Data policy

Data relating to the use of our services

Personal data relating to the Customer, collected in particular when Administrator Accounts are created, is processed by the Service Provider for the purpose of providing the Services and managing and monitoring the relationship with the Customer.

The Service Provider may transmit the Customer's data to the subcontractors it uses to perform the Services, subject to the Customer's express agreement.

The Service Provider undertakes to keep the data collected only for as long as is necessary for the purpose of processing.

In accordance with the regulations applicable to the protection of personal data and in particular European Regulation n°2016/679 of 27 April 2016 and the Data Protection Act of 6 January 1978 as amended, the Customer has:

- a right of access, rectification, deletion and portability of their data, - a right to limit the processing of their data,

- the right to object to the processing of their data and its use for commercial prospecting purposes,

- the right to define directives concerning the fate of his or her data post-mortem,

- the right not to be subject to automated decision-making, including profiling,

which may be exercised by sending a letter to the address of the Service Provider's establishment as referred to in the terms of comparison hereof. The Customer may also lodge a complaint with the Commission Nationale Informatique et Libertés ("CNIL").

Data relating to Users

The Service Provider undertakes to comply with the undertakings set out in this clause and to ensure that its permanent and non-permanent staff and any subcontractors comply with the terms thereof, in particular by passing on to them undertakings similar to those set out below.

The purpose of this clause is to define the conditions under which the Service Provider undertakes to carry out the operations defined below on behalf of the Customer, who is responsible for processing Users' personal data.

In this context, the Parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable from 25 May 2028 (or hereinafter the "GDPR").

The Service Provider is authorised to process, on behalf of the data controller, the Customer, the personal data of Users required to provide the Services subscribed to.

The nature of the operations performed on the data is recording, organisation, structuring, storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The purpose of the processing is the performance of the Service Provider's obligations to the Customer, as stipulated herein or in any documentation or appendix brought to the Customer's attention.

The User's data is that which is initially collected by the Customer when the User creates a personal account to use the Application, plus that which is necessary for the performance of these Terms and Conditions. The data concerned is the surname, first name, date of birth, profile photo, food preferences, mobile phone number, email address, bank details and TRD information. For the performance of this Agreement, the Customer undertakes to provide the Service Provider with the aforementioned information, in addition to any other information that may prove necessary during the performance of this Agreement.

The Service Provider undertakes to:

1. process the data solely for the sole purpose(s) for which it is outsourced;

2. process the data in accordance with the data controller's documented instructions. If the processor considers that an instruction constitutes a breach of the European Data Protection Regulation or of any other provision of Union or Member State law relating to data protection, it shall immediately inform the controller. In addition, if the processor is obliged to transfer data to a third country or to an international organisation, by virtue of Union law or the law of the Member State to which it is subject, it must inform the controller of this legal obligation prior to processing, unless the law concerned prohibits such information on important grounds of public interest.

3. guarantee the confidentiality of personal data processed under this contract;

4. ensure that persons authorised to process personal data under this contract :

- undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality

- receive the necessary training in the protection of personal data

5. to take into account, with regard to its tools, products, applications or services, the principles of data protection by design and data protection by default;

6. Sub-contracting: the Service Provider, the sub-contractor, may call upon another sub-contractor (hereinafter referred to as "the sub-contractor") to carry out specific processing activities.

The subsequent processor is required to comply with the obligations of this contract on behalf of and in accordance with the instructions of the controller. It is the responsibility of the initial processor to ensure that the subsequent processor presents the same sufficient guarantees regarding the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the European Data Protection Regulation. If the subsequent processor does not fulfil its data protection obligations, the original processor remains fully liable to the controller for the performance by the other processor of its obligations.

In the event of recourse to a subsequent sub-contractor, the Service Provider shall inform the data controller in advance and in writing of any change envisaged concerning the addition or replacement of other sub-contractors. The data controller has a minimum of FIFTEEN (15) DAYS from the date of receipt of this information to present its objections.

Such subcontracting may only be carried out if the data controller has not raised any objections within the agreed period.

The Customer, the data controller, is hereby informed that, for the time being, the Service Provider uses the following service providers to ensure the payment of User Orders: EDENRED FRANCE, (S.A.S. au capital de 464.966.992 €, dont le siège social est situé 166-180, boulevard Gabriel Péri, 92240 Malakoff - 393 365 135 R.C.S. Nanterre ; SWILE (S.A.S. au capital de 49.171.20, having its registered office at 7 centre, Immeuble l'Atlis, Bâtiment A, 561 rue Georges Meliés - 34000 Montpellier, registered with the Montpellier Trade and Companies Register under no. 824 012 173; OCTOPLUS, a simplified joint stock company with capital of €88.593.70, having its registered office at 33, Rue du Temple, 75004 Paris, registered in the Paris Trade and Companies Register under number 531 601 136 RCS Paris; UP, Société Coopérative et Participative à forme Anonyme et à capital variable, registered in the NANTERRE Trade and Companies Register under number 642 044 366, having its registered office at Z.A.C. des Louvresses, 27-29 avenue des Louvresses - 92230 GENNEVILLIERS; SODEXO PASS FRANCE, a Société Anonyme with share capital of €61,623,908, registered with the Nanterre Trade and Companies Registry under number 340 393 065, having its registered office at 19 Rue Ernest Renan, 92022 Nanterre Cedex; NATIXIS INTERTITRES, a Société Anonyme with share capital of €380.800, registered in the PARIS Trade and Companies Register under no. B 718 503 386, having its registered office at 30, avenue Pierre Mendès France 75013 Paris; AGENCE NATIONALE CHEQUES VACANCES, having its registered office at 36, Bd Henri Bergson - 95200 Sarcelles.

7. It is the responsibility of the data controller to provide information to data subjects at the time of data collection.

8. Where data subjects make requests to the data processor to exercise their rights, the data processor shall send such requests immediately upon receipt by e-mail to Pokawa's contact address.

9. The processor shall notify the controller of any personal data breach within a maximum of TWENTY-FOUR (24) hours of becoming aware of it by any means. This notification shall be accompanied by any useful documentation to enable the data controller, if necessary, to notify this breach to the competent supervisory authority.

10. Subject to the stipulations of article 7.1 above, the subcontractor undertakes to implement the following safety measures:

- pseudonymisation and encryption of personal data

- the means of guaranteeing the confidentiality, integrity, availability and resilience of processing systems and services at all times;

- the means to restore the availability of personal data and access to it within an appropriate timeframe in the event of a physical or technical incident, subject to having subscribed to the support option;

11. Upon completion of the services relating to the processing of such data, the sub-processor undertakes to: (choose) (i) destroy all personal data or (ii) return all personal data to the controller or (iii) return the personal data to the processor appointed by the controller ;

12. The processor declares that it keeps written records of all categories of processing activities carried out on behalf of the controller;

13. The data controller undertakes to :

- provide the sub-contractor with the data required by the Service Provider in accordance with the terms and conditions set out herein.

- document in writing any instructions concerning data processing by the processor.

- ensure that the processor complies with the obligations set out in the European Data Protection Regulation beforehand and throughout the processing period.

- supervise processing, including carrying out audits and inspections of the processor.

The Customer is therefore responsible for the processing of Users' personal data carried out by the Service Provider for the performance of these Terms and Conditions.

The Service Provider, for its part, is directly liable for any actions of its subcontractors that do not comply with the state of the art or the relevant regulations.

The Service Provider undertakes not to exploit or use, copy or create files of the Customer's data for its own purposes or on behalf of third parties.

At the Customer's request, the Service Provider undertakes to specify at any time the geographical locations of data processing, storage and transit that will be used to provide the Services to the Customer so that the Customer can comply with the applicable legal requirements.

The Service Provider also undertakes to:

- use its best endeavours, in its own name and in the name and on behalf of any subcontractors, to collaborate with and assist the Customer, in particular by providing it with any useful information to enable it to comply with the legal requirements or those of the regulators concerning the protection of personal data, or by organising the implementation, where applicable, of the rights of access, rectification, etc., granted to the Customer's customers;

- take all necessary measures to protect the security and confidentiality of data and personal data, particularly in the event of processing, storage, archiving or transfer to countries outside the European Union that are not considered to have "adequate" protection of personal data according to an official decision of the European Commission.

If the subcontractor is located in countries outside the European Union which do not have an adequate level of protection, the Service Provider undertakes to ensure that the subcontractor adheres to all the provisions of this Article and to the contractual clauses for the transfer of Personal Data to subcontractors established in third countries in the context of the aforementioned legislation and regulations, by signing a specific Contract relating to the transfer of Personal Data to a country outside the European Union which does not have an adequate level of protection, a model of which will be sent by the Customer.

This contract will be signed by three parties: the Customer (data controller), the Service Provider (data exporter) and the non-EU processor (data importer).