Privacy Policy

Last updated:April 11, 2026

Privacy Policy

This Privacy Policy applies to the processing of personal data of customers who place an order or book a dining experience on one of the Gustaio platforms (Android App, Web-app or Website). Gustaio is responsible for the processing of this personal data and takes your privacy very seriously. Gustaio therefore complies with the requirements of the General Data Protection Regulation (GDPR) when processing personal data.

Data Controller

The data controller for the processing of your personal data is:

KulinariQ S.r.l. Via Anton Steger 11 39031 Bruneck (BZ), Italy P.IVA / VAT: IT 03291090219 Email: info@kulinariq.com Website: www.gustaio.app

For questions about data protection, you can contact us at: info@gustaio.ai

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) at www.garanteprivacy.it.

Which personal data do we use?

Gustaio processes your data because you use one of our services. The following data is used for the following purposes.

Ordering process

We process the personal data that you provide to us when placing an order. This personal data is required to forward your order to the delivery service so that it can confirm and execute your order. The legal basis for this processing of personal data is that it is required for the fulfillment of a contract within the meaning of the GDPR. We process the following personal data during the ordering process:

Ordered goods
Name
Telephone number for queries from the delivery service and for online payments via Stripe and PayPal
Full address
Payment details (if applicable)

Experience booking process

When you book a dining experience through Gustaio, we process additional personal data beyond the standard ordering data. This data is necessary to create and manage your reservation and to enable the Restaurant to provide the booked experience. The legal basis for this processing is the fulfillment of a contract (Art. 6(1)(b) GDPR). We process the following personal data during the booking process:

Name, email address, and telephone number
Number of adult and child guests
Selected date, time slot, and stay duration
Selected menu, course preferences, and à la carte item choices per guest
Selected add-ons and wine selections
Occasion notes and general notes provided by the guest
Answers to custom questions defined by the Restaurant
Preferred language for guest communication
Accommodation requests (high chairs, stroller space, dog accommodation)

Health-related data (dietary preferences and allergens)

During the Experience Booking process, you may voluntarily provide information about dietary preferences (e.g., vegan, vegetarian, pescatarian, keto, paleo, halal, kosher, gluten-free, lactose-free) and food allergens for yourself or other guests in your party. This information may constitute health-related data within the meaning of Art. 9 GDPR.

The processing of this data is based on your explicit consent (Art. 9(2)(a) GDPR), which you provide when you submit the booking. By submitting the booking with dietary and allergen information, you expressly consent to the processing of this data for the purpose of enabling the Restaurant to prepare suitable food and beverages and to ensure the safety and well-being of you and your guests.

You are not required to provide dietary preference or allergen information. If you choose not to provide this information, we recommend communicating any dietary needs directly to the Restaurant upon arrival.

Guest preferences

If the Restaurant has configured custom guest preference options (e.g., seating preferences, wine pairing preferences), the selections you make during the booking process will be collected and shared with the Restaurant. The legal basis for this processing is the fulfillment of a contract (Art. 6(1)(b) GDPR).

Prevention of fraud

We also process some of the aforementioned personal data to prevent fraud and other forms of misuse. The legal basis for this processing is that it must pursue a legitimate interest of Gustaio (prevention of fraud) within the meaning of the GDPR.

Analysis

We also use some of the aforementioned data to improve and further develop our service. We ensure that only data that cannot be traced back to you is used for this purpose. The legal basis for this processing is that it must pursue a legitimate interest of Gustaio (analysis) within the meaning of the GDPR.

Age

Our platform is not intended for persons under the age of 16, and we do not intend to collect personal data from customers who are younger than 16 years of age. However, we cannot verify the age of customers and therefore advise parents to monitor their children's online activities to prevent their personal data from being collected without parental consent. If you believe that we have collected personal data of a minor without consent, please contact us at info@gustaio.ai. We will then proceed to delete this data.

How long is the data stored?

Gustaio retains your personal data for the following periods:

Data Category	Retention Period	Reason
Order data (items, prices, address)	10 years from order date	Italian tax and accounting obligations (Art. 2220 Codice Civile)
Experience Booking data (reservation details, guest selections)	10 years from booking date	Italian tax and accounting obligations
Health-related data (dietary preferences, allergens)	Until the Experience is completed, then deleted within 30 days	Minimization of special category data
Account data (name, email, phone)	Until account deletion or 3 years of inactivity	Legitimate interest in service provision
Payment data	Retained by Stripe/PayPal per their respective policies	We do not store full payment card details
Server log data	90 days	System security and troubleshooting
Analytics data (pseudonymized)	26 months	Firebase Analytics default retention

You may request deletion of your personal data at any time by contacting info@gustaio.ai. We will process your request within 30 days, subject to any legal retention obligations.

Forwarding to restaurants

Gustaio shares your personal data (name, telephone number, email address, and ordered goods or booking details) with the restaurant you have selected so that the restaurant can prepare and deliver your order or fulfill your Experience Booking. For Experience Bookings, this includes the sharing of guest selections, dietary preferences, allergen information, guest preferences, menu choices, accommodation requests, and any notes you have provided. Because you are a direct customer of the restaurant, it has its own responsibility for handling your data. If you have any questions about this, you should contact the restaurant directly.

Disclosure of your data

Gustaio will never sell your data and will only pass it on to third parties if this is necessary for the platform to improve our service or if it is required by law. If data is passed on, Gustaio ensures that the personal data is processed in accordance with the GDPR and that all security standards are complied with. The third parties with whom the data is shared include:

Partner restaurants: To process your order or fulfill your Experience Booking
IT service providers (Firebase by Google): For the purpose of data storage and analysis
Payment service providers (Stripe, PayPal): To process payments, including upfront payments, pre-authorizations, and refunds for Experience Bookings
Google Cloud Platform (Vertex AI): For advanced analytics and machine learning applications to improve our service.
OpenStreetMap: For displaying maps and calculating routes, whereby no directly personal data is passed on to OpenStreetMap.

Vercel

Our web platform is hosted by Vercel. Vercel provides the infrastructure and services necessary to host our website and ensure its availability. As a hosting provider, Vercel may have access to personal data processed through our web platform. The legal basis for this processing is our legitimate interest in providing a reliable and secure web platform. For more information about Vercel's privacy practices, please visit https://vercel.com/legal/privacy-policy.

Google Maps

If you allow the use of location data, we process your location data to retrieve your address using Google Maps. This address is then used to pre-fill the order form and make the ordering process more convenient for you. The legal basis for this processing of personal data is your consent, which you give when you allow the use of location data. We process the following personal data for this purpose:

Location data
Retrieved address

The use of Google Maps is subject to the Google Privacy Policy, which you can find at https://policies.google.com/privacy. By allowing the use of location data, you consent to the processing of your data in accordance with Google's Privacy Policy.

Firebase

To continuously improve and optimize our offering, we use so-called tracking technologies. For this purpose, we use the services of Google Firebase. Google Firebase is a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Our Firebase project is configured to store data in the European Union (EU/EEA region). Google Firebase uses tracking technologies that enable an analysis of your use of our offer. Google will use this information to evaluate your use of our app and to provide us with further services related to the use of apps. Google processes data in accordance with the GDPR and has committed to appropriate data protection safeguards. Further information on Google Firebase and data protection can be found at https://www.google.com/policies/privacy and https://firebase.google.com/.

Stripe

To offer online payments, we need a payment service provider that processes the transactions and forwards them to the restaurant. For this purpose, we use the services of Stripe. Stripe payments in the European Union are processed by Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland. For Experience Bookings, Stripe is also used to process upfront payments (charges), pre-authorizations (holds for no-show fees), and refunds on behalf of the Restaurant. Stripe processes payment data within the EU/EEA and has committed to complying with the GDPR and applicable European data protection regulations. Further information on Stripe and its privacy can be found at https://stripe.com/privacy.

PayPal

To offer you another option for online payment, we use the payment service provider PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. If you select payment via PayPal, you will be redirected directly to PayPal during the order or booking process. There you can enter your payment details and authorize the payment. This will be made directly to the respective partner restaurant. For Experience Bookings, PayPal may be used for full upfront payments or pre-authorizations, depending on the payment methods activated by the Restaurant. The processing of your personal data by PayPal is carried out in accordance with PayPal's privacy policy, which you can view here: https://www.paypal.com/en/legalhub/paypal/privacy-full. The legal basis for the processing of your data in connection with PayPal is the performance of the contract and our legitimate interest in providing various payment methods.

Google Cloud Platform (Vertex AI)

We use services of the Google Cloud Platform, in particular Vertex AI, from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"), to carry out advanced data analyses and train machine learning models that help to improve our service. Pseudonymized or anonymized data may be processed in this context, for example to make predictions about user behavior or to optimize our recommendation systems. Direct identification of individual users does not usually take place. Insofar as personal data is processed, this is done on the basis of our legitimate interest in improving and further developing our offer (Art. 6 para. 1 lit. f GDPR). Google has committed to complying with privacy regulations and offers appropriate security measures. Further information on privacy in the Google Cloud Platform can be found at: https://policies.google.com/privacy. Information on Vertex AI specifically can be found at: https://policies.google.com/terms/generative-ai/use-policy.

OpenStreetMap

Our platform uses map data from OpenStreetMap (OSM). OpenStreetMap is a collaborative project to create a free, editable map of the world. When you use map functions on our platform, no directly personal data is passed on to OpenStreetMap. However, your IP address and other technical information may be collected when your device retrieves map tiles from the OpenStreetMap servers. The processing of this data by OpenStreetMap is carried out in accordance with their privacy policy, which you can view at https://osmfoundation.org/wiki/Privacy_Policy. The use of OpenStreetMap is based on our legitimate interest in providing accurate and up-to-date map information for our users.

Push Notifications

So-called push notifications are messages that are displayed on the home screen of your mobile device, provided you have not deactivated them in the settings of your mobile device. In order to be able to send you push notifications or so-called in-app messages (messages that are only displayed to you within the app), we use the technology of Google Firebase (see Firebase in this Privacy Policy). Your mobile device is assigned a pseudonymized push reference. This serves as the target for push notifications or in-app messages and is used by us to display push notifications or in-app messages on your mobile device.

Server Log Data

When you use our platform, the following data is transmitted from your end device and temporarily stored in a log file:

End device type and operating system used
Accessed pages/screens
IP address of the requesting end device
Date and time of the server request

Such storage in so-called server log files is necessary for technical reasons and to ensure system security. This data is evaluated anonymously for statistical purposes and to improve the quality of our app. This data is neither assigned to a specific or identifiable natural person by us nor by third parties on our behalf. Personal user profiles are also not created using this data.

Use of Cookies

For the needs-based design of the online platform, we work with pseudonymized and anonymized usage profiles, which we subsequently no longer merge with your name or other information that identifies you. To make our offer as pleasant as possible for you, we therefore use so-called cookies, like many well-known companies. Cookies are small text files that enable the user to be recognized so that users do not have to register again each time. In addition, cookies can help to enable the offers to be adapted to your interests. We use cookies to analyze the use of the offer and to provide you with interesting information. Of course, you can also use our offers without cookies. End devices can be set so that cookies are generally rejected.

Your Rights

You have the right to receive information free of charge about the personal data we have stored about you. In addition, you have the following rights:

Right of access the right to know which data has been collected and how it is processed.

Right to rectification the right to request the modification of personal data if it is not up-to-date or incorrect.

Right to erasure the right to request the deletion of personal data.

Right to restriction of processing the right to limit the processing of personal data.

Right to data portability the right to receive personal data in a machine-readable format and/or to transmit it to another controller.

Right to object the right to withdraw consent given or to object to the processing of personal data.

Right to withdraw consent for health-related data If you have provided dietary preference or allergen information during an Experience Booking, you have the right to withdraw your consent to the processing of this health-related data at any time. Please note that withdrawing consent does not affect the lawfulness of processing carried out prior to the withdrawal. To withdraw consent, please contact us at info@gustaio.ai.

If you do not give Gustaio your consent to the processing of your data, our service will no longer function for you and you will not be able to use the platform to order from restaurants or book dining experiences.

International Data Transfers

Your personal data is primarily stored and processed within the European Union / European Economic Area (EU/EEA). Our infrastructure providers (Firebase, Stripe, Vercel) are configured to use EU-based data centers.

Provider	Data Location	Entity
Google Firebase	EU (europe-west)	Google Ireland Limited, Dublin, Ireland
Stripe	EU	Stripe Payments Europe, Ltd., Dublin, Ireland
PayPal	EU	PayPal (Europe) S.à r.l., Luxembourg
Vercel	EU	Vercel Inc. (EU region deployment)
OpenStreetMap	EU	OpenStreetMap Foundation, UK

In exceptional cases, limited data may be accessed by service providers from outside the EU/EEA for support or maintenance purposes. Such access is protected by Standard Contractual Clauses (SCCs) adopted by the European Commission and/or the EU-US Data Privacy Framework, where applicable.

Automated Decision-Making

We may use automated processing, including machine learning (via Google Vertex AI), to improve our service, such as optimizing recommendations and predicting demand patterns. These processes use pseudonymized or anonymized data and do not produce legal effects or significantly affect you as an individual. No fully automated decisions with legal or similarly significant effects are made about you.

Summary of Legal Bases

Processing Activity	Legal Basis	GDPR Article
Processing orders	Contract performance	Art. 6(1)(b)
Processing Experience Bookings	Contract performance	Art. 6(1)(b)
Dietary/allergen data	Explicit consent	Art. 9(2)(a)
Fraud prevention	Legitimate interest	Art. 6(1)(f)
Analytics (pseudonymized)	Legitimate interest	Art. 6(1)(f)
Push notifications	Consent	Art. 6(1)(a)
Location data (Google Maps)	Consent	Art. 6(1)(a)
Cookies (non-essential)	Consent	Art. 6(1)(a)

Changes to the Privacy Policy

Gustaio reserves the right to change this Privacy Policy at any time in compliance with the applicable data protection regulations and other legal provisions.

Privacy Policy

Last updated:April 11, 2026

Privacy Policy

Data Controller

The data controller for the processing of your personal data is:

KulinariQ S.r.l. Via Anton Steger 11 39031 Bruneck (BZ), Italy P.IVA / VAT: IT 03291090219 Email: info@kulinariq.com Website: www.gustaio.app

For questions about data protection, you can contact us at: info@gustaio.ai

Which personal data do we use?

Gustaio processes your data because you use one of our services. The following data is used for the following purposes.

Ordering process

Ordered goods
Name
Telephone number for queries from the delivery service and for online payments via Stripe and PayPal
Full address
Payment details (if applicable)

Experience booking process

Name, email address, and telephone number
Number of adult and child guests
Selected date, time slot, and stay duration
Selected menu, course preferences, and à la carte item choices per guest
Selected add-ons and wine selections
Occasion notes and general notes provided by the guest
Answers to custom questions defined by the Restaurant
Preferred language for guest communication
Accommodation requests (high chairs, stroller space, dog accommodation)

Health-related data (dietary preferences and allergens)

Guest preferences

Prevention of fraud

Analysis

Age

How long is the data stored?

Gustaio retains your personal data for the following periods:

Data Category	Retention Period	Reason
Order data (items, prices, address)	10 years from order date	Italian tax and accounting obligations (Art. 2220 Codice Civile)
Experience Booking data (reservation details, guest selections)	10 years from booking date	Italian tax and accounting obligations
Health-related data (dietary preferences, allergens)	Until the Experience is completed, then deleted within 30 days	Minimization of special category data
Account data (name, email, phone)	Until account deletion or 3 years of inactivity	Legitimate interest in service provision
Payment data	Retained by Stripe/PayPal per their respective policies	We do not store full payment card details
Server log data	90 days	System security and troubleshooting
Analytics data (pseudonymized)	26 months	Firebase Analytics default retention

You may request deletion of your personal data at any time by contacting info@gustaio.ai. We will process your request within 30 days, subject to any legal retention obligations.

Forwarding to restaurants

Disclosure of your data

Partner restaurants: To process your order or fulfill your Experience Booking
IT service providers (Firebase by Google): For the purpose of data storage and analysis
Payment service providers (Stripe, PayPal): To process payments, including upfront payments, pre-authorizations, and refunds for Experience Bookings
Google Cloud Platform (Vertex AI): For advanced analytics and machine learning applications to improve our service.
OpenStreetMap: For displaying maps and calculating routes, whereby no directly personal data is passed on to OpenStreetMap.

Vercel

Google Maps

Location data
Retrieved address

Firebase

Stripe

PayPal

Google Cloud Platform (Vertex AI)

OpenStreetMap

Push Notifications

Server Log Data

When you use our platform, the following data is transmitted from your end device and temporarily stored in a log file:

End device type and operating system used
Accessed pages/screens
IP address of the requesting end device
Date and time of the server request

Use of Cookies

Your Rights

You have the right to receive information free of charge about the personal data we have stored about you. In addition, you have the following rights:

Right of access the right to know which data has been collected and how it is processed.

Right to rectification the right to request the modification of personal data if it is not up-to-date or incorrect.

Right to erasure the right to request the deletion of personal data.

Right to restriction of processing the right to limit the processing of personal data.

Right to data portability the right to receive personal data in a machine-readable format and/or to transmit it to another controller.

Right to object the right to withdraw consent given or to object to the processing of personal data.

International Data Transfers

Provider	Data Location	Entity
Google Firebase	EU (europe-west)	Google Ireland Limited, Dublin, Ireland
Stripe	EU	Stripe Payments Europe, Ltd., Dublin, Ireland
PayPal	EU	PayPal (Europe) S.à r.l., Luxembourg
Vercel	EU	Vercel Inc. (EU region deployment)
OpenStreetMap	EU	OpenStreetMap Foundation, UK

Automated Decision-Making

Summary of Legal Bases

Processing Activity	Legal Basis	GDPR Article
Processing orders	Contract performance	Art. 6(1)(b)
Processing Experience Bookings	Contract performance	Art. 6(1)(b)
Dietary/allergen data	Explicit consent	Art. 9(2)(a)
Fraud prevention	Legitimate interest	Art. 6(1)(f)
Analytics (pseudonymized)	Legitimate interest	Art. 6(1)(f)
Push notifications	Consent	Art. 6(1)(a)
Location data (Google Maps)	Consent	Art. 6(1)(a)
Cookies (non-essential)	Consent	Art. 6(1)(a)

Changes to the Privacy Policy

Gustaio reserves the right to change this Privacy Policy at any time in compliance with the applicable data protection regulations and other legal provisions.

Legal Information

Select a Document

Privacy Policy

Data Controller

Which personal data do we use?

Ordering process

Experience booking process

Health-related data (dietary preferences and allergens)

Guest preferences

Prevention of fraud

Analysis

Age

How long is the data stored?

Forwarding to restaurants

Disclosure of your data

Vercel

Google Maps

Firebase

Stripe

PayPal

Google Cloud Platform (Vertex AI)

OpenStreetMap

Push Notifications

Server Log Data

Use of Cookies

Your Rights

International Data Transfers

Automated Decision-Making

Summary of Legal Bases

Changes to the Privacy Policy

Legal Information

Select a Document

Privacy Policy

Data Controller

Which personal data do we use?

Ordering process

Experience booking process

Health-related data (dietary preferences and allergens)

Guest preferences

Prevention of fraud

Analysis

Age

How long is the data stored?

Forwarding to restaurants

Disclosure of your data

Vercel

Google Maps

Firebase

Stripe

PayPal

Google Cloud Platform (Vertex AI)

OpenStreetMap

Push Notifications

Server Log Data

Use of Cookies

Your Rights

International Data Transfers

Automated Decision-Making

Summary of Legal Bases

Changes to the Privacy Policy