
Privacy Policy

Gudrais Fast Food Privacy Policy

In case of any discrepancy, the Latvian version shall prevail.

Introduction

SIA Gudrais Fast Food (hereinafter – the Controller, we) cares about customers’ privacy and the protection of personal data, observing the data subject’s rights to lawful processing of personal data in accordance with applicable regulatory acts – including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation) – and other applicable privacy and data-processing legal acts. This privacy policy is drawn up with the aim of providing the data subject (hereinafter – you) with the information stipulated in the Regulation about how and why we process personal data.

This privacy policy applies to all personal data obtained by the Controller from clients – both natural persons and representatives of companies (legal persons) – in any way, for example, on our website, in communication by e-mail, on the WhatsApp messaging platform, by telephone or in other communication channels. When submitting personal data to us, for example, by placing an order online or via WhatsApp, you confirm that you have read this privacy policy.

We reserve the right to amend this privacy policy at any time, applying the new changes from the moment of their publication on our website. To always be informed about current data-processing practices, we invite you to review the content of the privacy policy regularly.

Controller and contact information

The personal-data-processing controller is SIA “Gudrais Fast Food”, a limited-liability company registered in Latvia.

  • Registered address: Gaujas iela 43-3, Rīga, Latvia, LV-1026

  • Registration number: 40203579006.

  • E-mail for communication: lv@wisefast.food.

  • Telephone (WhatsApp): +371 28945009.

If you have questions related to personal-data processing or the exercise of the data subject’s rights, please contact us by writing to the e-mail address indicated above. The Controller ensures the confidentiality of personal data and has implemented appropriate technical and organisational measures to protect personal data.

Categories of processed personal data

We process only those personal data that are necessary to achieve specified purposes. In this respect, the following categories of personal data may be processed:

  • Identification data: first name, last name; in the case of company clients – also the company name and the representative’s position (if applicable).

  • Contact information: telephone number (for example, the WhatsApp number), e-mail address (if e-mail is used for communication), delivery address and/or another address that you specify for receiving the order.

  • Order information: the list of ordered goods or services, quantity, specifications, delivery time and method, order amount, as well as your notes or comments that you provide in connection with the order.

  • Payment data: information about payment status and method (for example, payment method, transaction number, date and amount). Payment card data are not stored by us – they are securely processed in the system of the payment-service provider Stripe. In the case of cash payments we may process information about the payment (for example, receipt number) only to the extent necessary to fulfil Latvian regulatory requirements.

  • Communication content: any additional information that you voluntarily provide in communication with us, for example, the content of WhatsApp messages (order lists, comments on product preferences, etc.), e-mail letters or information that you enter in the forms on our website.

  • Technical data and cookies: your device’s IP address, browser type, operating system, visit time and date, as well as information about activities on our website obtained by using cookies and analytics tools (see the section “Cookies and analytics” below). These data are mainly used to ensure and improve the functioning of the website and to prevent security incidents.

We do not collect special categories of personal data (for example, information about health, religious beliefs, biometric data, etc.) and we ask you not to provide such sensitive information in the order process. The scope of personal data processed by us is limited to the information mentioned above and other information that the client voluntarily indicates about himself in the order application or during communication.

Purposes and legal basis of personal-data processing

We process personal data for specific, previously defined purposes and only within an appropriate legal basis. Below are the main purposes of personal-data processing and the relevant legal bases in accordance with Article 6 of the General Data Protection Regulation:

  • Acceptance and fulfilment of orders: using the data you provide to accept, process and fulfil food orders. This includes identifying the client, confirming the order, assembling goods, organizing delivery, as well as communicating with you about the order details (for example, clarifications, delays, etc.). Legal basis: conclusion and performance of a contract (Article 6(1)(b) of the Regulation). If you are a legal person, we process the contact-person data you provide for this purpose, based on our legitimate interests in communicating with the client’s representatives.

  • Payment and financial-transaction administration: ensuring the payment of the order (for example, payment authorization and receipt of confirmation from the Stripe system, invoice issuance, payment tracking), as well as accounting and tax payment in accordance with legislative requirements. Legal basis: performance of contractual obligations regarding payment acceptance (Article 6(1)(b) of the Regulation) and fulfilment of legal obligations regarding accounting and taxes (Article 6(1)(c) of the Regulation).

  • Customer service and communication: responding to your questions, examining complaints or claims, and improving the quality of the provided services based on your feedback. For this purpose, your contact information and communication content (for example, correspondence with customer support) may be processed. Legal basis: our legitimate interests to provide high-quality customer service and resolve any disagreements (Article 6(1)(f) of the Regulation). In certain cases the legal basis may also be contract performance, for example, if communication is necessary to fulfil the order.

  • Website maintenance and improvement: ensuring the secure and functional operation of our site (and communication systems), service development and usability analysis. In this context, we use cookies and analytics tools (for example, Google Analytics) to obtain statistical data on the number of website visits, user habits and preferences, to evaluate how useful the site is and how to improve it. Legal basis: our legitimate interest to analyse and improve our services (Article 6(1)(f) of the Regulation). A visitor may refuse Google Analytics data collection at any time by using Google’s offered tools (see below in the “Cookies and analytics” section).

  • Fulfilment of legal claims and protection of legitimate interests: ensuring and protecting our legal rights, for example, obtaining evidence if necessary for handling claims or debt recovery, as well as providing information to state authorities in the cases specified by regulatory acts. Legal basis: our legitimate interests to protect our and other persons’ rights (Article 6(1)(f) of the Regulation) and/or fulfilment of legal obligations (Article 6(1)(c) of the Regulation), depending on the situation. For example, we may process and store invoice and receipt information for as long as required by tax laws, or provide information to law-enforcement authorities if there is a lawful request.

If additional consent is required for personal-data processing for any of the above purposes (for example, if in the future we wish to use your contact information to send marketing messages), we will ask for it separately and explicitly. In such a case the legal basis will be your consent (Article 6(1)(a) of the Regulation), and you will have the right to withdraw such consent at any time (as explained in more detail below in the “Data subject’s rights” section).

Cookies and analytics

Cookies are small text files that a website stores on your device (computer or mobile phone) each time you visit it. Cookies are used on our site to provide basic website functionality, remember and apply the choices made by you as a visitor, as well as to obtain statistics on website usage. Some cookies are necessary for the functioning of the site (for example, session and security cookies set by our site platform Wix.com), while others are additional – for example, analytics and personalization cookies that help to improve your user experience and provide content according to your interests.

We use the Google Analytics tool on our site, which places cookies in your browser to analyse how visitors use the site. It provides us with information, for example, about the number of site visits, page-view duration, devices and browsers used, the demographic distribution of visitors and other statistics. We use the obtained data in our legitimate interests to better understand the needs of site visitors and accordingly improve the information and services published. A description of the basic principles of Google Analytics can be found on the Google support page, and you have the possibility to refuse Google Analytics cookies by installing a browser plugin (see ).

Please note that third parties (for example, Google) may obtain certain technical data about your device and browsing habits when you interact with our site. We strive to use only those external tools and services that meet data-protection requirements; however, you can find detailed information on Google Analytics and other third-party cookies in the privacy policies of the respective service providers.

Cookie control: You have the right to control the use of cookies. If you do not want cookies to be saved on your device, you can change your browser settings to delete already saved cookies and/or block the placement of new cookies. More information on managing cookies is available on the aboutcookies.org website. Note – if you disable or delete all cookies, part of the functionality of our site may not be available or may work in a limited way (for example, the site may not be able to remember your selected language, and you will have to re-enter information when placing orders).

Recipients of personal data

We do not disclose your personal data to third parties, except in cases where it is necessary to achieve the purposes mentioned above or where such disclosure follows from the requirements of regulatory acts. Access to personal data may be granted only to those of our employees who need it for direct work duties (for example, to process your order or make a delivery). All our employees and cooperation partners who have access to personal data are subject to confidentiality and data-protection obligations.

In certain cases, to provide you with services, we use the help of external service providers (processors). In such cases the Controller takes the necessary measures to ensure that these service providers process personal data only in accordance with our instructions and in compliance with applicable regulatory acts, as well as apply appropriate security measures. Our contracted service providers may include:

  • Website maintenance and hosting service provider – our website is located on the Wix.com platform servers, which ensure the operation of the site and data storage. Wix may technically access site-user data (for example, server log records) to the extent necessary to provide the hosting service.

  • Communication-platform service provider – we use WhatsApp (platform owner: Meta Platforms) for communication with clients. This means that your phone number and message content are also processed in the WhatsApp system in accordance with the WhatsApp Privacy Policy. We do not disclose any additional information to WhatsApp other than what you yourself write in your messages when communicating with us.

  • Payment-service provider – Stripe, Inc. and its affiliated companies, which provide payment-card and other cashless payment processing. Your payment data (for example, card number, expiry date, CVV code) are entered in a secure Stripe payment form, and we do not receive these sensitive financial data. We receive only information about the fact of payment (for example, that the payment is approved or failed), which we use for order processing. Stripe may process your data (for example, payment details) on its servers in accordance with the Stripe privacy policy and the data-processing agreement with us.

  • Analytics and statistics service provider – Google LLC (service Google Analytics), as described in the cookies section above. Within Google Analytics Google may receive and process certain technical data about our website visitors (for example, IP addresses and information about activities), but these data are collected and anonymised in statistical form, which does not identify a specific person.

  • Other cooperation partners as necessary: for example, couriers or delivery services that ensure the delivery of ordered goods to the client (if we use an external courier company); IT maintenance or e-mail service providers (if, for example, we use the Gmail e-mail service for company communication), and similar. In such cases the respective service provider may access personal data only to the extent necessary to provide the specific service.

In all cases personal data are transferred only to trusted recipients and are not sold or rented to anyone. We will not disclose your data to third parties for marketing purposes without your explicit consent.

Disclosure in cases specified by law: if necessary, we may transfer your personal data to state and municipal authorities or law-enforcement institutions if the law obliges us to provide such information. For example, Latvian regulatory acts may require providing information to the State Revenue Service (VID) about our economic activities, or the courts/investigative authorities may request data within a specific process. In such cases we will disclose the data only to the extent and in the manner prescribed by law.

International data transfer

Gudrais Fast Food mainly processes and stores personal data in the territory of Latvia and other European Union member states. We do not plan to transfer your personal data to countries outside the European Union or the European Economic Area (EEA) on a regular basis. However, note that some of our service providers or data processors may operate globally, and accordingly your data may in certain cases be processed on servers located outside the EU/EEA (for example, in the USA).

For example, when communicating with us via WhatsApp, the data you provide (phone number, message content) are technically transmitted through the WhatsApp infrastructure, which may include servers outside the EU. Likewise, when making a payment via Stripe, data about the payment may be processed and stored on the servers of Stripe, Inc. in the USA or other countries where Stripe maintains its data centres. Our website-hosting platform Wix.com and the analytics-tool provider Google may also be located outside Latvia and the EU.

In such cases we ensure that international transfer of personal data is carried out in compliance with all applicable data-protection requirements. We store personal data only with those third-party partners who comply with the requirements of the General Data Protection Regulation regarding data protection. This means that before transferring data outside the EEA we check whether any of the following safeguards apply:

  • The respective country has a valid European Commission adequacy decision, which recognises the data-protection level of the country as adequate. For example, in the case of the USA the European Commission in 2023 approved the EU–US Data Privacy Framework, and the parent company of Stripe, Inc. is certified under this programme to receive and process EU personal data in the USA.

  • We have concluded with the respective service provider the European Commission’s Standard Contractual Clauses (SCCs) for data transfer. The Standard Contractual Clauses are a legal mechanism used to ensure personal-data protection when transferring them to countries outside the EU/EEA. For example, Stripe has included the standard data-protection clauses in its contractual documents, and WhatsApp likewise relies on such standard clauses to guarantee that data obtained from EU users, which go outside the EU (for example, to the USA), are protected according to EU requirements.

  • If necessary and available, other legal data-transfer mechanisms are applied, for example, the recipient is certified as adequate under an international privacy scheme, or the data subject has given explicit consent to the data transfer after being informed about the risks (Article 49 of the Regulation).

We monitor developments in the regulation of international data transfers and adapt our measures accordingly. Any transfer of personal data outside the EU/EEA will take place only if an appropriate level of protection is ensured and the applicable security measures are observed. Your personal data will not be transferred to countries or organisations that do not meet these conditions.

Personal-data storage period

We process and store your personal data no longer than necessary to achieve the relevant purposes or as required by regulatory acts. The storage period of data may differ depending on the data category and processing purpose:

  • Order data (client contact information, order content, etc.) are stored until the order is fully fulfilled and paid for, and afterwards – for a reasonable period so that we can respond to possible claims, report on the services provided and ensure evidence to protect our legitimate interests. Usually this period does not exceed 2 years after the last communication with you, unless any of the longer storage obligations mentioned below apply.

  • Contract and financial-transaction data (for example, invoices, cash receipts, payment records) are stored in accordance with legal requirements. Latvian accounting and tax regulatory acts may require retaining financial documents for a certain time period (for example, 5 or 10 years). Therefore information necessary for accounting and tax payment (for example, personal data in invoices) will be stored for the period specified by law.

  • Any other information (for example, correspondence, analytics data) is stored for as long as it is reasonably necessary for the purpose for which it was collected. For example, e-mail correspondence with a client about order questions may be stored for up to a year after the last message, to ensure quality control and references if disputes arise. Analytics data on website visits are stored in anonymised form in the long term for statistical purposes, but they are not directly linked to a specific person.

When none of the processing purposes or legal bases remain in force, we delete or anonymise the respective personal data. After these circumstances cease, and if applicable regulatory acts do not provide otherwise, personal data are deleted no later than within a few months, except in cases where we have a legal obligation to retain these data for a longer period (for example, for accounting records or the provision of legal claims).

We regularly review the volume of stored personal data and delete outdated or unnecessary data in accordance with the principle that data should not be stored longer than necessary. Deleting or anonymising your personal data means that we irreversibly destroy or separate identifying information so that you can no longer be identified.

Data subject’s rights

According to the General Data Protection Regulation you as a data subject have several rights regarding your personal data. We provide you with the opportunity to exercise the following rights:

  • Right of access: You have the right to request confirmation whether we process your personal data and, if so – to obtain information about the data processed, processing purposes, data categories, data recipients, storage periods, etc., as well as to receive a copy of your personal data (insofar as it does not affect the rights of other persons).

  • Right to rectification: If you believe that the information we hold about you is inaccurate or outdated (for example, you have changed your phone number or address), you have the right to request correction or supplementation of this personal data. We ask you to ensure that the data you provide are accurate and to update them in a timely manner if necessary.

  • Right to erasure: You have the right to request the deletion of your personal data (the so-called “right to be forgotten”) in certain cases – for example, if the data are no longer necessary for the purpose for which they were collected, or if the data are processed based on your consent and you withdraw that consent, or if you object to processing and we have no overriding legitimate grounds to continue processing. Please note that we cannot delete data that we are legally obliged to keep (for example, transactions reflected in accounting documents), or in other cases provided by law.

  • Right to restrict processing: In certain circumstances you have the right to request that we temporarily restrict the processing of your personal data (for example, if you contest the accuracy of the data or object to processing, we may temporarily suspend processing while the issue is resolved). During the restriction period we will only store the data, but not carry out other processing operations, except where necessary for the establishment, exercise or defence of legal claims.

  • Right to object: You have the right to object to the processing of personal data that is carried out on the basis of our legitimate interests. In such a case we will no longer process the relevant data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. In any case you have an absolute right to object to the processing of your personal data for direct marketing purposes (if we carried out such processing; currently we do not do so without your consent).

  • Right to data portability: In cases where processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive from us the personal data that you have provided, in a structured, commonly used and machine-readable format, and, if technically feasible, to request that we transmit those data directly to another controller at your request. These rights do not apply to paper data and cannot be exercised with respect to data that we have created (for example, internal assessments).

  • Right to withdraw consent: If your personal data are processed on the basis of your consent, you have the right to withdraw that consent at any time for future processing. Withdrawal of consent will not affect the legality of processing carried out while consent was in force, but after withdrawal we will no longer process the relevant data for the specific purpose. For example, you have the right to unsubscribe from newsletters or advertising messages, if we send them, and we will immediately stop processing your contact information for this purpose.

  • Right to submit a complaint: If you believe that we have violated your rights to personal-data protection or have not properly fulfilled data-processing requirements, you have the right to lodge a complaint with the supervisory authority – the Latvian Data State Inspectorate. Data subjects can submit complaints to the Data State Inspectorate (address: Elijas iela 17, Rīga, LV-1050; website: www.dvi.gov.lv) if they consider that the processing of personal data violates their rights and freedoms under applicable regulatory acts. However, we encourage you to contact us first – we will endeavour in good faith to resolve your questions or complaints as quickly as possible.

To exercise your rights, you may submit an appropriate request to us. You can do this by writing a free-form application to the e-mail (indicated in the section “Controller and contact information”) or by sending a letter to our registered address. In the request please specify sufficiently which right you wish to exercise (for example, obtaining a copy of data, correction or deletion, restriction of processing, etc.) so that we can respond appropriately.

Upon receiving your request, we will first verify your identity (for example, we may ask you to confirm your e-mail or phone number, or to present an identity document if the request is submitted in person), to prevent disclosure of data to unauthorised persons. Then we will evaluate your request and fulfil it within the deadline set by regulatory acts (usually no later than within one month, unless the specific request requires additional time due to complexity – then the deadline may be extended by another two months, about which we will inform you). In the case of a data-access or portability request, if they concern the rights of other persons or are unfounded or excessive (for example, repeated and unreasonable requests), we may refuse to provide information or apply a reasonable fee, as permitted by the Regulation.

Data security

We have implemented and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, unauthorised access or any other unlawful processing. Gudrais Fast Food ensures the confidentiality of personal data and employs modern security solutions to safeguard the information processed.

Specifically, our website uses encrypted data transmission (HTTPS protocol with an SSL/TLS certificate), which ensures that the data you enter (for example, the order form, payment information) are transmitted securely. Likewise, we cooperate only with such payment and IT service providers that apply high-level security standards. For example, Stripe by default encrypts sensitive data in memory and during data transmission, and maintains strict access controls and monitoring measures in its systems.

The WhatsApp communication platform uses end-to-end encryption to protect user-message content – this means that messages are readable only by the sender and the recipient, and even the service provider itself (WhatsApp/Meta) cannot read them until they reach the addressee. This ensures that your communication with us via WhatsApp is confidential. However, note that WhatsApp as a platform still processes metadata (for example, which numbers communicate and when) in accordance with its rules.

We limit access to your personal data – they are available only to trained employees and partners who need them to perform duties, and who are committed to confidentiality. All databases and systems in which personal data are stored are protected by authorisation mechanisms (passwords, access rights), and we regularly update software to address security vulnerabilities. Data backups are created and other measures are implemented to ensure data integrity and availability.

Despite all measures, due to the risks inherent in the internet we cannot guarantee complete data security when transmitting data online (for example, in e-mail or web-form communication). However, we do everything possible to protect your data. You are also encouraged to take precautionary steps – for example, not to disclose your account login data to anyone and to use secure connections when placing orders online.

In the event of a personal-data-protection breach (for example, a data leak) and if there is a high risk to your rights and freedoms, we will notify you and the supervisory authorities in accordance with regulatory requirements.

Final provisions

This privacy policy is effective from July 10, 2025 and remains in force until it is replaced by a newer version. We may periodically update this privacy policy to reflect changes in our personal-data processing or changes in legal acts. If significant changes are made to the policy, we will announce them on our website and (if possible) inform you through other communication channels. If you continue to use our services after the changes to the privacy policy, it will be considered that you have accepted the updated version of the policy.

If you have questions about this privacy policy or your personal-data processing by us, please contact us using the contacts indicated in the section “Controller and contact information”. We are always ready to provide additional information and resolve any uncertainties related to your data processing to ensure fair and transparent personal-data protection.

Sources: The principles and information of the privacy policy have been prepared based on the requirements of the General Data Protection Regulation and industry best practices, as well as taking into account examples and recommendations of privacy policies of similar companies.
