1. Controller
The controller within the meaning of Art. 4 No. 7 GDPR is:
Sai Prashanth Diddi
Sole proprietor (trading as: Autovion Technologies, operating Loyal Hub)
Kurt-Tucholsky-Straße 73
16540 Hohen Neuendorf
Germany
Phone: +49 162 8857263
Email: sai.prashanth.diddi@autoviontech.com
2. Contact for data protection matters
For questions regarding data protection, please contact:
Sai Prashanth Diddi
Email: sai.prashanth.diddi@autoviontech.com
A data protection officer is not legally required, as the thresholds of § 38 BDSG (German Federal Data Protection Act) are not met.
3. General principles of data processing
We process personal data of our users only insofar as it is necessary for the provision of a functioning website and our content and services. The processing of personal data regularly takes place only with the user's consent or where the processing is permitted by law.
4. Provision of the website and server log files
Each time our website is accessed, our hosting provider automatically collects information that your browser transmits to our server. The following data is collected:
- IP address (truncated / anonymised after processing)
- Date and time of access
- Requested URL or name of the requested file
- Volume of data transferred
- Notification of successful retrieval
- Browser type and version
- Operating system
- Referrer URL
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in the technical provision, stability and security of the website).
Storage period: Log files are stored for a maximum of 14 days and then deleted, unless security-relevant incidents require longer retention.
5. Hosting (Vercel)
This website and the Loyal Hub application are hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. When the website is accessed, technical connection data (in particular IP address, browser information) is transmitted to Vercel for the purpose of delivering the application.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in reliable, secure and performant operation of the website).
Data Processing Agreement: A data processing agreement pursuant to Art. 28 GDPR is in place with Vercel.
Third-country transfer: Data is transferred to the USA. Vercel is certified under the EU-US Data Privacy Framework (DPF). The transfer is also based on the EU Commission's Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR.
6. Restaurant accounts and diner data — controller / processor split
Loyal Hub processes two distinct sets of personal data, with different legal roles for each.
(a) Restaurant accounts — we are the controller
When a restaurant signs up at /signup, we process the following data about the restaurant owner / account holder:
- Restaurant name and chosen URL slug
- Owner email
- Owner phone (optional)
- Hashed password (bcrypt; never stored in plain text)
- Timestamp and text version of the Terms / Privacy acceptance (terms_accepted_at, terms_text_version)
- Account creation timestamp
Purpose: creation, authentication and administration of the account; sending operational emails (welcome, password reset).
Legal basis: Art. 6 (1) (b) GDPR (performance of the contract for use of Loyal Hub).
Storage period: for the duration of the account. Upon account closure, data is deleted within 30 days, except where statutory retention obligations require longer (in particular § 257 HGB / § 147 AO for billing-related correspondence, up to 6 or 10 years).
(b) Diner data — the restaurant is the controller, Loyal Hub is the processor
When a diner submits a referral, friend-redemption or direct-offer form on a restaurant's public Loyal Hub page, the data is captured for that restaurant. The restaurant is the data controller for that diner data; Loyal Hub acts as processor on the restaurant's behalf within the meaning of Art. 28 GDPR. Restaurants accept the corresponding data-processing terms at signup as part of the Terms of Service.
The following data is processed in this capacity:
- Diner name (referrer and, where applicable, friend / referee)
- Diner email
- Diner phone (only if collected by the restaurant)
- Any custom fields the restaurant configures on its public page (e.g. dietary preferences, visit frequency)
- Generated tokens for share / reward / coupon links
- Coupon code, redemption status and timestamps
- Consent timestamps and consent text version (referrer_consent_at, referee_consent_at, consent_text_version)
Purpose: issuing the offer to the diner, sending the corresponding emails on behalf of the restaurant, and making the resulting lead data available to the restaurant in its admin dashboard.
Legal basis: the diner's consent under Art. 6 (1) (a) GDPR, given via the consent checkbox on the restaurant's page (the wording and version are recorded; see lib/consent.ts CONSENT_TEXT_VERSION). Diners can withdraw consent at any time by contacting the restaurant or by writing to sai.prashanth.diddi@autoviontech.com.
Storage period: for as long as the restaurant maintains the campaign and uses the data for legitimate marketing follow-up, or until the diner withdraws consent. The restaurant can export and delete its lead records at any time from the admin dashboard.
Restaurants are responsible for providing their own privacy notice toward diners and for ensuring a lawful basis for any further use of the lead data outside Loyal Hub.
7. Contact form and email
The marketing site provides a contact form through which you can reach us. The following data is processed when you use the form:
- Name
- Email address
- Restaurant name (optional)
- Phone (optional)
- Content of your message
- Consent timestamp and consent text version
Legal basis:
- Art. 6 (1) (a) GDPR (consent), confirmed by ticking the consent checkbox before submission.
- Art. 6 (1) (b) GDPR, where the request is aimed at concluding or performing a contract (pre-contractual measures).
- Art. 6 (1) (f) GDPR otherwise (legitimate interest in responding to inquiries).
Storage location: Data submitted via the contact form is stored in our database with Supabase (see Section 9). The data processing itself takes place in the EU region Frankfurt (Germany). A data processing agreement pursuant to Art. 28 GDPR is in place with Supabase.
Storage period: Data from contact requests is deleted as soon as the request has been fully processed and statutory retention obligations do not stand in the way. Business correspondence may be subject to retention obligations of up to 6 years (§ 257 HGB) or 10 years (§ 147 AO).
8. Cookies and tracking
Loyal Hub uses cookies only for strictly necessary purposes — namely, to keep restaurant administrators and platform operators signed in to their accounts. These cookies are used on the basis of § 25 (2) No. 2 TDDDG and do not require consent.
The following cookies are set:
- restaurant_admin_session — signed authentication token for restaurant administrators. HttpOnly, Secure (in production), SameSite=Lax, 7-day lifetime.
- platform_super_admin_session — signed authentication token for platform operators (internal use). HttpOnly, Secure (in production), SameSite=Lax, 7-day lifetime.
We do not use any analytics, marketing, retargeting or audience-measurement cookies (no Google Analytics, no Plausible, no PostHog, no Meta Pixel, no Stripe-style fingerprinting). For this reason no cookie banner is shown.
Should we introduce non-essential cookies in the future, we will obtain your prior consent under § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR via a consent banner, and update this Privacy Policy accordingly.
9. Recipients and processors
We disclose your personal data only to the following categories of recipients:
- Vercel Inc. (USA) — hosting of the website and application. EU-US Data Privacy Framework certified; Standard Contractual Clauses in place. See Section 5.
- Supabase, Inc. — database and authentication infrastructure. Project data is processed in the EU region Frankfurt (Germany). Access by Supabase staff outside the EEA for support / maintenance cannot be fully ruled out; for that residual case, the EU Commission's Standard Contractual Clauses apply.
- Resend (Resend, Inc., USA) — delivery of transactional emails (welcome, password reset) and, on the restaurant's behalf, campaign emails (referrer share link, friend offer, referrer reward, direct offer). Data Processing Agreement under Art. 28 GDPR in place; Standard Contractual Clauses apply for the US transfer.
- IONOS SE (Germany) — operator mailbox at autoviontech.com for receiving data-subject requests and business correspondence. Data is processed in Germany.
- Restaurants — diner data captured through a restaurant's public Loyal Hub page is made available to that restaurant in its admin dashboard. The restaurant is the controller for that data (see Section 6).
- External advisors and authorities — where required by law or to safeguard legitimate interests (e.g. tax authorities; in future, tax advisors or lawyers if engaged).
Data processing agreements pursuant to Art. 28 GDPR are in place with all processors listed above.
10. Your rights as a data subject
You have the following rights vis-à-vis us with regard to the personal data concerning you:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing (Art. 21 GDPR)
- Right to withdraw consent with effect for the future (Art. 7 (3) GDPR)
Right to object
If we process your personal data on the basis of legitimate interests pursuant to Art. 6 (1) (f) GDPR, you have the right to object to such processing at any time on grounds relating to your particular situation.
Right to lodge a complaint with a supervisory authority
Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority. The competent authority is in particular:
Brandenburg State Commissioner for Data Protection and the Right of Access to Files (LDA Brandenburg)
Stahnsdorfer Damm 77, 14532 Kleinmachnow, Germany
https://www.lda.brandenburg.de
11. Data security
We employ appropriate technical and organisational measures (TOMs) to protect your data against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons. These include in particular TLS encryption of data transmission (HTTPS) and regular updates of the systems used.
12. No automated decision-making
No automated decision-making, including profiling, within the meaning of Art. 22 GDPR takes place.
13. Currency and changes to this Privacy Policy
This Privacy Policy is currently valid and has the status of April 2026. Due to the further development of our website or because of changes to legal or regulatory requirements, it may become necessary to amend this Privacy Policy. The current Privacy Policy can be accessed at any time on this page.
