Providers and Sub-processors
This page supplements the Privacy Policy and describes the main technology providers used by RAD LAB to deliver the MenuLampo service. The list concerns the technical stack common to all restaurants that use the platform; any additional providers used by the individual Restaurant on its own (e.g. management systems, booking systems) do not fall within this page.
Roles
- The Restaurant is the data controller of the menu contents and of its own contacts.
- RAD LAB is the independent data controller of the technical and log data necessary for the security of the infrastructure, and the data processor (Art. 28 GDPR) for the activities carried out on behalf of the Restaurant.
- The providers listed below act as processors, sub-processors or recipients, as indicated.
List of providers
| Provider | Country (place of processing) | Role | Categories of data | Transfer outside the EU and safeguard |
|---|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Hosting, database, backup (processor / sub-processor) | Technical logs, IP, menu configurations and contents, backup | None — the data remain within the EU |
| n8n (self-hosted on Hetzner) | Germany (EU) | Internal software component managed by RAD LAB (not a third-party provider) | Management WhatsApp message flows, execution logs | None — own infrastructure within the EU |
| Cloudflare, Inc. | USA | CDN, WAF, reverse proxy, security (processor / sub-processor) | Visitors' IP address, technical request metadata, technical security cookies | USA — EU-U.S. Data Privacy Framework (Art. 45) + Standard Contractual Clauses as an alternative safeguard (Art. 46) |
| Meta Platforms Ireland Ltd / WhatsApp LLC | Ireland (EU) + USA | WhatsApp Cloud API channel for menu management (recipient / channel provider) | Number and content of the Restaurateur's management messages | USA — EU-U.S. Data Privacy Framework (Art. 45) + Standard Contractual Clauses as an alternative safeguard (Art. 46) |
| Anthropic, PBC | USA | AI services only for the automatic translation of dish names/descriptions (processor / sub-processor); command parsing is deterministic, without AI | Only the names and descriptions of dishes — no diner data, no allergen data, no command text | USA — Standard Contractual Clauses (Art. 46), with minimisation of the data transmitted |
Transfers to the United States
Some providers (Cloudflare, Meta/WhatsApp, Anthropic) may process data in the United States. For providers adhering to the EU-U.S. Data Privacy Framework, the transfer is based on adequacy decision (EU) 2023/1795 (Art. 45 GDPR); as a precautionary measure, RAD LAB also maintains, as an alternative safeguard, the European Commission's Standard Contractual Clauses (Art. 46 GDPR). For Anthropic, which does not adhere to the Framework, the transfer takes place solely on the basis of the Standard Contractual Clauses, supplemented by minimisation measures. A copy of the safeguards adopted may be requested at the contact details indicated in the Privacy Policy.
Updates to the list
The list may be updated over time. In dealings with Restaurateurs, any addition or replacement of sub-processors is governed by the service contract and by the data processing agreement (DPA), which provides for the controller's authorisation and prior notice in the event of changes (Art. 28(2) GDPR). Last updated: 22/06/2026 14:15 CEST.