Privacy policy.
Last updated: June 2026 · Informal translation — the German version is legally binding.
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the EU Member States is:
Mi Peru Restaurant & Tapasbar
Owner: Maribel Bueno de Palomino
Heidelbergerstraße 40, 64285 Darmstadt, Germany
E-mail: info@miperu.de
Phone: +49 6151 276 5891
2. Data protection officer
We are not required by law to appoint a data protection officer. For data protection queries please contact the controller named in section 1 directly.
3. General information on data processing
We process personal data of our users only insofar as this is necessary to provide a functioning website and our content and services. Processing regularly takes place only with the user's consent (Art. 6 (1) (a) GDPR), for the performance of a contract (Art. 6 (1) (b) GDPR), to comply with a legal obligation (Art. 6 (1) (c) GDPR) or to safeguard legitimate interests (Art. 6 (1) (f) GDPR).
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Storage may also take place if provided for by European or national legislation.
4. Server log files (hosting at Vercel)
This website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. With every access, the server automatically records information transmitted by your browser:
• IP address (truncated where technically possible)
• Date and time of the request
• URL accessed and HTTP status code
• Referrer URL
• Browser type, version and operating system
Legal basis is Art. 6 (1) (f) GDPR (legitimate interest in stable and secure operation). The data is automatically deleted after no more than 30 days. For the transfer to the USA an adequate level of data protection applies based on the EU-US Data Privacy Framework, to which Vercel Inc. is subject. Further information: vercel.com/legal/privacy-policy.
5. Cookies and comparable technologies
We use only technically necessary cookies and comparable storage mechanisms (e.g. localStorage) for the operation of the site:
• Language preference — stores the selected language (de/en) for future visits. Legal basis: Art. 6 (1) (f) GDPR in conjunction with § 25 (2) no. 2 TDDDG.
• Mini-game high score (local) — if you use the Spiel page, your score and chosen initials are stored exclusively locally in your browser (localStorage). No transmission to us takes place.
We do not use tracking, analytics or advertising cookies. A cookie banner is therefore not currently required. You can delete cookies at any time in your browser settings or refuse their storage.
6. Contact by e-mail, phone or form
If you contact us by e-mail, phone or via the contact form on the Kontakt page, we process the data you provide (e.g. name, e-mail address, phone number, message content) to deal with your enquiry.
Legal basis is Art. 6 (1) (b) GDPR (pre-contractual measures) or Art. 6 (1) (f) GDPR (legitimate interest in handling enquiries). We delete enquiries as soon as they are no longer required; statutory retention obligations (in particular commercial and tax law retention periods of up to ten years) remain unaffected.
For the technical delivery of the data submitted via our forms we use the processor Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA — the form data is delivered to us by e-mail. A data processing agreement is in place; EU standard contractual clauses apply to the transfer to the USA. Further information: resend.com/legal/privacy-policy.
7. Table reservation (dish.co)
For online reservations we use the widget of the third-party provider Hospitality.Digital GmbH (dish.co), Metro-Straße 1, 40235 Düsseldorf. When the reservation page is loaded, an iframe is fetched from dish.co and data such as your IP address is transmitted to dish.co.
The data you enter in the reservation form (date, time, party size, name, e-mail, phone, notes) is processed by dish.co on our behalf and forwarded to us for the purpose of the reservation. Legal basis: Art. 6 (1) (b) GDPR (contract performance). For further information see dish.co's privacy notice: dish.co/datenschutz/.
8. Map display (OpenStreetMap)
On our contact page we embed a map from the OpenStreetMap Foundation, St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom, as an iframe. When the map is loaded, your IP address is transmitted to the OpenStreetMap Foundation servers.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in a data-minimising, cookie-free display of our location). The map is deliberately lazy-loaded; OpenStreetMap does not set tracking cookies. Further information: osmfoundation.org/wiki/Privacy_Policy.
9. WhatsApp contact
You can reach us via WhatsApp. When you click the WhatsApp button you are forwarded to the WhatsApp app or web version — provider: WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, a subsidiary of Meta Platforms Ireland Ltd. When you contact us via WhatsApp the transmitted data (phone number, profile name, message content) is processed by WhatsApp/Meta.
We have no influence on this. Please refer to WhatsApp's privacy notice: whatsapp.com/legal/privacy-policy-eea. Legal basis for processing enquiries you send us via WhatsApp on our side is Art. 6 (1) (b) and (f) GDPR.
10. Fonts (self-hosted Google Fonts)
We use the fonts „Bricolage Grotesque“, „Manrope“ and „JetBrains Mono“. These are automatically copied to our server at build time via the Next.js component next/font and served exclusively from our own domain. No connection is made to Google servers when the page is loaded.
11. External links (social media & ordering platforms)
In the footer and on individual pages we link to external profiles and platforms — including Instagram, Facebook and TripAdvisor as well as the delivery/ordering platforms Lieferando and Wolt (the latter also for our sub-brand Paella Bar). Simply viewing our page does not transmit any data to these providers. Only when you click such a link do you leave our site and the respective platform may receive data in accordance with their privacy policies.
12. Recipients and data disclosure
Your personal data will only be transferred to third parties if (a) you have expressly consented, (b) disclosure is necessary for the performance of a contract (e.g. dish.co for reservations), (c) we are legally obliged to do so or (d) disclosure is necessary for the assertion, exercise or defence of legal claims and there is no reason to believe that you have an overriding legitimate interest in the non-disclosure of your data.
We do not sell, rent or otherwise commercially transfer personal data.
13. Storage period
We store personal data only for as long as it is necessary for the respective purpose or as required by statutory retention obligations. Once the purpose ceases or the retention period expires, the data is deleted or anonymised.
14. Rights of data subjects
You have the following rights vis-à-vis us at any time:
• Right of access (Art. 15 GDPR) regarding the data stored about you
• Right to rectification of inaccurate data (Art. 16 GDPR)
• Right to erasure of your stored data (Art. 17 GDPR), provided no statutory retention obligations apply
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object to processing (Art. 21 GDPR)
• Right to withdraw consent (Art. 7 (3) GDPR) with effect for the future
You can send your request informally to info@miperu.de.
15. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority. The competent authority for us is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
E-mail: poststelle@datenschutz.hessen.de
Web: datenschutz.hessen.de
16. SSL/TLS encryption
For security reasons and to protect the transmission of confidential content, this website uses SSL/TLS encryption. You can recognise an encrypted connection by the „https://“ prefix and the padlock symbol in your browser's address bar.
17. Validity and changes to this privacy policy
This privacy policy is currently valid. As a result of the further development of our website or due to legal or regulatory requirements, it may become necessary to amend it. The current version is always available at miperu.de/datenschutz.