Last updated: 18 May 2026

Privacy Policy

This Privacy Policy applies to bookings and Services provided outside Italy through Chef On Demand. The Data Controller for these Services is FC – Fast Cast Services L.L.C.-FZ (Dubai, United Arab Emirates). Bookings for Services delivered in Italy are governed by a separate policy of COD S.r.l. available at iubenda.com/privacy-policy/13268835.

Data Controller

FC – Fast Cast Services L.L.C.-FZ
Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, United Arab Emirates
Tax Registration Number (TRN): 105008902600001
Contact email: info@chefondemand.it

FC – Fast Cast Services L.L.C.-FZ (“FC Services”, “we”, “us”, “the Owner”, “the Controller”) operates the Chef On Demand platform for Services delivered outside Italy, including the website www.chefondemand.it, the booking application booking.chefondemand.it and the operational platform app.chefondemand.it (jointly the “Application”).

1. Scope & applicable laws

This Privacy Policy describes how FC Services collects, uses, stores, shares and protects Personal Data of Users who interact with the Application in connection with Services delivered outside Italy (typically in the United Arab Emirates and other international destinations).

The processing of Personal Data is carried out in compliance with:

UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “UAE PDPL”) and its implementing regulations issued by the UAE Data Office;
Where applicable, Regulation (EU) 2016/679 (“GDPR”), when we process Personal Data of Users located in the European Economic Area or the United Kingdom, or when EU/UK contractual partners require it;
Other applicable data-protection laws of the jurisdictions where we operate.

2. Categories of Personal Data we process

We collect the following categories of Personal Data:

2.1 Data you provide directly

Identification & contact data: first name, last name, email address, phone number (including country code), nationality, language;
Booking data: event date and time, location and venue address, number of adults and children, dietary requirements, allergies, budget tier, type of service requested (e.g. private chef at home, cooking class), special notes;
Account & profile data (if you create an account): password (hashed), profile preferences, communication preferences;
Payment data: transaction reference, payment method, billing details. Card numbers are processed directly by our payment processors (Stripe) and are never stored on our servers;
Chat & correspondence: messages, attachments and any content you exchange with us via the Application, WhatsApp, email or contact forms.

2.2 Data collected automatically

Usage data: IP address, browser type and version, device identifiers, operating system, time zone, referrer URL, pages visited, clicks, scroll depth, session duration;
Cookies and similar Trackers: see our Cookie Policy for details on first- and third-party Trackers, durations and how to manage consent;
Approximate geographic location derived from the IP address (city/country level).

2.3 Data received from third parties

Information from chefs you have booked (e.g. confirmation of service delivery);
Information from analytics, advertising and CRM providers (HubSpot, Google, Meta) tied to your interaction with our marketing campaigns;
Public information you have made available on social platforms when you contact us through them.

3. Purposes & legal bases of processing

We process your Personal Data for the purposes described below. For each purpose we identify the legal basis under the UAE PDPL (Article 5) and, where applicable, the GDPR (Article 6).

Purpose	Data used	Legal basis (PDPL / GDPR)
Receiving and managing booking requests; matching you with available chefs; sending you quotes and proposals	Identification, contact, booking data	Performance of a contract or pre-contractual measures (PDPL Art. 5(2); GDPR Art. 6(1)(b))
Operating the Application; account creation; authentication; security; fraud prevention	Account data, usage data, IP address	Performance of a contract; legitimate interest of the Controller in ensuring service integrity (PDPL Art. 5(7); GDPR Art. 6(1)(b)(f))
Processing payments and issuing receipts/invoices	Payment data, identification data	Performance of a contract; compliance with a legal obligation (PDPL Art. 5(3); GDPR Art. 6(1)(b)(c))
Customer support (email, chat, WhatsApp, phone)	Contact data, correspondence	Performance of a contract; legitimate interest in providing assistance (PDPL Art. 5(2)(7); GDPR Art. 6(1)(b)(f))
Sending transactional emails (booking confirmations, status updates, payment receipts)	Contact data, booking data	Performance of a contract (PDPL Art. 5(2); GDPR Art. 6(1)(b))
Direct marketing — newsletter, promotional offers, retargeting and personalised advertising (e.g. Google Ads, HubSpot, Meta retargeting)	Contact data, usage data, cookies/Trackers	Consent (PDPL Art. 6; GDPR Art. 6(1)(a)). You may withdraw consent at any time.
Analytics, traffic measurement, A/B testing, heat-mapping and session recording to improve the Service	Usage data, cookies/Trackers, anonymised identifiers	Consent for non-essential analytics; legitimate interest for aggregated, anonymised statistics (PDPL Art. 5(7) and Art. 6; GDPR Art. 6(1)(a)(f))
Compliance with legal, tax, accounting and regulatory obligations	Identification, payment data, booking records	Compliance with a legal obligation (PDPL Art. 5(3); GDPR Art. 6(1)(c))
Defending legal claims, exercising or establishing rights before courts or authorities	Any of the above as strictly necessary	Legitimate interest; legal proceedings (PDPL Art. 5(6); GDPR Art. 6(1)(f))

About consent. Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing performed before the withdrawal. Withdrawing consent is as easy as giving it: use the unsubscribe link in any marketing email, update your cookie preferences via the consent banner, or contact us at info@chefondemand.it.

4. Third-party service providers (Processors)

To deliver the Service we use third-party providers that act as Data Processors on our behalf or as independent controllers for their own purposes. The main categories and providers are:

4.1 Hosting & infrastructure

Railway (Railway Corp., USA) — application hosting, database, background workers;
Backblaze B2 (Backblaze Inc., USA / EU region) — object storage for files and media;
Cloudflare (Cloudflare Inc., USA) — CDN, DNS, edge proxy and security;
WordPress (self-hosted) — marketing website infrastructure.

4.2 Payments

Stripe Payments Europe Ltd. (Ireland) and Stripe Payments UAE — card processing. Card data is collected and processed directly by Stripe under its own privacy policy.

4.3 Analytics, heat-mapping & product analytics

Google Analytics 4 and Google Analytics (Universal Analytics) with anonymised IP (Google LLC / Google Ireland Ltd.);
HubSpot Analytics (HubSpot Inc., USA / Germany);
Microsoft Clarity (Microsoft Corporation, USA) — session recording and heat-mapping;
VWO — Testing (Wingify Software Pvt. Ltd., India) — A/B testing;
Amplitude (Amplitude Inc., USA) — product analytics and session replay (booking application).

4.4 CRM, lead management & user database

HubSpot CRM and HubSpot Lead Management (HubSpot Inc., USA / Germany).

4.5 Advertising, remarketing & tag management

Google Ads conversion tracking and Google Ad Manager (Google LLC / Google Ireland Ltd.);
Google Ads Remarketing (Google LLC / Google Ireland Ltd.);
Meta Pixel (Meta Platforms Ireland Ltd.) — conversion tracking on the chef registration wizard only;
VWO — Notifications (Wingify Software Pvt. Ltd., India) — push notifications;
Google Tag Manager (Google LLC / Google Ireland Ltd.).

4.6 Forms, landing pages & surveys

Typeform (TYPEFORM S.L., Spain);
JotForm (JotForm Inc., USA / Germany);
Leadpages (Leadpages, USA).

4.7 Communications

WhatsApp Business Chat widget and WhatsApp Business direct marketing (WhatsApp Ireland Ltd. / Meta Platforms Ireland Ltd.);
Google Workspace / Gmail SMTP — transactional and marketing email delivery;
OpenAI (OpenAI L.L.C., USA) — AI assistance features inside the platform (chef-side and backoffice-side support assistants). Prompts and responses are not used by OpenAI to train models.

4.8 Consent management & fonts

iubenda Privacy Controls and Cookie Solution (iubenda srl, Italy);
Google Fonts (Google LLC / Google Ireland Ltd.).

A detailed list of cookies and similar Trackers (including durations and place of processing) is available in the Cookie Policy. The Owner may update this list from time to time as the Service evolves.

5. International transfers of Personal Data

Because some of our Processors are based outside the United Arab Emirates (notably the European Economic Area, the United Kingdom, the United States, India and other jurisdictions), your Personal Data may be transferred outside the UAE.

In accordance with UAE PDPL Articles 22 and 23, such transfers take place under one or more of the following safeguards:

Adequacy: transfer to a country recognised by the UAE Data Office as ensuring an adequate level of data protection;
Binding contractual measures: data processing agreements with our Processors that impose obligations equivalent to the UAE PDPL (and, where the recipient is in the EU/UK, EU Standard Contractual Clauses or UK IDTA);
Explicit consent of the data subject for the specific transfer;
Necessity to perform the contract between you and FC Services, or to take pre-contractual steps at your request;
Public interest or legal claims as specifically provided by the PDPL.

You may request a copy of the safeguards in place for a specific transfer by writing to info@chefondemand.it.

6. Retention periods

Booking and customer-care records: retained for the duration of the contract and for up to 10 years after the last booking, as required to comply with tax, accounting and statute-of-limitation obligations under UAE and EU law;
Marketing data and consents: retained until you withdraw consent or for a maximum of 24 months of inactivity, whichever comes first;
Cookies and Trackers: see durations indicated in the Cookie Policy (from session duration up to 24 months);
Analytics and aggregated statistics: anonymised or aggregated data may be kept indefinitely for historical and statistical purposes;
Backups: encrypted backups containing Personal Data are retained for up to 90 days after the active record has been deleted.

7. Your rights as a data subject

Under UAE PDPL Articles 13–19 — and, where applicable, under the GDPR — you have the following rights with respect to your Personal Data:

Right to be informed and to access the Personal Data we hold about you, the categories of data, the purposes of processing, the recipients, the storage period and the source of the data (PDPL Art. 13);
Right to data portability: to receive your Personal Data in a structured, commonly used and machine-readable format and to transmit it to another controller (PDPL Art. 14);
Right to rectification of inaccurate or incomplete data (PDPL Art. 15);
Right to erasure (“right to be forgotten”) when the data is no longer necessary, you withdraw consent or you object to processing (PDPL Art. 15);
Right to restriction of processing in defined situations such as when you contest the accuracy of the data (PDPL Art. 16);
Right to stop processing, including the right to opt out of direct marketing at any time (PDPL Art. 17);
Right not to be subject to automated decision-making that produces legal effects or similarly significant effects, including profiling (PDPL Art. 18);
Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal;
Right to lodge a complaint with the UAE Data Office (see Section 10).

How to exercise your rights

To exercise any of the rights above, please write to info@chefondemand.it indicating: (a) the right you wish to exercise; (b) the Personal Data or processing activity concerned; (c) a copy of an identification document, where strictly necessary to verify your identity.

We will respond to your request within thirty (30) days from receipt. The period may be extended by an additional thirty (30) days for complex requests; we will inform you of the extension and the reasons.

8. Security measures

We implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful access, accidental loss, destruction, alteration or disclosure, in compliance with UAE PDPL Article 20. Such measures include:

Encryption of data in transit (TLS 1.2+) and at rest where supported by the storage provider;
Role-based access control, multi-factor authentication for privileged accounts and session isolation between chef, client and backoffice areas;
Regular security reviews, dependency updates, vulnerability monitoring and incident-response procedures;
Encrypted backups, geographic redundancy and tested restore procedures;
Contractual confidentiality and data-processing obligations imposed on all Processors;
Sandbox-isolated build environments and isolated production tenants (one container per deploy).

In the event of a Personal Data breach likely to result in a risk to your rights and freedoms, we will notify the UAE Data Office and, where required, affected data subjects without undue delay, in accordance with PDPL Article 9.

9. Children

The Application is intended for users aged 18 or above. We do not knowingly collect Personal Data from children. If you believe a child has provided us with Personal Data, please contact us at info@chefondemand.it and we will take prompt action to delete it.

10. How to file a complaint

If you believe that our processing of your Personal Data infringes the UAE PDPL or another applicable data-protection law, you have the right to lodge a complaint with the competent supervisory authority:

UAE Data Office
Federal authority established under UAE Federal Decree-Law No. 44/2021
u.ae – Data protection laws

If you are located in the European Economic Area or the United Kingdom, you may also lodge a complaint with your national data-protection authority. A list of EEA authorities is available at edpb.europa.eu.

11. Cookies & Trackers

The Application uses cookies and similar Trackers as described in the dedicated Cookie Policy, which forms an integral part of this Privacy Policy.

12. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time to reflect changes in the law, our Service or our internal practices. When the changes are material we will inform you in advance via email or a prominent notice within the Application. The “Last updated” date at the top of this document indicates the latest revision.

13. Contact

For any question concerning this Privacy Policy or the processing of your Personal Data, please contact us at info@chefondemand.it.

Definitions and legal references

Personal Data

Any information relating to an identified or identifiable natural person, in accordance with UAE PDPL Article 1.

Usage Data

Information collected automatically through the Application (including IP addresses, browser type, time of request, country of origin, pages visited, session details, device and operating-system characteristics).

User / Data Subject

The natural person to whom the Personal Data refers and who interacts with the Application.

Data Controller (Owner)

The natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For Services delivered outside Italy, the Owner is FC – Fast Cast Services L.L.C.-FZ.

Data Processor

The natural or legal person who processes Personal Data on behalf of the Controller, as defined by UAE PDPL Article 1.

Cookie / Tracker

Any technology — including cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting — that enables the tracking of Users by accessing or storing information on the User's device.

UAE PDPL

UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, in force since 2 January 2022, together with its implementing regulations.

GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data.

This document was last reviewed on 18 May 2026 and replaces any prior version.