Welcome to the website of Conexify. The owner of the website is Meal Revolution GmbH (hereinafter “Meal Revolution”).
The protection of your data is very important to Meal Revolution. We would therefore like you to understand how Meal Revolution handles your data. The offer available at meal-revolution.de (“offer” or “website”) is operated by Meal Revolution, Waldenburger Str. 75, 09116 Chemnitz, Germany, legally represented by the Managing Director Christopher Fromm (“Meal Revolution”, “we” or “us”) as the controller within the meaning of the applicable data protection law. With the following information, we inform you about which personal data we collect and how we process it when you use the services offered by Meal Revolution and how we handle this data. We take the protection of your data seriously. If you have any questions about data protection, you can contact our data protection officer at any time.
You can find the contact details of our data protection officer in section 2 (“Name and contact details of the controller”).
Who is responsible?
Meal Revolution GmbH
Waldenburger Str. 75
09116 Chemnitz
privacy@meal-revolution.de
Data protection officer?
Meal Revolution GmbH
Waldenburger Str. 75
09116 Chemnitz
privacy@meal-revolution.de
Privacy policy for the use of the Meal Revolution app and the Meal Revolution refrigerators.
Overview:
1. General Information on the Collection of Personal Data
1.1 The following provides information about the collection of personal data when you use our homepage and Meal Revolution user accounts. Personal data includes all data that can be personally related to you, e.g., name, address, email addresses, user behavior.
1.2 The controller pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) is Meal Revolution GmbH, represented by Managing Director Christopher Fromm, Waldenburger Str. 75, 09116 Chemnitz (see our legal notice). You can contact our Data Protection Officer Christopher Fromm at privacy@meal-revolution.de or at our postal address with the addition “The Data Protection Officer”.
1.3 If we use commissioned service providers for individual functions of our offering or if we use your data for advertising purposes, we will inform you in detail below about the respective processes. In doing so, we will also name the criteria for the storage period.
2. Your Rights
2.1 You have the following rights regarding your personal data:
2.2 You also have the right to file a complaint with a data protection supervisory authority regarding the processing of your personal data by our company. The supervisory authority responsible for the operator is:
Saxon Data Protection Officer
Devrientstraße 5
01067 Dresden
www.datenschutz.sachsen.de
Email: saechsdsb@slt.sachsen.de
3. General Data Processing When Visiting the Website
3.1 When you visit our website for purely informational purposes, we collect only the personal data that your browser transmits to our server. If you want to view our website, we collect the following data, which is technically necessary to display the website and ensure its stability and security. The legal basis for the processing is Article 6(1)(f) GDPR. The data processed includes:
The collection of data for the provision of the website and the storage of the data in log files is essential for the secure operation of this website. Therefore, there is no possibility for the affected person to object.
3.2 Hosting – The hosting services used by the operator include providing the following services: infrastructure and platform services, computing capacity, storage space, and database services, security services, and technical maintenance services necessary for operating the website.
The operator or its processor processes user data (inventory data, contact data, content data, contractual data, usage data, meta and communication data) based on its legitimate interests in providing an efficient and secure online offering in accordance with Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (conclusion of a data processing agreement).
The hosting provider is Webflow GmbH, Wasserburger Straße 4, 83352 Altenmarkt a. d. Alz, with a German server location in Altenmarkt a.d. Alz.
4. General Use of Cookies
4.1 This website uses cookies. Cookies are small text files that are assigned to your browser by a unique string of characters and stored on your hard drive. They allow certain information to be transmitted to the entity that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer, and therefore cannot cause harm. They serve to make the overall online offering more user-friendly, effective, and pleasant for you.
Cookies can contain data that allow the device being used to be recognized. In some cases, cookies only contain information about specific settings that are not personally identifiable. Cookies cannot directly identify a user.
Cookies are categorized into session cookies, which are deleted as soon as you close your browser, and persistent cookies, which are stored beyond a single session. Regarding their function, cookies can be further classified into:
4.2 Legal Basis: Any use of cookies that is not strictly technically necessary constitutes data processing, which is only permitted with your explicit and active consent in accordance with Article 6(1)(a) GDPR. This particularly applies to the use of advertising, targeting, or sharing cookies. Furthermore, the operator will only share your personal data processed through cookies with third parties if you have provided explicit consent in accordance with Article 6(1)(a) GDPR.
You can withdraw your consent at any time. Please use one of the following options:
4.3 Your consent for non-essential cookies is granted via the cookie banner displayed when you visit the homepage. Through a plugin, non-essential cookies are blocked until you accept the use of cookies by clicking the button on the cookie banner.
4.4 The storage duration of individual cookies depends on the specific tool or plugin used and is described separately in the following sections where cookies are specifically implemented.
5. Hosting and Storage Location of User Data for Users with User Accounts
All data associated with a user account, as well as data collected when using the app, an intelligent refrigerator, or the Meal Revolution web portal, is stored on servers managed by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, with European server locations in Nuremberg, Falkenstein, Frankfurt, and Helsinki.
The hosting services we utilize are intended to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services that we use for the operation of our Meal Revolution app.
In this process, we or our data processor handle inventory data, contact data, content data, contract data, usage data, meta and communication data from users of our app based on our legitimate interest in the efficient and secure provision of this online offering in accordance with Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (conclusion of a data processing agreement).
6. Collection of Personal Data for Registration and Use of a User Account
6.1 Registration of the User Account
To use our Meal Revolution app and refrigerator, a user account must be created via the Meal Revolution homepage. Such an account is a necessary prerequisite for accessing the purchasing function of the Meal Revolution app and the refrigerator. Registration of a user account is not freely available. Only those individuals who have been pre-registered by their employer with details including first and last name, employee ID, email address, address data, gender, date of birth, and potentially meal voucher usage are eligible. The employer is the data controller for transmitting these employee data to Meal Revolution for registration purposes under GDPR.
The following personal data are collected during the registration of a user account:
Email address: Used for user registration, account identification, and login. The legal basis is the performance of a contractual relationship under Article 6(1)(b) GDPR. Data is stored for up to 30 days after the user profile is deleted and deactivated by the employer.
First and last name: Used for user registration and account identification. The legal basis is the performance of a contractual relationship under Article 6(1)(b) GDPR. Data is stored for up to 30 days after the user profile is deleted and deactivated by the employer.
Employee number: Used for user registration and account identification. The legal basis is the performance of a contractual relationship under Article 6(1)(b) GDPR. Data is stored for up to 30 days after the user profile is deleted and deactivated by the employer.
Password: Used for user registration and login. The legal basis is the performance of a contractual relationship under Article 6(1)(b) GDPR. Data is stored for up to 30 days after the user profile is deleted and deactivated by the employer.
6.2 Processing of Personal Data in the User Account
The user account is accessible via the app and the Meal Revolution web portal, and the following personal data is processed:
For login purposes, we process the email address and password to identify the user account and enable login. The legal basis is the performance of the contractual relationship under Article 6(1)(b) GDPR. This data is stored for up to 30 days after the profile is deleted and deactivated by the employer.
Information provided by the employer, such as name, address, email address, gender, date of birth, password, employee number, and meal voucher usage, is used to pre-set the user account, enable login, identify the contractual partner, and facilitate billing. The legal basis is the performance of the contractual relationship under Article 6(1)(b) GDPR. This data is stored for up to 30 days after profile deletion and employer deactivation.
For weekly billing via Stripe, transaction times, first and last name, address, payment method, and email are used to create weekly invoices and charge the stored payment method. The legal basis is the performance of the contractual relationship under Article 6(1)(b) GDPR, and the data is stored for up to 30 days after the user profile is deleted and deactivated.
To enable payments, credit card details, bank account information, or PayPal login credentials are stored to facilitate refrigerator access and payment for purchases. The legal basis is the performance of the contractual relationship under Article 6(1)(b) GDPR. This data is stored for up to 30 days after the user profile is deleted and deactivated.
Information such as the employee number, meal vouchers used, and transaction dates is transferred to the employer’s payroll for meal voucher reimbursement. The legal basis for this transfer is legitimate interest under Article 6(1)(f) GDPR. The retention period for this data, based on tax regulations (§147 AO), is 10 years.
Invoices, including first and last name and email address, are processed for billing purchases. The legal basis is the performance of the contractual relationship under Article 6(1)(b) GDPR. Retention is required for 10 years under tax regulations (§147 AO).
6.3 Use of the App or Member Card for Purchases at a Meal Revolution Refrigerator
a) Operation of the Refrigerator via Meal Revolution App or Member Card
When using the app or member card, we process the following personal data to enable purchases at Meal Revolution refrigerators:
For login via the app, we process the email address, password, and first name to log into the refrigerator system and display a personalized greeting. The legal basis is the performance of the contractual relationship under Article 6(1)(b) GDPR, with a retention period of 6 years based on tax regulations (§147 AO).
For login via the member card, we process the member card number, login time, and first name to log into the system and display a personalized greeting. The legal basis is the performance of the contractual relationship under Article 6(1)(b) GDPR, with a retention period of 6 years based on tax regulations (§147 AO).
When opening and closing the refrigerator door, we process door status, date, and time to start or complete a transaction. The legal basis is the performance of the contractual relationship under Article 6(1)(b) GDPR, with a retention period of 6 years based on tax regulations (§147 AO).
When removing products, we process the weight, price, and quantity to calculate and display the incurred costs. The legal basis is the performance of the contractual relationship under Article 6(1)(b) GDPR, with a retention period of 10 years based on tax regulations (§147 AO).
To enable data communication and interaction with the Meal Revolution refrigerator, we use CloudMQTT, a hosted message broker for the Internet of Things (IoT). CloudMQTT is provided by 84codes AB, Hälsingegatan 49, 113 31 Stockholm, Sweden. The above-mentioned data is processed based on our legitimate interest in the efficient and secure provision of our services under Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (data processing agreement). We have concluded a GDPR-compliant data processing agreement with the provider. For more information, see: https://www.cloudmqtt.com/gdpr.html.
The legal basis for data communication is also Article 6(1)(b) GDPR, as operating the intelligent refrigerators and facilitating purchases requires data exchange. Product-related and interaction data are temporarily stored at CloudMQTT and deleted according to the specified retention periods.
b) Product Purchases and Payment Processing
When making purchases at a Meal Revolution refrigerator, the personal data stored in the account is used to process the transaction. The legal basis is the performance of the contractual relationship under Article 6(1)(b) GDPR, with retention periods determined by commercial and tax regulations, requiring storage for 10 years under §147 AO.
To facilitate payment, the data required for the chosen payment method is transmitted to the respective payment service provider. The legal basis for this is Article 6(1)(b) GDPR. Available payment methods include credit card via Stripe, PayPal, and SEPA direct debit.
For PayPal, personal data, such as name, address, email, phone number, and IP address, may be shared for processing payments. PayPal’s privacy policy can be found at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full/.
For Stripe, credit card and order details, such as name, address, credit card number, and transaction information, are transmitted for payment processing. Further details are available at: https://stripe.com/de/privacy#translation.
For SEPA direct debit, the personal data provided in the SEPA mandate is stored and transmitted to the bank. Users can revoke their consent at any time by changing the payment method in their user account.
7. User Accounts: Digital Meal Vouchers and Meal Revolution Coupons, Tax Subsidies
The company, as the employer of the user, has the option to subsidize meal purchases made through Meal Revolution and claim these subsidies for tax purposes. By using the “Meal Voucher” function, Meal Revolution evaluates the recorded receipt data of meals purchased by employees. Based on this data, a reimbursement file is generated monthly by the 10th of the following month, containing all necessary receipt data required to grant the meal subsidy. This reimbursement file is made available to the company via the Meal Revolution portal.
The reimbursement file contains the following employee data, provided it was transmitted by the company:
The meal amounts are categorized based on tax treatment and working days to enable the company to easily track the tax treatment for each employee.
The legal basis for this data processing is Article 6(1)(f) GDPR. Meal Revolution enhances its service for the purchasing user and their employer by offering the possibility to subsidize meal purchases. Through the reimbursement file, the employer can efficiently process and account for granted meal subsidies for tax purposes. Once the reimbursement file has been transmitted to the company, the company, as the user’s employer, becomes solely responsible for further data processing.
The retention period for the reimbursement file is determined by commercial and tax regulations.
8. Plugins and Social Media Tools on the Website
8.1 Google Fonts
The template of the Conexify homepage uses fonts provided by Google Fonts. Google Fonts is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Web fonts are loaded into the user’s browser cache, which requires a connection to Google’s servers. This process transmits the user's IP address to Google servers in the USA. The storage duration on Google’s side is unknown to the operator.
The legal basis for the use of Google Fonts is Article 6(1)(f) GDPR. The legitimate interest of the operator lies in providing users with a visually appealing display of fonts and texts. Further information about Google Fonts can be found at https://developers.google.com/fonts/faq and in Google’s privacy policy: https://www.google.com/policies/privacy/. Given the data transfer to the USA, reference is made to Google's standard contractual clauses: https://business.safety.google/adsprocessorterms/.
8.2 Use of Google Analytics
To design our website according to user needs, we create pseudonymized user profiles using Google Analytics. Google Analytics is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses targeting cookies that are stored on your device and read by us. This allows us to recognize returning visitors, count them, and analyze how often our website is accessed by different users.
Data processing occurs on the basis of Article 6(1)(a) GDPR (consent) or Article 6(1)(f) GDPR, with a legitimate interest in improving our website offering.
The information generated by the cookie about your website usage is usually transferred to a Google server in the USA and stored there. Since we have activated IP anonymization on our website, your IP address will first be shortened within member states of the European Union. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there. We have concluded a data processing agreement with Google in accordance with Article 28 GDPR. Google uses the collected data strictly for evaluating website usage and compiling reports. Reference is again made to Google's standard contractual clauses for data transfers to the USA: https://business.safety.google/adsprocessorterms/.
We explicitly point out that U.S. authorities currently have legal access to data processing carried out in the USA.
We also use the “Google Signals” extension, which enables cross-device tracking when visitors are logged into a Google service and have activated the "personalized ads" option in their Google account settings. We do not have access to personal data or user profiles from Google Signals; the data remains anonymous to us. You can disable the use of Google Signals in your Google account settings under “personalized ads.”
You can revoke your consent to Google Analytics at any time:
8.3 Google reCAPTCHA
Our website uses Google reCAPTCHA to verify that data entered on the website (e.g., in a contact form) is provided by a human and not by automated programs (bots). Before submitting their data, users must confirm they are not a robot and solve a task. reCAPTCHA is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
reCAPTCHA collects user data, such as IP address, location/referrer URL, and time, along with cookies, and transmits it to Google. Further information on how Google processes reCAPTCHA data is available in Google’s privacy policy: https://policies.google.com/privacy?hl=de.
The information generated is generally transferred to a Google server in the USA and stored there. We point out that U.S. authorities have access to data processed in the USA. Reference is made to Google’s standard contractual clauses: https://business.safety.google/adsprocessorterms/.
The legal basis for this data processing is Article 6(1)(a) GDPR (consent) or Article 6(1)(f) GDPR, with a legitimate interest in protecting the website operator from spam and data scraping. Consent is granted via the cookie banner displayed upon visiting the homepage.
If you wish to prevent the processing of your data, you can disable JavaScript execution in your browser or use a JavaScript blocker. Note that doing so may limit the functionality of the website.
8.4 Google Maps
Our website uses Google Maps, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This service allows interactive maps to be displayed directly on the website, enhancing user convenience.
When you visit the website, Google receives information that you accessed the relevant subpage. The data mentioned in Section 3 of this policy is also transmitted. If you are logged into a Google account, the data is directly assigned to your account. To prevent this, you must log out of your Google account before using Google Maps.
Google uses your data to create user profiles for advertising, market research, or customized website design. Such processing applies to both logged-in and non-logged-in users. You have the right to object to the creation of user profiles; to exercise this right, you must contact Google directly.
Further details on Google’s data collection and processing can be found here: http://www.google.de/intl/de/policies/privacy. Data is usually transferred to Google servers in the USA. Reference is made to Google’s standard contractual clauses: https://business.safety.google/adsprocessorterms/.
8.5 SSL Encryption
To best protect your transmitted data, the website uses SSL encryption. Encrypted connections are identified by the prefix “https://” in the browser address bar. Data transmitted to the website, such as inquiries or logins, is protected from unauthorized access. Unencrypted pages are marked with “http://”.
8.6 Online Presence in Social Media and on Facebook
Meal Revolution maintains social media profiles (currently: Instagram, LinkedIn) to inform users about services, interact, and communicate through these platforms. Social media channels are only accessible via external links from this website. Once you access these profiles, the respective platform’s terms and privacy policies apply.
Meal Revolution has no control over how social networks collect or process data. There is no information regarding the scope, location, or duration of data storage, compliance with deletion obligations, or sharing of data with third parties. Users should note that their personal data, such as IP address or other information, may be stored by social network operators and processed in countries like the USA.
Instagram: Operated by Facebook Ireland, 4 Grand Canal Square, Dublin 2, Ireland. More details on Instagram’s data processing can be found here: https://www.facebook.com/help/instagram/519522125107875/.
LinkedIn: Operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Details on LinkedIn’s data processing and privacy policy are available here: https://de.linkedin.com/legal/privacy-policy.
If you use these social media profiles to contact Meal Revolution (e.g., via posts, responses, or private messages), the provided data will only be used to communicate with you. The legal basis for data collection is Article 6(1)(a) GDPR (consent) or Article 6(1)(b) GDPR for contract initiation or execution. Stored data will be deleted at regular intervals, no later than annually, unless required for legal retention under commercial law.
If consent under Article 6(1)(a) GDPR is provided, you can revoke it at any time by sending a request to Meal Revolution, e.g., via email. Processing up to the point of revocation remains lawful.
9. Data Collection When Contacting Meal Revolution
Contacting Meal Revolution GmbH can be done via email, contact forms, and other communication methods. The information you provide in this context is based on your consent and is voluntary. Additionally, usage data such as IP address, email address, or phone number, along with timestamps, may be generated due to the technical requirements of the chosen communication method. Processing of this data is essential for us to handle your contact request.
If there is an existing contractual relationship between you and us, the legal basis for the processing of personal data during communication is Article 6(1)(b) or (f) GDPR.
If there is no contractual relationship, the legal basis for the exchange of personal data is your consent, as per Article 6(1)(a) GDPR. You can withdraw your consent at any time by informing us, e.g., via email. Until the point of withdrawal, the lawfulness of the data processing remains unaffected.
The data retention period will either be until a deletion request is made or, in the case of processing based on Article 6(1)(b) GDPR, it may be subject to legal retention requirements. The retention period for commercial correspondence is six years under § 147 I, III AO, and for other tax-relevant documents, such as accounting records, it is ten years according to § 147 I AO.
10. Data Collection When Subscribing to the Newsletter
10.1 With your consent, you can subscribe to our newsletter, through which we inform you about our current interesting promotions. The advertised goods and services are listed in the consent statement. We use the service ActiveCampaign, 1 North Dearborn Street, 5th floor, Chicago, IL 60602, USA. The email addresses of the newsletter recipients, as well as technical data (e.g., time of retrieval, IP address, browser type, and operating system), are stored on ActiveCampaign's servers in the USA. ActiveCampaign uses this information to send and evaluate our newsletter on our behalf. We have signed a data processing agreement with ActiveCampaign. According to ActiveCampaign, they may use this data to technically or economically optimize their service or analyze it statistically. ActiveCampaign does not use the data of newsletter subscribers to contact them or pass the data to third parties.
We explicitly point out that, as of now, U.S. authorities have legal access to data processing in the USA. Given the data transfer to the USA, the applicable ActiveCampaign standard contractual clauses are referenced: https://www.activecampaign.com/legal/gdpr-updates/privacy-shield or https://www.activecampaign.com/legal/newscc. You can find further information on the exact data processing by ActiveCampaign there.
10.2 To register for our newsletter, we use the so-called double-opt-in procedure. This means that after your registration, we will send an email to the provided email address, asking you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be locked and automatically deleted after one month. Additionally, we store the IP addresses and timestamps of your registration and confirmation. The purpose of this procedure is to provide evidence of your registration and to clarify potential misuse of your personal data.
10.3 The mandatory information for sending the newsletter is your email address. Providing additional, specifically marked data is voluntary and is used to address you personally. After your confirmation, we store your email address for the purpose of sending the newsletter. The legal basis is Article 6(1)(a) GDPR.
10.4 You can revoke your consent for receiving the newsletter at any time and unsubscribe from the newsletter. You can revoke your consent by clicking on the link provided in every newsletter email, by sending an email to privacy@meal-revolution.de, or by sending a message to the contact details provided in the imprint.
11. Applications
11.1 In the case of applications to Meal Revolution, we use the personal data you provide to us for the following purposes: