Data Processing Agreement (DPA)

pursuant to GDPR Article 28

Last updated: April 2026

Data Controller

The customer who registers a Gastrolie account and uses the service (hereinafter "Controller").

Data Processor

Gastrolie, owner Timur Aynacı, Krifteler Straße 15, 60326 Frankfurt am Main, Germany (hereinafter "Processor" or "Gastrolie").

§ 1 Subject Matter and Duration

The Processor processes personal data on behalf of the Controller in connection with the provision of the Gastrolie platform. Processing includes the storage, organization, retrieval, and provision of data entered by the Controller into the platform.

The duration of processing corresponds to the term of the service agreement. After termination, data will be deleted within 90 days, unless statutory retention obligations apply.

§ 2 Nature and Purpose of Processing

Processing is carried out solely for the purpose of providing the contractually agreed services:

  • User management and authentication
  • Audit and inspection data
  • Financial and cash report data
  • Workforce management (shifts, attendance)
  • Ticket management and task tracking
  • Notifications and communication
  • Reporting and analytics

§ 3 Types of Personal Data

The following categories of personal data are processed:

  • Identity data: Name, email address, phone number
  • Access data: Password (hashed), 2FA configuration
  • Usage data: Login times, IP addresses, device information
  • Employment data: Check-in/check-out times, shift schedules, payroll
  • Content data: Audit results, comments, uploaded photos

§ 4 Categories of Data Subjects

  • Employees of the Controller (platform users)
  • Administrators and managers
  • External inspectors and auditors

§ 5 Obligations of the Processor

  • Process data only on documented instructions from the Controller
  • Ensure that persons authorized to process data are bound by confidentiality
  • Implement all necessary technical and organizational measures pursuant to Art. 32 GDPR
  • Not engage sub-processors without prior consent of the Controller
  • Assist the Controller in fulfilling obligations regarding data subject rights
  • Delete or return all personal data after the end of processing
  • Make available all information necessary for audits and inspections

§ 6 Technical and Organizational Measures

The Processor has implemented the following measures:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access control: Role-based access control (RBAC) with 25+ roles
  • Tenant isolation: Logical separation of all customer data via tenant ID
  • Logging: Complete audit trail of all access and modifications
  • Backup: Automatic daily backups with 30-day retention
  • Availability: Container-based infrastructure with automatic restart
  • Pseudonymization: Ability to anonymize data upon deletion requests
  • Resilience: Isolated container environment with resource limits

§ 7 Sub-processors

The following sub-processors are used:

  • Hetzner Online GmbH, Gunzenhausen, Germany — Server hosting and infrastructure
  • Amazon Web Services (AWS SES), EU Region — Email delivery
  • Stripe, Inc. — Payment processing (paid plans only)
  • OpenAI, Inc. — AI features (anonymized data only, no personal data)

The Controller consents to the use of the above sub-processors. The Controller will be informed in advance of any new sub-processors.

§ 8 Breach Notification

The Processor shall notify the Controller without undue delay of any personal data breach. The notification shall include at minimum:

  • Nature of the breach and affected data categories
  • Approximate number of affected individuals and records
  • Description of likely consequences
  • Description of measures taken to address the breach

§ 9 Data Subject Rights

The Processor assists the Controller in fulfilling data subject rights:

  • Right of access (Art. 15 GDPR) — Data export function in platform
  • Right to rectification (Art. 16) — Users can modify their own data
  • Right to erasure (Art. 17) — Anonymization and deletion via settings
  • Right to data portability (Art. 20) — JSON export of all personal data
  • Right to restriction (Art. 18) — User account deactivation

§ 10 Data Transfers

Processing takes place exclusively within the European Union. Servers are located in Germany (Hetzner, Gunzenhausen). No transfer to third countries occurs, unless the Controller uses features requiring such transfer (e.g., OpenAI for AI analysis). In such cases, only anonymized data is transmitted.

§ 11 Term and Termination

This DPA applies for the duration of the Gastrolie platform usage. Upon termination, all personal data will be deleted within 90 days. Upon request, the Controller will receive a complete data export before deletion.

§ 12 Final Provisions

German law applies. Place of jurisdiction is Frankfurt am Main. Amendments to this DPA require written form. Should individual provisions be invalid, the validity of the remaining provisions shall not be affected.

Contact for Data Protection Inquiries

datenschutz@gastrolie.com

Gastrolie, Owner: Timur Aynacı, Krifteler Straße 15, 60326 Frankfurt am Main, Germany
