Privacy Policy

The controller within the meaning of Art. 4(7) GDPR is Email: info@papaturkish.sk · Phone: +421 917 772 432.

For privacy-related matters please contact us at info@papaturkish.sk.

When you place an order or contact us, we process the following categories of personal data:

• Identification: first and last name
• Contact: phone number, email address
• Order data: chosen items, pickup time, branch, notes
• Payment data: payment status and transaction reference (the card number itself is processed solely by Stripe Payments Europe, Ltd.)
• Technical data: IP address, browser type, anonymised analytics

We use your data for the following purposes:

• Processing and fulfilling your order — Art. 6(1)(b) GDPR (performance of a contract)
• Identity verification at pickup (SMS OTP) — performance of a contract and legitimate interest (fraud prevention)
• Issuing and storing accounting documents — legal obligation (Slovak Accounting Act 431/2002)
• Handling complaints — legal obligation (Consumer Protection Act 250/2007)
• Improving the website and analytics — legitimate interest (Art. 6(1)(f) GDPR), or consent for marketing cookies

We do not share your data with third parties except for the following processors that help us run the service:

• the website operator — internal handling of orders and complaints
• Google Ireland Limited — database hosting (Firebase / Google Cloud, EU)
• Stripe Payments Europe, Ltd. — card payment processing (Ireland)
• Resend, Inc. — transactional email delivery (USA, standard contractual clauses)
• Twilio Inc. — verification SMS delivery (USA, standard contractual clauses)
• Wolt Slovakia s.r.o. and Bolt Operations OÜ — only if you order via their platforms

No transfer outside the EU happens without appropriate safeguards under Chapter V of the GDPR.

We retain data only for the time necessary to achieve the purpose:

• Order data: 10 years from the end of the accounting period (legal obligation)
• Contact form messages: 1 year after the last interaction
• Technical logs and anonymised analytics: 14 months
• SMS verification: phone number kept only for the duration of the order

Under the GDPR you have the following rights:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure / „right to be forgotten" (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object to processing based on legitimate interest (Art. 21)
• Right to withdraw consent at any time, where processing is based on consent (Art. 7(3))
• Right to lodge a complaint with the Slovak Office for Personal Data Protection (https://dataprotection.gov.sk)

Send any request to info@papaturkish.sk. We respond within 30 days.

We apply appropriate technical and organisational measures: traffic is encrypted with TLS, database access is restricted to authorised staff, and we never process card data directly — payment is handled entirely within Stripe.

We may update this policy. The current version is always available on this page with the date of the last revision.