top of page

Privacy Notice

Last updated: June 2026

Part A — How we process your personal data
1. Who we are

This Notice explains how LT Food & Beverage S.à r.l. (“OiO”, “we”, “us” or “our”), a Luxembourg limited liability company with its registered office at 48, Montée de Clausen, L-1343 Luxembourg, registered with the Luxembourg Trade and Companies Register (RCS) under number B-248612, processes your personal data as data controller.

We are not required by law to appoint a Data Protection Officer and have not appointed one. For any question about this Notice, or to exercise your rights, you may contact us at info@oio.lu. Requests may be made in French or English.

This Notice applies to our guests and customers, visitors to our website, and the individual contacts of our suppliers and business partners. The processing of our employees’ personal data is addressed in a separate notice. Video surveillance is addressed in Part B below.

2. The personal data we process, and where it comes from

We process the following categories of personal data:

  • Identification and contact data: name, postal address, email address, telephone number.

  • Reservation and service data: booking details, number of guests, preferences, attendance history, and any comments you share with us.

  • Allergy and dietary information that you choose to disclose (see section 5).

  • Transaction data: orders, gift vouchers, participation in events or classes, invoices, and payment-related information. We do not store full payment card numbers; card details are handled by our payment provider.

  • Marketing data: your contact details and your consent status, where you have subscribed to our communications.

  • Technical data relating to your use of our website (see section 9).

We obtain this data primarily from you, directly. We may also receive data about you from a person who makes a reservation or purchase on your behalf, and from public platforms where you interact with us (for example, when you leave an online review).

Providing your identification, contact and reservation data is necessary to enter into and perform our services. If you do not provide it, we may be unable to confirm a reservation or fulfil an order. All other data is optional.

3. Why we process your data, and on what legal basis

  • Managing reservations, orders, gift vouchers, events and classes, and communicating with you about them. Legal basis: performance of a contract with you, or steps taken at your request before entering into a contract (Art. 6(1)(b) GDPR).

  • Taking and managing card guarantees, and processing payments. Legal basis: performance of a contract (Art. 6(1)(b)) and compliance with legal obligations (Art. 6(1)(c)).

  • Issuing invoices and maintaining accounting records. Legal basis: compliance with our legal obligations (Art. 6(1)(c)).

  • Preventing and addressing fraud, non-payment and misuse, and recovering debts. Legal basis: our legitimate interests in protecting our business (Art. 6(1)(f)).

  • Personalising and improving your experience and our services, including preparing for your visit using information already known to us. Legal basis: our legitimate interests in operating and improving a quality service (Art. 6(1)(f)).

  • Sending you marketing communications about OiO. Legal basis: your consent (Art. 6(1)(a)), which you may withdraw at any time (see section 6).

  • Establishing, exercising or defending legal claims, responding to competent authorities, and complying with applicable law. Legal basis: our legitimate interests (Art. 6(1)(f)) and compliance with legal obligations (Art. 6(1)(c)).

Where we rely on legitimate interests, we have assessed that those interests are not overridden by your interests or fundamental rights. You may ask us for more information about that assessment.

4. How long we keep your data

We keep your personal data only for as long as necessary for the purposes for which it was collected. As a general rule, we retain reservation and service data for the duration of our relationship with you and for a reasonable period afterwards. Accounting and tax records are kept for ten years in accordance with Luxembourg law. We may keep certain data for longer where this is necessary for the establishment, exercise or defence of legal claims, or where a longer period is required or permitted by law. At the end of the applicable period, your data is deleted or anonymised.

5. Allergy and dietary information

If you choose to tell us about an allergy, intolerance or dietary requirement, this may constitute health-related data. We process it solely to accommodate your request and to serve you safely, on the basis of your explicit consent (Art. 9(2)(a) GDPR), which you give by providing the information to us for that purpose. You are not obliged to provide it, and you may ask us to delete it at any time.

6. Marketing communications

We send marketing communications only to people who have subscribed. You can withdraw your consent and unsubscribe at any time, using the link in each message or by contacting info@oio.lu. Withdrawing your consent does not affect the lawfulness of any processing carried out before the withdrawal.

7. Who we share your data with

We do not sell your personal data. We share it only as necessary, with the following categories of recipient:

  • Service providers acting on our behalf and on our instructions, in particular our reservation-management provider, our payment provider, our point-of-sale provider, our accounting and business-management provider, our email and communication providers, our website host, and providers of automation and AI-assisted tools that support our operations. These providers act as our processors under contract.

  • Professional advisers, such as accountants and lawyers, where necessary.

  • Competent public authorities, courts and law-enforcement bodies, where required by law or to defend our rights.

The identity of the specific providers we use is available on request.

8. International transfers

Most of our providers process your data within the European Economic Area (EEA). A limited number of providers, in particular our payment provider and our AI-assisted tools, may process data in the United States or in other countries outside the EEA. Where this occurs, we ensure an appropriate safeguard is in place, namely an adequacy decision of the European Commission (including, where applicable, the recipient’s certification under the EU–US Data Privacy Framework) or the European Commission’s Standard Contractual Clauses. You may request further information about these safeguards.

9. Cookies and similar technologies

Our website uses cookies and similar technologies. A cookie is a small file placed on your device when you visit a website. We use the following categories:

  • Strictly necessary cookies, required for the website to function and to keep it secure. These are always active, do not require your consent, and are set by our website platform.

  • Functional cookies, which remember your preferences and choices.

  • Analytics cookies, which help us understand how the website is used so that we can improve it.

  • Marketing cookies, which may be used to measure or tailor communications.

Strictly necessary cookies are used on the basis of our legitimate interest in operating a secure and functioning website. All other cookies are optional and are placed only with your consent.

You give, refuse or withdraw your consent through the cookie banner shown when you first visit the site, and you can change your choices at any time through the banner settings or your browser settings. Refusing optional cookies does not prevent you from using the essential functions of the website. Cookies remain on your device for differing periods depending on their type: some expire at the end of your session, others persist for a defined period.

10. Automated decision-making

We do not take decisions producing legal effects concerning you, or similarly significantly affecting you, based solely on automated processing.

11. Security and personal data breaches

We implement appropriate technical and organisational measures to protect your personal data against loss, misuse and unauthorised access, in line with Art. 32 GDPR. Where a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you and the competent supervisory authority as required by law.

12. Your rights

Subject to the conditions and exceptions provided by applicable law, you have the right to:

  • access your personal data and obtain a copy of it;

  • have inaccurate or incomplete data corrected;

  • have your data erased in the circumstances set out in Art. 17 GDPR;

  • restrict the processing of your data in the circumstances set out in Art. 18 GDPR;

  • receive certain data in a structured, commonly used and machine-readable format and have it transmitted to another controller, where the processing is based on consent or on a contract and carried out by automated means (data portability);

  • object, on grounds relating to your particular situation, to processing based on our legitimate interests, and to object at any time to processing for direct-marketing purposes;

  • withdraw your consent at any time, where processing is based on your consent.

To exercise any of these rights, contact info@oio.lu. We may ask you to confirm your identity before responding. We will respond within the time limits set by law.

You also have the right to lodge a complaint with the Commission nationale pour la protection des données (CNPD), www.cnpd.lu, or with the supervisory authority of your habitual residence, and to seek a judicial remedy.

13. Changes to this Notice

We may update this Notice from time to time. The version published on our website is the version in force. This Notice does not create any contractual right.

Part B — Video surveillance

 

OiO operates a video surveillance system on its premises. This Part explains how we process images captured by that system. It applies to anyone present on the premises, including guests, visitors, staff and contractors.

What we collect. Images captured by cameras at and around the premises, indicated by pictograms displayed at the entrance and on the premises, together with the date and time of the recording. No sound is recorded. Recording takes place outside the restaurant’s operating hours.

Purpose and legal basis. We use the system to control access to the premises and to protect the security and safety of persons and property, and, where permitted, as evidence in the investigation of incidents or offences. We process these images on the basis of our legitimate interests (Art. 6(1)(f) GDPR) in securing our premises and protecting persons and property. Where the system processes staff data, it complies with Article L. 261-1 of the Luxembourg Labour Code.

Storage and retention. Recordings are stored on a recording device located on our premises. We retain them for a maximum of eight days from the date of recording, after which they are automatically overwritten or deleted, except where an image must be kept longer in connection with an incident or legal proceedings.

Recipients. Images may be accessed by our management and, where necessary, by providers that maintain the system. We may disclose images to the police or other competent authorities upon lawful request, or to defend our rights.

Your rights. The rights described in section 12 above apply. To exercise them, contact info@oio.lu. You may also lodge a complaint with the CNPD.

LT Food & Beverage S.à r.l. — 48, Montée de Clausen, L-1343 Luxembourg — info@oio.lu

bottom of page