Privacy Policy

Pursuant to Art. 13 of Regulation (EU) 2016/679 ("GDPR"), this notice describes how personal data are processed when consulting this digital menu, which is provided through the MenuLampo technology platform.

1. Who processes your data

When you consult this menu, two separate and independent data controllers are involved, each within its own sphere. This does not constitute joint controllership within the meaning of Art. 26 GDPR: the two parties pursue different purposes by their own means.

a) RAD LAB — technical and security data
RAD LAB di Riccardo M'Rad, P.IVA 11078251219, C.F. MRDRCR99M12E396O, registered office at Via Chiummano n. 47, 80072 Barano d'Ischia (NA). Privacy contacts: riccardo@radlab.it — PEC (certified email): riccardomrad@pec.it.
It is the independent data controller of the technical data only (IP addresses, log data, connection data) necessary to provide and secure the web infrastructure of the menu. RAD LAB has not appointed a Data Protection Officer (DPO), as the conditions under Art. 37 GDPR are not met.

b) The Restaurateur — content and contacts
Quarantotto S.r.l., P.IVA 02165220670, registered office at Via Nazionale 106, 64026 Roseto degli Abruzzi (TE), e-mail quarantottosrl@gmail.com.
It is the independent data controller of the data concerning it and of the data arising from direct contact with customers: where the menu provides buttons to call, to write on WhatsApp, or to open Google Maps, using them the interaction and the related data are managed by the Restaurateur (or by the providers of the external services) in accordance with their respective notices.

2. What data we process, purposes and legal bases (the part for which RAD LAB is responsible)

a) Technical browsing and log data
During access, and as a result of the real-time menu-update technology (Server-Sent Events), RAD LAB's systems and the Cloudflare security service automatically collect: IP address, date and time of the request, requested URL, information about the browser and device (user-agent) and, where applicable, the page of origin (referrer).

• Purpose: provision, stability and security of the service (e.g. prevention of anomalous or malicious activity, protection against automated attacks and DDoS, troubleshooting of malfunctions).
• Legal basis: RAD LAB's legitimate interest in network and information security (Art. 6(1)(f) GDPR; Recital 49 GDPR). RAD LAB has carried out and documented internally a Legitimate Interests Assessment (LIA).

b) Technical preferences stored in the browser (localStorage)
The chosen language, the dismissal of interface notices and — where the menu provides filters — allergen/dietary preferences are stored as technical tools on your device (in the browser's localStorage; failing that, where the browser does not allow it, in an equivalent technical cookie) and are not used for profiling. Purpose: to remember your menu display preferences. Legal basis: legitimate interest in providing a usable interface (Art. 6(1)(f) GDPR); the storage is exempt from consent as a technical tool (Art. 122(1) of Legislative Decree no. 196/2003 (Italian Privacy Code)). Details in the Cookie & Storage Policy.

Nature of the provision of data. The processing of technical connection data is necessary to enable the menu to be displayed: in their absence the site cannot be provided to you. You are not required to voluntarily provide any other data.

3. No profiling

This menu does not use cookies or profiling tools, nor any third-party analytics or marketing tools (for example Google Analytics or Meta Pixel). No profiling or automated decision-making producing legal effects on the user is carried out.

4. Interactions with external platforms

The menu may contain, where the Restaurant has configured them, buttons that redirect you to external services: the phone app, the Google Maps app, and the Restaurant's WhatsApp channel. If present, when you click on them you are redirected to those services: the resulting processing of data is governed by the notices of the respective providers (e.g. Meta, Google) or of the Restaurateur who receives your contact. Messages sent to the Restaurant's WhatsApp number may pass through RAD LAB's technical infrastructure (see the WhatsApp Notice): RAD LAB does not determine the purposes of such processing, does not use it for profiling, and does not ordinarily access the content of the telephone or WhatsApp conversations between you and the Restaurant. The retention periods for such data are determined independently by the Restaurateur, in its capacity as data controller, in accordance with its own notice.

5. Recipients and data processors

The technical data may be processed, on behalf of RAD LAB and in the capacity of data processors (Art. 28 GDPR), by the following infrastructure providers:

• Hetzner Online GmbH (Germany, EU) — server hosting and backups. The data remain within the European Union.
• Cloudflare, Inc. (USA) — reverse proxy, WAF, CDN and security; it processes visitors' IP addresses.

6. Transfers to third countries

The use of Cloudflare, Inc. may entail the transfer of technical data (IP addresses) to the United States. Cloudflare, Inc. adheres to the EU-U.S. Data Privacy Framework, recognised by the European Commission's adequacy decision (EU) 2023/1795: pursuant to Art. 45 GDPR the transfer is based on that adequacy decision. As a precautionary measure, and to ensure the continuity of protection even should the legal framework evolve, RAD LAB maintains the Standard Contractual Clauses adopted by the European Commission (Art. 46 GDPR) as an alternative transfer basis, without prejudice to the technical and organisational security measures adopted. The servers hosting the primary infrastructure are located in the European Union (Hetzner, Germany).

7. Retention period

The technical access logs generated at origin by RAD LAB are anonymised: the IP address is masked (the last portion is zeroed) before being written to disk, so that it cannot be traced back to the individual visitor; they are also subject to automatic technical rotation with periodic overwriting. The visitor's full IP address is processed solely by Cloudflare, as a processor (see sec. 5-6), in accordance with the periods and criteria of its own notice. Further retention, limited to the strictly necessary data, remains permissible solely in the event of documented security incidents or requests from the Authority. The preferences stored in the browser (localStorage or, as a fallback, an equivalent technical cookie) remain on the device until deleted by the user.

8. Your rights

Pursuant to Arts. 15–22 GDPR you may request access to your data, rectification, erasure, restriction of processing, data portability (where applicable), and you may object to processing based on legitimate interest. You may contact:

• RAD LAB (riccardo@radlab.it) for the technical and log data;
• the Restaurateur (quarantottosrl@gmail.com) for the data relating to the relationship with customers and to contacts.

IP addresses and identifiability (Art. 11 and Art. 12(2) GDPR): IP addresses and technical log information are personal data. As a rule, RAD LAB does not directly identify the visitor and does not collect further data for the sole purpose of identifying them. We may therefore be unable to identify a specific individual unless you provide us with additional information (for example the date, time and IP address of the connection). In such cases, pursuant to Art. 11 GDPR, we are not obliged to acquire additional data for the sole purpose of identifying you; we will assess the information you provide and will respond within the technical limits of the processing.

You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) (Art. 77 GDPR), Piazza Venezia 11, 00187 Roma — www.garanteprivacy.it.

9. Updates

This notice may be updated in the event of technical or regulatory changes. Last updated: 22/06/2026 14:15 CEST.