Privacy policy

1. Controller and date
Last updated: 13 June 2026.
The controller for this website is JP One Franchise GmbH, Grindelallee 137, 20146 Hamburg, Germany, email: office@johnpeppo.de.
For location-specific requests concerning Bergedorf, Peppo Brothers GmbH, Alte Holstenstraße 30-32, 21031 Hamburg, Germany, may receive the request where this is necessary to handle it.
No company data protection officer is currently designated. Privacy requests can be sent to office@johnpeppo.de.
2. Website delivery and server log data
When the website is accessed, the web server processes technically necessary access data, especially IP address, date and time, requested URL, referrer URL, browser and operating system information, HTTP status code and transferred data volume.
The purposes are website delivery, system security, error analysis and abuse prevention. The legal basis is Art. 6(1)(f) GDPR; our legitimate interest is secure and stable website operation.
The Caddy configuration for this website does not deliberately enable permanent access log files. If system, security or provider logs are created, they are kept only as long as required for operation, security or evidence purposes, usually no longer than 14 days unless a security incident requires longer retention.
3. Hosting and technical service providers
The website is operated on self-managed server infrastructure at IONOS SE in Germany.
Website files, fonts, media and CMS content are delivered from this infrastructure.
If service providers can access personal data for hosting, maintenance or technical administration, this is done on the basis of a data processing agreement or a comparable data protection arrangement.
4. Contact by form, email or phone
The contact form creates an email in your local email client. Before your email client opens, the form content is not sent to our web server and is not stored in a website database.
If you contact us by email or phone, we process your information to handle the request and possible follow-up questions. The legal basis is Art. 6(1)(b) GDPR for pre-contractual or contractual matters and otherwise Art. 6(1)(f) GDPR.
Requests are deleted once they have been completed unless legal retention periods or legitimate evidence interests require longer storage.
5. Consent settings, local storage and cookies
This website stores necessary settings locally in your browser, in particular the theme choice in sessionStorage and your consent choice in localStorage under landr_privacy_consent_v1.
Optional services for audience measurement (Umami and/or Google Analytics) and external media (Google Maps) are loaded only after you actively consent in the consent banner. Optional categories are not preselected.
You can change or withdraw your choice at any time using the “Cookie settings” link in the footer.
The legal basis for necessary storage is Section 25(2) No. 2 TDDDG and Art. 6(1)(f) GDPR; for optional services, Section 25(1) TDDDG and Art. 6(1)(a) GDPR.
6. Local fonts and local media
Fonts are loaded locally from the /fonts directory. No Google Fonts or other external font CDN is requested.
Instagram videos on the homepage are delivered from locally stored video files. Merely visiting the website does not establish a connection to Instagram, Meta or TikTok.
7. Audience measurement with Umami and Google Analytics after consent
Where Umami or Google Analytics is technically enabled, we load the respective tracking scripts only after your consent to the “Audience measurement” category.
Umami records page views and usage events to evaluate reach and website usage. In particular, the visited page, referrer, browser, operating system, device type, timestamp and a session identifier derived from technical data may be processed; search parameters and URL hashes are not collected.
Analytics runs on our self-managed Umami instance. Umami is used without tracking cookies and respects your browser’s Do Not Track setting.
Google Analytics is used via the Google tag provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. In particular, page views, scrolls, outbound clicks, technical browser and device information, referrer, timestamps and shortened or Google-processed IP information may be transmitted to Google. Google may use cookies or comparable identifiers for this and may transfer data to Google LLC in the USA and other Google companies.
The legal basis is your consent under Art. 6(1)(a) GDPR and Section 25(1) TDDDG. You can withdraw consent at any time via “Cookie settings”.
8. Google Maps after consent
Google Maps is loaded in contact and location areas only after you have allowed the “External media” category in the consent banner. Before this consent, no Google Maps iframe is delivered.
The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When the map is loaded, Google may receive, in particular, your IP address, browser data, referrer and usage data; Google may also transfer data to Google LLC in the USA and other Google companies.
The legal basis is your consent under Art. 6(1)(a) GDPR and Section 25(1) TDDDG. You can change or withdraw consent at any time via “Cookie settings”.
Further information: https://policies.google.com/privacy and https://cloud.google.com/maps-platform/terms
9. Social media, ordering platforms and external links
Links to Google Maps, Instagram, TikTok, Lieferando, Uber Eats and Wolt are external links. These platforms are not loaded automatically when you merely visit this website.
If you click an external link, you leave our website. The respective provider then processes personal data under its own privacy information and responsibility.
Please review the privacy information and settings of external platforms before using them.
10. Recipients, third-country transfers and retention
Recipients of personal data are only the internally responsible persons and technical service providers, insofar as this is required for operation, maintenance, communication, consent-based audience measurement or legal obligations.
No transfer to third countries takes place during a normal page visit without optional consent. Third-country aspects may arise if you allow Google Analytics or Google Maps, or open external platforms such as Instagram, TikTok, Lieferando, Uber Eats or Wolt.
We store personal data only for as long as required for the stated purposes or statutory retention periods.
11. Your rights
Subject to the GDPR requirements, you have the rights of access, rectification, erasure, restriction of processing, data portability and objection to processing based on Art. 6(1)(f) GDPR.
Where processing is based on consent, you may withdraw consent at any time with future effect. The lawfulness of processing before withdrawal remains unaffected.
You also have the right to lodge a complaint with a data protection supervisory authority. In particular, you may contact: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany, mailbox@datenschutz.hamburg.de, https://datenschutz-hamburg.de.
12. Obligation to provide data and automated decisions
Providing personal data is neither legally nor contractually required for merely visiting the website. For contact requests, however, we need the information required to handle your request.
Automated decision-making, including profiling within the meaning of Art. 22 GDPR, does not take place.