PRIVACY POLICY

Bella & Bona GmbH

Last updated: 15.03.2026


Thank you for choosing Bella & Bona GmbH (“Bella & Bona,” “we,” “us,” or “our”). We are committed to protecting your personal data and respecting your privacy. This privacy policy explains how we collect, use, store, and share your personal data when you:

  • Visit our website at www.bellabona.com

  • Use our B2B food delivery ordering platform and mobile app

  • Contact us for support or enquiries

  • Interact with us in any other way, including events or marketing

This policy applies to all personal data processing carried out by Bella & Bona, whether through our website, our ordering platform, or offline interactions. Please read it carefully.

1. Data Controller

The data controller responsible for your personal data is:

Bella & Bona GmbH

Represented by the managing directors Mr Matteo Cricco and Mr Niccolò Lapini

Kapellenstraße 12, 85622 Feldkirchen, Germany

Email: legal@bellabona.com

Phone: +49 151-54079664

We have not appointed a Data Protection Officer (DPO) as we are not legally required to do so under Art. 37 GDPR and §38 BDSG. For any privacy-related enquiries, please contact us at the email address above.

2. What personal data do we collect?

2.1 When you visit our website

When you access our website, the following data is automatically collected by our servers:

  • IP address (anonymised where possible)

  • Date and time of access

  • Browser type and version, operating system

  • Referring URL (the page you visited before ours)

  • Pages visited on our website

Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in ensuring website functionality, security, and stability. Server log data is deleted after 30 days.


2.2 When you use our ordering platform

When you register for or place an order through our B2B food delivery platform, we collect:

  • Name and surname

  • Business email address

  • Delivery address (office building / company location)

  • Order details (dishes ordered, dates, quantities)

  • Payment information (processed by PayPal — see Section 5)

Legal basis: Art. 6(1)(b) GDPR — performance of a contract. This data is necessary to process and deliver your orders. We may also use your order history and preferences to personalise the user experience (e.g., recommended meals or preferred dishes). This personalisation is based on Art. 6(1)(f) GDPR (legitimate interest in improving our service) and does not involve automated decision-making that produces legal or similarly significant effects (Art. 22 GDPR). You may opt out of personalised recommendations at any time by contacting us.


2.3 Dietary preferences and allergy information

Providing allergy, intolerance, or dietary preference information (e.g., vegetarian, vegan, gluten-free) is entirely voluntary. You are not required to provide this information to use our service. If you choose to provide this data, we collect and process it solely to ensure your safety and satisfaction with our food delivery service. Allergy data may qualify as health-related data under Art. 9 GDPR (special category data).

Legal basis: Art. 9(2)(a) GDPR — your explicit consent, provided when you enter this information in your profile or order. You may withdraw your consent and request deletion of this data at any time by contacting us at legal@bellabona.com.


2.4 When you contact us for support

When you contact us via email, our website contact form, or our support system, we collect your name, email address, and the content of your enquiry.

Legal basis: Art. 6(1)(b) GDPR (if related to a contract) or Art. 6(1)(f) GDPR (our legitimate interest in responding to enquiries).


2.5 Newsletter and marketing communications

If you subscribe to our newsletter or marketing communications, we collect your email address and, optionally, your name. We only send marketing emails with your prior consent.

Legal basis: Art. 6(1)(a) GDPR — your consent. You may unsubscribe at any time via the link in each email or by contacting us.


2.6 When you use our mobile app

Our mobile app is built with React Native and functions as a web-based application wrapped in a native shell. The app collects the same data as our ordering platform (see Section 2.2 above). In addition:

  • Push notifications: We may send you push notifications about your orders (e.g., delivery updates, order confirmations). We request your explicit consent before enabling push notifications. You can disable them at any time through your device settings.
  • Device data: We collect basic device information (device type, operating system, app version) for troubleshooting and ensuring compatibility. This data is processed in anonymised form.
  • No geolocation: Our app does not collect or track your geographic location.

Legal basis: Art. 6(1)(a) GDPR (consent) for push notifications; Art. 6(1)(f) GDPR (legitimate interest in app functionality and troubleshooting) for device data.

3. Cookies and tracking technologies

We use cookies and similar technologies on our website and platform. In accordance with §25 TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, formerly TTDSG) and Art. 6(1)(a) GDPR, non-essential cookies are only activated after you have given your explicit consent via our cookie consent banner.

Essential cookies (no consent required)

These cookies are strictly necessary for the functioning of our website and platform (e.g., session management, shopping cart, security). They cannot be deactivated.

Legal basis: §25(2) TDDDG — strictly necessary for the service requested by the user.

Analytics cookies (consent required)

We use Google Analytics 4 (GA4) to understand how visitors use our website. GA4 uses cookies to collect anonymised usage data. IP anonymisation is enabled. Analytics cookies are only set after you consent via our cookie banner.

Legal basis: Art. 6(1)(a) GDPR and §25(1) TDDDG — your consent.

You may withdraw your consent at any time through our cookie settings or by using the Google Analytics Opt-out Browser Add-on.

4. Who do we share your data with?

We only share your personal data with third parties when necessary to provide our services, comply with legal obligations, or with your consent. We do not sell your personal data. We ensure that all service providers act as processors under appropriate data processing agreements in accordance with Art. 28 GDPR.

Service providers (purpose, data shared, location, transfer mechanism):

PayPal (Europe) S.à r.l. et Cie, S.C.A.
  Purpose: Payment processing for orders
  Data shared: Name, email, payment transaction data
  Location: Luxembourg (EU)
  Transfer mechanism: N/A (EU)

Google LLC (Google Analytics 4)
  Purpose: Website analytics (with consent only)
  Data shared: Anonymised usage data, cookies, IP (anonymised)
  Location: USA
  Transfer mechanism: EU-US Data Privacy Framework (DPF)

HubSpot Inc.
  Purpose: Customer support ticketing, CRM
  Data shared: Name, email, support ticket content
  Location: Frankfurt, Germany (EU data centre)
  Transfer mechanism: EU data residency / SCCs

Amazon Web Services EMEA SARL (AWS)
  Purpose: Cloud hosting, database, infrastructure
  Data shared: All platform data (encrypted at rest and in transit)
  Location: Frankfurt, Germany (eu-central-1)
  Transfer mechanism: N/A (EU data centre)

Cloudflare Inc.
  Purpose: Content delivery network (CDN), website security, DDoS protection
  Data shared: IP address, request metadata (transient processing)
  Location: Global (EU processing preferred)
  Transfer mechanism: EU-US Data Privacy Framework (DPF) + SCCs


5. International data transfers

Some of our service providers are based in the United States. When personal data is transferred outside the European Economic Area (EEA), we ensure adequate protection through one or more of the following mechanisms:

1. EU-US Data Privacy Framework (DPF): for US-based providers that are certified under the DPF, as recognised by the European Commission’s adequacy decision of 10 July 2023.

2. Standard Contractual Clauses (SCCs): approved by the European Commission, ensuring contractual safeguards for data protection.

3. Adequacy decisions: for transfers to countries that the European Commission has determined provide an adequate level of data protection.


6. How long do we keep your data?

We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by applicable law. The specific retention periods are:

Data categories (retention period, legal basis for retention):

Order and billing data
  Retention period: 10 years from end of fiscal year
  Legal basis: Art. 6(1)(c) GDPR — legal obligation (§257 HGB, §147 AO: German commercial and tax law)

User account data
  Retention period: Duration of account + 6 months
  Legal basis: Art. 6(1)(b) GDPR — contract performance; deletion after account termination

Allergy / dietary data
  Retention period: Duration of account (immediate deletion on consent withdrawal)
  Legal basis: Art. 9(2)(a) GDPR — explicit consent

Server logs (IP, access)
  Retention period: 30 days
  Legal basis: Art. 6(1)(f) GDPR — legitimate interest in security

Support tickets (HubSpot)
  Retention period: 3 years after resolution
  Legal basis: Art. 6(1)(f) GDPR — legitimate interest in quality and dispute resolution

Analytics data (Google Analytics)
  Retention period: 14 months (GA4 default)
  Legal basis: Art. 6(1)(a) GDPR — consent; automatic expiry

Marketing / newsletter
  Retention period: Until consent is withdrawn
  Legal basis: Art. 6(1)(a) GDPR — consent

Contact form enquiries
  Retention period: 6 months after resolution
  Legal basis: Art. 6(1)(a) or (f) GDPR

When the retention period expires, personal data is securely deleted or anonymised. Backup data is purged within 30 days of the primary deletion.

7. Your rights under the GDPR

Under the General Data Protection Regulation (EU) 2016/679 (GDPR), you have the following rights regarding your personal data:

1. Right of access (Art. 15 GDPR): You may request confirmation of whether we process your data and obtain a copy of it.

2. Right to rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete data.

3. Right to erasure (Art. 17 GDPR): You may request deletion of your data where it is no longer necessary, or where you withdraw consent.

4. Right to restriction of processing (Art. 18 GDPR): You may request that we limit processing under certain circumstances.

5. Right to data portability (Art. 20 GDPR): You may request to receive your data in a structured, machine-readable format.

6. Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests, including direct marketing. We will cease processing unless we have compelling legitimate grounds.

7. Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of processing before the withdrawal.

To exercise any of these rights, please contact us at legal@bellabona.com. We will respond within 30 days.

8. Right to lodge a complaint

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority for Bella & Bona GmbH is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 18, 91522 Ansbach, Germany

Website: www.lda.bayern.de

Email: poststelle@lda.bayern.de

You may also lodge a complaint with the supervisory authority in your country of residence or place of work.

9. Data security

We implement appropriate technical and organisational measures to protect your personal data, including:

1. TLS/SSL encryption (256-bit) for all data transmitted between your browser and our servers

2. Encryption at rest for stored personal data

3. Access controls limiting data access to authorised personnel only

4. Regular security reviews and updates

5. Secure hosting within EU data centres

While we implement strong security measures and continuously update them in line with current technology standards, no method of electronic transmission or storage can be guaranteed to be entirely free from risk. We are committed to promptly addressing any security incidents in accordance with our internal data breach procedures.

10. Corporate plans and B2B data

Bella & Bona provides food delivery services to corporate clients. When your employer or organisation has a corporate account with us, the following applies:

1. Your employer may provide us with your name and business email address to set up your account.

2. We may share aggregated, non-identifiable order statistics (e.g., total orders per day) with your employer for billing and planning purposes.

3. We do not share your individual order details, dietary preferences, or allergy information with your employer unless strictly required for billing (e.g., individual meal subsidies).

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest of the employer in managing corporate meal plans).

11. Changes to this privacy policy

We may update this privacy policy from time to time to reflect changes in our practices, services, or applicable law. The updated version will be indicated by an updated “Last updated” date at the top of this page. If we make material changes, we will notify you by email or by placing a prominent notice on our website.

We encourage you to review this policy periodically.

12. Contact

If you have any questions about this privacy policy or wish to exercise your rights, please contact us:

Bella & Bona GmbH

Kapellenstraße 12, 85622 Feldkirchen, Germany

Email: legal@bellabona.com

Phone: +49 151-54079664