Privacy Policy
Last updated: May 2026.
1. Data Controller
Schmeckt. is a platform operated by Lisa Dietrich Design.
Lisa Dietrich
Egelseestraße 47
6800 Feldkirch
Austria
Email: hallo@lisadietrich.design
Phone: +43 660 5767719
2. General Notes
Schmeckt. is a digital menu platform for hospitality businesses. This privacy policy applies to the use of the platform at schmeckt.online and to all brand pages at schmeckt.online/b/[name].
For content published in the menu itself, the respective restaurant operator acts as data controller. Each brand page provides its own privacy notice and imprint, linked in the footer.
Processing is based on the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), and the Austrian Telecommunications Act 2021 (TKG 2021).
3. What Data Is Processed
3.1 Guests Visiting a Brand Page
When a guest opens a menu via Schmeckt. (QR code, direct link, or embedded iframe), the following technical data is transmitted:
IP address, date and time, browser type and version, operating system, page accessed, referrer.
This data is processed solely for technical operation and automatically deleted after 30 days. It is not linked into profiles.
Language preferences are stored in the browser's LocalStorage, exclusively on the device, without transmission to us.
3.2 Customers (Restaurant Operators)
When restaurant operators register and use the platform, the following data is processed:
Name, email address, phone number, restaurant address, VAT number if applicable, menu content configured by the operator, uploaded images.
For paid plans, invoicing and payment data are processed exclusively by Paddle as Merchant of Record (see section 6).
4. Purposes of Processing
Provision of the platform and individual brand pages. Menu maintenance by customers. Contract fulfilment. Technical support and maintenance. Platform security (abuse detection, attack mitigation).
5. Legal Basis
Contract initiation and performance under Art. 6(1)(b) GDPR (for customers). Legitimate interest under Art. 6(1)(f) GDPR (security, technical operation). Compliance with legal obligations under Art. 6(1)(c) GDPR (e.g., retention periods).
6. Sub-Processors
The following services are used in the operation of Schmeckt. The current full list is available at schmeckt.online/datenschutz/subdienstleister.
Lovable AB (Stockholm, Sweden): Platform hosting, backend infrastructure, AI features via the Lovable AI Gateway, and delivery of transactional emails (login confirmations, password reset) through the Lovable Cloud built-in mail infrastructure. EU-based servers. The Lovable AI Gateway provides access to selected AI models for text generation, translation, and image creation, including models from Google (Gemini family) and OpenAI (GPT family and GPT-Image). Model selection and integration are handled by Lovable as data processor; no direct contractual relationship exists between Schmeckt. and the underlying model providers.
Supabase Inc. (USA, with EU region): Database, authentication, and storage. EU region (Frankfurt) activated. Standard Contractual Clauses and EU-US Data Privacy Framework.
Paddle Payments Limited (Dublin, Ireland): Paddle acts as Merchant of Record and handles the complete processing of paid plans. This means: Paddle issues invoices to customers, processes payments, handles sales tax and VAT in all countries, and remits net amounts to Lisa Dietrich Design. Paddle acts as independent data controller for all payment and invoicing data. This data is processed directly between customer and Paddle and is not stored on Schmeckt. servers.
Address: The Academy, 42 Pearse Street, Dublin 2, D02 HV59, Ireland. Within the global Paddle group, data may be transferred to affiliated entities in the United Kingdom (Paddle.com Market Limited, London), the United States (Paddle.com Inc., New York), and Canada (Paddle.com Canada Ltd, Toronto), safeguarded by EU Commission Adequacy Decisions (UK, Canada) and Standard Contractual Clauses plus EU-US Data Privacy Framework (USA). Privacy: paddle.com/legal/privacy.
Data Processing Agreements under Art. 28 GDPR are in place with all sub-processors.
7. International Data Transfers
Transfers to providers outside the EU are based on the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework.
For AI requests routed through the Lovable AI Gateway, queries may be forwarded to models whose providers (such as Google or OpenAI) are based in the USA. Lovable ensures that appropriate transfer mechanisms are in place.
For payment processing via Paddle, data may be transferred within the Paddle group to locations in the United Kingdom, the United States, and Canada. UK and Canadian transfers rely on the respective EU Commission Adequacy Decisions; US transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework.
8. Cookies and Similar Technologies
Schmeckt. uses only strictly necessary cookies and LocalStorage entries required for operation (e.g., to store language preference). No consent is required under § 165(3) TKG 2021.
No analytics, tracking, or marketing cookies are deployed. No data is sold or transferred for advertising purposes.
9. AI-Assisted Features
Schmeckt. offers AI-assisted features for image generation, translation, and text descriptions. All AI requests are routed through the Lovable AI Gateway. The specific model used depends on the respective feature and current configuration by Lovable. Currently, models from the Google Gemini and OpenAI GPT families are deployed.
These features are used exclusively by restaurant operators under their editorial control. Before publishing, AI-generated content must be approved by the operator.
AI-generated content is labelled on public brand pages (images as "AI image", machine translations with corresponding notice). Details: schmeckt.online/ki-transparenz.
10. Retention Periods
Guest access data: 30 days. Backups maximum 90 days.
Customer data: for the duration of the business relationship, then a 30-day grace period with export option, followed by deletion. Statutory retention obligations (Austrian Federal Tax Code, seven years for invoices) remain unaffected.
AI usage logs: 24 months, for compliance documentation toward the Austrian RTR AI Service Centre under the EU AI Act.
11. Your Rights
You have the following rights at any time:
Right of access (Art. 15 GDPR), right to rectification (Art. 16 GDPR), right to erasure (Art. 17 GDPR), right to restriction of processing (Art. 18 GDPR), right to data portability (Art. 20 GDPR), right to object (Art. 21 GDPR), right to withdraw consent (Art. 7(3) GDPR).
To exercise these rights, contact hallo@lisadietrich.design. We respond within one month (Art. 12 GDPR).
For requests regarding payment or invoicing data, please contact Paddle directly at privacy@paddle.com, as Paddle processes this data as independent controller.
12. Right to Lodge a Complaint
If you believe that the processing of your data violates applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority:
Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna, Austria
Phone: +43 1 521 52-25 69
Email: dsb@dsb.gv.at
Web: dsb.gv.at
Customers based in Germany may additionally contact their respective State Data Protection Authority.
13. AI Supervision
For questions regarding the implementation of the EU AI Act in Austria, the competent authority is the AI Service Centre at the RTR:
AI Service Centre at RTR
Mariahilfer Straße 77-79, 1060 Vienna, Austria
Email: ki-servicestelle@rtr.at
Web: rtr.at/ki
14. Notes for Customers in Switzerland
For restaurant operators based in Switzerland, the revised Swiss Federal Act on Data Protection (revFADP) applies in addition. The data protection standards described here meet the requirements of the revFADP.
Complaints may be filed with the Federal Data Protection and Information Commissioner:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, 3003 Bern, Switzerland
Web: edoeb.admin.ch
15. Security
Transmission is encrypted via HTTPS. We employ technical and organisational measures to protect data from unauthorised access, loss, alteration, and misuse. Backups are encrypted and held in EU data centres.
16. Changes to This Privacy Policy
We reserve the right to adapt this privacy policy when legal frameworks or technical implementation change. Customers will be notified of material changes by email in advance. The current version is always available at schmeckt.online/datenschutz.
Last updated: May 2026.