data that the browser transmits to our server to ensure the stability and security of our website. This constitutes our legitimate interest, so the legal basis is Art. 6 para. 1 lit. f GDPR.
Server Log Data
The provider of these pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These include:
- Browser type and version
- Operating system used
- Referrer URL
- Hostname of the accessing computer
- Time of the server request
- IP address
- Access status/HTTP status code
This data is not combined with other data types. The collection of this data is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the technically error-free presentation and optimization of our website - for this, the server log files must be recorded.
3. Cookies on Our Website
What are Cookies?
Cookies are small text files stored on your device when you visit our website. They enable us to store your activities and preferences (such as login data, language, font size, and other display settings) over a certain period, so you do not have to re-enter them each time you visit the website.
Types of Cookies We Use
We use different types of cookies on our website for various purposes:
- Necessary Cookies: These cookies are essential to enable you to navigate the website and use its basic functions, including session management and authentication. Without these cookies, certain services cannot be provided. The legal basis for necessary cookies is our legitimate interest (Art. 6 para. 1 lit. f GDPR).
- Functional Cookies: These cookies allow our website to remember choices you make (e.g., your username, language, or the region you are in) and provide enhanced, more personalized features.
- Analytical/Performance Cookies: These cookies collect information about how visitors use our website. For registered and logged-in users, we use PostHog analytics (see section VII.2.b below) based on our legitimate interest in providing and improving our service (Art. 6 para. 1 lit. f GDPR).
Cookie Consent
We use a cookie banner to inform you about our use of cookies and to obtain your consent where required. The cookie banner stores your cookie preferences locally on your device. This is technically necessary for the use of the website and therefore falls under our legitimate interest, making the legal basis Art. 6 para. 1 lit. f GDPR.
You can withdraw your cookie consent at any time by adjusting your cookie settings through our cookie banner or by contacting us at datenschutz@bite-club.app.
4. Contact
Inquiries by Email or Phone
If you contact us by email, phone, or the contact form on the website, your request, including the personal data resulting from it (name, request, email address, phone number), will be stored and processed by us for the purpose of handling your request. We do not pass on this data without your consent.
The processing of this data is based on Art. 6 para. 1 lit. b GDPR, provided your request is related to the fulfillment of a contract or necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of requests addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR), if this has been requested.
We delete the data collected in this context once the storage is no longer necessary or restrict processing if there are statutory retention obligations.
VII. Data Processing in the Login Area and Use of Our Bite Club Software
1. Employee Data Processing
Our Bite Club software processes personal data of employees who use the platform to order meals. This includes:
- Employee names
- Employee email addresses
- Meal preferences and dietary restrictions
- Order history
- Department or cost center information (if applicable)
The legal basis for this processing is Art. 6 para. 1 lit. b GDPR (contract fulfillment with the customer organization) and Art. 6 para. 1 lit. f GDPR (legitimate interest in providing the canteen management service).
As the customer organization, you are responsible for informing your employees about the data processing and obtaining any necessary consents in accordance with applicable data protection laws.
2. Third-Party Providers
a. Session Cookies from Supabase (Technically Necessary)
Our Bite Club software uses session cookies from "Supabase," provided by Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992.
The legal basis for this is our legitimate interest under Art. 6 para. 1 lit. f GDPR, as we otherwise cannot ensure a smooth login process into the software.
For more information on how user data is handled, please refer to Supabase's privacy policy: Supabase Privacy Policy.
b. PostHog Analytics
We use PostHog to optimize our software and understand how registered users interact with our platform. PostHog helps us identify errors, bugs, and other performance issues, and allows us to improve the user experience. It is a product of PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA.
Legal Basis: For registered and logged-in users, we process analytics data based on our legitimate interest in providing and continuously improving our service (Art. 6 para. 1 lit. f GDPR). This is also contractually agreed in our Terms of Service.
The following data is collected:
Event Data:
- Error Messages: The exact error message or exception that occurred
- Stack Traces: Detailed information about where in the code the error occurred
- Log Entries: Relevant log information that helps understand the context of the error
User Data:
- User ID or Email: Information about the user who experienced the error
- Session Data: Details about the user session, such as session ID, session time, duration, and actions during the session
System and Environment Data:
- Operating System and Version
- Browser and Version
- Device Type and Model
- Software Version
Network Data:
- IP Address: To determine location and other network-related information
- HTTP Requests: Details of the HTTP requests made at the time of the error
Application and Configuration Data:
- Configuration Parameters: Settings and configurations of the application
- Environment Variables: Values set at runtime
Tags and Metadata:
- Custom Tags: Additional contextual information
- Release Information: Details about the specific release or version
Session Recordings:
- Recordings showing user interactions with the application, such as mouse clicks, scroll movements, and keyboard inputs, to understand how software errors occurred
Your Rights: You have the right to object to this processing at any time for reasons arising from your particular situation by contacting us at datenschutz@bite-club.app.
For more information on how user data is handled, please refer to PostHog's privacy policy: PostHog Privacy Policy.
VIII. Changes to This Privacy Policy
We reserve the right to change this privacy policy with future effect. The current version is available here.
Date of Last Update: November 27, 2025