Privacy Statement
This privacy statement (“Privacy Statement”) aims to clarify what personal data we process, why we process it, who receives your data and how you can exercise your legal rights.
In this Privacy Statement, “personal data” means any information which directly identifies you as a person (like the combination of your full name and address), or can be used to identify you as a person (like a user ID connected to your identity). Similarly, “processing” refers to any operation performed on your personal data, for example the collection, storage, use, disclosure, or destruction of your personal data. Please take enough time to carefully read this note.
1. Who are we and how can you reach us?
We are Talabat Holding ADGM, a company incorporated at Abu Dhabi Global Market (“ADGM”) located at Office Number 2341, 23rd Floor, Sky Tower, Shams Abu Dhabi, Al Reem Island, Abu Dhabi, United Arab Emirates (“Talabat” or the “Company” or “We”).
As regards your privacy, it is us who decide how and for what purposes your personal data is processed. In data protection language that makes us a so-called “data controller” (the party responsible for how your personal data is processed).
By accessing and/or using our mobile applications, platforms and/or websites, you agree to the terms of this Privacy Statement.
If you have any questions related to how your personal data is processed, you can contact us at dpo@talabat.com. If you would like to reach out to our data protection officer, please also contact dpo@talabat.com.
2. What categories of personal data do we process?
When you use our website, we process personal data actively provided by you, collected from your device when you interact with us, or obtained from third parties. Broadly speaking we will process the following categories of personal data:
| Contact data | including your name, address, email address, telephone number, country, language, communication, and content of our correspondence |
| Access and device data | including the date and time of website-access, device ID, IP address, session information, device configuration settings, operating system, website interactions such as data obtained through web-trackers (e.g. cookies, SDKs, pixels) |
| Capital market stakeholder data | including type of capital market stakeholder data, other information you provide to us in the course of our business relations and registration for the annual general meeting or voting by postal vote, as well as when ordering tickets and/or granting powers of attorney, such as: registration information provided at events, creating lists of participants or name badges and similar particulars. |
| Share register data | including name, date of birth, and address of the shareholder, as well as the number of shares or the share number and, in the case of par value shares, the amount. |
| Data obtained from publicly accessible sources | to the extent necessary to fulfill our obligations, data obtained from publicly accessible sources or which are legitimately transmitted by other third parties. |
3. What do we do with your personal data?
As you visit the website and the investor actions you take, within the legally permissible parameters we process certain personal data, and below is what we do with it and for how long.
Please note that the transmission of information via the internet is not completely secure, thus we cannot guarantee the security of any of your information transmitted to our website. Any transmission is at your own risk.
3.1. When you browse our website
We always strive to customise our website according to the wishes of the website users. To achieve this, we evaluate the use of our website in pseudonymous form. We record the name of the website accessed, the date and time of access, the browser type used, your IP address, geolocation, operating systems, and number of visits to our Website. This data is only processed for statistical purposes to optimise our website presence, improve the services, test our IT systems and to operate the website.
This processing is based on our legitimate interest under Art. 5(1)(f) Data Protection Regulations of Abu Dhabi Global Market (“Data Protection Regulations”) to provide you with a functional and demand-driven website. We will keep your personal data for seven days and then anonymize this information by deleting any personally identifiable content of the information collected, such as your IP address.
For this purpose we also use cookies that we will not drop on your device without consent. If you would like to learn more about cookies and web-tracking on this website, please refer to our Cookies Statement.
We use web tracking technologies (e.g., cookies, SDKs, measuring pixels) when you browse our web pages. These technologies enable us to facilitate the functioning of our platform, improve its performance and security, or understand how our users interact with our platform. In addition, these technologies allow us to deliver customised content or targeted advertising to our users.
Cookies and web tracking technologies may be used to collect data that we classify as device information, including your device ID, IP address, session information, preferences such as language settings, platform interactions such as items added to the cart, platform performance analytics, and crash reporting.
Our website may occasionally contain links to and from the websites of third parties including our partner network, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.
You can find more information on these technologies (including on retention periods) in our Cookies, SDKs and Web-Tracking Statement, as well as in our consent management banner.
3.2. When you contact us
We will store the personal data (name, email address, telephone number, mobile phone number) you provide to us for contacting you and we will contact you as requested. This processing is based on our legitimate interest in accordance with Art. 5(1)(f) Data Protection Regulations to be able to contact you immediately, register you for our information calls and process your request. We will store the personal data you have transmitted for one year and then delete it unless legal retention periods arise from the processing.
3.3. When you visit our website for career opportunities
You may visit our website to discover career opportunities. The relevant career section in our website will lead you to our career platform and you can browse further details regarding your privacy as a job candidate embedded there.
3.4. When you visit our website in the context of investor relations
3.4.1 Share register
Talabat shares are registered shares. Registered shares must be entered in the company’s share register, stating the shareholder’s name, date of birth, date of registration, and address as well as the number of shares or the share number and, in case of par value shares, the amount.
The shareholder is generally obliged to provide the Company with this information. In addition, we process personal data that you provide to us when registering for the Annual General Meeting or voting by postal vote as well as when ordering tickets and/or granting powers of attorney. We use your personal data for the purposes specified in the Companies Regulations. These purposes include, in particular, keeping the share register, communicating with you as a shareholder and conducting the Annual General Meeting.
The legal basis for the processing of your personal data is the Companies Regulations in conjunction with Art. 5 (1) c) Data Protection Regulations. In addition, we may process your personal data to fulfill other legal obligations, such as regulatory requirements and/or stock corporation, commercial and tax retention obligations. In order to comply with the Companies Regulations, we may e.g. keep verifiable records of the data that serves as proof of authorisation and store them protected from unauthorised access when authorising the proxies nominated by the Company for the Annual General Meeting. We will store the data collected and stored in this context in accordance with the statutory retention periods and then destroy them.
3.4.2. Contact
If you would like to contact us via the contact form under the “Investor Relations” tab, we will use the personal data you have provided to us for contacting you (mandatory fields: Name, first name; optional: telephone number, address, e-mail address, country) and contact you as requested. This contact form is technically administered by our data processor EQS Group AG and incorporated into our website.
This processing is based on our legitimate interest in accordance with Art. 5 (1) (f) of Data Protection Regulations to be able to contact you immediately and process your request. We will store the personal data you have transmitted for one year and then delete it unless legal retention periods arise from the processing.
3.4.3 Managing relations
We will collect and process your personal data for the purpose of managing our business relations, which encompasses organising meetings and investor relations events, keeping you informed about the latest news and developments within the Company, handling inquiries related to the capital market, maintaining the investor relations website, and executing investor relations campaigns. In this regard, we will gather and process your personal data (e.g. name, gender, ID card number, place and date of birth, title, job title, email address, business address, telephone number, mobile phone number, user ID and bank details) that you share with us by filling out forms.
Such processing is legally permissible as it is necessary to pursue Talabat’s legitimate interests in accordance with Art. 5(1)(f) Data Protection Regulations or to perform a contract in accordance with Art. 5 (1) (b) Data Protection Regulations.
3.5 When we promote our brand
3.5.1. Online Marketing
We utilize marketing processes to reach as many potential customers as possible. These processes encompass a range of marketing strategies, including targeted advertisements, both on our own platform, or on online media properties (e.g, websites, social platforms) owned and operated by third-party publishers.
For this purpose, we process account data, location data, order and delivery data, and device data such as session information, your configuration settings, platform interactions such as items added to the cart, and data obtained through web-trackers (e.g. cookies, SDKs, pixels).
When we perform targeted advertisements for our platform, we use customer segmentation based on the data we collect from you. This segmentation may include predictions about our users’ demographics (e.g., age, gender) or consumption preferences. These insights are typically aggregated and pseudonymized, which means that we cannot identify you individually. We use these insights when defining our online marketing strategies.
Your prior explicit ‘consent’ under Art. 5(1)(a) Data Protection Regulations is requested to show you our online targeted advertisements. If you do not consent to personalized online advertisements, please note that you may still receive ads related to our service and products. However, these ads will be generic and not result from specific targeting processes.
We will keep this personal information for as long as you choose to share it with us but in any case we will delete the data we process within this purpose after deletion of your account.
3.5.2. Social Media Pages
We maintain profiles on various social media platforms through which we advertise our products and engage with customers. When you visit our pages on social media platforms such as Facebook and Instagram, the operators of these platforms process your personal data, as explained in their own privacy statements. For Facebook and Instagram the data controller is Meta Ireland Ltd. (“Meta”)
Meta provides us with aggregated statistics and insights about our social media pages, allowing us to understand the types of actions users take on their pages. Please be informed, however, that we at no point can attribute any page visit or other interaction to individual social media profiles.
In terms of collecting your personal data on our social media pages and analyzing the user interactions, both we and the respective operators of the social media platforms (such as Meta) act as joint controllers. To formalize this arrangement, we have entered into joint controller agreements with these operators.
For Facebook and Instagram, the following links will show you exactly which data is collected by Meta and how you can exercise your data subject rights in connection with the user insights:
The legal basis for processing of your data for the purpose of engaging with users and utilizing user insights is ‘legitimate interest’ in accordance with Art. 5(1)(f) Data Protection Regulations.
3.6 When we ensure the security of our website
We use state-of-the-art servers, network equipment, and cloud services to deliver our website that ensures high performance and uninterrupted service. All types of personal information you provide and the information we collect about you is stored and protected within the secure environment of our platform. We also use tools such as two-factor authentication, endpoint security detection, traffic monitoring, backup systems and data loss prevention solutions to keep your data secure at all times.
The legal basis for processing your data for the purposes of hosting and ensuring the security of your personal data is ‘legitimate interest’ under Art. 5(1)(f) Data Protection Regulations.
3.7 When we are required to comply with laws and regulations
As with any organisation, there are instances when we are required to share personal data with public authorities. Additionally, there might be instances where we have to process your personal data to initiate or defend legal claims and uphold our rights and interests. For this purpose, we may disclose and process certain data we hold about you, to the extent strictly necessary to conclude these legal proceedings and investigations.
The legal basis for processing your data for complying with public authority requests is ‘legal obligation’ under Art. 5(1)(c) Data Protection Regulations; and for initiating and defending legal claims is ‘legitimate interest’ under Art. 5(1)(f) Data Protection Regulations. We retain this information for as long as necessary to comply with legal obligations related to ongoing proceedings and investigations. After the final closing of the respective legal proceedings we will delete your data immediately.
Data protection laws grant you various legal rights. We are committed to respecting them at all times. When you exercise these rights, we must process your data to effectively address your request. For instance, if you choose to exercise your right to access, we need to gather all of the information we hold about you to meet our obligation to provide a response. To achieve this, we may process any type of data we hold about you, only to the extent necessary to comply with our obligations.
The legal basis for processing your data for complying with data subject requests is ‘legal obligation’ under Art. 5(1)(c) Data Protection Regulations. We retain this information for as long as necessary to comply with our legal obligations.
Under various regulatory frameworks in the United Arab Emirates, we are required to share certain aggregated data with the parties specified in the laws. While this data will originate from personally identifiable data, we are not required to share personal data with third parties under such laws. The processing of personal data is based on the legal basis of ‘legal obligation’ under Art. 5(1)(c) Data Protection Regulations.
What happens if you do not provide us with the information we had asked you for or if you ask us to stop processing your information?
Where it concerns processing operations related to the relationship with you (as described above), Talabat will not be able to adequately establish, conduct or terminate a business relationship with you or your company and generally perform the purposes described above without certain personal data. Although we cannot obligate you to share your personal data with us, please note that this then may have consequences that could affect the business relationship in a negative manner, such as not being able to invite you to investor relations events or provide you with requested materials or information.
4. Who will receive your data and under what circumstances?
You can trust that, within our Company, only those staff members will receive access to your personal data who need them in order to fulfill their professional duties, such as providing you with a great online experience, or looking into your support request. In certain scenarios, we also need to share your personal data with recipients outside of our Company. Please be assured that your data is shared with these recipients only to the extent necessary for the specified purposes and only as we are legally permitted to do so.
In addition to sharing data with the parties already specified above, we will only share your data as follows:
4.1. Delivery Hero group companies
We are part of an international group of companies with legal entities in many parts of the world, including our group’s headquarters located with Delivery Hero SE in Berlin, Germany. In order to utilise our resources efficiently and ensure that our business processes function properly, we utilise our group-wide shared technological support services that sometimes necessitate sharing personal data with our parent company, Delivery Hero SE, or with the locations of our global tech hubs. In certain situations, we might also share limited data with other group companies, for example, to assist with payment collection or to implement website security measures.
Delivery Hero group companies are bound by strict intra-group data transfer agreements ascertaining compliance with data protection requirements whenever sharing personal data with group companies.
4.2. Data processors
We use various third-party service providers to perform our operations. Many of these providers process your personal data as so-called “data processors”. This means they are only allowed to process your personal data under our instructions and have no claims whatsoever to process your personal data for their own, independent purposes. Our processors are strictly monitored and we only engage processors who meet our high data protection standards. The main data processor for cloud technology on our website is our group’s headquarters located in the United Arab Emirates. Also, Delivery Hero SE provides us with a wide range of services of technology, such as cloud hosting, website security, marketing or customer relationship management tools.
Talabat will also use data processors (as so-called “sub-processors”), as follows:
Our user platforms and databases run on cloud resources provided by the european subsidiaries of Google Cloud Platform and Amazon Web Services. We use marketing and communications tools by companies such as SalesForce or Braze. Our finance and accounting platforms are provided by SAP.
4.3. Other third parties and service providers
In addition to data processors, we also work with third parties, to whom we share your personal data, but who are not bound by our instructions and instead will process your data independently. These may be our consultants, lawyers or accountants who receive your data from us under a contract and process your personal data for legal reasons, or to protect our own interests. Under no circumstances will we sell or rent your personal data to third parties without your explicit, informed consent.
4.4. Mergers & acquisitions, change of ownership
In the event of a merger with, or acquisition by, another company or group of undertakings, we may need to disclose limited information to that company and their advisors who are under professional obligations to maintain the confidentiality of your personal data. This may occur in circumstances such as mutual due diligence assessments and regulatory disclosures.
In any event, we will ensure that we only disclose the minimum amount of information necessary to conduct the transaction, while also carefully considering the feasibility of removing or anonymising any data that could identify individuals.
4.5. Prosecuting authorities, courts and other public authorities
From time to time we may be requested to disclose personal data to public authorities. In some circumstances, we may disclose personal data with public bodies to bring or defend legal claims, to protect our rights and interests, or to address security concerns.
Examples of such situations include cooperating in the detection and prevention of crime, responding to legal processes such as court orders or subpoenas, or sharing data with tax authorities for tax-related purposes. The public authorities involved in these scenarios may include law enforcement agencies, courts, tax authorities, or other government bodies.
5. How do we transfer your personal data to other countries?
We and the parties we share your personal data with may transfer personal data to countries other than the country in which you use our services. Where such transfers take place, we take appropriate measures to ensure that your data is always afforded an adequate level of protection in the countries to which it is transferred.
For example, our processor or we may transfer your personal data to a controller or processor outside of ADGM or to an International Organisation if the controller or processor has provided appropriate safeguards to ensure that these transfers provide a level of protection that complies with data protection requirements. Specifically, as far as transfers from the ADGM to jurisdictions outside the ADGM are concerned, we rely on a number of appropriate safeguards:
· Adequacy decisions by the Commissioner of Data Protection. Such a transfer will not require any specific authorisation;
· Standard contractual clauses mutually agreed in our contract with the data recipient (including any supplementary measures, if required).
· Further appropriate safeguards, in accordance with Art. 42 of the Data Protection Regulations (for example, binding corporate rules).
If you would like to receive a copy of the appropriate safeguards securing the data transfer, please contact us at dpo@talabat.com.
6. What are your legal rights?
Under the data protection laws, you are entitled to the following rights:
| Right to access | You have the right to access your personal data and obtain additional information on how we process it. You may also request a copy of your personal data. |
| Right to rectification | If you notice that your personal data is incorrect, you can always request that we correct it. |
| Right to erasure | You have the right to ask us to delete your personal data. Please note that even if you exercise this right, we may be required to retain some of your information if we process it as part of our legal obligations, or in pursuit of our own (or a third party’s legitimate interests) such as the assertion of, or defense against, legal claims, preventing fraud or protecting ourselves or others against abusive behavior. |
| Right to restriction of processing | If you have requested the deletion of your personal data, but we are legally prevented from immediately deleting it, we will store your data in our archives and retain them for the sole purpose of meeting our legal obligations. However, you will not be able to use our services during this time, as this would require us to de-archive your personal data. |
| Right to data portability | You can ask us to provide you or another data controller with your personal data in a machine-readable format. However, please note that this right only applies to data that we process based on your consent. |
| Right to object | You have the right, for reasons arising from your particular situation, to object at any time to any processing of your personal data, which is processed on the basis of our legitimate interests or where processing is necessary for the performance of a task carried out by a public authority in the interests of ADGM. If you object, we will no longer process your personal data unless we can prove compelling grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise, or defend against legal claims. You also have the right to object at any time, without giving any explanations, to the processing of your personal data for the purposes of direct marketing (including any associated profiling). |
| Right of complaint | You can raise a complaint about our processing with the data protection authority in the country of your habitual residence, place of work, or the place where you think a violation of data protection laws has occurred. In the case of cross-border data processing, you can also lodge a complaint with our lead supervisory authority in Berlin, Germany. |
| Right not to be subject to a decision based solely on automated processing | You have the right to object to a fully automated decision (i.e. without any human intervention in the decision-making process) that has legal effects or significantly affects you. |
| Right to withdraw consent | Where we rely on consent to process your personal data, you have the right to withdraw your consent at any time. If there is no other legitimate ground upon which Talabat Holding Group is allowed to process your personal data, we will immediately stop processing it. Withdrawal of consent does not affect the legality of the processing carried out before the withdrawal. |
To exercise your rights, we encourage you to use the functions available in your account at any time. For example, if you would like to delete your data, or receive a copy of it, you can directly do so by following the relevant steps in your profile. These self-service methods are designed to expedite the process of fulfilling your rights. Alternatively, you can also reach out to our investor relations team to assist you.
7. How long do we keep your data?
We retain your personal data for as long as it is necessary to achieve the purposes we described above. The duration for which we retain your personal data is determined by factors such as the scope, nature and purposes of the personal data processing, and whether we have legitimate interests or legal obligations that require us to retain your personal data.
8. How often do we update this Privacy Statement?
We regularly review and update this Privacy Statement. We expect most such changes to be minor, but there may be changes that are more significant. Where appropriate and possible we will notify you of such changes by email.
Disclaimer
The Arabic version of this Privacy Statement is a convenience translation. In case of deviations between the Arabic and the English version, the English version shall prevail.
This Privacy Statement is governed by the federal laws of the United Arab Emirates.
This Privacy Statement was last updated on: 02 October 2024