Privacy Policy

Bella & Bona GmbH
Last updated: 06 July 2026

1. Introduction

Bella & Bona GmbH (“Bella & Bona”, “we”, “us” or “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, disclose and otherwise process your personal data when you:

  • visit our website;
  • create and use an account on our ordering platform;
  • use our mobile application;
  • order meals or use our corporate meal-benefit services;
  • contact us for customer support;
  • subscribe to our marketing communications; or otherwise interact with us.

We process your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the German Telecommunications Digital Services Data Protection Act (TDDDG) and other applicable data protection laws. Please read this Privacy Policy carefully.

2. Data Controller and Data Protection Officer

The controller responsible for the processing of your personal data is:

Bella & Bona GmbH
Represented by its Managing Directors Mr Matteo Cricco and Mr Niccolò Lapini

Kapellenstraße 12, 85622 Feldkirchen, Germany

Email: legal@bellabona.com

Telephone: +49 151 54079664

We have appointed an external Data Protection Officer (DPO), whom you may contact directly on any matter relating to this Privacy Policy or the processing of your personal data, or to exercise any of your GDPR rights:

Alessandro Papini — Accademia Italiana Privacy
Email: alessandro.papini@accademiaitalianaprivacy.it

3. Scope of this Privacy Policy

This Privacy Policy applies to all processing of personal data carried out by Bella & Bona in connection with our website, our ordering platform, our mobile application, customer support, marketing communications, corporate meal-benefit programmes, and contractual or pre-contractual relationships with customers and users.

Where third-party websites or services are accessible through our platform, this Privacy Policy does not apply to processing carried out by those third parties. We encourage you to review their respective privacy policies.

4. Sources of Personal Data

Information you provide directly

You may provide personal data when you create an account, place an order, update your profile, provide dietary or allergen filters, contact customer support, subscribe to communications, or otherwise communicate with us.

Information provided by your employer

Where your employer offers Bella & Bona as part of a corporate meal-benefit programme, your employer may provide limited information needed to create and administer your account, such as your name, business email address, company affiliation, and meal-allowance entitlement. Your employer does not provide us with your meal choices, dietary preferences or order history.

Information collected automatically

When you use our website or app, we automatically collect technical information such as IP address, browser type and version, operating system, device information, technical and security log information, pages visited, timestamps, and identifiers generated by cookies or similar technologies. Further information is provided in Section 7.

Information received from service providers

In limited cases we may receive information from trusted service providers, such as payment confirmations from our payment provider or consent records from our Consent Management Platform.

5. Categories of Personal Data We Process

Account information

First name, last name, business email address, securely hashed authentication credentials, and account preferences.

Order information

Meals ordered, order dates, delivery location, order history, delivery instructions, invoices and transaction references. Bella & Bona does not store your complete payment-card details; all card and wallet payments are processed by our payment service provider (see Section 8).

Dietary preferences and allergen information

Our platform lets you filter and personalise your menu using dietary options. These fall into two groups, which we treat differently:

(a) Lifestyle and taste preferences (ordinary personal data). Options such as preferred cuisine, portion size, spice level and dietary form (e.g. vegetarian, vegan, pescatarian) reflect taste or lifestyle choices and are processed as ordinary personal data.

(b) Allergen- and belief-related dietary information (special category data). Options indicating what a dish should be made without (e.g. gluten, milk, egg, nuts, soy and other regulated allergens) may reveal information about your health, and options such as “halal” or “no pork” may reveal religious belief. Because we cannot distinguish the underlying reason, we treat this information as a special category of personal data under Art. 9 GDPR.

Providing any dietary information is entirely optional. Selecting a lifestyle or taste filter does not require consent. We will only save allergen- or belief-related filters to your profile after you have given separate, explicit consent at the point of selection, and you may withdraw that consent at any time in your profile settings, in which case we delete the saved information. These filters are personalisation preferences and do not guarantee that a dish is free from any given allergen.

Bella & Bona does not infer medical conditions or religious beliefs from your selections. We recommend that users with severe food allergies always review the allergen information provided for each meal and contact us where necessary before ordering.

Customer support information

Your name, email address, support requests, correspondence, attachments you provide, and records relating to the resolution of your request.

Marketing information

Where you have consented: your email address, marketing preferences, subscription status, newsletter interactions, and website interactions collected through marketing cookies.

Technical information

IP address, browser and device information, application version, technical and security logs, cookie and consent identifiers, and website usage information.

6. Legal Bases for Processing

Performance of a contract (Art. 6(1)(b) GDPR). To create and manage your account, process and deliver orders, provide support, administer your corporate meal benefit, and perform our contractual obligations.

Compliance with legal obligations (Art. 6(1)(c) GDPR). To meet accounting, tax, record-keeping and regulatory requirements under applicable German and European law.

Legitimate interests (Art. 6(1)(f) GDPR). To secure our systems, prevent fraud and misuse, improve our website, platform and services, maintain customer relationships, respond to enquiries, establish, exercise or defend legal claims, generate aggregated statistics, and personalise your experience where such processing does not produce legal or similarly significant effects. You may object to this processing (see Section 15).

Consent (Art. 6(1)(a) GDPR). For marketing communications, non-essential cookies and similar technologies, website analytics, and push notifications. You may withdraw consent at any time without affecting processing carried out beforehand.

Special categories of personal data (Art. 9(2)(a) GDPR). Where you choose to save allergen-related (health) or belief-related (e.g. halal) dietary filters to your profile, we process this special category data solely on the basis of your explicit consent, collected through a dedicated opt-in at the moment you select such a filter. You may withdraw your consent at any time with effect for the future; on withdrawal we delete the relevant data unless we are legally required to retain it.

7. Cookies and Tracking Technologies

Our website and platform use cookies and similar technologies to ensure proper functioning, improve user experience, analyse usage and, where you have consented, support marketing. Where required by law, we obtain your consent before storing or accessing information on your device in accordance with §25(1) TDDDG; subsequent processing follows the GDPR. You may change or withdraw your consent at any time through our Cookie Settings, accessible from every page of our website.

7.1 Consent Management Platform

We use Usercentrics GmbH as our Consent Management Platform to obtain valid consent before activating non-essential technologies, document consent under Art. 7(1) GDPR, allow you to modify or withdraw consent, and demonstrate compliance. Consent records may include consent status, timestamp, consent identifier, and browser/device information (and IP address where technically necessary).

Legal basis: §25(2) TDDDG where strictly necessary for providing the consent service; Art. 6(1)(c) and 6(1)(f) GDPR for documenting compliance and demonstrating accountability.

7.2 Strictly necessary cookies

Certain cookies are essential for authentication, session management, security, fraud prevention, load balancing, remembering cookie preferences and maintaining the ordering process. They cannot be disabled through the cookie banner.

Legal basis: §25(2) TDDDG; Art. 6(1)(f) GDPR where personal data is processed.

7.3 Analytics

Subject to your prior consent, we use Google Analytics 4 (GA4) to understand how visitors use our website. GA4 processes browser and device information, approximate location derived from IP address, pages visited, events and session statistics. IP addresses are processed only transiently by Google and are not stored in analytics reports. GA4 cookies are set only after you consent via our Consent Management Platform.

Legal basis: §25(1) TDDDG; Art. 6(1)(a) GDPR.

7.4 Marketing and website tracking

Subject to your prior consent, we use HubSpot to support customer relationship management, marketing automation and marketing analytics. HubSpot may process pages visited, forms submitted, newsletter subscriptions, marketing preferences, campaign interactions, and email engagement. These technologies are activated only after you consent via our Consent Management Platform.

Legal basis: §25(1) TDDDG; Art. 6(1)(a) GDPR.

7.5 Cookie Settings

You may withdraw or modify your consent at any time through our Cookie Settings. Withdrawal does not affect the lawfulness of processing carried out beforehand. A current, detailed list of cookies, providers, purposes, retention periods and legal bases is available through our Cookie Settings.

8. Sharing of Personal Data

We disclose personal data only where necessary to provide our services, comply with legal obligations, protect our legitimate interests, or where you have consented. We never sell your personal data. Where third parties process personal data on our behalf, we conclude data processing agreements in accordance with Art. 28 GDPR. Certain providers, such as payment service providers, may process personal data as independent controllers under their own privacy policies.

RecipientPurposeData sharedLocationTransfer mechanism
Amazon Web Services EMEA SARL (AWS)Cloud hosting, application infrastructure, databases, content delivery, logging, backup and disaster recoveryPlatform data: account, order, support and technical data (encrypted at rest and in transit)Frankfurt, Germany (eu-central-1)Data hosted within the EEA. Where exceptionally required for technical support, access from outside the EEA is subject to the EU Standard Contractual Clauses (SCCs).
Usercentrics GmbHConsent Management Platform: collecting, managing and documenting cookie/consent preferencesConsent status and identifier, browser and device information, IP address where technically requiredMunich, GermanyProcessing within the EEA.
PayPal (Europe) S.à r.l. et Cie, S.C.A.Payment processing for all card and wallet paymentsName, email, transaction and payment data required to complete the payment. Bella & Bona never receives or stores your complete payment-card details.Luxembourg (EU)Within the EEA. PayPal processes payment data as an independent controller under its own privacy policy.
HubSpot, Inc.Customer support ticketing, CRM, newsletter delivery and (with consent) marketing automation and marketing analyticsName, email, support content, marketing preferences and website interaction dataEU data residency (Germany)EU data residency with SCCs and, where applicable, the EU-US Data Privacy Framework (DPF).
Google LLC (Google Analytics 4)Website analytics and aggregated usage statistics (with consent only)Technical usage data, cookie identifiers and analytics eventsUnited StatesEU-US Data Privacy Framework (DPF) and, where applicable, SCCs.

9. International Transfers

Some of our service providers operate globally or may provide support from outside the European Economic Area (“EEA”). Where personal data is transferred outside the EEA, Bella & Bona maintains an adequate level of protection through one or more of the following:

  • an adequacy decision adopted by the European Commission;
  • the EU-US Data Privacy Framework, where applicable;
  • the European Commission’s Standard Contractual Clauses (SCCs);
  • supplementary technical and organisational measures where required following a transfer assessment.

Where required by applicable law, we perform transfer risk assessments before relying on an international transfer mechanism. You may obtain a copy of the applicable safeguards by contacting us.

Please note that transfers to third countries may involve risks that are not fully knowable in detail — for example, access to data by security authorities of the third country, the exact scope and consequences of which are unknown to us, over which we have no influence, and of which you may not become aware.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • TLS/SSL encryption (256-bit) for data transmitted between your browser and our servers;
  • encryption at rest for stored personal data;
  • access controls limiting access to authorised personnel only;
  • regular security reviews, vulnerability assessments and updates;
  • secure hosting within EU data centres.

While we implement strong security measures and update them in line with current standards, no method of electronic transmission or storage can be guaranteed to be entirely free from risk. We address any security incidents promptly in accordance with our internal data breach procedures.

11. Retention

We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by applicable law. The specific retention periods are:

Data categoryRetention periodLegal basis for retention
Order and billing data10 years from end of fiscal yearArt. 6(1)(c) GDPR — legal obligation (§257 HGB, §147 AO)
User account dataDuration of account + 6 monthsArt. 6(1)(b) GDPR — contract performance
Allergen / health / religious dietary dataDuration of account; deleted immediately on consent withdrawalArt. 9(2)(a) GDPR — explicit consent
Technical and security logs30 daysArt. 6(1)(f) GDPR — legitimate interest in security
Support tickets (HubSpot)3 years after resolutionArt. 6(1)(f) GDPR — legitimate interest in quality and dispute resolution
Analytics data (Google Analytics)14 months (GA4 default)Art. 6(1)(a) GDPR — consent; automatic expiry
Marketing / newsletterUntil consent is withdrawnArt. 6(1)(a) GDPR — consent
Consent recordsDuration of the relationship + up to 3 years after withdrawalArt. 6(1)(c)/(f) GDPR — accountability / proof of consent (Art. 7(1))
Contact enquiries6 months after resolutionArt. 6(1)(b) GDPR where the enquiry relates to a contractual or pre-contractual relationship; otherwise Art. 6(1)(f) GDPR

When the retention period expires, personal data is securely deleted or anonymised. Backup data is purged within 30 days of the primary deletion.

12. Corporate Plans and B2B Data

Bella & Bona provides workplace food-benefit services to corporate clients. Our role depends on who determines the purposes and means of a given processing activity:

(a) As independent Controller, for your direct use of our platform. Where Bella & Bona independently determines the purposes and means of processing — for example managing user accounts, processing meal orders, providing customer support, ensuring platform security and improving our products — Bella & Bona acts as an independent Controller. This includes browsing menus, placing and managing orders, receiving deliveries, saving dietary preferences, and receiving any marketing you have opted into. This Privacy Policy governs that processing.

(b) As Processor, on behalf of your employer (Controller). Where your employer commissions the meal-benefit programme, we process a limited set of data strictly on your employer’s documented instructions — creating employee accounts from the data your employer provides (name, business email), administering meal subsidies and allowances, and producing aggregated usage and billing reports. For this limited processing your employer is the Controller and Bella & Bona acts as Processor under a data processing agreement pursuant to Art. 28 GDPR.

In all cases:

  • Your employer may provide us with your name and business email address to set up your account.
  • We share only aggregated, non-identifiable order statistics (e.g. total orders per day) with your employer for billing and planning purposes.
  • We do not share your individual order details, dietary preferences, or allergen/health information with your employer, except individual data strictly required for per-person subsidy billing.

Legal basis: The applicable legal basis depends on the specific processing activity and Bella & Bona’s role. Where Bella & Bona acts as Controller, the legal bases described in Section 6 apply. Where Bella & Bona acts as Processor, processing is carried out solely on the documented instructions of the relevant Controller pursuant to Art. 28 GDPR.

13. Automated Decision-Making and Profiling

Bella & Bona does not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you within the meaning of Art. 22 GDPR.

Where you have provided your consent, we may analyse your interactions with our website and marketing communications in order to improve our services and the relevance of the content shown on our website, and to personalise marketing communications. Such processing does not produce legal or similarly significant effects.

14. Children

Bella & Bona’s services are intended exclusively for employees and authorised users of our corporate customers. They are not designed for or directed at children.

We do not knowingly collect personal data from persons under the age of 16. If we become aware that an account has been created by, or personal data has been collected from, a person under the age of 16, we will take appropriate steps to delete such data without undue delay, unless we are required by applicable law to retain it.

If you believe that a person under the age of 16 has provided us with personal data, please contact us using the contact details provided in this Privacy Policy.

15. Your Rights Under the GDPR

Under the GDPR you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): to obtain confirmation of whether we process your data and a copy of it.
  • Right to rectification (Art. 16 GDPR): to have inaccurate or incomplete data corrected.
  • Right to erasure (Art. 17 GDPR): to have your data deleted where it is no longer necessary or where you withdraw consent.
  • Right to restriction (Art. 18 GDPR): to have processing limited in certain circumstances.
  • Right to data portability (Art. 20 GDPR): to receive your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR): to object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent (Art. 7(3) GDPR): to withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise these rights, contact us at legal@bellabona.com or our DPO. We will respond without undue delay and in any event within one month of receipt; where necessary this period may be extended by up to two further months, in which case we will inform you.

16. Right to Lodge a Complaint

If you believe our processing infringes the GDPR, you may lodge a complaint with a supervisory authority. The competent authority for Bella & Bona GmbH is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany

Website: www.lda.bayern.de

Email: poststelle@lda.bayern.de

You may also lodge a complaint with the supervisory authority in your country of residence or place of work.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services or applicable law. The updated version is indicated by the “Last updated” date above. If we make material changes, we will notify you by email or by a prominent notice on our website, and where required by law we will seek your renewed consent. We encourage you to review this policy periodically.

18. Contact

For any questions about this Privacy Policy or to exercise your rights, please contact us:

Bella & Bona GmbH
Kapellenstraße 12, 85622 Feldkirchen, Germany

Email: legal@bellabona.com

Telephone: +49 151 54079664