PERSONAL DATA PROTECTION POLICY

Table of Contents

1 Definitions

2 What is the restaurant's role in processing your personal data?

3 How is your personal data collected?

4 What data is collected, for what processing purposes, on what legal basis and for how long?

5 Who are the recipients of your personal data? How do we share your data?

6 What are your rights and how can you exercise them?

7 How is your personal data secured?

8 Is your personal data transferred outside the European Union?

9 What are the links between the website and social media pages with third-party sites?

10 Can this data protection policy be modified?

Your privacy is important to us and we pay particular attention to it. We respect confidentiality and are committed to protecting the personal data collected about you. This personal data protection policy or privacy policy (hereinafter the "data protection policy") aims to inform you of the characteristics of your personal data processing implemented by the restaurant. The collection of this personal data concerning you may be carried out by means of or through, in whole or in part, the restaurant's website www.restaurant-shardana.fr (hereinafter the "website") and in the context of your relations with the restaurant.

This data protection policy also specifies the rights you hold over your personal data in accordance with applicable legal and regulatory provisions.

If you have any questions, comments or concerns regarding this policy, you can of course address them to the restaurant at the contact details provided below in the section "What are your rights and how can you exercise them?".

The personal data processing presented and described in this data protection policy concerns those implemented by the restaurant as controller of its own processing, for its own account.

Also presented and described in this data protection policy is the personal data processing implemented by the restaurant, as joint controller with Zenchef, which is the service provider that provides the restaurant with a software solution designed and developed to enable the restaurant to manage its relationship with its customers and prospects and to benefit from services useful to its business (such as online booking, table payment, review collection). To learn more about Zenchef, click here.

To learn more about the main lines of the distribution of roles, obligations and responsibilities in case of joint responsibility, you can contact Zenchef at the contact details referred to in paragraph 6 below.

You are also invited to consult Zenchef's personal data protection policy, accessible at the following address: https://www.zenchef.com/el/privacy-policy.

1 Definitions

In addition to the terms defined elsewhere in this policy, the following terms, whether used in the singular or plural in said policy, have the following meaning:

- "recipient": means the natural or legal person, public authority, service or any other body that receives communication of personal data, whether or not it is a third party.

- "personal data": means any information relating to an identified or identifiable natural person (cf. "data subject"); an "identifiable natural person" is considered to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more specific elements specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

- "controller": means the natural or legal person, public authority, service or other body which determines the purposes and means of the processing. When the controller jointly determines with others the purposes and means of processing, it is called a "joint controller".

- "processor": means the natural or legal person, public authority, service or other body which processes personal data on behalf of the controller.

- "processing": means any operation or set of operations which is performed or not with the aid of automated processes and applied to data or sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, restriction, erasure or destruction.

2 What is the restaurant's role in processing your personal data?

2.1 The restaurant Ristorantino Shardana (referred to as the "restaurant" in this data protection policy) is a -, with share capital of 2000 euros, registered under number 809 797 145 (Registration number 809 797 145), having its registered office at 134 rue di theatre paris 75015, VAT number: FR63809797145, tel: -, email: -.

To learn more about the restaurant, legal notices.

2.2 The restaurant publishes this website (cf. the "website" as defined above), which aims to make available to any internet user who uses or visits it information to discover the restaurant's activity, the menus and dishes offered, as well as its news, or reviews left by restaurant customers.

It also offers functionalities and/or information allowing users to contact the restaurant (cf. contact request), to book a table at the restaurant and/or to place a takeaway order from the restaurant (in "click and collect") if the restaurant offers such a service, but also to consult information and news related to the restaurant's activity.

The restaurant also administers pages presenting its activity and allowing it to publish content on social networks and to interact with internet users through these networks (for example, Facebook, Instagram and Twitter ("X"), depending on the social networks actually used by the restaurant and on which the restaurant actually has a page that it administers).

Therefore, personal data processing concerning you, whether you are a customer, prospect, contact, internet user / user, job applicant, supplier, service provider or partner, potential or current (also referred to as "you" or the "data subject(s)"), may be implemented by the restaurant for the purposes referred to below in paragraph 4.

3 How is your personal data collected?

3.1 Your personal data is collected by the restaurant directly from you, or indirectly from third parties.

3.1.1. Your personal data is notably collected or processed in whole or in part:

- during your navigation on the website (for example due to sharing or redirection plugins or social network functionalities integrated into the website or to which the website may be connected), your interactions with the website, and the entry by you of information in data collection forms that may appear there,

- more generally in the context of requests that you may be required to address to the restaurant by any means at your convenience, of your relationship and your exchanges with the restaurant, as well as when you share content from the website using "sharing buttons" on social networks that may be offered on the website, or during your navigation on one of the pages administered by the restaurant on social networks.

It is specified that your personal data may be collected through the services provided by Zenchef to the restaurant (for example, when you make a booking request to the restaurant through the booking module provided by Zenchef to the restaurant).

Your personal data is therefore collected by the restaurant from you in the aforementioned cases.

3.1.2. Furthermore, when you exchange directly with the Zenchef group, your personal data is collected through the relevant entity within the Zenchef group.

In addition, your personal data may be collected by the restaurant then transmitted or made accessible to the Zenchef group or may be collected by the Zenchef group and transmitted or made accessible to the restaurant if applicable.

3.1.3. Your personal data may also be collected through third parties.

The personal data that the restaurant collects and processes concerning you may possibly be collected or enriched by it, notably for the purpose of carrying out commercial operations, communication, solicitation, prospecting or marketing, by means of other sources of information (so-called "public" information, social networks, third-party / partner websites, professional directories, blogs, press articles, use of file rental operations / provision of files by third parties / partners, use of specialized databases offered by third parties, etc.).

Furthermore, with regard more particularly to personal data processed in the context of the restaurant's recruitment operations, it may use the information you provide (e.g.: information mentioned in your CV) which may, under certain conditions, be integrated into a candidate file (CV database) of the restaurant.

In this context, the restaurant may also be required to approach third parties (for example, recruitment agencies or former employers) or to use other sources of information (notably professional social networks, recruitment agencies or specialized recruitment sites) to collect information about you for the purpose of studying your application or your profile.

3.2 Furthermore, and in general, you are informed that in principle:

- if the processing of your personal data is necessary for compliance with the legal or regulatory obligations of the controller, the collection of said data is mandatory;

- if the processing of your personal data is subject to your consent, the communication of said data is totally optional (it being specified that their lack of communication could however result in preventing at least in certain cases the implementation of the relevant processing);

- if the processing of your personal data is necessary for the execution of a contract or pre-contractual measures taken at your request, the communication of said data is necessary for the pursuit of this purpose and the controller could, in the absence of communication of this data, be prevented from executing its contractual obligations or the aforementioned pre-contractual measures;

- if the processing of your personal data is based on the pursuit of the legitimate interests of the controller or a third party, the communication of said data is necessary for the pursuit of this purpose, and the absence of communication of your data may not allow the implementation of the relevant processing or obstruct it. For example, in the absence of providing information that would be necessary to respond to a request from you (request for information, etc.), your request related to this personal data collection might not be able to be processed or its processing delayed.

Special case: if collection forms (for example, forms integrated on the website) involve the entry of personal data on an optional basis, this will in principle be indicated to you by means of a legend. Otherwise, if the collection of certain data is mandatory for the implementation of the associated processing, you will in principle not be able to finalize your action (e.g.: validate your booking request or send your message on the contact form on the website) and an error message informing you about the fields to complete will be displayed.

3.3 Except in special situations, or contrary specifications in this policy, we do not collect so-called "sensitive" or "special categories" of personal data, i.e. which would reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, nor genetic or biometric data for the purpose of uniquely identifying a natural person, nor data concerning health or data concerning a natural person's sex life or sexual orientation. In this regard, you are informed that you are asked not to provide such "sensitive" or "special categories" data in the context of your exchanges with the restaurant.

3.4 Personal data of minors or protected adults: in general, the use of the website and the restaurant's dedicated pages on social networks is reserved for adults with legal capacity, the restaurant cannot under any circumstances be held responsible for the use of the website or the restaurant's pages on social networks by minors or incapacitated persons, and therefore for the consequences that may result from it, particularly regarding the processing of their personal data.

However, in certain special cases, the restaurant may be required to process personal data of minors of at least fifteen years old when they contact the restaurant to apply for a job or internship offer.

4 What data is collected, for what processing purposes, on what legal basis and for how long?

Your personal data is processed for the following purposes:

4.1 Management and follow-up of information requests and exchanges with users, initiated via or through the website or the restaurant's social media pages or by any other means, and more generally relations with contacts in the broad sense

- Processing purpose: the restaurant processes your personal data to ensure the processing, management and follow-up of any request (for example, information request using the contact form on the website) addressed by you, by any means and notably via the website or via interactions on the restaurant's social media pages (including notably the management, processing, follow-up and possible moderation of your messages or comments) and the responses to be provided, the management and follow-up of functionalities offered on or via the website, and more generally for the purpose of managing its relations with its contacts in the broad sense.

- Controller: the restaurant.

- Data processed: identity (title, last name, first name), username or pseudonym / alias, contact details (notably postal address, telephone number or email address), country, contact request and correspondence exchanged, company affiliation and function if applicable.

- Legal basis for processing: the processing of your personal data in this context is necessary for the pursuit of the restaurant's legitimate interests in responding to your requests and more generally in ensuring the management and follow-up of its relations with its contacts.

- Data retention period: retention in active database of personal data for the time necessary to provide you with a response to your request or for the management of your relationship with the restaurant then, at the end of the retention period in active database, retention in the form of archives for 5 years for administrative and/or evidential purposes.

4.2 Management of the restaurant's relations with its customers and prospects

- Processing purpose: the restaurant processes personal data of its customers and prospects for the purpose of managing and monitoring its relations with them, including in the context of feeding and maintaining its customer file as well as carrying out import or export operations of files containing information relating to its customers or prospects, or in the context of managing complaints addressed by its customers or prospects.

- Controller: the restaurant.

- Data processed: identity (title, first name, last name), contact details (email address, telephone number, etc.), language / country, date of birth if provided to the restaurant, economic and financial information, comments entered by the restaurant, history of bookings, and more generally relations between the restaurant and its customers or prospects, or data relating to complaints and responses provided.

- Legal basis for processing: such processing of your personal data is in principle necessary for the pursuit of the restaurant's legitimate interests with a view to ensuring good management of relations with its current or potential customers, but also complaints and responses provided to them.

- Data retention period: retention in active database for three years from the collection of personal data or the end of relations with you, or from your last contact, then retention in the form of archives for legal limitation periods for administrative and/or evidential purposes.

4.3 Management of reservations and click and collect orders

- Processing purpose: the restaurant and Zenchef process personal data relating to persons who have made a reservation request or a click and collect order if applicable with the restaurant via Zenchef services (e.g. : using the Zenchef reservation request form appearing on the website). This processing has the purpose of taking, managing and following up on reservation requests and/or click and collect orders. Associated reports, indicators and statistics are also provided to the restaurant as part of Zenchef services (occupancy rate, evolution of the number of reservations / orders, "no-show" rate, etc.). When the reservation request or order is made with the restaurant by another means, the restaurant also processes personal data relating to persons who have made such a reservation request or such an order for the aforementioned purposes.

- Controller(s): the restaurant is responsible (possibly jointly with Zenchef when reservation requests or orders are made using Zenchef services) for such processing.

N.B: When reservations or orders are made with the restaurant without Zenchef visibility (e.g.: reservation or order made directly with the restaurant by telephone or via a reservation module other than the Zenchef module), then the restaurant is solely responsible for such processing.

- Data processed: identification data (first and last name), contact details (telephone number, email address), country/language, reservation number, date and time of the requested reservation, room chosen for the reservation and/or table reserved if applicable, reason for the reservation if applicable (birthday, professional event, family event, etc.), number of covers for the reservation request, date and time of taking the reservation or order, reservation status (confirmed, cancelled, on waiting list, etc.), source of the reservation (walk-in customer, reservation by email, website / reservation module from which the reservation was made, etc.), status to determine whether a customer honored their reservation or not ("no-show" / "arrived" or "cancelled") and associated timestamp (date and time), information relating to the click and collect order (products / items ordered and associated rates, pickup date and time, etc.), gift code, reason for reservation, comments concerning the reservation / order request, payment data (particularly in case of prepayment requested by the restaurant) or data necessary for taking a bank imprint if applicable, meal duration, reservation notifications, history of exchanges / missed phone calls if applicable / reservations / orders and alert in case of "no-show" risks (cf. risk that a person who has booked does not honor their reservation) which is automatic, objective and based on the history of reservations made by the person concerned (cf. in case of reservation not honored in the previous 12 months or if several reservations are made with several restaurants that are Zenchef clients, by the same person, for the same day and at the same time (or at 1 hour maximum interval)), it being specified that this alert does not deprive the person concerned of making their reservation request and does not lead to automatic cancellation of their reservation (the restaurant receiving this alert being able to decide to ignore this alert or to deploy additional measures to try to limit this risk (e.g.: request reconfirmation of the reservation by email/SMS, request for prepayment or even taking a bank imprint)).

- Legal basis for processing: such processing of your personal data is necessary for the pursuit of the restaurant's legitimate interests (and/or Zenchef when reservations and orders are made using Zenchef services) with a view to responding to reservation / order requests, ensuring good management of reservations and orders, and more generally relations with the restaurant's customers, or with a view to ensuring its development and assessing the level of performance of the services it provides.

4.4 Management of payment for bills made using the table payment tool provided by Zenchef

- Processing purpose: the restaurant and Zenchef process personal data relating to persons who have made a payment for a bill with the restaurant using the table payment tool provided by Zenchef. This processing has the purpose of managing and monitoring table payment services via this tool, and notably payment of the bill, when the personal data concerned has been collected using the table payment tool provided by Zenchef. Associated reports, indicators and statistics are also provided to the restaurant as part of Zenchef services provided to the restaurant (number of payments made using the table payment tool provided by Zenchef, proportion of payments made using this tool, monthly revenues generated associated with the use of this tool, etc.). When payment of bills is made with the restaurant by a means other than the table payment tool provided by Zenchef, the restaurant also processes personal data relating to persons who have made such a payment for the aforementioned purposes.

- Controller(s): the restaurant is responsible (possibly jointly with Zenchef when the table payment tool provided by Zenchef is used) for such processing.

N.B: When bill payments are made with the restaurant by a means other than the table payment tool provided by Zenchef (e.g.: payment in cash or by bank card at the restaurant's cash register or using a tool made available by a third party), then the restaurant is solely responsible for such processing.

- Data processed: identification data, information relating to the bill, items paid and price paid (and distribution among guests if applicable), tip amount, payment methods, payment data (cf. payment card information: number, expiration date, cryptogram, cardholder name), payment receipt and contact details provided to obtain a receipt following payment if applicable.

- Legal basis for processing: such processing of your personal data is necessary for the pursuit of the restaurant's legitimate interests (and/or Zenchef when the table payment tool provided by Zenchef is used) with a view to payment of bills and orders, and more generally the proper execution of relations with the restaurant's customers and restaurant services provided by the latter or with a view to ensuring its development and assessing the level of performance of the services it provides.

- Data retention period: retention in active database for three years from the collection of personal data or the end of relations with you, or from your last contact with the restaurant and/or the Zenchef group then retention in the form of archives for 5 years for administrative and/or evidential purposes. Regarding payment data, this is not retained by the restaurant or by Zenchef. The determination and application of their retention periods are the responsibility of the payment service providers used, the restaurant and/or Zenchef having no control over these periods.

4.5 Management of online reviews

- Processing purpose: the restaurant may process personal data relating to its customers, and more generally to its contacts, who have left their review online. This processing has the purpose of managing and monitoring online reviews concerning the restaurant (including notably moderation and processing of reviews and comments and responses to be provided if applicable), as well as publication of all or part of these reviews on the website or on other media. Reports, indicators and statistics associated with online reviews concerning the restaurant may also be carried out (average rating obtained by the restaurant, evolution of reviews, etc.).

- Controller(s): the restaurant is responsible for such processing (except regarding dissemination on the Zenchef mobile application of online reviews collected using services provided by Zenchef, such processing being implemented jointly by the restaurant and by Zenchef).

- Data processed: identification data (e.g.: last name, first name, pseudonym, etc.), elements relating to online reviews (ratings and associated comment, responses provided by the restaurant if applicable, etc.).

- Legal basis for processing: such processing of your personal data is necessary for the pursuit of the restaurant's legitimate interests (and/or Zenchef regarding dissemination of reviews on the Zenchef mobile application) with a view to ensuring management and monitoring of online reviews concerning the restaurant.

- Data retention period: retention in active database for three years from the collection of personal data or the end of relations with you, or from your last contact with the restaurant and/or the Zenchef group then retention in the form of archives for 5 years for administrative and/or evidential purposes. When online reviews are published on third-party platforms / websites, the determination of retention and publication periods is the responsibility of said third parties.

4.6 Management of relations with the restaurant's partners (including also prescribers, service providers and suppliers) current or potential

- Processing purpose: the restaurant may process personal data relating to its current or potential partners and/or contacts at these partners (e.g.: partner staff members, service provider/consultant at the partner, etc.). This processing has the purpose of searching for new partners, managing, monitoring and responding to partnership requests, quotes or service proposals, as well as managing partners and/or managing the restaurant's relations with them, including notably management and monitoring of contract execution, orders/services entrusted, deliveries, invoices, payments and transactions, associated accounting, and in particular management and monitoring of partner accounts, partner relations in the broad sense and possibly complaints.

- Controller: the restaurant.

- Data processed: identity (title, last name, first name), contact details (email address, postal address, telephone number, etc.), company affiliation and function, information relating to your training (studies, diplomas, etc.), your experience and your professional background, your skills/professional references, and any information that could be contained in your CV if applicable, information on partnership requests, quotes and service proposals, detail of orders / services / contracts, data relating to payments and payment methods, data relating to transactions, data relating to contract and relationship monitoring, data relating to invoices, data relating to complaints.

- Legal basis for processing: such processing of your personal data is in principle necessary for the pursuit of the restaurant's legitimate interests in ensuring good management of relations with its current or potential partners (and more generally contacts at said partners in the broad sense), notably in the context of searching for new partners, monitoring proper execution of contracts concluded with partners or with a view to organizing and properly executing missions or services entrusted to them.

- Data retention period: retention in active database for the duration of the pre-contractual relationship (for potential partners), contractual or commercial (for current partners), then retention in the form of archives for 5 years for administrative and/or evidential purposes.

4.7 Carrying out external communication operations

- Processing purpose: the restaurant may process personal data relating to its customers, prospects, contacts, internet users / users or partners, potential or current, with a view to carrying out communication operations including notably presentation of the restaurant as well as its activity and/or its services (testimonials, dissemination of presentation brochures, promotion and communication relating to events, information on news, etc.) on external communication media (e.g.: on the website and/or on the restaurant's pages on social networks), and more generally on all communication media over which the restaurant has control.

- Controller: the restaurant.

- Data processed: photograph / video, status (e.g.: customer, prospect, contact, internet user / user, partner, and possibly details on this status), professional information if applicable (position held / job / profession / function / service / activity / company affiliation, etc.), feedback and testimonials.

- Legal basis for processing: such processing is based on your consent (intended to be collected specifically by the restaurant, according to the modalities determined by the latter), which means that you have the possibility of not consenting to it or, if you consent to it, of subsequently withdrawing your consent at any time, and without having to provide reason or explanation.

- Data retention period: retention for the duration specified in the authorization consented to the restaurant.

4.8 Management and monitoring of accounting and financial situation of the restaurant

- Processing purpose: the restaurant may process personal data of its contacts (for example contacts at its partners or its customers) for the purpose of managing and monitoring accounting operations related to its activity and its financial and budgetary situation.

- Controller: the restaurant.

- Data processed: identity (title, last name, first name), contact details (postal address, telephone number, email address, etc.), bill amounts, data relating to payments and payment methods, data relating to transactions, data relating to contract and relationship monitoring with contacts and data relating to invoices, accounting, financial, budgetary and tax information.

- Legal basis for processing: such processing is in principle necessary for compliance with legal or regulatory obligations incumbent on the restaurant (financial, tax and accounting documents notably). Furthermore, regarding other processing purposes that are not imposed by a legal and regulatory obligation, such processing is necessary for the pursuit of the restaurant's legitimate interests in the context of proper management of its accounting and financial situation.

- Data retention period: retention in active database for the duration of the current accounting or tax year then retention in the form of archives until expiration of a duration of 10 years (except regarding data whose retention aims solely to take into account the tax limitation period and which are therefore retained in archives for a duration limited to 6 years).

4.9 Prospecting / solicitation by email

- Processing purpose: the restaurant may process personal data of its contacts (for example customers, prospects, or contacts at its partners) for the purpose of carrying out commercial operations, communication, solicitation, prospecting or marketing by email or SMS, with a view to sending them information promoting the image or services of the restaurant (e.g.: restaurant newsletter).

- Controller: the restaurant.

- Data processed: identity (title, first name, last name), contact details (email address, telephone number), function and company affiliation if applicable.

- Legal basis for processing:

o if you are a professional, your prior consent to receiving such solicitations is not necessary if the messages are related to your profession. In this case, such processing is implemented on the basis of the pursuit of the restaurant's legitimate interests in making itself known, ensuring its development notably commercial and/or carrying out prospecting and solicitation operations in the broad sense, it being specified that you have in any case the right to object to it at any time without having to provide reason or explanation;

o in other cases, notably when you subscribe to the newsletter on the website or make a reservation request through the website, such processing is based on your consent, which means that you have the possibility of not consenting to it or, if you consent to it, of subsequently withdrawing your consent at any time, and without having to provide reason or explanation.

- Data retention period: retention in active database for three years from the collection of personal data or the end of your relations with the restaurant or from your last contact with the restaurant (for example, from your last reservation) then retention in the form of archives for 6 years for administrative and/or evidential purposes.

4.10 Use of cookies or other similar technologies for the purpose of recording your preferences, managing and monitoring the proper functioning and security of the website, monitoring and measuring navigation, traffic and performance of the website, including carrying out and developing tests, studies, analyses, reports and statistics, or evaluating and analyzing how you use and interact with our website, adapting the website with an objective of improving website performance and user experience, making available certain services or certain functionalities on the website (excluding social networks or functionalities related to social networks)

- Processing purpose: in the context of your use of the website, the restaurant processes personal data concerning you notably for the purpose of recording your preferences, including carrying out and developing studies, analyses, reports and statistics, managing and monitoring proper functioning and notably securing the website, improving user experience, making available certain services or certain functionalities on the website, and monitoring and measuring audience and website performance. This personal data is collected using cookies or other similar technologies.

- Data processed: session, connection and Internet navigation data, including notably information about your browser or terminal and their configuration (e.g.: device fingerprinting, unique device identifier, display resolution, operating system, IP address, internet browser, terminal type, etc.), history and more generally traffic and navigation information on the website, information relating to traceability of actions on the website and interactions with the website, and on the number of visitors, origin of users and pages visited, information of "identifier" type linked to your terminal, your hardware or your operating system, or information of "scoring" type (e.g.: bot score aiming to ensure that the user is not a robot), information relating to your navigation and use preferences of the website or even third-party websites, location data (IP address and geographical area for example), information relating to the network, your language, or personal data (age, gender, interests, demographic data, family / marital situation, activity / professional status, etc.) non-nominative (i.e. specific to the internet user's identifier).

- Controller: the restaurant.

- Legal basis for processing: when the processing of your data either has the exclusive purpose of enabling or facilitating electronic communication, or is strictly necessary for providing an online communication service at your express request, i.e. generally if this processing is strictly necessary for the purpose of allowing you to navigate on the website and benefit from the functionalities offered, it is based on the restaurant's legitimate interest in facilitating your navigation on the website. In other cases, such processing is subject to your prior consent to the use of cookies and other similar technologies for the aforementioned purposes, which means that you have the possibility of not consenting to it or, if you consent to it, of subsequently withdrawing your consent at any time, and without having to provide reason or explanation.

- To learn more about cookies, trackers and other similar technologies used by the restaurant and by its partners on the website, on how to configure them, and on their lifespan, refer to the restaurant's cookie policy accessible at the bottom of the website pages.

4.11 Use of cookies or other similar technologies for the purpose of monitoring and measuring navigation, traffic and performance of the website (in connection with functionalities related to social networks) and the restaurant's pages on social networks, including carrying out and developing tests, studies, analyses, reports and statistics, or evaluating and analyzing how you use and interact with the website (in connection with functionalities related to social networks) and said pages on social networks, making available and monitoring interactive functionalities with social networks, adapting the website and the restaurant's pages on social networks with an objective of improving website performance and the restaurant's pages on social networks and user experience, and displaying advertisements, possibly targeted (social networks and functionalities related to social networks)

- Processing purpose: for the purpose of making available interactive functionalities between the website and social networks, and monitoring, understanding and studying the use of the website (in connection with functionalities related to social networks) and the restaurant's pages on social networks and interactions between the website and social networks, the restaurant may offer you on the website links or "buttons" to its pages on social networks, integrate / attach to the website or attach the website to functionalities related to social networks, configure said pages on social networks as administrator or offer you to use on these networks tools created / offered by these social networks. In this case, the restaurant processes personal data concerning you notably for the purpose of monitoring and measuring navigation, traffic and performance of the website (in connection with functionalities related to social networks) and the restaurant's pages on social networks, including carrying out and developing tests, studies (for example positioning), analyses, reports and statistics, or evaluating and analyzing how you use and interact with the website (in connection with functionalities related to social networks) and said pages on social networks, making available and monitoring interactive functionalities with social networks (for example, "share" button or access to pages on social networks, etc.), adapting the website (in connection with functionalities related to social networks) and the restaurant's pages on social networks with an objective of improving website performance (in connection with functionalities related to social networks) and said pages and user experience. Personal data concerning you may also be collected and processed to enable the display to your attention on the website, on third-party websites or on social networks of advertisements, possibly targeted (or behavioral or programmatic advertising) based on your profile, your navigation, your location (cf. geolocated advertising) and your interactions on social networks but also with the website or with other websites you visit. This personal data is collected using cookies or other similar technologies.

Warning: the use of these cookies may allow the social networks concerned to track users' navigation on the restaurant's website, whether or not they are users of these third-party social networks (i.e. whether or not they have created an account on these sites).

- Controller: when the configuration of a social network tool that the restaurant performs has an impact on the nature of personal data processed or on the characteristics of this processing, and more precisely when it can be considered that the restaurant contributes to jointly determining the purposes and means of personal data processing, the restaurant may be jointly responsible for processing your personal data with the social network concerned. In this case, the social network, which primarily determines the purpose and means of processing, as well as the nature and modalities of cookie deposits, has primary responsibility for processing and it is recommended that you consult the privacy policies and "cookie" policies of these third parties for detailed information on their personal data collection and processing practices. Depending on the social networks on which the restaurant administers a page, the social networks Facebook, Instagram and Twitter ("X") may be concerned (see below).

- Data processed: session, connection and Internet navigation data, including notably information about your browser or terminal and their configuration (e.g.: device fingerprinting, unique device identifier, display resolution, operating system, IP address, internet browser, terminal type, etc.), history and more generally traffic and navigation information on the website and on our pages on social networks, information relating to traceability of actions on and interactions with the website or with Zenchef pages on social networks or between the website and social networks, and on the number of visitors, origin of users and pages visited, information of "identifier" type linked to your terminal, your hardware, social networks or your operating system, or information of "scoring" type (e.g.: bot score aiming to ensure that the user is not a robot), information relating to your navigation and use preferences of the website, Zenchef pages on social networks, or even third-party websites, location data (IP address and geographical area for example), information relating to the network, your language, or personal data (age, gender, interests, demographic data, family / marital situation, activity / professional status, etc.) non-nominative (i.e. specific to the internet user's identifier).

- Legal basis for processing: such processing is subject to your prior consent to the use of cookies and other similar technologies for the aforementioned purposes, which means that you have the possibility of not consenting to it or, if you consent to it, of subsequently withdrawing your consent at any time, and without having to provide reason or explanation.

- Maximum lifespan of cookies and retention of personal data collected by this means: retention in active database for the lifespan of cookies and other similar trackers by means of which personal data is collected, and maximum six months. Regarding retention of personal data by Instagram, Facebook and/or Twitter ("X"), see the privacy policy and "cookie" policy of the latter (see below).

- To learn more about cookies, trackers and other similar technologies related to social networks:

o regarding Facebook (Meta) and Instagram: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour Dublin 2, Ireland. For more information on how Meta Platforms Ireland Limited processes your personal data, we invite you to refer to the Data Use Policy of Meta Platforms Ireland Limited, but also to the "Cookie" Policy of Facebook and Instagram;

o regarding Twitter ("X"): Twitter International Unlimited Company, One Cumberland Place, Fenian Street Dublin 2, D02 AX07 Ireland. For more information on how Twitter processes your personal data, we invite you to refer to Twitter's Privacy Policy and "Cookie" Policy.

4.12 Management of applications and recruitment process

- Processing purpose: the restaurant may process your personal data for the purpose of managing and monitoring applications, in response to job or internship offers or which are addressed to it spontaneously, and operations relating to the restaurant's recruitment process, including notably monitoring and active search for professional profiles corresponding to positions to be filled, reception and study of applications, evaluation and selection of applications and professional profiles, constitution of a candidate file (or CV database), convocation of candidates and conducting recruitment interviews, as well as resulting decision-making (rejection of application or recruitment of candidate).

- Controller(s): the restaurant.

- Data processed: identity (title, first name, last name), contact details (email address, telephone number, postal address, etc.), language(s) spoken, data relating to your professional life, information relating to your training (studies, diplomas, etc.), your experience and your professional background, your skills/professional references and the job you hold, economic and financial information, and any information contained in your CV (notably your interests if applicable), and more generally in your application (notably cover letter, recommendation letter, etc.).

- Legal basis for processing: such processing is necessary for the pursuit of the restaurant's legitimate interests with a view to searching for and recruiting new collaborators. The retention of your data, once the position to be filled is assigned, in our candidate database (or CV database) to subsequently offer you other positions that may interest you is however subject to your prior consent, which means that you have the possibility of not consenting to it or, if you consent to it, of subsequently withdrawing your consent at any time, and without having to provide reason or explanation.

- Data retention period: your personal data is retained for the time necessary to process your application, and may, subject to obtaining your prior consent, be retained until expiration of a period of two years from receipt of your application, for example to enable the restaurant to contact you again during this period if a position related to your profile becomes available. At the end of this period, your personal data is retained in the form of archives for 6 years for administrative and/or evidential purposes.

4.13 Management of requests to exercise rights of data subjects

- Processing purpose: to enable the restaurant, or Zenchef if applicable, to comply with their various legal and regulatory obligations regarding personal data protection (e.g.: responses to requests to exercise their rights by data subjects, taking into account resulting consequences notably management of objections to prospecting, etc.), the restaurant and Zenchef if applicable may process personal data concerning you in connection with this purpose.

- Controller(s): the restaurant and/or Zenchef (depending on the processing(s) that your request concerns).

- Data processed: identity (title, first name, last name), contact details (email address, telephone number, etc.) and more generally all data processed concerning you, content and substance of the request, exchanges and response, additional information or copy of an identity document but only when the situation requires it (cf. in case of reasonable doubts about the identity of the requester).

- Legal basis for processing: such processing is in principle necessary for compliance with the aforementioned legal and regulatory obligations incumbent on the restaurant and/or Zenchef if applicable, as controller(s) (possibly joint) of processing.

- Data retention period: retention in active database until the controller(s) respond to the request then retention in the form of archives for maximum 6 years from when the controller(s) respond to the request (depending on the type of request and the processing it concerns), it being however specified that when a copy of an identity document is collected in this context, it is:

o immediately deleted when it has been provided by you but the request does not require transmission of such an identity document;

o deleted once verification of the identity of the person at the origin of the request has been carried out (when the situation requires such verification) or, retained in the form of archives for evidence purposes in certain exceptional cases for which the controller(s) identify a strong litigation risk for 6 years.

*In case of objection on your part to receiving prospecting, then your identity and / or your contact details may be retained by the controller(s) in active database for 3 years to take into account your request (cf. maintaining an objection list to prospecting).

4.14 Management and monitoring of pre-litigation and litigation

- Processing purpose: such processing of personal data concerning you is carried out by the restaurant with a view to managing and monitoring pre-litigation and litigation (notably litigation with its customers, with its partners, with its contacts in the broad sense, etc.), including notably preparation, exercise and monitoring of litigation as well as execution of decisions rendered, but also management and monitoring of actions aimed at establishing, exercising or defending a right in justice (including, if applicable, execution of the decision rendered).

- Controller: the restaurant.

- Data processed: identity (title, first name, last name), civil status, economic and financial information, history / information relating to exchanges and relations with the restaurant, and more generally any information if it is necessary regarding the object of the dispute, litigious facts at the origin of the procedure, information / documents / evidence collected tending to establish or refute facts that may be reproached, characteristics and detail of pre-litigation / litigation / procedure, decision, information necessary for execution of the decision, etc. including, if applicable, data relating to convictions (notably criminal) or offenses or security measures, or so-called "special categories" data as defined above.

- Legal basis for processing: such processing of your personal data is based on the legitimate interests pursued by the restaurant with a view to preserving / asserting its interests and rights in justice, notably in execution of relations with its customers (current or potential), partners (current or potential), contacts, candidates, etc. Furthermore, in the context of this processing, so-called "special categories" personal data may be processed for the aforementioned purposes if they are strictly necessary for these purposes and for establishing, exercising or defending a right in justice. Similarly, data relating to offenses, convictions or security measures may be processed for the purpose of enabling the restaurant to prepare and, if applicable, exercise and monitor legal action as a victim, person involved, or on behalf of a victim or person involved, and to have the decision rendered executed.

- Data retention period: as specified above, data processed in the context of the various purposes presented above is retained in the form of archives for legal limitation periods notably for evidential purposes, in the event of litigation. In case of pre-litigation initiated before the end of the periods above and which would require retention of personal data notably with a view to establishing, exercising or defending the restaurant's rights, the latter will be retained until amicable settlement of the dispute (including its execution if applicable), or, failing that, will be deleted as soon as the corresponding legal action is time-barred. In case of litigation / procedure, notably judicial, initiated before the end of the periods above and which would require retention of personal data notably with a view to establishing, exercising or defending the restaurant's rights, the latter will be retained for the duration of said procedure and until ordinary and extraordinary appeals are no longer possible against the decision rendered. Decisions pronounced may be retained by the restaurant until complete execution of the decision, or even as definitive archives.

N.B: regarding all the retention periods in active database referred to above in paragraph 4, you are informed that these are the periods applied "in principle" by the controller(s), unless you exercise your right to erasure, objection or withdrawal of your consent, in the situations and in accordance with the specifications referred to in paragraph 6 below. Indeed, in this latter case, following the exercise of such rights, your data will only be retained in the form of archives for the period referred to above in 4.13.

5 Who are the recipients of your personal data? How do we share your data?

5.1 In principle, only authorized persons within the restaurant can access your personal data when this access is necessary for the exercise of their functions and / or missions, namely notably staff (including in the broad sense employees, interns, temporary workers, etc.) authorized by the restaurant in charge of reception within the restaurant, reservation management, marketing and communication aspects, recruitment and human resources, legal, etc.

5.2 External recipients to the restaurant are also likely to receive communication of your personal data, namely:

- authorized persons within the Zenchef group (including in the broad sense employees, interns, temporary workers, etc.), in particular staff in charge of marketing, communication, commercial management, recruitment and human resources, customer and prospect relations, administrative, financial and legal, development, IT, projects, etc.

- services or entities responsible for controlling the restaurant and/or Zenchef if applicable (auditor, services or entities responsible for internal or external control procedures, bodies authorized to carry out controls, etc.);

- advisors to the restaurant and/or Zenchef if applicable (legal, financial, accounting, etc.);

- partners of the restaurant and/or Zenchef if applicable, including notably their service providers and suppliers, current or potential;

- social network publishers, third-party website publishers or cookie publishers used on the website, or even third-party companies involved for example in carrying out prospecting, communication operations, etc. or in the context of managing our marketing, or for the operation of the website in the broad sense (e.g.: making available and proper functioning of functionalities offered there, performance, security, etc.). In this regard, it is also specified for the record that if you post content disclosing your personal data on the internet, and notably on the website or on the restaurant's social media pages, this content may of course be accessible to any internet user. Furthermore, if you leave your online review concerning the restaurant, you are informed that your data, and in particular the rating left by you, may be disseminated and more generally used on publicly accessible digital media, and notably on the Zenchef mobile application for your reviews collected via the Review service provided by Zenchef. Furthermore, if you have consented to the restaurant using your personal data for external communication purposes, these may be accessible / viewed by the audiences to whom these communications are intended, depending on the uses you have consented to;

- technical or other service providers involved in activities or missions for which access to personal data is necessary and/or justified. This category of recipients may also include any publisher of application, computer program or tool that would be used in the context of the restaurant's activity, or any IT service provider or maintenance of applications, computer programs and/or tools used by the restaurant and/or by Zenchef if applicable and in which your personal data could be processed;

- social and tax bodies authorized to receive, in certain cases, personal data;

- bodies, judicial auxiliaries and ministerial officers, in the context notably of their debt recovery mission;

- if applicable the body responsible for managing the telephone canvassing objection list;

- judicial auxiliaries, ministerial officers and if applicable competent courts or authorities, administrative or judicial, to enable the sale or transfer of all or part of the activities or assets of the restaurant and/or Zenchef if applicable, or in the context of managing and monitoring pre-litigation and/or litigation;

- insurers of the restaurant and/or Zenchef if applicable.

5.3 The controller(s) may furthermore be required to communicate your personal data in case of legitimate requests from public or authorized authorities, on the basis of legal or regulatory provisions that apply to them. Your personal data may therefore be communicated to any authority authorized to know about it, in particular in case of requisition from judicial, police or administrative authorities.

5.4 It is specified that the recipients referred to above are not necessarily recipients of all your personal data, but only of those necessary for the purpose involving such communication.

6 What are your rights and how can you exercise them?

6.1 You benefit, according to the conditions and modalities and within the limits defined by legal and regulatory provisions regarding personal data protection, from the following rights regarding your data:

- Right of access: you can obtain confirmation that personal data concerning you is processed or not by the controller(s), when it is, access to said personal data, as well as certain information relating to processing of your personal data and characteristics of such processing;

- Right to rectification: you can request correction of your personal data that you consider incomplete or inaccurate;

- Right to erasure: you can, in certain cases provided for by applicable provisions, request erasure of your personal data (except for example if they are necessary for execution of your contractual relations with the controller(s), or if they are necessary for the controller(s) to comply with their legal or regulatory obligations or establish or exercise their rights);

- Right to restriction of processing: you can request restriction of processing of your personal data, i.e. request in certain cases marking of your personal data to limit future processing;

- Right to portability of your personal data: you have the right in certain cases and under certain conditions provided for by applicable provisions to request to receive personal data concerning you that you have provided to us or, when technically possible, to have them transferred to a third party, in a machine-readable form (it being specified that this right to data portability only applies to processing based on consent of data subjects or on execution of contractual relations, and this subject to processing of data being carried out using automated processes);

- Right to withdraw your consent: you can withdraw your consent if processing is implemented on the basis of your consent, without however withdrawal of such consent affecting the lawfulness of processing based on consent carried out before withdrawal thereof;

- Right to define directives relating to retention, erasure or communication of your personal data after your death. In this regard, in case of death that would be brought to the knowledge of the controller(s), know that your personal data will be deleted (except necessity of retention for a determined period for reasons related to our legal and regulatory obligations and/or legal limitation and/or mandatory retention periods referred to above in paragraph 4 in the detail of processing characteristics), after having been communicated if applicable to a third party possibly designated by you.

Furthermore, you benefit, in certain cases and under certain conditions provided for by applicable provisions, from a right to object which allows you to object to processing of your personal data for reasons related to your particular situation, it being specified that regarding prospecting operations, including profiling operations that would be linked to such prospecting, you have an absolute right to object, which can be exercised at any time, without having to provide reason or justification.

6.2 Regarding processing of your personal data implemented by the restaurant as controller of its own processing as described in this policy, these rights are exercised with the latter at the contact details indicated in paragraph 2 or by email at -.

Upon receipt of such a request, it will be responded to as soon as possible and in any case within a maximum period of one month from receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests received, in which case the requester will be informed.

In case of reasonable doubt about the identity of the person concerned by such a request to exercise the aforementioned rights, they may be asked to provide additional information necessary to confirm their identity and they may be asked for this purpose, when the situation requires it, a photocopy of an identity document bearing their signature. In such a case, the aforementioned response periods will be suspended pending receipt of additional information necessary to identify the person concerned.

The request may be presented by the person concerned or by a person specially mandated for this purpose by the person concerned, provided that this mandated person justifies their identity and the identity of the principal, their mandate as well as the duration and precise object thereof. The mandate must also specify whether the representative may be made recipient of the response.

You are also informed that the restaurant has designated a data protection officer whose contact details are as follows: -.

6.3 Regarding processing of your personal data implemented jointly by Zenchef and by the restaurant, as joint controllers, as described in this policy, these rights are exercised with the data protection officer designated by Zenchef whose contact details are as follows: privacy@zenchef.com Zenchef, 63 avenue de Villiers, 75017 Paris (France).

6.4 Furthermore and for the record, the restaurant may in certain cases be considered as jointly responsible for processing your personal data with social networks within which the restaurant has dedicated pages or with which Zenchef offers you interactions (cf. detail of purposes in paragraph 4 above). Depending on the social network concerned, the joint controller may be:

- Regarding Facebook (Meta) and Instagram: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour Dublin 2, Ireland. For more information on how Meta Platforms Ireland Limited processes your personal data, we invite you to refer to the Data Use Policy of Meta Platforms Ireland Limited, but also to the "Cookie" Policy of Facebook and Instagram;

- regarding Twitter ("X"): Twitter International Unlimited Company, One Cumberland Place, Fenian Street Dublin 2, D02 AX07 Ireland. For more information on how Twitter processes your personal data, we invite you to refer to Twitter's Privacy Policy and "Cookie" Policy.

In these cases, you can also, for exercising your aforementioned rights, consult your account settings on the aforementioned social networks and/or contact:

- regarding Facebook and Instagram: the Data Protection Officer of Meta Platforms Ireland Limited by email, notably using the dedicated contact form;

- regarding Twitter ("X"): Twitter's Data Protection Officer by email, notably using the dedicated contact form.

6.5 Finally, you have in any case the right to lodge a complaint with the competent supervisory authority if you consider that processing of your personal data is not carried out in accordance with legal and regulatory provisions regarding personal data protection:

- in your jurisdiction, this would be the relevant data protection authority. You can find the list of European supervisory authorities at the following address: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

To understand your rights, you can also refer to explanations provided by your local data protection authority.

6.6 You are also informed that under applicable consumer protection laws, if you are a consumer, you can object at any time to being canvassed by telephone, by registering for free on your local telephone preference service.

7 How is your personal data secured?

7.1. The restaurant implements appropriate organizational and technical security measures, taking into account notably the categories of personal data processed, the state of knowledge, implementation costs and the nature, scope, context and purposes of processing as well as risks, whose degree of probability and severity varies, for the rights and freedoms of natural persons, to protect your personal data against any malicious intrusion, any loss, alteration or disclosure to unauthorized third parties, and more generally to preserve the security and confidentiality of said personal data and guarantee a level of security adapted to the risk.

In case of difficulties arising, the restaurant will make its best efforts to contain risks and will take all adequate measures, in accordance with its legal and regulatory obligations (corrective actions, information to a supervisory authority if necessary and if applicable to data subjects, etc.).

7.2. When developing, designing, selecting and using our services offered on the website that rely on personal data processing, the restaurant takes into account the right to personal data protection by default and from their design (cf. principles called "Privacy by design and by default").

7.3 Access to personal data concerning you is limited to collaborators or partners of the restaurant, and more generally to recipients referred to above, who are authorized and who need to know them in the context of executing their missions and/or their activities.

7.4 In case of subcontracting all or part of personal data processing, the restaurant contractually imposes on its subcontractors security guarantees and notably confidentiality regarding personal data to which they may have access (appropriate technical and organizational measures for protection of this data).

8 Is your personal data transferred outside the European Union?

8.1 Your personal data is processed preferentially within the European Union.

8.2. In the context of the aforementioned purposes, some of your personal data may however be transferred to third-party entities established in countries located outside the European Union (e.g.: subcontractors involved in the aforementioned processing).

Some of these entities are considered as ensuring a sufficient level of personal data protection because they are established in a country whose regulation regarding personal data protection has been recognized as ensuring an adequate level of protection of said data (cf. adequacy decisions of the European Commission https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en) or because they have committed to respecting a data protection framework entitled "Data Privacy Framework" (the list of entities concerned is available here: https://www.dataprivacyframework.gov/s/participant-search, it being specified that this data protection framework only concerns US entities).

Furthermore, if the country of the entity concerned or the entity itself does not offer an adequate level of protection of said data, we ensure that appropriate security and confidentiality measures are taken to guarantee maintenance of protection of your data.

Therefore, in these cases, you are informed that transfers of your personal data to other entities outside the European Union are governed by conclusion, with recipients of this data, of contractual clauses in accordance with European Commission recommendations enabling us to ensure that appropriate guarantees are taken regarding protection of said data.

You are furthermore informed that personal data transfers outside the European Union are lawful if the transfer is necessary for execution of a contract between the data subject and the controller or for implementation of pre-contractual measures taken at the request of the data subject, if the transfer is necessary for conclusion or execution of a contract concluded in the interest of the data subject between the controller and another natural or legal person, or if the data subject has given explicit consent to the envisaged transfer, after being informed of risks that this transfer could entail for them due to absence of adequacy decision and appropriate guarantees.

A copy of reference documents referred to in this paragraph can be obtained (free of all commercial information considered sensitive or confidential or covered by trade secrets), from the contact mentioned in the paragraph above "What are your rights and how can you exercise them?".

9 What are the links between the website and social media pages with third-party sites?

9.1 You are informed that the restaurant's digital media (notably the website or the restaurant's pages on social networks) are likely to provide or include links to third-party sites, including social network sites. The restaurant exercises no control over the activity of these sites and the policies they apply regarding protection of your personal data and your rights. It is recommended that you examine the guarantees offered by these sites, before any interaction with them. In this regard, your attention is drawn to the fact that the personal data protection policy of these sites may be different from this website's data protection policy and it is up to you to become aware of it.

9.2 If you post content disclosing your personal data on the internet, and notably on social networks, including the restaurant's social media pages, this content may be accessible to any internet user, and collected or exploited by third parties, for purposes that do not fall under the restaurant's responsibility. In any case, the restaurant's responsibility cannot be sought in the case where personal data processing implemented via one of these third-party sites would contravene applicable legal and regulatory provisions.

10 Can this data protection policy be modified?

10.1 This data protection policy may be subject to modifications at any time, which will take effect on the date of publication of the corresponding update.

10.2 Indeed, in case of modification, the new data protection policy will be put online on the website in the dedicated section.

10.3 We therefore invite you to consult it regularly.

Date of last update: June 5, 2025