Skip to content

Legal

Data Protection.

Note: This is a courtesy English translation of the legally binding German Privacy Policy (Datenschutzerklärung). In case of doubt, the German version prevails. References to the GDPR are translated as-is; the underlying legal framework is EU regulation.

This Privacy Policy informs you pursuant to Art. 13 GDPR about which personal data is processed when you visit the website nicolai-wiedmer.de, for what purposes, on what legal basis, and which rights you are entitled to.

1. Controller

The controller responsible for the data processing within the meaning of the GDPR is:

Eckert Restaurant WIO GmbH
Baslerstrasse 20
79639 Grenzach-Wyhlen
Germany
Phone: +49 (0) 7624 91720
Email: office@wio-group.de

Authorized representatives: Nicolai P. Wiedmer, Rainer Wiedmer. Further information can be found in the Imprint.

1a. Data Protection Officer

We are not legally required to appoint a data protection officer (§ 38 BDSG, German Federal Data Protection Act). For questions regarding data protection, please use the contact details listed under section 1 or contact presse@nicolai-wiedmer.de.

2. Hosting (Vercel) and server log files

This website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA ("Vercel"). Each time the website is accessed, Vercel, acting as a data processor on our behalf, automatically processes technical data transmitted by your browser (server log files):

  • IP address of the requesting device
  • Date and time of the request
  • Requested URL / path and HTTP status code
  • Amount of data transferred
  • Browser type and version used (User-Agent)
  • Operating system and language
  • Referrer URL (previously visited page)

Purpose: Delivery of the website, ensuring stability and IT security, defense against misuse and attacks.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stable, secure operation).
Storage period: Vercel stores runtime request logs only for a short time (Pro plan standard: up to a few days) and deletes them automatically afterwards. Vercel does not technically truncate the IP address; the data is processed exclusively on behalf of the controller.
Data transfer to third countries: Vercel is a US provider and is certified under the EU-U.S. Data Privacy Framework (EU Commission adequacy decision of 10 July 2023; Vercel entry at dataprivacyframework.gov). EU Standard Contractual Clauses apply additionally; a data processing agreement pursuant to Art. 28 GDPR is in place with Vercel (vercel.com/legal/dpa). Function execution takes place in the EU region Frankfurt (fra1). Global edge infrastructure may, for security/performance reasons, also process technical connection data outside the EU.
Further information: vercel.com/legal/privacy-policy · vercel.com/legal/subprocessors.

3. Cookies and local storage

This website does not set any cookies requiring consent. No advertising or profiling cookies are used; neither Google Analytics, Meta Pixel, Hotjar nor Vercel Web Analytics are deployed. No personal data is stored in the browser's local storage or session storage either.

For audience analytics, Cloudflare Web Analytics is used (provider: Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA). The tool operates cookie-less and without fingerprinting; it collects aggregated, anonymous metrics (page views, referrer, device class, approximate location via IP range). IP addresses are not stored. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in evaluating website usage). Cloudflare is certified under the EU-U.S. Data Privacy Framework.

If, in exceptional cases within the hosting (Vercel) context, strictly necessary cookies are set (e.g. for load balancing or DDoS defense), this occurs without consent pursuant to § 25(2) No. 2 TDDDG (German Telecommunications Digital Services Data Protection Act); the subsequent processing is based on Art. 6(1)(f) GDPR. A cookie banner is not required.

When submitting the inquiry form, Cloudflare Turnstile is used as bot protection (provider: Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA). In a challenge case, Turnstile sets a strictly necessary cookie (cf_chl_*) and transmits anonymized behavioral signals (mouse/keyboard patterns, browser properties) to Cloudflare. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in spam/bot defense) and § 25(2) No. 2 TDDDG for the strictly necessary cookie. Cloudflare is certified under the EU-U.S. Data Privacy Framework.

To limit form spam, an IP-based rate limit is additionally operated — either in the working memory of the Vercel function or, if configured, via Upstash Redis (Upstash Inc., USA; storage location optionally EU). Only a short-lived counter per IP is stored (lifetime 60 s); no personal content. Legal basis: Art. 6(1)(f) GDPR.

4. Fonts

This website uses exclusively system-native fonts of your device (e.g. Georgia, system-ui). No webfonts are loaded from Google Fonts, Adobe Typekit or other external font CDNs. Therefore, when the page is accessed, no transmission of your IP address for the purpose of font rendering takes place.

5. Contact (contact form and email)

A contact form is offered on this website. When using it, we process the data you enter:

  • Name
  • Email address
  • Subject / selection of inquiry category (Guest Chef, Consulting, Catering, Cooperation, Press, Other)
  • Optional: organization, phone number, desired date / time frame
  • Your message
  • Confirmation of acknowledgment of this Privacy Policy
  • Time of submission

Spam and misuse protection: To protect the form against automated requests, your IP address is held for a short time (no longer than 60 seconds) exclusively in the server's working memory upon submission (rate limit, max. 5 requests per 60 seconds). Additionally, we evaluate a hidden form field ("honeypot") and a timestamp of the form invocation to detect bot submissions. Recognized automated requests are silently discarded without storage and without forwarding. Legal basis: Art. 6(1)(f) GDPR.

Purpose: Processing of your inquiry and, where applicable, initiation of a contractual or business relationship (guest chef engagements, consulting, catering, cooperations, press).
Legal basis: Art. 6(1)(b) GDPR (initiation / performance of a contract or pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to your inquiry). The explicit confirmation of the data protection notice in the form serves at the same time to inform you; consent within the meaning of Art. 6(1)(a) GDPR is not thereby replaced, provided that the processing can already be based on lit. b or lit. f.
Storage period: Your inquiry and the associated data will be deleted as soon as they are no longer required for processing your matter. If no contract is concluded, we generally delete inquiries no later than six months after the end of the correspondence. In the event of a contract conclusion, statutory retention periods apply (in particular § 257 HGB, German Commercial Code, up to six years; § 147 AO, German Fiscal Code, up to ten years).
Provision of data: The provision of your data is voluntary. Mandatory fields (name, email address, subject, message) are marked in the form. Without this information, processing of your inquiry is not possible. There is no statutory or contractual obligation to provide the data.

Dispatch via Resend (data processor): For the technical dispatch, we use Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Resend processes the content exclusively on behalf of and according to the instructions of the controller (Art. 28 GDPR); a data processing agreement is in place. By default, Resend stores sent email content for three days and deletes it automatically afterwards; dispatch metadata (sender, recipient, delivery status, timestamp) remain viewable in the dispatch account until they are deleted there. Resend, Inc. is certified under the EU-U.S. Data Privacy Framework (EU Commission adequacy decision of 10 July 2023); EU Standard Contractual Clauses apply additionally. Further information: resend.com/legal/privacy-policy · resend.com/legal/dpa · resend.com/legal/subprocessors.

You can of course also contact us directly by email or telephone. We process the data transmitted in this context for the same purposes and on the same legal basis.

6. External links

This website contains references to external offerings as pure HTML links (anchors) — not as iframe or JavaScript widget:

  • Restaurant Eckert reservations: opentable.de (OpenTable, Inc., USA)
  • Restaurant website: eckert-grenzach.de
  • Group and brands: wio-group.de, wio-catering.de, schlotzeria.de, wio-cheese.de
  • Professional association: jre.eu (Jeunes Restaurateurs)
  • Social network: instagram.com/nicolaiwiedmer
  • Authorities / legal: baden-wuerttemberg.datenschutz.de, loerrach-landkreis.de
  • Hosting / dispatch service providers: vercel.com, resend.com

Before your active click, no cookies are set and no IP address, referrer or other data is transmitted to the providers listed.

Note on OpenTable: When you click "Reserve a table", you will be redirected to opentable.de. There, OpenTable may set its own cookies and process data in accordance with its privacy policy — including transfer to the USA. The operators of linked third-party sites are solely responsible for their content and data processing.

7. Instagram

Link to the Instagram profile
We link to our Instagram profile @nicolaiwiedmer. Only when you actively click the link is data transmitted to Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (parent: Meta Platforms, Inc., USA — on the basis of EU Standard Contractual Clauses). Legal basis: Art. 6(1)(f) GDPR (external representation). Further information: privacycenter.instagram.com/policy.

8. Recipients / data processors at a glance

  • Vercel Inc., USA – hosting (data processor, DPF-certified)
  • Resend, Inc., USA – transactional email dispatch (data processor, DPF-certified)

Beyond this, your personal data is not transferred to third parties unless we are legally obliged to do so (e.g. to law enforcement or tax authorities).

9. Your rights as a data subject

You have the following rights vis-à-vis us at any time:

  • Right of access (Art. 15 GDPR): You learn whether and which data we process about you.
  • Right to rectification (Art. 16 GDPR): Correction of inaccurate or completion of incomplete data.
  • Right to erasure (Art. 17 GDPR): Erasure of your data, provided no statutory retention obligations conflict.
  • Right to restriction of processing (Art. 18 GDPR): We only store your data but do not process it further.
  • Right to data portability (Art. 20 GDPR): You receive your data in a structured, commonly used format.
  • Right to object (Art. 21 GDPR): You object to processing based on Art. 6(1)(f) GDPR.
  • Right to withdraw (Art. 7(3) GDPR): You withdraw a consent given with effect for the future.

To exercise these rights, an informal message to office@wio-group.de or presse@nicolai-wiedmer.de is sufficient. The information is free of charge for you. We respond without undue delay, at the latest within one month (Art. 12(3) GDPR). In the event of reasonable doubts about your identity, we may request proof.

10. Right to lodge a complaint with the supervisory authority

Without prejudice to other remedies, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
(State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg)
Heilbronner Straße 35
70191 Stuttgart
P.O. Box 10 29 32, 70025 Stuttgart
Phone: +49 711 615541-0
Fax: +49 711 615541-15
Email: poststelle@lfdi.bwl.de
www.baden-wuerttemberg.datenschutz.de · Online complaint form

Alternatively, you may contact the supervisory authority of your habitual residence or place of work.

11. No automated decision-making

We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR.

12. Data security

Data transmission via this website is encrypted using TLS / HTTPS. We also take appropriate technical and organizational measures to protect your data against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.

13. Currency and amendment of this Privacy Policy

We update this Privacy Policy in the event of factual or legal changes. The current version is always available on this page.

Note: This information has been prepared with care, but does not replace individual legal advice. Please have it reviewed by a lawyer before publication.

← Back to home