Privacy Policy
Last updated: May 2026
Version 2026-05-05. This policy is written to satisfy Articles 12–14 of the General Data Protection Regulation (EU 2016/679, "GDPR"). If any section conflicts with mandatory local law (including the Lithuanian Law on Legal Protection of Personal Data, "ADTAĮ", and the Law on Electronic Communications), the local law prevails.
1. Data controller & contact
The data controller for personal data processed through the Cooqly marketplace, web app, and connected services (together, the "Platform") is MB SellixNet, a Lithuanian small partnership (MB) registered in the Republic of Lithuania. Full legal details — company code, VAT number and registered address — are published on our Rekvizitai page. References to "Cooqly", "we", "us" or "our" mean this controller.
You can reach us about this policy, or to exercise any data-subject right below, at:
- Email: support@cheffys.eu (or use the contact form on Help).
- Postal: MB SellixNet, Vilnius, Lithuania. A specific street address will be provided on written request.
We have not appointed a Data Protection Officer because we do not meet the mandatory thresholds in GDPR Article 37. The privacy mailbox above is monitored by a responsible officer inside the company.
2. What data we collect
The categories of personal data we process are:
- Account data — email address, full name, password hash, and profile role (customer or chef). Provided by you at sign-up.
- Chef onboarding data — business/license details, bio, specialty, service area, Stripe Connect account identifier, bank/payout data held by Stripe on our behalf.
- Order & delivery data — delivery address, phone number, delivery window, allergen acknowledgement, order notes, meal selections, timestamps.
- Payment data — handled by Stripe Payments Europe, Ltd. We receive only the last four digits of the card, the PaymentIntent id, the Checkout Session id, and refund metadata. We never see the full card number.
- Communications — transactional emails (Resend), support tickets, and live-session chat messages.
- Technical data — IP address, user-agent, device type, rough geolocation inferred from IP, cookie/session identifiers, product telemetry, and (where enabled) error diagnostics. Browser-side crash reporting via Sentry is loaded only when you opt in to analytics cookies. Server-side Sentry (see below) may process error payloads without that same cookie consent.
- Operational and support records — in-app notifications, consent history, webhook reconciliation/review entries, and customer-support tickets needed to run and secure the platform.
- Live-stream data — session metadata, viewer counts, stream playback identifiers. We do not record sessions unless the chef explicitly opts in.
A table-by-table inventory with legal basis and retention targets is maintained in docs/architecture/DATA_MAP.md. For GDPR erasure, portability, subprocessors, and technical gaps, see docs/audits/GDPR_AUDIT.md.
3. Purposes & legal bases (GDPR Art. 6)
| Purpose | Legal basis | Retention |
|---|---|---|
| Create and manage your account, authenticate you | Contract (Art. 6(1)(b)) | Until account closure + 30 days for restoration |
| Process orders, coordinate delivery, notify chefs | Contract (Art. 6(1)(b)) | 10 years (Lithuanian accounting law) |
| Tax, accounting, invoicing | Legal obligation (Art. 6(1)(c)) | 10 years |
| Fraud prevention, disputes, refund audit | Legitimate interests (Art. 6(1)(f)) | 3 years from the last relevant event |
| Send transactional email (order status, receipts) | Contract (Art. 6(1)(b)) | Log retained 18 months |
| Marketing email, waitlist follow-ups | Consent (Art. 6(1)(a)) | Until consent withdrawn |
| Analytics & product telemetry | Consent (cookie banner) | 13 months rolling |
| Server-side error monitoring (Sentry on our Node/Edge runtimes) | Legitimate interests (Art. 6(1)(f)) — network and information security, service reliability, and incident response. This is not tied to the optional analytics cookie; it runs on our servers to detect faults and abuse the same way application logs do. | Per Sentry project settings (typically 90 days) |
| Crash reporting, abuse detection, security logs | Legitimate interests | 90 days |
4. Recipients & processors
We share personal data with processors acting on our instructions under GDPR-compliant contracts:
- Supabase (Supabase, Inc., USA, with EU data residency) — application database, storage and authentication.
- Stripe Payments Europe, Ltd. (Ireland) — payment processing and Stripe Connect payouts. Stripe is an independent controller for anti-fraud and regulatory purposes.
- Resend Labs, Inc. (USA) — transactional email delivery.
- Mux Data, Inc. (USA) — live-streaming video infrastructure.
- Sentry (Functional Software, Inc., USA) — error monitoring.
- Anthropic (Anthropic PBC, USA) — optional AI coaching / recipe assistance. Prompts are sent only through server-side API routes; no Anthropic keys are exposed to the browser.
- Plausible Analytics (Plausible Insights OÜ, EU) — privacy-friendly web analytics, loaded only if you consent to analytics cookies.
- Vercel Inc. (USA, EU region) — application hosting.
- Upstash, Inc. (USA/EU) — rate-limit counters (non-PII keys).
We also disclose order-fulfilment details to the specific chef who is preparing your order. We do not sell personal data.
5. International transfers
Some processors are based in, or operate services from, countries outside the European Economic Area. Where we transfer data outside the EEA we rely on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where applicable, the EU–US Data Privacy Framework. Copies of the transfer mechanism for a specific processor are available on written request.
6. Automated decision-making
We do not carry out automated decision-making with legal or similarly significant effects within the meaning of GDPR Article 22. Recommendation surfacing (e.g. "popular chefs") is a content ranking and does not create legal consequences for you.
Your data: export and account deletion
Under the GDPR you have the right of access (including a portable copy) and the right to erasure where the law permits. Signed-in customers can use the tools below. For any request they do not cover, write to us at the privacy mailbox.
Download a copy of your data
Generates a JSON file with the personal data linked to your account (profile, orders as a customer, cart, favorites, follows, reviews, and related records). You must be signed in.
Open data export →
Delete your account
Permanently closes your Cooqly account, anonymizes past orders for accounting purposes, and deletes data we are not required to retain by law. This cannot be undone. You must sign in and confirm on the next page.
Start account deletion →
These pages require an active session. If you are not signed in, we will redirect you to the sign-in page.
7. Your rights
Subject to the conditions of the GDPR, you have the right to:
- Access your personal data (Art. 15);
- Rectify inaccurate or incomplete data (Art. 16);
- Request erasure (Art. 17), subject to our statutory retention obligations;
- Restrict or object to processing (Art. 18 & 21);
- Receive your data in a portable format (Art. 20);
- Withdraw consent at any time without affecting past processing;
- Lodge a complaint with a supervisory authority.
In Lithuania the competent supervisory authority is the Valstybinė duomenų apsaugos inspekcija (VDAI), L. Sapiegos 17, Vilnius. You may lodge a complaint with the authority in your EU/EEA country of residence or place of work.
Important distinction: the VDAI route concerns personal data processing. Complaints about orders, payments, refunds, food quality, or chef conduct are handled under our Terms of Service (including cancellations, disputes, and out-of-court options described there), not as a GDPR complaint to the VDAI.
To exercise any of these rights, email support@cheffys.eu. We respond within one month (GDPR Art. 12(3)), extendable by a further two months for complex requests.
8. Security
We use TLS in transit, encryption at rest through our processors, scoped service credentials, row-level security on customer-facing database tables, least-privilege admin access, and audit logs. Incidents that meet the GDPR threshold are reported to the VDAI within 72 hours and, where legally required, to affected users.
9. Cookies
See our dedicated Cookie Policy for the list of cookies, their purposes and retention.
10. Children
Cooqly is not directed at children under 16. If you believe we hold data about a minor without valid consent, contact support@cheffys.eu and we will delete it.
11. Changes to this policy
We may update this policy to reflect legal or operational changes. Material changes will be announced by email and by an in-app banner. Version: 2026-05-05.