Privacy Policy
Data controller
Your personal data is processed by the following data controller, in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 — hereinafter the “GDPR”) and the Croatian Act on the Implementation of the General Data Protection Regulation (Official Gazette NN 42/2018):
Yumi Brunch
Ulica Vlade Gotovca 7, 10000 Zagreb, Hrvatska
Contact email for data protection enquiries: brunchyumi@gmail.com
Purposes of processing and legal bases
We process your personal data only for clearly defined purposes and on the appropriate legal basis under Article 6(1) GDPR.
1. Reservations and online orders — we process your name, email, phone number, party size and notes to perform a contract you are party to (Article 6(1)(b) GDPR). Without these data we cannot process the reservation, deliver the order, or have it ready for collection.
2. Marketing communications — with your explicit consent (Article 6(1)(a) GDPR) we occasionally send you offers, event news and benefits. You can withdraw consent at any time, without giving reasons, via the “Unsubscribe” link at the bottom of every promotional message or via the “Your data” portal.
3. Compliance with legal obligations — fiscalisation of receipts, retention of tax-relevant records and responses to requests from competent authorities are processed on the basis of a legal obligation (Article 6(1)(c) GDPR), in accordance with the Croatian VAT Act (Zakon o porezu na dodanu vrijednost), the Croatian Cash Transactions Fiscalisation Act and other applicable rules.
4. Legitimate interests — internal communication with the restaurant owner about new reservations and orders, rate-limiting failed admin-panel logins and basic security logs (Article 6(1)(f) GDPR). Our legitimate interests cover orderly business operations, abuse prevention and protection of the information system from unauthorised access.
We do not use your data for automated decision-making or profiling that produces legal effects on you or similarly significantly affects you.
Data retention periods
We keep your personal data only as long as is necessary to achieve the purposes set out above, in accordance with the storage-limitation principle (Article 5(1)(e) GDPR).
• Reservations: 3 years from the reservation date, after which personal identifiers (name, email, phone, notes) are anonymised and statistical data (date, party size, status) is retained for business analysis.
• Orders: 3 years from the order date, with the same anonymisation procedure.
• Guest user profiles: until the last activity plus 3 years, or until an explicit erasure request, whichever comes first.
• Fiscal records and payment data: in accordance with the Croatian VAT Act (Zakon o porezu na dodanu vrijednost). Guest identifiers are anonymised when reservations/orders are routinely deleted, while the mandatory fiscal data (amount, tax, reference) is kept for the legally prescribed period.
• Address geocoding cache: 90 days from last use (LRU), after which entries are deleted automatically.
• Driver (delivery courier) records: until end of active status plus 1 year, in line with employment-records rules.
• Marketing-send logs: 3 years.
• Erasure-request records: kept indefinitely as evidence of compliance with Article 17 GDPR.
Once these periods expire, data is either anonymised (where preserving statistical features is useful) or permanently deleted in a way that prevents recovery.
Your rights
Under Articles 12–22 GDPR you have the following rights regarding your personal data:
• Right of access (Art. 15) — you can obtain confirmation that we are processing your data and a copy of those data.
• Right to rectification (Art. 16) — you can ask us to correct inaccurate data or complete incomplete data.
• Right to erasure (“right to be forgotten”, Art. 17) — you can request deletion of data when it is no longer needed for the processing purposes or when you withdraw consent, subject to the exceptions set out in the GDPR (e.g. legal retention obligations).
• Right to restriction of processing (Art. 18) — you can ask us to temporarily suspend processing while accuracy is verified or an objection is resolved.
• Right to data portability (Art. 20) — you can receive your data in a structured, machine-readable format (JSON) and transmit it to another controller.
• Right to object (Art. 21) — you may object to processing based on legitimate interests, and you may at any time, free of charge, object to processing for direct marketing.
• Right to withdraw consent (Art. 7(3)) — you may withdraw consent for marketing communication at any time, without consequences for other services.
You can exercise all of these rights yourself via the “Your data” portal, accessible from the link sent in your reservation or order confirmation. There you can download a copy of your data in JSON format or submit an erasure request. Alternatively, you may send your request directly to the contact email at the top of this document — we will reply within one month at the latest, in accordance with Article 12(3) GDPR.
Right to lodge a complaint with the supervisory authority
If you consider that our processing of your personal data infringes the GDPR or the Croatian Act on the Implementation of the General Data Protection Regulation (NN 42/2018), you have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10 000 Zagreb, by emailing azop@azop.hr or via the online form available at https://azop.hr/. Before formal proceedings, we invite you to contact us directly — most concerns can be resolved quickly and informally.