Last Updated: February 27, 2026
This privacy policy is provided in accordance with Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, and describes how BESTIE BITE srl collects, uses, stores and protects the personal data of users of the Bestie Bite website and mobile application (hereinafter, the "Platform").
The Data Controller is BESTIE BITE srl, with registered office at Via Franco Sacchetti 127 — 00137 Rome (RM), Italy. For any information or request regarding the processing of personal data, you can contact the Data Controller by writing to info@bestiebite.it.
This privacy policy is drawn up pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, "GDPR") and Italian Legislative Decree No. 196 of 30 June 2003, as amended by Legislative Decree No. 101 of 10 August 2018 (Personal Data Protection Code).
This privacy policy applies to all personal data collected through the website bestiebite.com, the Bestie Bite mobile application (available for iOS and Android) and all related services. The terms "user", "users" or "data subject" refer to all natural persons who interact with the Platform.
The following personal data may be collected by the Platform, organised by category:
Email address, phone number, username, profile photo, date of birth, dietary preferences and food categories of interest, city, preferred language, marketing consent.
Real-time GPS coordinates (latitude/longitude) during app use, background location (even when the app is closed, with explicit user consent) for restaurant visit detection, history of detected visits (arrival and departure times, associated restaurant), GPS metadata extracted from recorded videos, and user's current city.
Recorded videos uploaded to the Platform (hosted on a third-party CDN), video metadata (resolution, orientation, duration, frame rate), photos of receipts, and screenshots from the device gallery.
Reviews (video, text descriptions, star ratings across various parameters such as food, location, service and price), location verification status, review status (pending, approved, rejected) and "helpful" votes given and received.
Points balance and transaction history, total earned and redeemed in EUR, PayPal redemption request status, monthly redemption limits, and PayPal email address.
Follower and following lists, taste compatibility score (Taste Match), personal referral code and invitation status, multi-step referral progress.
Unlocked badges and achievements, current daily streak and record, crew tier and level in the weekly ranking, weekly score, skill rating, active point multiplier, and mystery box prizes.
Device model and operating system version, app version and package identifier, FCM token for push notifications, advertising identifier (IDFA on iOS, requested via App Tracking Transparency), IP address, connection time, and User Agent.
Individual settings for the various push notification categories, including: video approval and rejection, new missions available, unlocked badges, crew promotions, completed referral steps, new followers, reviews from followed users, taste matches found, payments made, and weekly digest.
The Bestie Bite mobile application may collect device location data, including background location data (even when the app is closed or not in use), with the user's explicit consent. This data is used exclusively to detect visits to restaurants and to send reminders to leave a review after the visit. Location data is processed in real time on the device to determine proximity to restaurants and is not stored on our servers. The user can revoke consent to background location collection at any time from their device settings.
Personal data is processed for the following purposes, with the respective legal basis under Article 6 of the GDPR:
Account registration and management, service provision — Legal basis: performance of a contract (Art. 6.1.b GDPR)
Foreground location (map, restaurant search) — Legal basis: performance of a contract (Art. 6.1.b GDPR)
Background location (visit detection) — Legal basis: explicit user consent (Art. 6.1.a GDPR)
Video and review upload and management — Legal basis: performance of a contract (Art. 6.1.b GDPR)
Payments and point redemption via PayPal — Legal basis: performance of a contract (Art. 6.1.b GDPR)
Analytics and service improvement (Amplitude, Firebase Analytics) — Legal basis: legitimate interest (Art. 6.1.f GDPR)
Advertising tracking (Facebook SDK, IDFA) — Legal basis: explicit user consent (Art. 6.1.a GDPR)
Push notifications — Legal basis: user consent (Art. 6.1.a GDPR)
Direct marketing communications — Legal basis: explicit user consent (Art. 6.1.a GDPR)
Diagnostics and error resolution (Crashlytics) — Legal basis: legitimate interest (Art. 6.1.f GDPR)
AI technologies (concierge, video labelling, personalisation) — Legal basis: legitimate interest (Art. 6.1.f GDPR)
Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected:
Account and profile data: retained for the duration of the account and deleted within 30 days of the deletion request
Videos and reviews: retained until deleted by the user. Videos for which compensation has been recognised remain on the Platform pursuant to section 4.2 of the Terms and Conditions
Location data: processed in real time on the user's device and not stored on Bestie Bite's servers
Analytics data (Amplitude, Firebase Analytics): retained for a maximum of 26 months
Payment and tax data: retained for 10 years in compliance with tax law obligations
Diagnostics data (Crashlytics): retained for 90 days
Aggregated or anonymised data: may be retained indefinitely for statistical purposes, as it cannot be traced back to the user
To provide the service, Bestie Bite uses the following sub-processors:
Firebase Auth (Google LLC) — User authentication (email, Google Sign-In, Apple Sign-In) — USA
Firebase Storage (Google LLC) — Profile photo and receipt storage — USA
Firebase Analytics (Google LLC) — Event analytics and user properties — USA
Firebase Crashlytics (Google LLC) — Diagnostics and error reporting — USA
Firebase Cloud Messaging (Google LLC) — Push notification delivery — USA
Amplitude Inc. — Primary analytics — USA/EU
Meta Platforms Inc. (Facebook SDK) — Advertising tracking and conversions — USA
BunnyWay d.o.o. (Bunny.net) — Video content hosting and delivery — EU
PayPal (Europe) S.à r.l. et Cie, S.C.A. — Payment processing — USA
Google Maps (Google LLC) — Map service on Android — USA
Apple MapKit (Apple Inc.) — Map service on iOS — USA
Google Sign-In (Google LLC) — Social authentication — USA
Apple Sign-In (Apple Inc.) — Social authentication — USA
Some of the sub-processors listed in the previous section are based in or operate servers outside the European Economic Area (EEA), particularly in the United States of America. In such cases, data transfers are carried out on the basis of appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions where applicable, or other transfer mechanisms provided for by the GDPR. Users may request detailed information about the safeguards in place by contacting the Data Controller at info@bestiebite.it.
The Platform uses automated processes that may influence the user experience:
Scoring algorithm: determines the point value of each video based on parameters such as quality, duration, mission completion and other objective criteria
Weekly ranking (Crew): ranking algorithm that classifies users based on weekly activity and determines promotions, demotions and prizes
AI Concierge: intelligent search system based on artificial intelligence models that provides personalised restaurant recommendations based on the user's questions, dietary preferences, location and language
Taste Match: algorithm that calculates taste compatibility between users based on review history
AI video labelling: artificial intelligence models that analyse video content to generate automatic labels and categorisations
None of these automated decisions produce significant legal effects on the user. The user has the right to request human intervention, express their point of view, and contest any automated decision by contacting the Data Controller.
Under Articles 15-22 of the GDPR, the user has the following rights:
Right of access (Art. 15): obtain confirmation of the existence of processing of their data and access related information
Right to rectification (Art. 16): obtain the correction of inaccurate personal data or the completion of incomplete data
Right to erasure (Art. 17): obtain the deletion of their personal data in the cases provided for by the GDPR ("right to be forgotten")
Right to restriction of processing (Art. 18): obtain the restriction of processing of their data in certain circumstances
Right to data portability (Art. 20): receive their personal data in a structured, commonly used and machine-readable format
Right to object (Art. 21): object at any time to the processing of their personal data based on legitimate interest
Right not to be subject to automated decisions (Art. 22): not to be subject to decisions based solely on automated processing, including profiling, that produce significant legal effects
To exercise their rights, the user may contact the Data Controller at info@bestiebite.it. The user also has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali — www.garanteprivacy.it).
The Service is intended for users of legal age (18 years). Minors may use the Platform only with the authorisation and under the supervision of parents or legal guardians, who shall be responsible for the processing of the minor's data. Bestie Bite does not knowingly collect data from children under 14 years of age. If it becomes aware of having collected data from a child under 14 without parental consent, it will promptly delete such data.
For information on the use of cookies by the website, please consult our Cookie Policy available on the Platform.
The app collects the user's device FCM (Firebase Cloud Messaging) token for sending push notifications. Notifications may relate to: video approval or rejection, new missions available, unlocked badges, crew ranking promotions, completed referral steps, new followers, reviews from followed users, taste matches found, payments made, and a weekly digest. The user can customise notification categories within the app or completely disable push notifications from their device settings.
The Data Controller reserves the right to modify this privacy policy at any time. Changes will be published on the Platform with an indication of the last updated date. Users are advised to periodically consult this policy to review any updates.
Use of the Platform and registration for the Service imply acceptance of this privacy policy. For processing that requires explicit consent (background location, advertising tracking, direct marketing, push notifications), consent is requested separately and may be revoked at any time.