This Privacy Policy is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "General Data Protection Regulation" or "GDPR"), the German Federal Data Protection Act (Bundesdatenschutzgesetz 2018, "BDSG"), and the German Telecommunications-Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutzgesetz 2021, "TTDSG"). It sets out, in complete and unambiguous terms, how Streat Grocery collects, uses, stores, discloses, and protects your personal data when you use the loyalty programme application.
Please read this policy carefully. If you have questions, contact us at info@streatgrocery.com before using the service.
The natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data (the "Controller") within the meaning of Art. 4(7) GDPR is:
Streat Grocery
Hofmannstr 43, 81379 Munich
Email (general): info@streatgrocery.com
Email (data protection): info@streatgrocery.com
Phone: +4915213381322
The Controller does not currently meet the mandatory threshold for appointing a Data Protection Officer under Art. 37 GDPR read with § 38 BDSG (neither systematically processing special categories of data on a large scale, nor carrying out large-scale monitoring of individuals). All data protection enquiries should therefore be directed to info@streatgrocery.com, which is monitored by the person responsible for data protection within the organisation.
This policy applies to all personal data processing carried out by Streat Grocery in connection with the operation of the digital loyalty programme accessible via the application at Streat Grocery Loyalty App. It applies to registered customers, persons who have commenced the registration process, and visitors who access the public-facing pages of the application (login, policy pages) without creating an account.
This policy does not apply to processing activities conducted by third-party processors on their own account or on behalf of other controllers. Where we engage third-party processors, they are listed in Section 11 with links to their own privacy documentation.
This policy is provided in English. In the event of any inconsistency between a translation and the English text, the English text shall prevail. This policy is governed by German law and the GDPR.
For the purposes of this policy, the following terms have the meanings set out below:
We apply the principle of data minimisation (Art. 5(1)(c) GDPR): we collect only the personal data that is strictly necessary for each specified purpose. The table below lists every category of personal data we process, the specific data elements, the source, and whether provision is mandatory or optional.
| Category | Data elements | Source | Mandatory? |
|---|---|---|---|
| Identity data | First name, last name | You, at registration | Yes — required to operate your account |
| Contact data | Email address, mobile phone number | You, at registration | Yes — email required for authentication; phone required for account identification |
| Address data | Street address, apartment/floor, postal code, city, country | You, at registration or profile update | No — used to personalise local offers if provided |
| Optional profile data | Date of birth, wedding anniversary date, Indian state of origin (used to personalise culturally relevant offers for South Asian customers who choose to provide it) | You, voluntarily via profile page | No — processing requires your separate consent; removing these fields withdraws consent |
| Loyalty account data | Current stamp balance, lifetime stamps, total spend, total receipts submitted, total lifetime savings, last purchase date, vouchers issued and redeemed | Generated through your use of the service | Yes — core to the loyalty programme contract |
| Transaction data | Receipt images (photograph), extracted invoice number, invoice date, purchase total, line-item product names and prices, stamps awarded per receipt, rejection reasons | You (image upload); automated extraction and staff review | Yes — required to verify purchases and award stamps |
| Voucher data | Voucher code, voucher type, monetary value, issue date, expiry date (if applicable), redemption date, redeemed-by staff identifier | Generated automatically upon reaching reward threshold; updated on redemption | Yes — necessary to issue and honour rewards |
| Stamp adjustment data | Stamps delta, balance before and after, reason for adjustment, staff identifier, timestamp | Generated by authorised staff action | Yes — mandatory audit trail for all balance changes |
| Authentication data | One-time passcode (OTP) hashed value, OTP expiry timestamp (OTPs expire after 10 minutes), session token (hashed), session expiry timestamp | Generated by the system on each login attempt | Yes — necessary for secure access control |
| System and audit data | Actor role, action type, target entity type and identifier, action timestamp — recorded for all privileged operations (approvals, rejections, stamp adjustments, voucher redemptions, account deletions) | Automatically generated by the audit logging system | Yes — mandatory for operational integrity |
| Technical data | Session cookie identifier, session creation and expiry timestamps | Automatically generated upon login | Yes — strictly necessary for service functionality |
We do not process special categories of personal data within the meaning of Art. 9(1) GDPR, including health data, genetic data, biometric data used for unique identification, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning sex life or sexual orientation.
We do not collect or process any payment card data. No financial instrument data of any kind passes through or is stored by this application.
Every processing activity is grounded in a specific and identified legal basis under Art. 6 GDPR. Where processing serves multiple purposes, each purpose and its legal basis is stated separately. We will not process your personal data for purposes incompatible with those stated below (Art. 5(1)(b) GDPR — purpose limitation).
| Processing purpose | Data categories used | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Creating and maintaining your loyalty account; operating your stamp balance; generating your loyalty card and QR code | Identity, contact, loyalty account | Art. 6(1)(b) — performance of the contract between you and us (the loyalty programme Terms of Service) |
| Verifying purchase receipts and awarding stamps based on verified spend | Transaction data (receipt image, extracted fields), loyalty account | Art. 6(1)(b) — contract performance |
| Issuing reward vouchers when stamp thresholds are reached | Loyalty account, voucher data | Art. 6(1)(b) — contract performance |
| Processing voucher redemptions at the point of sale | Voucher data, loyalty account, stamp adjustment data | Art. 6(1)(b) — contract performance |
| Sending OTP authentication codes via email | Contact data (email), authentication data | Art. 6(1)(b) — contract performance (necessary for passwordless login) |
| Enabling staff to review disputed or unclear receipt images | Transaction data, identity data | Art. 6(1)(b) — contract performance (ensuring accurate stamp allocation) |
| Detecting and preventing duplicate receipt submissions, fraudulent receipts, and programme abuse | Transaction data (invoice number, date, amount), identity data | Art. 6(1)(f) — legitimate interests: protecting the financial integrity of the programme and the interests of all honest participants. See Section 6 for the balancing test. |
| Maintaining an immutable audit log of all privileged operations for accountability and dispute resolution | System and audit data | Art. 6(1)(f) — legitimate interests: operational security and the ability to investigate and resolve disputes fairly. See Section 6. |
| Retaining financial transaction records to comply with statutory accounting and tax obligations | Transaction data (amounts, dates), voucher data, identity data (for attribution) | Art. 6(1)(c) — compliance with a legal obligation: § 257 Handelsgesetzbuch (HGB) (6-year retention for business correspondence; 10-year retention for accounting documents and vouchers), § 147 Abgabenordnung (AO) (tax record obligations) |
| Sending personalised birthday offers or anniversary-related promotions | Optional profile data (date of birth, anniversary date) | Art. 6(1)(a) — your freely given, specific, informed consent, provided at the moment you voluntarily enter these dates in your profile. You may withdraw consent at any time by deleting these fields (see Section 16). |
| Personalising culturally relevant offers for customers who identify their Indian state of origin | Optional profile data (Indian state) | Art. 6(1)(a) — your freely given consent, provided when you voluntarily supply this field. You may withdraw at any time by deleting the field. |
| Providing analytics on your personal spending patterns and stamp history within the app ("My Spending" view) | Loyalty account data, transaction data | Art. 6(1)(b) — contract performance (this feature is an integral part of the service you signed up for) |
| Responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection) | All categories, as required to fulfil the specific request | Art. 6(1)(c) — compliance with a legal obligation (GDPR Chapter III rights); Art. 6(1)(f) — legitimate interests in maintaining records of how requests were handled |
We will never use your personal data for unsolicited direct marketing, advertising profiling, sale to third parties, or any purpose not listed in the table above.
Where we rely on Art. 6(1)(f) GDPR (legitimate interests), we have conducted a three-part balancing test in accordance with the guidance of the European Data Protection Board (EDPB) and the Article 29 Working Party Opinion 06/2014:
Purpose test: We have a legitimate interest in preventing duplicate receipt submissions, forged receipts, and systematic abuse of the stamp and voucher system. This protects the commercial viability of the programme and the fairness of it for all honest participants.
Necessity test: The processing (comparing invoice numbers, dates, and amounts against previously submitted receipts; checking that the submitting account matches the purchasing store) is strictly necessary for fraud prevention. No less privacy-intrusive method can achieve the same result.
Balancing test: The processing is limited to transactional data that you actively submit to us. We do not monitor your broader spending behaviour outside the receipts you choose to upload. Customers have a reasonable expectation that a loyalty scheme will verify the authenticity of submitted receipts. Our interest is not overridden by your fundamental rights and freedoms.
Purpose test: We have a legitimate interest in maintaining a complete and immutable audit log of all privileged actions (stamp adjustments, approvals, rejections, redemptions, account deletions) so that disputes can be investigated accurately and fairly.
Necessity test: The logging of actor identifier, action type, and timestamp is the minimum required for effective audit. No less intrusive means achieves the same accountability.
Balancing test: Access to audit logs is restricted to senior staff on a need-to-know basis. Logs are retained only for 2 years (see Section 10). Customers benefit from this processing because it is the mechanism that enables disputes to be resolved in their favour. Our interest is not overridden by your rights.
We collect only personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Optional fields (address, date of birth, anniversary date, Indian state) are never required to create or use an account; they are provided solely at your discretion. We periodically review our data collection to assess whether any field has become unnecessary.
Personal data collected for the purposes listed in Section 5 will not be processed for any further purpose unless: (a) you have given specific consent to the new purpose; (b) the further processing is necessary for compliance with a legal obligation; or (c) a compatibility assessment under Art. 6(4) GDPR has determined that the new purpose is compatible with the original purpose, taking into account the nature of the data, the possible consequences for data subjects, and the existence of safeguards. We will inform you before any such further processing takes place.
We take reasonable steps to ensure that personal data we hold is accurate and, where necessary, kept up to date. You are responsible for keeping your profile data current; you may update your name, phone number, and address at any time via My Account → Personal Details. You may also request correction of any data you cannot update yourself (see Section 16). Inaccurate data will be rectified or erased without undue delay upon notification.
When you upload a receipt image, the image is first processed locally on our servers using open-source optical character recognition software. The purpose is to extract the invoice number, invoice date, total purchase amount, and, where possible, individual line items. This extraction enables automated stamp calculation. Extracted text is stored alongside the image to allow staff review.
Where local OCR produces insufficient confidence in the extracted data, the receipt image may be submitted to the Anthropic Claude API, an artificial intelligence vision service, for enhanced extraction. The following terms apply to this processing:
Where automated extraction fails or produces ambiguous results, a receipt is flagged for manual review by an authorised staff member. Staff members who review receipts are bound by confidentiality obligations and have access only to the data necessary for their review task (receipt image, extracted fields, customer account reference — not customer contact details).
The calculation of stamps based on verified spend is an automated process that produces a direct effect on your loyalty account balance. This processing falls within the scope of Art. 22 GDPR (automated decision-making). The legal basis for this automated decision is Art. 22(2)(a) GDPR — it is necessary for the performance of the contract between you and us, as the automated calculation of stamps is the core mechanism of the loyalty programme. You have the right to:
Automated checks compare submitted invoices against our database to identify duplicate submissions. A match results in automatic rejection of the duplicate receipt. This is likewise based on Art. 22(2)(a) GDPR (contract performance — preventing programme abuse), with the same human review rights as in 9.1.
We calculate aggregate statistics on your account (total spend, visit frequency, average basket size, time since last visit) to generate your personal "My Spending" dashboard. These calculations are used only to display your own statistics back to you. We do not currently use these statistics to make decisions about your eligibility for offers or to rank your account differently from other accounts. This processing does not constitute profiling that produces legal or similarly significant effects within the meaning of Art. 22(1) GDPR. We will update this section and notify you if this changes.
We retain personal data only for as long as necessary for the purpose for which it was collected, subject to any mandatory statutory retention obligations. The table below sets out our retention periods and their legal basis in full.
| Data category | Retention period | Legal basis / justification |
|---|---|---|
| Account profile data (name, email, phone, address, optional fields) | For the duration of your active account. Upon account deletion: erased within 30 days (the window is used to process any final in-flight stamp awards or voucher redemptions and to log the deletion event) | Art. 6(1)(b) — contract; erasure pursuant to Art. 17(1)(a) GDPR on account closure |
| Loyalty account data (stamp balances, lifetime figures) | For the duration of your active account; erased within 30 days of account deletion | Art. 6(1)(b) — contract |
| Transaction records: receipt metadata (invoice number, date, amount, stamps awarded, rejection reason) — excluding images | 10 years from the date of the transaction, even after account closure | Art. 6(1)(c) — § 257(1) Nr. 1 HGB (Handelsbücher / accounting records: 10-year statutory obligation); § 147(1) Nr. 1 AO (tax records: 10-year obligation) |
| Receipt images (photograph files) | 12 months from the date of upload, then automatically and permanently deleted | Art. 6(1)(f) — legitimate interest: images are retained for 12 months to enable dispute resolution within a reasonable window. After that period, the extracted metadata is sufficient; retention of the image itself is no longer necessary. |
| Voucher records (issuance and redemption) | 10 years from date of issuance (monetary instruments subject to commercial record-keeping obligations) | Art. 6(1)(c) — § 257(1) Nr. 1 HGB; § 147(1) Nr. 1 AO |
| Business correspondence records (emails we send you relating to your account, including OTP delivery confirmations) | 6 years from creation | Art. 6(1)(c) — § 257(1) Nr. 2 HGB (Handelsbriefe / business correspondence: 6-year statutory obligation) |
| Authentication data (OTP hashes, session tokens) | OTPs: expired and deleted after 10 minutes of issuance. Session tokens: deleted upon logout, or after 30 days if not revoked, or immediately on account deletion. | Art. 6(1)(b) — contract; Art. 6(1)(f) — security (minimal retention) |
| Audit log entries | 2 years from date of creation | Art. 6(1)(f) — legitimate interest: fraud prevention and dispute resolution. 2 years covers the limitation periods for most minor civil and commercial claims under German law (§ 195 BGB standard limitation). |
| Data subject rights request records (evidence that a request was received and how it was handled) | 3 years from date of response | Art. 6(1)(c) — GDPR accountability obligation (Art. 5(2) GDPR); § 195 BGB standard limitation period for civil claims |
| Data breach records | 5 years from date of breach discovery | Art. 6(1)(c) — Art. 33(5) GDPR mandatory documentation obligation |
During the period between an account deletion request and the actual erasure (up to 30 days), your data is flagged as "pending deletion" and is not accessible to you or used for any purpose other than completing outstanding transactions and logging the deletion event. You cannot use the service during this window. After erasure, only data retained under statutory obligation (transaction metadata, voucher records) remains, held in a restricted archive inaccessible to operational staff.
After any applicable retention period has elapsed, data is permanently and irreversibly deleted or anonymised using cryptographic erasure of all identifiers, such that re-identification is not reasonably possible.
We do not sell, rent, or trade your personal data. We share data only in the circumstances described below, and only to the minimum extent necessary.
Access to personal data within Streat Grocery is restricted on a strict role-based basis:
All staff with access to personal data are bound by written confidentiality obligations and receive data protection training appropriate to their role.
We engage the following third-party processors who handle personal data on our behalf under written Data Processing Agreements:
| Processor | Role | Data accessed | Location | Transfer safeguard |
|---|---|---|---|---|
| Render Services, Inc. (render.com/privacy) | Cloud application hosting and managed infrastructure. The application server, database, and file storage all reside on Render's infrastructure. | All personal data stored in the application (effectively all categories in Section 4), including uploaded receipt images stored on persistent disk | United States (Oregon region, US-West). Render operates under EU SCCs. | Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2); DPA executed with Render |
| Resend Inc. (resend.com/legal/privacy-policy) | Transactional email delivery service. Used exclusively to send one-time passcode (OTP) emails for authentication. | Your email address and the content of the OTP email only. No other personal data is transmitted to Resend. | United States. Resend operates under EU SCCs. | Standard Contractual Clauses; DPA executed with Resend |
| Anthropic PBC (anthropic.com/privacy) | AI-assisted OCR and data extraction for receipt images where local OCR is insufficient. | Receipt image files (JPEG/PNG/HEIC). No identity or contact data is transmitted alongside the image. | United States. Anthropic operates under EU SCCs. | Standard Contractual Clauses (Module 2); DPA executed; Transfer Impact Assessment completed; Anthropic contractually prohibited from training models on submitted data |
We may disclose personal data to competent public authorities (e.g., courts, law enforcement, tax authorities) where we are legally compelled to do so by a binding order or applicable law. Where permitted by law, we will notify you of such a disclosure before it occurs. We do not voluntarily disclose data to any government authority absent a legal compulsion.
In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity, provided that the acquiring entity assumes all obligations of this Privacy Policy with respect to your personal data. We will notify you of any such transfer and of any material changes to how your data will be processed before the transfer takes effect, giving you the opportunity to delete your account if you do not consent.
The primary database storing your personal data is located in the European Economic Area (EEA). Three processors — Render Services, Inc., Resend Inc., and Anthropic PBC — are established in the United States, a country that has not received an adequacy decision from the European Commission under Art. 45 GDPR in respect of all categories of transfer.
Each international transfer is safeguarded by the following mechanisms, used in combination:
You may obtain a copy of the applicable SCCs by contacting us at info@streatgrocery.com.
The legal basis for the use of cookies and similar storage technologies is governed by § 25 TTDSG, which implements Art. 5(3) of Directive 2002/58/EC (ePrivacy Directive) as amended by Directive 2009/136/EC.
| Identifier | Type | Purpose | Duration | Legal basis |
|---|---|---|---|---|
| session | HTTP cookie (server-side session token, HttpOnly, Secure, SameSite=Lax) | Maintains your authenticated login state across page loads. Without this cookie, you would be required to re-authenticate on every page. The cookie stores only a cryptographically random token; no personal data is embedded in the cookie value itself. | 30 days from last use, or until explicit logout or account deletion | § 25(2) Nr. 2 TTDSG — strictly necessary for a service explicitly requested by the user. No consent is required for strictly necessary cookies under German and EU law. |
We do not use any of the following: analytics cookies, advertising or retargeting cookies, third-party tracking pixels, social media buttons that set cookies, browser fingerprinting, supercookies, localStorage for tracking, or any other technique for cross-site tracking. We do not use Google Analytics, Facebook Pixel, or any equivalent service.
Because we use only one strictly necessary cookie, no cookie consent banner is legally required under § 25(2) TTDSG and the applicable guidance of the German Data Protection Conference (Datenschutzkonferenz, DSK). This assessment is subject to review if our use of cookies changes.
We implement appropriate technical and organisational measures (TOMs) pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk, taking into account the state of the art, costs, nature, scope, context, and purposes of processing, as well as the likelihood and severity of risks to your rights and freedoms. Our current TOMs include:
In the event of a personal data breach within the meaning of Art. 4(12) GDPR (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), we will:
Notification to individuals will be made by email to the registered email address on your account. If direct notification is disproportionately costly (e.g., contact details for a large number of individuals are compromised), a prominent public notice will be published on the application login page.
You have the following rights under the GDPR, exercisable free of charge. We will respond to all valid requests within one calendar month of receipt (Art. 12(3) GDPR). In cases of complexity or a high number of concurrent requests, we may extend this period by a further two months, in which case we will notify you within the first month and explain the reason for the delay. We may request reasonable verification of your identity before fulfilling any request.
| Right | Description | How to exercise | Limitations |
|---|---|---|---|
| Right of access (Art. 15) | Obtain confirmation of whether we process your personal data, and if so, receive a copy of it along with information about the purposes, categories, recipients, retention periods, and your rights. | In-app: My Account → Download Data (produces an immediate JSON export of all your personal data). Or email info@streatgrocery.com if you require a different format. | The right to a copy must not adversely affect the rights and freedoms of others. We will redact third-party identifiers from audit log extracts. |
| Right to rectification (Art. 16) | Have inaccurate personal data corrected, and have incomplete personal data completed. | In-app: My Account → Personal Details → Save Changes (for name, phone, address). Email info@streatgrocery.com for data you cannot edit yourself (e.g., email address, transaction records). | We will verify the accuracy of corrected data where reasonably possible before accepting a rectification request. |
| Right to erasure (Art. 17) | Have your personal data erased ("right to be forgotten") where: (a) it is no longer necessary for the purpose it was collected; (b) you withdraw consent (where consent was the legal basis); (c) you object and there are no overriding legitimate grounds; (d) the data was unlawfully processed; or (e) erasure is required for compliance with a legal obligation. | In-app: My Account → Danger Zone → Delete My Account (confirmation required by typing "DELETE"). Erasure completed within 30 days. Or email info@streatgrocery.com for a partial erasure request (e.g., deletion of optional profile fields only). | The right to erasure does not apply where processing is necessary: (a) for compliance with a legal obligation (e.g., statutory retention of financial records); (b) for the establishment, exercise, or defence of legal claims. Data subject to statutory retention is pseudonymised and held in restricted archive after account closure. |
| Right to restriction of processing (Art. 18) | Have the processing of your data restricted (limited to storage only, no further use) while: (a) the accuracy of the data is contested; (b) processing is unlawful but you do not want erasure; (c) we no longer need it but you need it for a legal claim; or (d) you have objected and the balancing test is pending. | Email info@streatgrocery.com with the subject line "Restriction Request". We will confirm restriction within one month. | Where processing is restricted, we will notify you before lifting the restriction. |
| Right to data portability (Art. 20) | Receive your personal data in a structured, commonly used, machine-readable format (JSON), and transmit it to another controller, where processing is based on consent or contract and is carried out by automated means. | In-app: My Account → Download Data (JSON export, available immediately and at any time). The export includes all data listed in Section 4 that is held about you at the time of download. | Applies only to data processed on the basis of contract or consent (Art. 6(1)(a) or (b)), not to data processed under legal obligation (Art. 6(1)(c)) or legitimate interests (Art. 6(1)(f)). |
| Right to object (Art. 21) | Object at any time to processing based on Art. 6(1)(f) (legitimate interests), including profiling. We must cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. | Email info@streatgrocery.com stating clearly which processing activity you object to and your reasons. We will respond within one month. | An objection to fraud-detection processing would, in effect, make the service unavailable to you, as it is integral to programme integrity. |
| Right to withdraw consent (Art. 7(3)) | Withdraw consent at any time, without detriment, where processing is based solely on your consent (e.g., birthday/anniversary offers, Indian state personalisation). Withdrawal does not affect the lawfulness of processing before withdrawal. | In-app: My Account → Personal Details → delete the date of birth, anniversary date, or Indian state field and save. Withdrawal takes effect immediately. | Withdrawal of consent for optional fields does not affect your main loyalty account or any other processing activity. |
| Right not to be subject to solely automated decisions (Art. 22) | Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects, unless it is necessary for a contract, authorised by law, or based on explicit consent. | Automated stamp calculation and duplicate detection are based on Art. 22(2)(a) (contract necessity). To request human review of any automated decision, email info@streatgrocery.com or raise it in-store. | Human review will be completed within 5 working days. You may express your point of view and contest the outcome. |
The service is not directed at persons under the age of 16. Pursuant to Art. 8 GDPR and § 26 BDSG, the processing of personal data of a child under 16 requires parental or guardian consent for consent-based processing. The registration form requires confirmation of age eligibility. We do not knowingly collect personal data from children under 16 without verifiable parental consent.
If you become aware that a person under 16 has registered for an account without parental consent, please contact us at info@streatgrocery.com. Upon verification, we will: (a) immediately suspend the account; (b) notify the parent or guardian where contact details are available; and (c) erase all associated personal data without undue delay, unless we have a legal obligation to retain it.
We do not have a technical age-verification mechanism in place. This limitation is disclosed in the interest of transparency. We rely on self-declaration at registration and commit to acting promptly on any reported breach of this provision.
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or guidance from supervisory authorities. Changes are categorised as follows:
The version history of this policy is maintained internally. You may request prior versions by emailing info@streatgrocery.com. Continued use of the service after a notified material change takes effect constitutes acceptance of the revised policy.
You have the right to lodge a complaint with a competent data protection supervisory authority at any time, pursuant to Art. 77 GDPR. This right exists without prejudice to any other administrative or judicial remedy.
As our principal establishment is in Berlin, Germany, the competent lead supervisory authority is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219, 10969 Berlin, Germany
Telephone: +49 30 13889-0 · Fax: +49 30 2155050
Alternatively, you may lodge a complaint with the supervisory authority of the EU member state in which you habitually reside, work, or where the alleged infringement took place (Art. 77(1) GDPR). A full list of EU supervisory authorities is available at: edpb.europa.eu.
We encourage you to contact us first at info@streatgrocery.com so that we have the opportunity to resolve your concern directly before a formal complaint is filed.
For all privacy-related enquiries, data subject rights requests, or concerns about this Privacy Policy, please contact us using any of the following methods:
Email (preferred): info@streatgrocery.com — please use the subject line "Data Subject Request" or "Privacy Enquiry"
Post: Streat Grocery, Hofmannstr 43, 81379 Munich — marked: Att. Data Protection
In-app self-service: My Account → Download Data (portability / access) · My Account → Personal Details (rectification) · My Account → Danger Zone (erasure)
We will acknowledge receipt of all requests within 5 working days and provide a full response within one calendar month. All communications will be in English unless you specify a preference for German.
This Privacy Policy was prepared in accordance with: Regulation (EU) 2016/679 (GDPR); German Federal Data Protection Act (BDSG 2018, as amended); German Telecommunications-Telemedia Data Protection Act (TTDSG 2021); European Data Protection Board (EDPB) Guidelines on transparency (05/2020), legitimate interests (1/2024), automated decision-making (2022), and international data transfers (05/2021); Article 29 Working Party Opinion 06/2014 on legitimate interests; German Data Protection Conference (DSK) guidance on cookies (2021); and Commission Implementing Decision (EU) 2021/914 (Standard Contractual Clauses).