Privacy Policy

• Account data: name, email address, password (hashed, never stored in clear text), phone number, and a default delivery address. Required so we can authenticate you, deliver orders, and send receipts.
• Order data: items ordered, takeaway, payment method, delivery or collection details, customer notes, allergy information, and order timestamps. Required to process and fulfil your order and to support our partner takeaways.
• Payment data: card payments are processed by Stripe (see Processors below). We never see, store, or transmit your card details directly — Stripe gives us a token that references your payment.
• Expression-of-interest data (takeaway owners only): if you submit the "list my takeaway" form, we collect business name, address, phone, contact name, your full legal name as the food business operator, date of birth, declared opening hours, and (if applicable) Companies House number, FHRS rating, and HMRC UTR. This is used solely to verify your business eligibility before we invite you onto the platform.
• Technical data: IP address, browser type, pages visited, and error/crash reports. We use this to keep the service secure, prevent abuse, and fix bugs.

• Performance of contract (UK GDPR Art 6(1)(b)): we need account, order, and payment data to take and deliver your order.
• Legal obligation (Art 6(1)(c)): we keep financial transaction records for at least 6 years to comply with HMRC requirements. EOI data is processed to comply with UK financial-sanctions and food-safety due-diligence rules.
• Legitimate interests (Art 6(1)(f)): we use limited technical data to operate, secure, and improve the service. You can object to processing on this basis — see "Your rights" below.
• Consent (Art 6(1)(a)): optional analytics and marketing cookies are only set with your explicit consent via the cookie banner. We do not currently load any third-party analytics or marketing scripts.

• Account: until you delete it, plus 30 days in a soft-deleted state to allow reversal of accidental closure.
• Orders: PII fields (name, phone, address, notes) are redacted after 365 days. Anonymised transaction records are kept for at least 6 years for HMRC compliance.
• Audit logs of platform admin actions: 365 days.
• EOI submissions: 365 days from submission, or until your takeaway is onboarded (in which case the data moves to your operator account).
• Error logs: 90 days, with PII (emails, phone numbers, postcodes, card-like digit runs) redacted at ingest.

We use carefully selected third-party processors. Each is bound by a Data Processing Agreement and processes data only on our instructions:

• Supabase (database, authentication, file storage) — EU region.
• Stripe (card payment processing, Connect payouts to takeaways) — separate UK/EU controller for payment data under Stripe's own policy.
• Resend (transactional email delivery) — EU region.
• Vercel (web hosting, request routing) — global edge with EU primary region.
• Companies House (UK gov), FSA Food Hygiene Rating Scheme (UK gov), and the OFSI consolidated sanctions list (UK gov) are consulted at EOI submission time. These are public registers; we send the minimum identifiers needed for the lookup and store only the verification result.
• Takeaway operators receive your order details, name, phone number, delivery address, and any allergy / dietary notes necessary to fulfil the order. They are independent controllers for the data they hold about you.

We do not sell your personal data. We do not share it for third-party advertising.

Our processors are EU- or UK-region by default. Any transfer outside the UK / EEA is covered by UK GDPR-approved transfer mechanisms (UK International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK addendum).

You have the right to:

• Access a copy of the personal data we hold about you.
• Rectify inaccurate data — most fields can be edited directly from your account settings.
• Erase your account and associated personal data (HMRC-mandated financial records are retained in anonymised form).
• Object to processing based on legitimate interest.
• Restrict processing while a dispute is being resolved.
• Withdraw consent for optional cookies at any time via the "Cookie preferences" link in the footer.
• Complain to the UK Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint.

Email privacy@ayeorder.co.uk with subject "SAR" or "Erasure" and we will respond within 30 days as required by UK GDPR. You can also delete your account directly from Account settings — that flow handles both erasure and a data export.

Personal data is encrypted in transit (TLS) and at rest. Access controls follow least-privilege; database row-level security prevents one customer's data being visible to another. Payment card details never touch our servers. We log administrative actions for audit and notify the ICO and affected customers within 72 hours of becoming aware of any personal data breach involving high risk to your rights.

We use cookies to keep you signed in, hold your cart, and protect against CSRF. These are strictly necessary and don't require consent. We do not currently set analytics or marketing cookies. See our Cookie Policy for the full list.

We will update this page if the way we handle data changes. If we make material changes we will notify you by email before they take effect.