Data policy

Data relating to the use of our services

Personal data relating to the Customer, collected, in particular, during the creation of Administrator Accounts, are processed by the Service Provider to ensure the execution of the Services and the management and monitoring of the relationship with the Customer.

The Service Provider may transmit the Customer's data to subcontractors used to perform the Services, subject to the Customer's express consent.

The Service Provider undertakes to keep the data collected only for as long as is necessary for the purpose of processing.

In accordance with the applicable regulations on the protection of personal data and in particular the European Regulation n°2016/679 of 27 April 2016 and the Data Protection Act of 6 January 1978 as amended, the Customer has:

- a right of access, rectification, deletion and portability of their data, - a right to limit the processing of their data,

- a right to object to the processing of their data and their use for commercial prospecting purposes,

- a right to define directives concerning the fate of his or her data post-mortem,

- a right not to be subjected to automated decision-making, including not to be subject to profiling measures,

which he may exercise by sending a letter to the address of the Provider's establishment as referred to in the terms of the present document. The Client may also file a complaint with the French National Commission for Data Processing and Liberties ("CNIL").

User data

The Service Provider undertakes to comply with the undertakings set out in this article and to ensure that its staff, whether permanent or non-permanent, and any subcontractors comply with the terms thereof, in particular by passing on to them undertakings similar to those set out below.

The purpose of this clause is to define the conditions under which the Service Provider undertakes to carry out the operations defined below on behalf of the Client, which is responsible for processing Users' personal data.

In this context, the Parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable as from 25 May 2028 (or hereinafter the "GDPR").

The Service Provider is authorised to process on behalf of the data controller, the Client, the personal data of the Users necessary to provide the subscribed Services.

The nature of the operations carried out on the data is recording, organising, structuring, storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The purpose of processing is the performance of its obligations, as set out herein or in any documentation or appendix brought to the attention of the Client, by the Service Provider to the Client.

The User's data are those initially collected by the Client when the User creates a personal account for the use of the Application, plus those necessary for the execution of the present contract. The data concerned is the surname, first name, date of birth, profile photo, food preferences, mobile phone number, email, bank details and TRD information. For the performance of this Agreement, the Client undertakes to provide the Service Provider with the aforementioned information, in addition to any other information that may be necessary during the performance of this Agreement.

The Service Provider undertakes to:

1. process the data only for the sole purpose(s) for which it is outsourced;

2. process the data in accordance with the documented instructions of the controller. If the processor considers that an instruction constitutes a breach of the European Data Protection Regulation or any other provision of Union or Member State law relating to data protection, it shall immediately inform the controller. In addition, if the processor is required to transfer data to a third country or to an international organisation under Union law or the law of the Member State to which it is subject, it must inform the controller of this legal obligation prior to processing, unless the law concerned prohibits such information on important public interest grounds

3. to guarantee the confidentiality of personal data processed under this contract;

4. ensure that persons authorised to process personal data under this contract :

- undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality

- receive the necessary training on the protection of personal data

5. take into account the principles of data protection by design and data protection by default in its tools, products, applications or services;

6. Subcontracting: The Service Provider, as subcontractor, may engage another subcontractor (hereinafter, "the subcontractor") to carry out specific processing activities.

The sub-processor shall be required to fulfil the obligations of this contract on behalf of and in accordance with the instructions of the controller. It is the responsibility of the original processor to ensure that the sub-processor provides the same sufficient guarantees as to the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the European Data Protection Regulation. If the sub-processor fails to fulfil its data protection obligations, the original processor shall remain fully responsible to the controller for the performance of the other processor's obligations.

In the event of recourse to a subsequent subcontractor, the Service Provider shall inform the controller in advance and in writing of any change envisaged concerning the addition or replacement of other subcontractors. The data controller has a minimum of FIFTEEN (15) DAYS from the date of receipt of this information to present his objections.

Such outsourcing may only be carried out if the controller has not objected within the agreed time limit.

The Client, as the data controller, is hereby informed that, for the time being, the Service Provider uses the following service providers to ensure the payment of Users' Orders EDENRED FRANCE, (S.A.S. au capital de 464.966.992 €, whose registered office is located at 166-180, boulevard Gabriel Péri, 92240 Malakoff - 393 365 135 R.C.S. Nanterre; SWILE (S.A.S. au capital de 49.171.20 Euros, whose registered office is located at 7 center, Immeuble l'Atlis, Bâtiment A, 561 rue Georges Meliés - 34000 Montpellier, registered in the Montpellier Trade and Companies Register under no. 824 012 173; OCTOPLUS, a simplified joint stock company with a capital of 88.593.70, having its registered office at 33, Rue du Temple, 75004 Paris, registered with the Paris Trade and Companies Register under number 531 601 136 RCS Paris; UP, Société Coopérative et Participative à forme Anonyme et à capital variable, registered with the NANTERRE Trade and Companies Register under number 642 044 366, having its registered office at Z.A.C. des Louvresses, 27-29 avenue des Louvresses - 92230 GENNEVILLIERS; SODEXO PASS FRANCE, a public limited company with capital of €61,623,908, registered with the Nanterre Trade and Companies Register under number 340 393 065, having its registered office at 19 Rue Ernest Renan, 92022 Nanterre Cedex; NATIXIS INTERTITRES, a public limited company with capital of 380.380,800, registered in the Paris Trade and Companies Register under No. B 718 503 386, having its registered office at 30, avenue Pierre Mendès France 75013 Paris; AGENCE NATIONALE CHEQUES VACANCES, having its registered office at 36, Bd Henri Bergson - 95200 Sarcelles.

7. It is the responsibility of the controller to provide information to the data subjects of the processing operations at the time of collection of the data.

8. Where data subjects make requests to the data processor to exercise their rights, the data processor shall send such requests immediately upon receipt by e-mail to the contact address of Pokawa.

9. The processor shall notify the controller of any personal data breach within a maximum of TWENTY-FOUR (24) hours of becoming aware of it by any means. This notification shall be accompanied by any useful documentation to enable the controller, if necessary, to notify the breach to the competent supervisory authority.

10. Subject to the provisions of Article 7.1 above, the Subcontractor undertakes to implement the following security measures:

- pseudonymisation and encryption of personal data

- the means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;

- the means to restore the availability of and access to personal data within an appropriate timeframe in the event of a physical or technical incident, subject to having subscribed to the support option;

11. Upon completion of the services relating to the processing of such data, the sub-processor undertakes to: (choose) (i) destroy all personal data or (ii) return all personal data to the controller or (iii) return the personal data to the processor appointed by the controller;

12. The processor declares to keep a written record of all categories of processing activities carried out on behalf of the controller;

13. The data controller undertakes to :

- provide the data necessary for the Service Provider to the subcontractor under the conditions and in the manner defined herein.

- document in writing any instructions concerning the processing of data by the processor.

- ensure, beforehand and throughout the processing operation, that the processor complies with the obligations laid down in the European Data Protection Regulation.

- supervising the processing, including carrying out audits and inspections of the processor.

The Client is therefore responsible for the processing of Users' personal data by the Service Provider for the performance of this Agreement.

The Service Provider shall be directly liable for any actions of its subcontractors that do not comply with the state of the art or the relevant regulations.

The Service Provider undertakes not to exploit or use, copy or create files of the Client's data for its own purposes or for third parties.

Upon the Client's request, the Service Provider undertakes to specify at any time the geographical locations of data processing, storage and transit that will be used to provide the Services to the Client in order to comply with the applicable legal requirements.

Similarly, the Service Provider undertakes to :

- use its best efforts, in its own name and in the name and on behalf of any subcontractors, to collaborate with and assist the Customer, in particular by providing all useful information to enable the Customer to comply with the legal requirements or those of the regulators concerning the protection of personal data, or by organising the implementation, where applicable, of the rights of access, rectification, etc., granted to the Customer's customers;

- take all necessary measures to protect the security and confidentiality of data and personal data, in particular in the event of processing, storage, archiving or transfer to countries outside the European Union which are not considered to have "adequate" protection for personal data according to an official decision of the European Commission.

If the subcontractor is located in countries outside the European Union that do not have an adequate level of protection, the Service Provider undertakes to ensure that the subcontractor adheres to all the provisions of this Article and to the contractual clauses for the transfer of Personal Data to subcontractors established in third countries within the framework of the aforementioned legislation and regulations, by signing a specific Contract relating to the transfer of Personal Data to a country outside the European Union that does not benefit from an adequate level of protection, a model of which will be sent by the Customer.

This contract will be signed in a tripartite manner between the Client (data controller), the Service Provider (data exporter) and the non-EU processor (data importer).