Privacy Policy

Last updated: 26/04/2026

Through our stores, apps and Website, we collect and process Personal Data. We use your Personal Data to provide and improve our Services. By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy.

We handle Personal Data with care and store it securely. We are committed to protecting the privacy and Personal Data of users of our Services and ensure that we comply with the requirements of privacy legislation, including the General Data Protection Regulation (GDPR).

This Privacy Policy describes our policies and procedures on the collection, use and disclosure of your information when you use our Service and informs you about your privacy rights and how to exercise them. If you have any questions after reading our Privacy Policy, please contact Us at papa@papajohns.co.nl.

1. Interpretation and Definitions

Interpretation

The words whose initial letter is capitalized have the meaning defined under the following conditions. The following definitions have the same meaning regardless of whether they appear in the singular or plural.

Definitions

For the purposes of this Privacy Policy:

Account means a unique account created for you to access our Service or parts of our Service.

Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to Papa John’s Netherlands (PAPA HOLDINGS NL BV). For the purposes of the GDPR, the Company is the data controller.

Cookies are small files placed on your computer, mobile device, or other device by a website, containing details of your browsing history on that website among many other applications.

Country refers to: the Netherlands

Data controller within the meaning of the GDPR (General Data Protection Regulation), refers to the Company as the legal entity that alone or jointly with others determines the purposes and means of the processing of Personal Data.

Device means any device that can access the Service, such as a computer, a mobile phone or a digital tablet.

Personal Data is any information that relates to an identified or identifiable individual. For the purposes of GDPR, Personal Data means any information relating to you such as a name, an identification number, location data, online identifier or one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity, which can be used to directly or indirectly identify you.

Services: provision of food and beverages, through pick-up in one of our Papa John’s locations or by delivery.

Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used. For the purposes of the GDPR, Service Providers are considered Data Processors.

Usage Data refers to data that is collected automatically, either generated by the use of the Service or from the infrastructure of the Service itself (for example, the duration of a page visit).

Website refers to Papa John’s Netherlands, accessible via: https://www.papajohns.co.nl/

2. Collection of Your Personal Data

This Privacy Policy applies to you and We collect your Personal data if you:

  • are a customer of Papa John’s and place an order via our store, Website or App;
  • make an online payment on our Website or our App;
  • have created a personal account on our Website or our App;
  • are subscribed to our newsletter;
  • visit our Website;
  • visit our App;
  • contact us, for example to track your order or ask questions about our products.

3. GDPR privacy

Legal basis for the processing of Personal Data under GDPR

We may process Personal Data under the following conditions:

Consent: You have given consent to the processing of Personal Data for one or more specific purposes. We use this basis for direct marketing messages.

Performance of a contract: Providing Personal Data is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof. We use this basis to prepare and deliver your order.

Legal obligations: Processing of Personal Data is necessary to comply with a legal obligation to which the Company is subject.

Legitimate interests: The processing of Personal Data is necessary for the purposes of the legitimate interests pursued by the Company. Our legitimate interests include improving our products and services, maintaining customer relationships, and monitoring customer satisfaction. We can use this basis for sending direct marketing messages and conducting satisfaction surveys. Our legitimate interest in sending satisfaction surveys has been balanced against the interests of data subjects; the processing involves minimal intrusion and data subjects can object at any time.

4. Automated decision-making and profiling

We do not use automated decision-making processes that produce legal effects or similarly significantly affect you. We do use profiling for direct marketing and personalization purposes (e.g. through Google Analytics and email marketing tools), based on your browsing behavior, order history and preferences. This profiling does not result in automated decisions with legal consequences. You have the right to object to this profiling at any time (see Section 11).

5. Types of data collected

Personal Data

While using our Service, we ask you to provide us with certain personally identifiable information that can be used to contact or identify you and provide our Services. Personally identifiable information that we process may include, depending on the actual Services requested:

  • E-mail address
  • First and last name
  • Phone number
  • Address, State, Province, Zip Code, City
  • Financial information such as bank account number or credit card
  • Date of birth
  • IP address
  • Location data
  • Any other personal information you provide to us

Usage Data

Some of this information may be required for Us to provide our Services. This information may be indicated by an asterisk on the forms on the Website or App. The provision of such data is a contractual requirement necessary to enter into or perform an agreement with or by Us. If you do not provide the required data, we will not be able to provide the relevant Services. Certain data may also be required to comply with a legal obligation (e.g. financial record-keeping obligations). In that case, failure to provide such data may prevent Us from complying with applicable law.

To ensure that we have up-to-date information, you can notify us of any changes to your contact details or any other information by contacting us at the contact details mentioned in this Privacy Policy.

6. Use of your Personal Data

We use your Personal data for the following purposes.

To manage your Account and your registration as a user of the Service. The Personal Data you provide may give you access to various features of the Service that are available to you as a registered user. This processing is carried out on the basis of the contract between you and Us.

To contact you: To contact you by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as the push notifications of a mobile application regarding updates or informational communications related to the functionalities, products or contracted services, including security updates, when necessary or reasonable for their implementation. This processing is carried out on the basis of Our legitimate interest and/or your consent.

To manage your requests. To attend to and manage your requests to Us. This processing is carried out on the basis of the contract between you and Us and/or your consent.

To provide you with news, special offers, satisfaction surveys and general information about other goods, Services and events that we offer that are similar to those that you have already purchased or inquired about, unless you have chosen not to receive such information. This processing is carried out on the basis of Our legitimate interest and/or your consent.

For business transfers: We may use your information to evaluate or effect a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets, whether as a going concern or as part of a bankruptcy, liquidation, or similar process, in which Personal Data held by Us about our Service users is among the assets transferred. This processing is carried out on the basis of Our legitimate interest.

For other purposes: We may use your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of Our promotional campaigns, and to evaluate and improve our service, products, Services, marketing, and your experience. This processing is carried out on the basis of Our legitimate interest.

Usage Data collected automatically when visiting our Website and App.

The following categories of data are processed each time you visit our Website: IP address, browser information and other technical information such as browser version, the pages of our Service that you visit, the time and date of your visit, the time you spend on those pages, unique device identifiers, visitor patterns and website activity (such as your clicking behavior) and other diagnostic data.

This data is processed to evaluate, in particular through statistical analysis of audience and usage, and improve the Website and the Services We offer. This processing is carried out on the basis of Our legitimate interest, namely to determine the type of customer we have, develop Our business, and improve Our commercial and marketing strategy.

When you access the Service with or through a mobile device, We automatically collect information about the type of mobile device you use, your mobile device’s unique ID, your mobile device’s IP address, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.

Data processing when registering and placing an order on the Website or App

If you place an order, you will be asked to provide identification data, including your first and last name, address, postal address, email address, payment details, and telephone number.

This data is used by Us for the performance of the contract(s) concluded between us, in particular for the following purposes:

  • creating and using a personal account on the Website.
  • making the ordering process as quick and efficient as possible,
  • managing customer relations and your customer profile,
  • to provide information on the status of your order and, more generally, to communicate with you,
  • processing the order (such as payment, confirmation and delivery times),
  • managing acceptance of the general terms of use and this Privacy Policy,
  • provide customer service.

This data is necessary for the performance of the contract between you and Us.

If you have a customer account, you can change your choices at any time by going to your Personal Information in your Account.

Location data

We use location data for the purposes of operating the store locator on our Website and App, enabling us to display the stores closest to you. This feature can only be used if you have given your consent to this effect via the pop-up window in which we request your prior consent. This location data is not stored or shared with third parties.

Processing data to enforce our rights and prevent illegal activity

We also process your personal data to:

  • detect, investigate, prevent or take action regarding illegal activities, abuse, suspected fraud,
  • protect and defend our property, rights and interests, including in litigation before any court or administrative authority. The personal data processed above on the basis of necessity for the performance of the contract will, at the end of the contract, be processed on the basis of our legitimate interest, namely to preserve our rights in the event of legal action.

For this processing, our legitimate interest is to enforce Our rights and prevent fraud and any illegal activity.

Processing of data to comply with our legal obligations

We process your personal data for the following purposes:

  • comply with the legal and regulatory obligations to which we are subject,
  • manage your requests regarding your personal data rights.

This processing is necessary to comply with Our legal obligations.

7. Tracking Technologies and Cookies

We use Cookies and similar tracking technologies to track activity on our Service and store certain information. This processing is carried out on the basis of Our legitimate interest, namely to determine the type of customer we have, develop our business, and improve our commercial and marketing strategy. Certain processing requires your consent, and will only be carried out if you have consented. You can revoke your consent at any moment, as further specified in our Cookie Statement.

8. Transfer of your Personal Data

Your information, including Personal Data, is processed by the Company and by its service providers. This means that this information may be transferred to, and maintained on, computers located outside the Netherlands, where the data protection laws may differ from those in your jurisdiction.

The Company will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place. Transfers to third countries are based on: (i) an adequacy decision of the European Commission; (ii) Standard Contractual Clauses (SCCs) as adopted by the European Commission; or (iii) the EU-US Data Privacy Framework (DPF), where applicable. Specifically: Mailchimp (The Rocket Science Group LLC, USA) is certified under the EU-US Data Privacy Framework. Google Analytics (Google LLC, USA) is certified under the EU-US Data Privacy Framework. We have implemented additional configuration measures for Google Analytics (including IP anonymization). For further information on the applicable transfer mechanism for a specific Service Provider, please contact us at papa@papajohns.co.nl.

9. Retention of your Personal Data

The Company will only retain your Personal Data for as long as necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data as necessary to comply with our legal obligations (for example, if we are required to retain your information to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

We use the following retention periods:

| Data referring to | Retention Period |
| --- | --- |
| Creating an Account and managing the relationship with the customer | For as long as the account is active and for a period of 2 years after the account is closed. |
| Placement and fulfilment of an order | For a period of 7 years after the order has been delivered. |
| Personalization of services and user experience | For a period of 2 years after the Data has been collected. |
| Improvement of our Website and products and Services | For a period of 2 years after the Data has been collected. |
| Data collected by cookies | As specified in the Cookie Statement. |
| Compilation of statistics | For a period of 2 years after the Data has been collected. |
| Legal obligations | For a period of 7 years after our Services have been delivered. |

The Company will also retain Usage Data for internal analytics purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or improve the functionality of Our Service, or when We are required by law to retain this data for a longer period of time.

10. Disclosure of your Personal Data

Business transactions

If the Company is involved in a merger, acquisition or sale of assets, your Personal Data may be transferred. We will notify you before your Personal Data becomes subject to a different Privacy Policy.

Law enforcement

Under certain circumstances, the Company may be required to disclose your Personal Data if required to do so by law or in response to valid requests from public authorities (e.g. a court or government agency).

Other legal requirements

The Company may disclose your Personal Data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of the Company
  • Prevent or investigate possible violations in connection with the Service
  • Protect the personal safety of Users of the Service or the public
  • Protect against legal liability

Use of Service Providers

We may use third-party Service Providers to monitor, analyze and improve (the use of) our Services. This includes Amazingfood, FoodTrac (food delivery service provider), Inforu (client management system) and POVIS (cash register system).

The Service Providers We use may have access to your Personal Data. These third-party providers collect, store, use, process and transfer information about your activities on Our Service in accordance with their Privacy Policies. However, We have agreements in place to guarantee compliance with applicable laws, including GDPR.

With Affiliates

We may share your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.

With business partners

We may share your information with Our business partners to offer you certain products, services or promotions. This includes our Franchise partners of the Papa John’s formula.

Google Analytics

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the collected data to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the advertisements of its own advertising network.

You may opt out of having your activity on the Service made available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information about visitor activity with Google Analytics.

For more information about Google’s privacy practices, please visit the Google Privacy & Terms web page.

Email Marketing

We may use your Personal Data to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from Us by following the unsubscribe link or instructions in any email We send or by contacting Us.

We may use Email Marketing Service Providers to manage and send emails to you.

Mailchimp

Mailchimp is an email marketing service offered by The Rocket Science Group LLC. For more information about Mailchimp’s privacy practices, please visit their Privacy Policy.

With your consent

We may disclose your Personal Data for any other purpose with your consent.

11. Security of your Personal Data

The security of your Personal Data is important to Us. We take appropriate technical and organizational measures to prevent misuse, loss, unauthorized access, unwanted disclosure, and unauthorized modification. Access to Personal Data is only granted to the parties and employees on a need-to-know basis. Our Website is protected by the SOC2 standard. If you feel that your data is not properly secured or there are indications of misuse, please contact our customer service or contact us via papa@papajohns.co.nl.

12. Your rights under the GDPR

We undertake to respect the confidentiality of your Personal Data and to ensure that you can exercise your rights.

You have the right under this Privacy Policy, and by law, to:

Request access to your Personal Data. The right to access, update or delete the information we have about you. Where enabled, you can access, update or request deletion of your Personal Data directly within your account settings section. If you are unable to perform these actions yourself, please contact Us to assist you. This also enables you to receive a copy of the Personal Data that We hold about you.

Request correction of the Personal Data We hold about you. You have the right to have any incomplete or inaccurate information We hold about you corrected.

Object to the processing of your Personal Data. This right exists where We rely on a legitimate interest as the legal basis for Our processing and there is something about your particular situation which makes you want to object to Our processing of your Personal Data on this ground. You also have the right to object when We process your Personal Data for direct marketing purposes.

Request restriction of the processing of your Personal Data. You have the right to request that We restrict the processing of your Personal Data where: (i) you contest the accuracy of the data; (ii) the processing is unlawful but you oppose erasure; (iii) We no longer need the data but you require it for legal claims; or (iv) you have objected to processing and the verification of Our legitimate grounds is pending.

Request deletion of your Personal Data. You have the right to ask Us to delete or remove Personal Data where there is no good reason for Us to continue processing it.

Request transfer of your Personal Data. We will provide your Personal Data to you, or to a third party you choose, in a structured, commonly used, machine-readable format. This right only applies to automated information that you initially gave us permission to use or where We used the information to perform a contract with you.

Withdraw your consent. You have the right to withdraw your consent to the use of your Personal Data. If you withdraw your consent, We may no longer be able to provide you with access to certain specific features of the Service.

13. Exercising your GDPR data protection rights

You can exercise your rights of access, rectification, cancellation and opposition by contacting Us by email at papa@papajohns.co.nl. Please note that we may ask you to verify your identity before responding to such requests. If you submit a request, we will do our best to respond to you as quickly as possible.

You have the right to complain to a Data Protection Authority about Our collection and use of your Personal Data. The Data Protection Authority for The Netherlands is the Autoriteit Persoonsgegevens.

14. Children’s Privacy

Our Service is not directed to persons under the age of 16. We do not knowingly collect personally identifiable information from anyone under the age of 16. If you are a parent or guardian and you are aware that your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 16 without verification of parental consent, We will take steps to delete that information from Our servers.

If you are under the age of 16 and we rely on consent to process your information, We must require your parent’s consent before We collect and use that information.

15. Links to other websites

Our Service may contain links to other websites that are not operated by Us. If you click on a third party link, you will be directed to that third party’s site. We strongly advise you to read the Privacy Policy of every site you visit.

We have no control over, and assume no responsibility for, the content, privacy policies or practices of any third party sites or services.

16. Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will notify you via email and/or a prominent notice on Our Service prior to the change becoming effective and update the “Last updated” date at the top of this Privacy Policy.

You are advised to check this Privacy Policy regularly for any changes. Changes to this Privacy Policy will be effective when they are posted on this page.
