Privacy Policy

PRIVACY POLICY

Website wedely.com and Wedely mobile application
Last updated: April 29, 2026

1. Identity of the data controller

This policy applies to the processing of personal data carried out by:

Wedely S.à r.l.
Private limited liability company under Luxembourg law
Registered office: 5, rue Aldringen, L-1118 Luxembourg
RCS Luxembourg: B233559
Intra-community VAT number: LU31754380

Data Protection Officer: privacy@wedely.com

2. Legal framework

The processing of personal data by Wedely is governed by:

• Regulation (EU) 2016/679 of 27 April 2016 (« GDPR »);
• the Luxembourg Law of 1 August 2018 organising the National Commission for Data Protection and the general data protection regime;
• the amended Law of 30 May 2005 on electronic communications (relating to cookies and other identifiers);
• the guidelines and recommendations of the Luxembourg supervisory authority and the European Data Protection Board (EDPB).

3. Data processed and purposes

Wedely processes your personal data solely to the extent necessary for the purposes stated. The data we process comes from:

• You: when you create an account, place an order, leave a review, contact support or choose to log in via an external login service (Google, Apple);
• Your device: when you use the website or the app, we automatically collect certain technical information (IP address, device type, browser, operating system, connection parameters, anonymous identifiers);
• Third-party services you have explicitly linked to your account: when you choose to register or log in via a social account, we receive from the external provider only the minimum information necessary for authentication (name and e-mail). We do not retrieve or store any other information that the provider may make available (such as profile pictures, contacts or shared content).

Below are the categories of data processed with their respective purposes, legal bases and retention periods:

Our website may contain links to third-party sites. This policy applies solely to data processed by Wedely; we invite you to consult the privacy policies of those third-party sites.

4. Recipients and sub-processors

For the purposes indicated above, your data may be communicated:

For the performance of the contract and the delivery of your order:

• Partner restaurant responsible for preparation: receives via its printing system the order content, your name, delivery address, phone number, any intercom instructions and the notes you entered — information necessary to prepare the order correctly and to contact you if needed.
• Independent courier responsible for delivery: receives your name, delivery address (text), phone number, any access instructions and the order content, to the extent strictly necessary to deliver the shipment correctly.

To technical service providers acting as sub-processors:

• LeaseWeb Deutschland GmbH (Frankfurt, Germany — EU) — main hosting and technical infrastructure of wedely.com;
• Amazon Web Services (AWS, EU) — ancillary cloud storage services (e.g. for images and files);
• Google LLC and Google Ireland Ltd. — office services (Google Workspace), mapping (Google Maps Platform), audience measurement (Google Analytics 4) and authentication (Google Sign-In);
• Apple Inc. (United States) — authentication via « Sign in with Apple » (website and mobile app) and, limited to the mobile app, install attribution measurement from the App Store;
• Stripe Payments Europe Ltd. (Ireland / United States) — PCI-DSS certified payment services provider, acting as an independent controller for fraud prevention functions;
• Brevo (formerly Sendinblue, France) — sending of transactional e-mails and newsletters;
• Twilio Inc. (United States) — sending of notification SMS;
• Meta Platforms Ireland Ltd. (Facebook, United States) and Microsoft Ireland Operations Ltd. (Bing Ads, United States) — online advertising services, activated only with your prior marketing cookie consent;
• Hotjar Ltd. / Contentsquare (United States / EU) — user experience analysis tools, activated only with your prior functional cookie consent.
• OpenAI Ireland Ltd. (Ireland / United States) — provides the language model powering the conversational customer support assistant (see section 9). The data we send is pseudonymised upstream by replacing first name, last name, phone number, street address, intercom name and delivery notes with opaque placeholders: the assistant thus works on a context free of direct identifiers. OpenAI acts as a processor under Art. 28 GDPR on the basis of the Data Processing Addendum signed with Wedely, does not use API data to train its models, and applies a maximum technical retention of 30 days for abuse-prevention purposes.

The updated list of sub-processors and their respective DPA agreements is available on request at privacy@wedely.com. To recipients for legal purposes:

• Luxembourg tax administration (DAC7 — Directive (EU) 2021/514);
• Judicial or administrative authorities, upon a legally founded request.

5. Transfers outside the European Union

Some of our technical service providers are established in, or may process your data in, third countries outside the European Union, in particular in the United States (Google, Apple, Stripe, Twilio, Meta, Microsoft, Hotjar/Contentsquare). In such cases, the transfer is governed:

• by the EU-US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023), where the recipient is validly certified;
• or by the standard contractual clauses adopted under Commission Implementing Decision (EU) 2021/914, supplemented where appropriate by additional measures in accordance with the Schrems II judgment and EDPB Recommendations 01/2020.

6. Cookies and tracking technologies

On your first visit, a banner informs you of the presence of cookies and allows you to refuse, accept or customise your choice. Strictly necessary cookies are set without consent; functional, non-exempt audience measurement and marketing cookies are set only with your prior consent.

You can change your preferences at any time on the page wedely.com/cookies_consent. The detailed list of cookies is available in our Cookie Policy.

7. Your rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

• Right of access to your data and to obtain a copy;
• Right to rectification of inaccurate or incomplete data;
• Right to erasure of your data in the cases provided for by Article 17 GDPR;
• Right to restriction of processing;
• Right to data portability in a structured, machine-readable format;
• Right to object to processing, in particular for direct marketing purposes;
• Right to withdraw your consent at any time, without affecting the lawfulness of prior processing;
• Right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or significantly affects you.

Wedely may use automated tools to improve the service (for example to suggest relevant restaurants, route your order to the nearest courier, prevent fraud and abuse). We do not take decisions based solely on automated processing that produce significant legal effects concerning you: any decision affecting your contractual rights (e.g. account suspension or order refusal) is subject to human intervention.

To exercise your rights, contact our DPO at privacy@wedely.com indicating your name, the e-mail address associated with your Wedely account and the right you wish to exercise. Your request will be handled within one month of verification of your identity, extendable by two months for complex requests (Art. 12.3 GDPR). We may request additional information to confirm your identity for security purposes.

If you believe that your rights are not being respected, you may lodge a complaint with the Commission nationale pour la protection des données (CNPD): https://cnpd.public.lu, 15 boulevard du Jazz, L-4370 Belvaux.

8. Direct marketing

You have the right to object at any time to the processing of your data for direct marketing purposes, including any profiling carried out for marketing. You can do so:

• by clicking the « Unsubscribe » link at the bottom of every commercial e-mail you receive;
• by updating your preferences in your Wedely account settings;
• by writing to privacy@wedely.com.

Objecting to direct marketing is free of charge and takes effect immediately. You will continue to receive only service communications strictly necessary for the performance of orders (confirmations, delivery notifications, invoices).

8.1. Profiling and personalisation

In order to offer you a useful and relevant experience, Wedely carries out the following levels of processing:

• Website and app personalisation: we use your order history and your interactions to suggest relevant restaurants and to improve your browsing experience (legal basis: legitimate interest);
• Communication segmentation: if you have given consent to the newsletter, we may send you selected offers based on your interests and ordering habits (legal basis: consent);
• Cross-site advertising tracking: if you have accepted marketing cookies, our advertising partners (Meta, Google Ads, Microsoft Bing Ads) and mobile advertising identifiers (IDFA/AAID) allow us to measure the effectiveness of our campaigns and to show you relevant ads on other websites and applications you visit (legal basis: consent to marketing cookies).

What we do NOT do: we do not carry out high-risk automated decisions (e.g. social scores, credit scores, automatic account exclusion, discriminatory assessments). Any decision affecting your contractual rights is always subject to human review.

You have the right to object at any time to profiling for direct marketing purposes, using the same methods described above (unsubscribe link in e-mails, account settings, e-mail to the DPO).

9. Support communications (chatbot and chat)

Wedely makes available several support tools accessible from the website and the app:

• Artificial intelligence-based conversational assistant (chatbot). When you contact support from the website or the app, your questions are processed by a language model provided by OpenAI Ireland Ltd. (model currently in use: GPT from the o-mini family, subject to updates). To reduce the exposure of your personal data, before sending to the model we apply automatic pseudonymisation: first name, last name, phone number, street address, intercom name and delivery notes are replaced by opaque placeholders (e.g. <<NAME>>, <<PHONE>>); the actual value is reinserted only in the response you read, on Wedely's side. The assistant therefore receives only the operational information necessary to respond to you (order code, restaurant, delivery status, courier distance, amounts, etc.) but not the direct identifiers of who you are. The chatbot provides information and does not take decisions with legal effects concerning you within the meaning of Art. 22 GDPR: refunds, cancellations and order changes are always handled by human staff. You can ask to speak with an operator at any time by typing «agent» or using the form on the contacts page.
• Free messages linked to an order. To report an issue or request assistance you can send a short free-text message (maximum 256 characters) linked to a specific order. The message is stored together with the order for traceability and dispute management purposes and may be read by our support staff.
• Chat with the courier during delivery. From the moment a courier accepts your order until delivery, they may communicate with you via an in-app chat limited to the execution of the delivery. The chat remains viewable for a short period after the order for the handling of any disputes and is not processed by artificial intelligence systems.

Legal basis for the AI chatbot. Performance of contract and pre-contractual measures (Art. 6.1.b GDPR) for requests linked to an ongoing order, and our legitimate interest (Art. 6.1.f GDPR) in providing scalable support and reducing response times, balanced by automatic pseudonymisation and the ability to switch to a human operator at any time. Transfers. If OpenAI processes data outside the European Economic Area, the transfer is covered by the Data Privacy Framework and/or the standard contractual clauses (SCC) under Art. 46 GDPR. Retention. Chatbot conversations are stored in our systems together with the reference order for the duration of the corresponding retention period; OpenAI retains API data for a maximum of 30 days solely for abuse-prevention purposes and does not use it to train its models. Distinction from section 11. The optional integration with external AI assistants (Model Context Protocol) described in section 11 is a separate channel that you activate by connecting a connector to your personal AI assistant: it does not receive or read the content of the support conversations described here.

10. Security

Wedely adopts appropriate technical and organisational measures to ensure the security of your data: encryption of communications in transit, strict access management, regular backups, activity logging, staff awareness and periodic security testing.

Security measures and fraud prevention. To protect the service from abuse and automated access, Wedely applies technical controls (stricter CAPTCHA, verification SMS rate limit, additional verification) whose intensity varies according to statistical risk indicators — including the approximate geolocation of the IP address, used as a risk signal and not as personal data relating to nationality. Legal basis: art. 6.1.f GDPR (legitimate interest in fraud prevention). These controls do not constitute an automated decision within the meaning of art. 22 GDPR; in case of automatic blocking we guarantee the intervention of a human operator by writing to info@wedely.com. You can object to the processing under art. 21 GDPR by writing to privacy@wedely.com. Risk criteria are based on statistical abuse data and not on nationality as such.

11. Integration with AI assistants (Model Context Protocol)

Wedely offers an optional integration with third-party AI assistants via the Model Context Protocol (MCP). The integration is strictly opt-in and is activated only if you explicitly connect Wedely as a custom connector within your AI assistant.

No access to your Wedely account. The integration does not read your name, e-mail, phone number, saved addresses, payment methods, order history or any data from your Wedely profile. Every AI ordering session is anonymous from our perspective, identified only by an opaque random token generated for the individual order attempt.

What we receive via MCP. The AI assistant sends us only the operational data necessary to build the order, namely the data you yourself typed in the conversation: delivery address (and corresponding geocoded coordinates), cart contents, chosen delivery time, a random session token and an anonymous identifier of the AI platform used.

What we return. In response to the AI assistant's calls, Wedely provides only public information (names and addresses of restaurants, menus, prices, opening hours, delivery options). No personal data of any user is ever included in MCP responses.

Retention. The temporary AI session is retained for a maximum of 2 hours of inactivity, after which it expires automatically; expired sessions are deleted within 24 hours. If you confirm the order on wedely.com, the order is created on your account in accordance with section 3 of this policy. If no order is confirmed, the session and its content are deleted upon expiry and never become part of a user account.

Separate controllers and international transfers. The AI assistant provider is an independent data controller for the conversation you conduct with its tool. Wedely and the AI assistant provider are not joint controllers nor linked by an Art. 28 GDPR relationship. When the provider operates outside the European Economic Area, the data you type into the AI assistant is processed in accordance with its privacy policy and transfer mechanisms (DPF, standard contractual clauses). Wedely does not transfer your personal data to the AI assistant provider.

Legal basis. Pre-contractual measures at your request (Art. 6.1.b GDPR) combined with explicit consent (Art. 6.1.a GDPR), given by connecting the MCP connector. You may withdraw consent at any time by removing the connector from your AI assistant's settings. No automated decision-making under Art. 22 GDPR: orders are always manually confirmed by you on wedely.com.

12. Content generated or retouched with artificial intelligence

Some illustrative images published on the website and the app — in particular photos of dishes and cuisine categories — may be generated or retouched with artificial intelligence tools. These images are for purely illustrative purposes: they represent a visual idea of the dish and do not constitute an exact photograph of the product delivered, which may differ in plating, portioning, ingredients or presentation.

Human control. All images generated or retouched with AI go through a human editorial review by the Wedely team (or the partner restaurant/shop) before being published.

No personal data of customers. To produce these images, Wedely sends its AI providers exclusively the textual description of the dish, product, cuisine or shop and the photographic scene. No personal data of customers is communicated and no real face or person is depicted.

13. Changes to this policy

Wedely may amend this policy to reflect a regulatory, technical or organisational development. Any material change will be brought to your attention via a notice on the website or by e-mail.

14. Contact

For any question relating to this policy:

• E-mail: privacy@wedely.com
• Postal address: Wedely S.à r.l. — DPO, 5, rue Aldringen, L-1118 Luxembourg