Privacy Policy
Last updated: June 2026
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and the Maltese Data Protection Act (Cap. 586) is:
ClarityBuilds Ltd
Registration Number: C 113250 (Malta Business Registry)
VAT Number: MT32239919
Director: Christian Bakker
Centris Business Gateway, Level 4/W
Triq is-Salib tal-Imriehel, Zone 3
Central Business District
Birkirkara, CBD 3020, Malta
Email: info@dealsdelivery.com
2. Data Protection Officer
The appointment of a Data Protection Officer is not required. ClarityBuilds Ltd does not meet any of the criteria set out in Art. 37(1) GDPR: the core activities consist neither of the large-scale regular and systematic monitoring of individuals nor of the large-scale processing of special categories of personal data. Maltese law (Cap. 586) does not impose any additional obligation on companies of this size.
For any data protection inquiries, please contact: privacy@dealsdelivery.com
3. Overview of Data Processing
DealsDelivery.com is a platform that aggregates current offers and deals from food delivery services and presents them to you in a clear overview. Below we provide detailed information about the type, scope and purpose of the processing of personal data.
4. Server Log Files
When you visit our website, the server automatically collects and stores information in server log files: IP address, browser type and version, operating system, referrer URL, date and time of access, and HTTP status code.
Purpose: Delivery of the website, ensuring system stability and security, error analysis.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring IT security, detecting and preventing attacks, and maintaining system stability.
Retention period: 30 days. Longer retention only occurs for the investigation of specific security incidents.
5. Hosting (Microsoft Azure)
Our website is hosted on Microsoft Azure App Service. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA.
The servers are located in the Azure region “West Europe” (Netherlands).
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the reliable and secure provision of our website.
Third country transfer: Microsoft may access data from the USA in the context of support services. The transfer is based primarily on the EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR); Microsoft Corporation is certified under the Data Privacy Framework. For any transfers not covered by the Data Privacy Framework, Standard Contractual Clauses apply as a fallback (Art. 46(2)(c) GDPR).
We have concluded a Data Processing Agreement with Microsoft pursuant to Art. 28 GDPR.
6. Cookies and Consent Management
6.1 Strictly Necessary Cookies
We currently use a single cookie:
| Cookie | Purpose | Retention | Provider |
|---|---|---|---|
| NEXT_LOCALE | Language preference (German/English) | Session | DealsDelivery (first party) |
This cookie is strictly necessary and is set without consent. Legal basis: Art. 5(3) of the ePrivacy Directive 2002/58/EC, transposed into Maltese law by Regulation 10 of the Processing of Personal Data (Electronic Communications Sector) Regulations (S.L. 399.35).
6.2 Consent-Based Cookies
Services such as Google Analytics and the Google Ads conversion and remarketing tag (see section 11) set cookies or use comparable technologies that are only activated after your explicit consent. Consent is obtained via our cookie consent banner.
Legal basis: Art. 6(1)(a) GDPR in conjunction with Art. 5(3) ePrivacy Directive 2002/58/EC (Regulation 10 S.L. 399.35, Malta).
You can withdraw your consent at any time via the cookie banner or by adjusting your browser settings.
7. Local Storage (localStorage)
When you select a city, this selection is stored in your browser’s localStorage (city name, coordinates, country). The city selection alone is not transmitted to our server.
Purpose:User-friendly experience — you do not need to select the city again on subsequent visits.
Legal basis:Art. 5(3) ePrivacy Directive (S.L. 399.35, Malta) — strictly necessary for the service you have requested.
Deletion: You can delete this data at any time via your browser settings.
8. Geocoding and Address Search
When you enter an address, the search text is transmitted to external geocoding services. Your IP address is also transmitted to the respective service.
8.1 OpenStreetMap Nominatim
Provider: OpenStreetMap Foundation (OSMF), St John’s Innovation Centre, Cowley Road, Cambridge CB4 0WS, United Kingdom.
Third country transfer: Adequacy decision of the European Commission for the United Kingdom (Art. 45 GDPR).
Privacy policy: osmfoundation.org/wiki/Privacy_Policy
8.2 Photon (Komoot)
Provider: komoot GmbH, Friedrich-Wilhelm-Boelcke-Strasse 2, 14473 Potsdam, Germany. Processing within the EEA.
Privacy policy: komoot.de/privacy
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in providing a location-based restaurant search, which constitutes the core purpose of our service.
Storage: We do not store your geocoding queries on our own servers.
9. Restaurant Images
The restaurant images displayed on our website are cached by us and served from our own servers. No hotlinking takes place — your browser loads the images from our servers, not from the servers of the delivery platforms. Your IP address is not transmitted to the original platforms.
Legal basis:Art. 6(1)(f) GDPR. Our legitimate interest lies in the visually appealing presentation of restaurant offers and the protection of our users’ privacy by avoiding direct data transmission to third-party platforms.
Retention period: Maximum 24 hours, followed by automatic deletion and re-fetching.
10. Platform Logos (logo.dev)
To display the logos of delivery platforms, we embed images from img.logo.dev. When fetching these images, your IP address is transmitted to the provider.
Provider: HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the visual identification of delivery platforms for better orientation.
Third country transfer: EU-US Data Privacy Framework (Art. 45 GDPR). HubSpot is certified under the Data Privacy Framework.
Privacy policy: legal.hubspot.com/privacy-policy
11. Google Analytics and Google Ads
We use Google Analytics 4 (measurement ID G-6MWFS11CJL) for reach and usage analysis, as well as the Google Ads conversion and remarketing tag (conversion ID AW-18172020526) to measure the success of our advertising campaigns and to build remarketing audiences. Both services use cookies and similar technologies.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Purpose: Reach and usage analysis, conversion measurement, and remarketing.
Data collected: Usage and device data, IP address, pseudonymous identifiers (cookie identifiers), and the consent signals you set via the cookie consent banner (analytics_storage, ad_storage, ad_user_data, ad_personalization).
Consent control (Google Consent Mode v2):The gtag tags are present on the page but remain inactive until you consent: without consent they set no cookies and transmit no personal data. The consent signals named above are set to “denied” by default; only upon your consent are they switched to “granted” and the tags activated.
Legal basis: Exclusively based on your consent (Art. 6(1)(a) GDPR in conjunction with Art. 5(3) ePrivacy Directive / S.L. 399.35 Malta).
Third country transfer: Insofar as data is transferred to Google LLC, USA, the transfer is based primarily on the EU-US Data Privacy Framework (adequacy decision of the European Commission pursuant to Art. 45 GDPR); Google LLC is certified under the Data Privacy Framework. For any transfers not covered by the Data Privacy Framework, Standard Contractual Clauses apply as a fallback (Art. 46(2)(c) GDPR).
Withdrawal and opt-out: Cookie banner or Google Ads Settings.
Privacy policy: policies.google.com/privacy
12. Account, Sign-in, and Payment Processing
An account is required to use the personalised feed. Sign-in works via magic link: you provide your email address and receive a one-time sign-in link; no password is set. Data processed: email address, delivery address, subscription or trial status.
Legal basis (account): Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures).
The Subscription is subject to a charge (4.99 EUR per month or 39 EUR per year); a fourteen-day free trial without entering payment details is available to get started.
Payment processing (Stripe):The subscription and service contract is with the Operator (ClarityBuilds Ltd); the Operator is the seller of the Subscription and issues invoices and receipts itself. For payment processing we use the payment service provider Stripe; the EU contracting party is Stripe Payments Europe, Limited (SPEL), 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Stripe processes the data required for the payment process (in particular payment and billing data) and, for the payment processing, is a separate controller under data protection law in accordance with its own privacy policy; contractually, Stripe does not become a party to the Subscription (see Terms § 5).
We do not store any credit card data. Payment data is processed directly by Stripe.
Legal basis (payment): Art. 6(1)(b) GDPR (performance of a contract). Fraud prevention by Stripe: Art. 6(1)(f) GDPR.
Third country transfer: Stripe Payments Europe, Limited is a company established in the EEA (Ireland). Insofar as Stripe transfers data to Stripe, Inc. in the USA, the transfer is based on the adequacy decision under the EU-US Data Privacy Framework (Art. 45 GDPR) or on Standard Contractual Clauses (Art. 46 GDPR).
Retention period: For the duration of the contractual relationship, followed by deletion unless Maltese retention obligations apply (Income Tax Act Cap. 123 and Companies Act Cap. 386: up to 9 years for tax-relevant records).
Privacy policy: stripe.com/privacy
13. Contact and Deal email (Email)
13.1 Contact
When you contact us by email, your email address, name (if provided) and the content of your message are stored.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in responding to your inquiries and maintaining the business relationship. For contract-related inquiries: Art. 6(1)(b) GDPR.
Retention period: Your inquiry and the associated data will be deleted after final processing, unless retention is required for the fulfilment of legal obligations or for the establishment, exercise or defence of legal claims.
13.2 Deal email (email digest for signed-in users)
The deal email is a setting in your user account. When you turn it on, we email you the best deals near you at the frequency you choose (daily, every three days or weekly) to your account email address. For this we store your chosen frequency and, if set, your cuisine filter. Your delivery address and email address are already processed as part of your account (see the account and sign-in section).
Legal basis: Art. 6(1)(a) GDPR (your consent, given by turning on the deal email).
Retention / unsubscribe: You can switch the deal email off at any time in your account or via the unsubscribe link at the bottom of every email; it takes effect immediately.
Delivery: Emails are sent via our email service provider IONOS SE (Montabaur, Germany).
14. Your Rights as a Data Subject
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether and which personal data we process.
- Right to rectification (Art. 16 GDPR): You have the right to rectification of inaccurate data.
- Right to erasure (Art. 17 GDPR): You have the right to erasure of your data, provided the legal requirements are met.
- Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of processing.
- Right to data portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used and machine-readable format.
- Right to object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, to the processing based on Art. 6(1)(f) GDPR.
To exercise your rights, please contact: privacy@dealsdelivery.com. We will process your request within one month (Art. 12(3) GDPR).
15. Withdrawal of Consent
Where processing is based on your consent (Art. 6(1)(a) GDPR), you may withdraw it at any time with effect for the future, without affecting the lawfulness of processing carried out prior to the withdrawal (Art. 7(3) GDPR).
Cookie withdrawal: Via the cookie consent banner on our website.
Other withdrawal: By email to privacy@dealsdelivery.com.
16. Right to Lodge a Complaint with a Supervisory Authority
Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data violates the GDPR.
The supervisory authority responsible for us is:
Office of the Information and Data Protection Commissioner (IDPC)
Floor 2, Airways House
High Street
Sliema SLM 1549
Malta
Website: idpc.org.mt
Email: idpc.info@idpc.org.mt
You may also lodge a complaint with the supervisory authority of your habitual residence, your place of work, or the place of the alleged infringement (Art. 77(1) GDPR).
17. Obligation to Provide Data
The provision of personal data is neither legally nor contractually required. However, not providing it may result in you being unable to use our website or its full range of features (e.g. no address search without entering an address, no account and no personalised feed without an email address, no paid Subscription without payment data).
18. Automated Decision-Making
No automated decision-making, including profiling, within the meaning of Art. 22 GDPR takes place.
19. SSL/TLS Encryption
Our website uses SSL/TLS encryption. You can recognise an encrypted connection by “https://” in your browser’s address bar and the lock icon.
20. Changes to this Privacy Policy
We reserve the right to amend this privacy policy to ensure it always complies with current legal requirements or to reflect changes to our services. The version in effect at the time of your visit shall apply.
21. Validity
This privacy policy is currently valid as of June 2026.