Information on the processing and protection of your data
resmio takes data privacy seriously. In accordance with the General Data Protection Regulation (GDPR), we work continuously to ensure the best possible level of protection for the personal data of our customers (generally restaurant owners) and the users of our widgets (customers of restaurant owners). At the same time, we aim to create transparency by answering frequently asked questions about our processes and about how we store, process and protect data.
As a non-public entity that processes personal data itself or on behalf of others, we are required to take appropriate technical and organizational measures (“TOM”) based on Article 32 of the GDPR. Key security measures to protect our infrastructure and control mechanisms for secure data storage include:
- Access control systems to restrict third party access to data on our production systems.
- Obtaining mutually signed Data Processing Agreements (DPAs) with all external service providers who process personal data on behalf of resmio
- Access controls built into our service, such as user management to ensure that users (restaurant owners, waiters, …) cannot access other users’ data
- Regular, automated creation of encrypted back-ups for data backup and recovery in case of failure
- Use of encryption technology (TLS) for secure data transmission
In addition, all resmio employees participated in the online training on “Data privacy in daily business routine” at PROLIANCE GmbH. As part of the training, our staff was sensitized to the topic of data protection and trained in the handling of personal data. The knowledge was subsequently tested with an online exam, which our employees had to pass successfully.
resmio uses the high-quality, secure cloud infrastructure of Heroku, a subsidiary of Salesforce Inc., for its services. The service uses data centers that are located within the European Union in compliance with the GDPR. Hosting and management of the certified data centers is handled by Amazon Web Services (AWS). Detailed information can be found at heroku.com/policy/security. A Data Processing Agreement (DPA) has been concluded with Heroku / Salesforce Inc. which regulates the commissioned data processing in accordance with the statutory provisions.
When you create a user account with resmio via the sign-up form, use our services, or make a guest booking, place an order or purchase tickets / vouchers via our widgets, we may collect and process, among other things, the following personal data:
- Contact information such as your email address, name, phone number, and other information you might share.
- Device information such as IP address and browser settings (e.g., browser language to automatically display our Service translated in your preferred language).
- Usage and profile data such as number of reservations and orders, ticket sales, account activity such as reservations created and email notifications sent to guests.
- Communication data, such as when you submit a request to our support via email, live chat (Intercom) or other electronic means.
- Your payment data, such as bank account details, which are required exclusively for the processing of chargeable services (e.g. PREMIUM / ULTIMATE tariff, acceptance of orders).
- Recordings of incoming and outgoing phone calls at resmio may be stored, for example, to document the conclusion of contracts and for internal quality assurance, and may contain personal data if disclosed on the phone.
- Guest data such as the name, address, email address and phone number that users enter via our widgets to make bookings with our customers, to order food & beverages and to purchase tickets / vouchers. More detailed information on the handling of guest data and notes on data protection responsibility can be found below.
To use resmio in the most privacy compliant way, you should go through the following sections:
If you want to embed our widgets natively on your website as a script, we recommend that you block the widget loading via so-called script blockers until the user has given active consent (“opt-in”).
Blocking third-party applications such as resmio is the most secure solution in terms of compliance with data protection regulations (if properly set up), but usually has to be done by hand and therefore requires technical know-how as well as credentials to access the website.
If you are uncertain, consult your web developer and/or agency if possible.
Instructions for common cookie consent solutions are available at the following link:
Frequently asked questions and answers
Actually, yes, since the IP address – and thus the user’s online identifier – is logged when the widgets are loaded. This is technically necessary to provide our services. Through the IP address and with the help of authorities, it is basically possible to identify the individual concerned.
Other personal data of the user, however, is only logged after the user has sent the reservation request and clicked on the “Confirm” button in the booking widget; it is then transmitted to the digital reservation system of the respective customer. The same applies to orders as well as voucher and ticket purchases via the corresponding widgets.
For in-house performance monitoring, we use Google Analytics to measure, for instance, the traffic of integrated widgets. Google Analytics is used without setting a cookie, and IP anonymization is also activated to ensure that Google Analytics is used in a privacy-compliant manner.
In the light of the ongoing controversy surrounding Google Analytics, particularly with regard to the data transmitted to the US, it may nevertheless be recommended to block resmio widgets natively embedded on the website until the user has given his or her consent.
Our customers (restaurant owners) are fully responsible for compliance with the applicable data protection regulations for their guests, as the responsible party within the context of Art. 4 No. 7 of the German Data Protection Regulation (DSGVO).
Therefore, restaurant owners are required to delete personal guest data in accordance with their legal requirements.
With this in mind, we have implemented a feature in our service that allows all guest data to be deleted after customizable time periods. The feature is enabled by default in each account. Guest data is automatically deleted on a 30-day cycle based on the default settings.
In accordance with Art. 28 DSGVO, we provide our customers with this option. In order to sign a contract for the processing of personal data with resmio, we ask you to download the attached document (184 kb, PDF) and send it to firstname.lastname@example.org with the marked parts completely filled out and signed (page 1 and 10). We will then send you back a countersigned version for your records.
resmio has appointed an external data protection officer at PROLIANCE GmbH, Leopold Straße 21, 80802 Munich. For questions regarding data protection, contact the data protection officer via the e-mail address email@example.com.