🇬🇧 EN🇫🇷 FR🇩🇪 DE

VZ Labs Privacy Notice

Version 1.0

1. What is this Privacy Notice about?

This Privacy Notice explains how we process personal data, primarily in relation to our business and with our website. If you would like more information about our data processing, please feel free to contact us (sec. 2).

2. Who is the controller for the data processing?

For each data processing activity, there is a party that is primarily responsible for ensuring compliance, the "controller". For the processing described in this Privacy Notice, the controller (also referred to as "we") is:

VZ Labs Sàrl
c/o EHL Hospitality Business School SA
Route de Berne 301
1000 Lausanne 25
Switzerland

If you have any questions regarding data protection, please feel free to contact us at:

Email: [email protected]

You may provide us with data about other individuals (for example when you work for one of our partners and you provide us with contact details of colleagues or representatives). We assume this data is accurate and that you are authorized to share it with us. As we may not directly contact these individuals or inform them about our data processing, we ask you to do so (e.g., by referring them to this Privacy Notice).

3. How do we process data in relation to our services?

When you use our food ordering services, we process all personal data that is necessary to process and place your order, and all information that you provide to us in this context:

  • When you register for our services for the first time, we need certain master data and contact data such as your name, contact details including phone number and delivery address, date of birth, and payment information;
  • We also process certain preferences such as language settings and payment preferences, geographic area, food preferences, allergies and dietary restrictions;
  • When you use our services, we process your order details and all other information such as preferences, communication data, order details, that you provide to us via the WhatsApp messenger.

We may also process the above data for statistical purposes (e.g., order frequency and timing patterns, popular menu items and customizations, average order values, peak ordering hours by day and location, customer retention rates, delivery zone performance, restaurant popularity rankings, seasonal ordering trends, and response rates to promotions). These statistics help improve and develop our services and inform business strategy, and they can also be provided to our partners on an anonymous basis. We may also use this data on an identifiable basis for marketing; see sec. 4 for details. In particular, we may advertise our services, for example through newsletters. More details are set out in sec. 4.

If we are in contact with partners (e.g. restaurants) in view of an agreement, we process name and contact details of the contact person, details of services requested. If we enter into an agreement with partners, we process the data from the onboarding and information on the agreement (e.g. the date and the content of the agreement). We may also process personal data during and after the agreement, including details on services, payments, service interactions, claims, complaints, agreement terminations, and any related disputes or proceedings. These data processing activities are necessary for the performance of our agreements and the provision of our services.

For corporate partners such as restaurants, we process limited personal data, as data protection law applies only to individuals. However, we handle data of individuals we interact with, such as names, contact details, professional information, communication details, and information about management personnel, as part of the general data on companies we work with.

4. How do we process data in relation with advertising?

We also process personal data in order to advertise our services and services of our restaurant partners:

Newsletter: We send out electronic information and newsletters, which may include advertising for our services. We will ask for your consent before sending out electronic marketing, except for certain offers to existing customers.

WhatsApp Marketing Messages: We may send promotional messages, special offers, and updates about our services and partner restaurants directly through WhatsApp. These may include:

  • Exclusive deals and discounts from your favorite restaurants
  • New restaurant partners in your area
  • Seasonal promotions and limited-time offers
  • Order reminders and personalized recommendations

We track your marketing preferences (opt-in/opt-out status) and respect your choices. You can opt out of marketing messages at any time by:

  • Using the "unsubscribe" (can vary by language) button on any marketing message
  • Updating your preferences by communicating it with our chatbot
  • Contacting us directly at [email protected]

Market research: We process data to improve and develop new services, such as information on purchases, reactions to newsletters, customer surveys, polls, social media, media monitoring services, and public sources.

5. How do we disclose personal data?

We may disclose personal data to various bodies within the scope of our activities. These include the following categories:

  • The restaurants that process your order;
  • service providers, in particular for IT services (such as our payment provider Stripe, the messenger service WhatsApp, certain cloud service providers, large language models providers for natural language processing – in this respect see also sec. 7 below – and others), administration and consulting services, our our delivery partners (such as Uber Direct, Chaskis, and restaurant-managed delivery services) with whom we share only the information necessary to complete your delivery, including:
    • Delivery address and any special delivery instructions
    • Your first name and phone number (for delivery coordination only)
    • Order contents (to ensure accurate delivery)
    • Order value (for cash-on-delivery orders)
    • Preferred delivery time
    We do not share your payment information, order history, or marketing preferences with delivery partners. Delivery partners are contractually obligated to use this information solely for completing your delivery and must delete it afterwards, as well as other shipping and logistics services, or services of banks, the post office, etc. These service providers may process personal data to the extent necessary. For providers used for our website, see section 8.
  • if we engage intermediaries for our services, we may share your information with them to enable direct contact with you;
  • persons associated with you, e.g. authorized representatives, deputies and relatives, and in the case of contact persons of companies, employees and the company itself;
  • credit agencies and other databases to which we may disclose the necessary information about you as part of an information request;
  • offices, authorities and courts within the scope of our legal obligations and in connection with proceedings in which we are a party or third party;
  • third parties, e.g. in connection with the acquisition or sale of assets by us.

6. Can we disclose data abroad?

Not all data recipients are located in Switzerland. This includes certain service providers, particularly in IT. These providers or their subsidiaries may be based in the EU or EEA (e.g., in Ireland) or in other countries worldwide (e.g., in the USA). We may also share data with foreign authorities if legally required or in connection with asset sales or legal proceedings (see sec. 10). Not all these countries offer adequate data protection. To address this, we implement appropriate safeguards, particularly the EU standard contractual clauses, available here. In some cases, data may be shared abroad without such safeguards as allowed by applicable law – for instance, with your consent or if necessary to perform a contract, assert or defend legal claims, or serve overriding public interests.

7. How do we use artificial intelligence?

New technologies like artificial intelligence (AI) and machine learning offer significant potential but also present challenges. We ensure these technologies are used in alignment with our values and carefully weigh opportunities and risks in each case. We use AI technology to facilitate order processing and customer communication. While we strive for accuracy, users acknowledge that AI-generated responses may occasionally contain errors. We maintain human oversight for significant decisions and provide mechanisms to correct any issues. If an AI we use interacts directly with you, we will inform you.

In particular, we use an AI chatbot to communicate with you when you use our services: When you send a text or voice message via WhatsApp, third-party AI language processing services process this natural language input and return a structured format that our system can understand, so that the order can be placed at the relevant restaurant and be delivered to you. The chatbot will also communicate with you in order to clarify any open questions regarding the order or its delivery.

We may also use AI to improve our products and services, increase the efficiency of internal processes, enhance security, prevent misuse, or for any other purpose outlined above. AI applications may process personal data, but this is not always the case. Possible uses of AI include:

  • Assisting in the creation of stock images, product texts, and similar non-personalized content;
  • processing customer requests and analyzing customer feedback automatically to address needs more effectively;
  • improving customer experience when using our products and services through targeted advice and tailored information.

8. How do we process data in relation with our website?

For technical reasons, each time you use our website, certain data is temporarily stored in log files, including your device's IP address, information about your internet service provider, operating system, browser, referring URL, date and time of access, and content accessed. We use this data to operate the website, ensure security and stability, optimize the site, and for statistical purposes.

Our website uses one strictly necessary cookie (i18n_redirected) to remember your language preference across sessions. This cookie is essential for the website's functionality and does not track or identify you for marketing purposes. We also use sessionStorage (temporary browser storage) for UI states such as animation controls and demo interface states. SessionStorage data is automatically deleted when you close your browser tab.

We do not use any tracking, analytics, or advertising cookies. We do not share data with third-party advertising networks or analytics providers for marketing purposes.

You can adjust your browser settings to block certain cookies or delete cookies and other stored data. For more information, refer to your browser's help pages (usually under "privacy"). Note that blocking the language preference cookie may affect your experience by requiring you to select your language on each visit.

9. How do we process data via social media?

We maintain presences on social networks and platforms (e.g., Instagram pages). If you communicate with us, comment on, or share content there, we collect information for communication, marketing, and statistical purposes (see sec. 4 and 10). Please note that platform providers also collect and use data (e.g., user behavior) independently, potentially combining it with other data they hold (e.g., for marketing or content personalization). Where joint responsibility with the provider applies, we enter into an agreement, details of which can be obtained from the provider.

10. Are there other processing purposes?

Yes. Typical (though not necessarily frequent) cases are as follows:

  • Communication: When we are in contact with you (e.g. when you communicate with us on social media), we process the content as well as information about the nature, time, and location of the communication. For your identification, we may also process information about proof of identity. Telephone conversations with us may be recorded [and listened to]; we will inform you of this at the beginning of each conversation. If you do not want us to record such conversations, you have the option at any time to terminate the conversation and contact us by other means (e.g. by e-mail).
  • Job applications: We process personal data provided by applicants during the application process, including contact details, CVs, references, and other supporting documents. This data is used to assess suitability for the position, communicate with applicants, and manage the recruitment process. If necessary, data may be shared with third parties, such as background check providers, in accordance with applicable law. Applicant data is stored securely and retained only as long as necessary for the recruitment process or as required by law. Unsuccessful applications are deleted after an appropriate retention period unless consent is given for longer storage.
  • Compliance with legal requirements: We may disclose data to authorities as required by law or to meet internal regulations.
  • Prevention: Data is processed to prevent crime or misuse, such as fraud prevention or internal investigations.
  • Legal proceedings: If involved in legal proceedings (e.g., court or administrative), we process and disclose data about parties, witnesses, and others involved to courts, authorities, or other relevant entities, including abroad.
  • IT security: We process data to monitor, control, analyze, secure, and assess IT infrastructure and manage backups and archives.
  • Competition: We process data on competitors and the market (e.g., political environment, associations) and key individuals, including names, contact details, roles, and public statements.
  • Transactions: In asset, business unit, or company sales or acquisitions, we process data to prepare and execute transactions, including disclosing customer or employee data to potential buyers or sellers.
  • Other purposes: Data is processed for training, administration (e.g., contract management, accounting, claims management, process improvement), anonymous statistics, or securing other legitimate interests.

11. How do we protect your data?

We implement appropriate technical and organizational measures to ensure the security of your personal data is commensurate with the respective risk. However, absolute data security cannot be guaranteed, and some residual risks may remain.

12. How long do we process personal data?

We process your personal data as long as necessary for the relevant purpose (e.g., for contracts, typically the duration of the contractual relationship), as long as we have a legitimate interest in its retention (e.g., to enforce legal claims, for archiving, or IT security), or as required by statutory retention obligations (e.g., a ten-year retention period for certain data). Once these periods expire, we delete or anonymize your data. Order data is generally anonymized two years after the end of our business relationship with you.

13. Anything else to consider?

Depending on the applicable law, data processing is permitted only if explicitly authorized. This restriction does not apply under the Swiss Data Protection Act but under the European General Data Protection Regulation (GDPR), if applicable. In such cases, we rely on the following legal bases for processing your personal data:

  • Art. 6 para. 1 lit. b GDPR for processing necessary to perform a contract with the data subject or to take pre-contractual measures (see para. 3).
  • Art. 6 para. 1 lit. f GDPR (and Art. 9 para. 2 lit. f GDPR for special-category data, if applicable) for processing necessary to protect our or third parties' legitimate interests, unless overridden by the data subject's fundamental rights and freedoms. This includes compliance with Swiss law, ensuring sustainable, user-friendly, secure, and reliable operations, and the purposes outlined in Section 7.
  • Art. 6 para. 1 lit. c GDPR for processing necessary to comply with a legal obligation under the laws of an EEA Member State. The EEA includes EU member states, Iceland, Norway, and Liechtenstein.
  • Art. 6 para. 1 lit. a GDPR (and Art. 9 para. 2 lit. b GDPR for special-category data, if applicable) for processing based on your separate consent.

In general, you are not required to disclose data to us, except in specific cases (e.g., fulfilling contractual obligations that necessitate data disclosure). However, we may need to process data for legal or contractual purposes. The use of our website would also not be possible without some data processing (see sec. 8).

14. What are your rights?

You have certain rights, subject to conditions and restrictions under applicable law:

  • You can request a copy of your personal data and further information about our data processing.
  • You can object to our data processing, especially in relation with direct marketing.
  • You can have incorrect or incomplete personal data corrected or completed or supplemented by a note of dispute.
  • You also have the right to receive the personal data that you have provided to us in a structured, common, and machine-readable format, insofar as the corresponding data processing is based on your consent or is necessary for the performance of the contract.
  • To the extent that we process data based on your consent, you can withdraw your consent at any time. The withdrawal is only valid for the future, and we reserve the right to continue to process data based on another basis in the event of a withdrawal.

If you wish to exercise such a right, please feel free to contact us (sec. 2). We will usually have to verify your identity (e.g. by means of a copy of your ID card). You are also free to file a complaint against our processing of your data with the competent supervisory authority, in Switzerland the Federal Data Protection and Information Commissioner (FDPIC).