Support & legal centre
Your privacy
We built Feastpot for your community. We handle your data with the same care you’d expect from a trusted neighbour, not a faceless corporation.
ICO Registered Data Controller
Registration: ZC146267 · Verify ↗
Last updated: May 2026 · UK GDPR, Data Protection Act 2018, Data (Use and Access) Act 2025
1. Who we are
Feastpot is operated by Feastpot Ltd, a UK company. We are registered with the Information Commissioner’s Office (ICO) as a data controller.
ICO Registration Reference: ZC146267
Contact: privacy@feastpot.co.uk
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (in force from 19 June 2025).
2. What data we collect
A. Account data
Full name, email address, phone number, password (hashed, never stored in plaintext), and an optional profile photo.
B. Delivery data
Delivery addresses, postcodes, and geocoded coordinates.
C. Order data
Order history, basket contents, delivery slot selections, order notes, and reorder history.
D. Payment data
Stripe payment reference IDs, last 4 digits of your card (held by Stripe, not by Feastpot), and payout bank details for vendors (held by Stripe Connect).
E. Vendor data
Business name, business address, FSA registration number, hygiene certificate, insurance certificate, photo ID, and bank account details (held by Stripe).
F. Communications
Email and WhatsApp message history, support ticket content, and dispute evidence (photos, documents).
G. Technical data
IP address, device type, browser type, session tokens, and push notification subscription tokens.
H. Usage data
Pages visited, search queries, filter selections and click patterns. Used only for platform improvement, never sold or shared with advertisers.
3. Why we process your data (lawful bases)
Account creation and authentication
Basis: Contract performance (Article 6(1)(b) UK GDPR).
Retention: Until account deletion or 24 months of inactivity, then purged.
Order placement and fulfilment
Basis: Contract performance (Article 6(1)(b)).
Retention: 6 years (VAT and tax record obligation under HMRC rules).
Payment processing via Stripe
Basis: Contract performance (Article 6(1)(b)).
Feastpot does not store card numbers. Stripe is our payment processor and acts as a data processor under our Data Processing Agreement with them.
Vendor identity verification and compliance documents
Basis: Legal obligation (Article 6(1)(c)), Food Safety Act 1990, Food Information Regulations 2014, and Natasha’s Law (PPDS Regulation 2021).
Retention: Duration of vendor relationship + 6 years.
Sending transactional notifications (order updates, delivery status)
Basis: Contract performance (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)), the legitimate interest is ensuring customers and vendors receive essential operational communications.
Marketing communications (if opted in)
Basis: Consent (Article 6(1)(a)).
Retention: Until consent is withdrawn + 12 months for consent records.
Fraud prevention, security, and abuse detection
Basis: Legitimate interests (Article 6(1)(f)), recognised under the Data (Use and Access) Act 2025 Schedule 1 legitimate interests list.
Retention: 6 years (audit log retention).
Dispute resolution and audit log maintenance
Basis: Legal obligation (Article 6(1)(c)) and legitimate interests.
Retention: 6 years.
Analytics and platform improvement (anonymised / aggregated)
Basis: Legitimate interests (Article 6(1)(f)).
Individual user data is never sold to third parties or shared with advertisers. We do not use advertising cookies.
4. Who we share your data with
- Stripe Inc (USA), payment processing and vendor payouts. Protected by the UK International Data Transfer Agreement (UK IDTA) and Stripe’s SCCs.
- Supabase Inc (USA, EU infrastructure), database and authentication hosting. Feastpot data is stored in the EU (Frankfurt region). Protected by the UK IDTA.
- Resend Inc (USA), transactional email delivery. Protected by the UK IDTA.
- Twilio Inc (USA), SMS and OTP delivery. Protected by the UK IDTA.
- Meta Platforms Ireland Ltd (Ireland / USA), WhatsApp Business API for order notifications. Protected by the EU-UK adequacy decision and SCCs.
- Cloudflare Inc (USA), CDN, security and media storage. Protected by the UK IDTA.
- Sentry Inc (USA), error monitoring (anonymised stack traces only; no personal data in error reports by design). Protected by the UK IDTA.
- HMRC (UK), tax records as legally required.
- Law enforcement / courts, when legally compelled by a valid court order or statutory authority.
We do not sell personal data. We do not share personal data with advertisers, data brokers, or marketing companies.
5. International transfers
Some of our service providers are based outside the UK. Where this is the case, we ensure transfers are protected by one of the following safeguards:
- UK International Data Transfer Agreement (UK IDTA);
- EU Standard Contractual Clauses (SCCs) under the EU-UK adequacy decision;
- Adequacy regulations made under section 17A of the Data Protection Act 2018.
Transfers to the EU/EEA are covered by the UK’s adequacy decision for the EEA.
6. How long we keep your data
6 years from order date
HMRC / VAT obligation
6 years
Legal obligation
Until deletion request or 24 months inactivity
Contract
Until withdrawn + 12 months
Accountability
Duration of relationship + 6 years
Food safety law
2 years from resolution
Legitimate interest
90 days
Security
7. Your rights under UK GDPR
- Right of access (Subject Access Request), email privacy@feastpot.co.uk.
- Right to rectification, update in account settings or email us.
- Right to erasure (“right to be forgotten”), subject to legal retention obligations.
- Right to restriction of processing.
- Right to data portability, machine-readable format on request.
- Right to object, including to direct marketing (always honoured).
- Right not to be subject to automated decision-making.
- Right to withdraw consent at any time (does not affect prior lawful processing).
Right to be informed
Know how and why we process your personal data - provided at the point of collection.
This page, our cookie banner, and our sign-up flowRight of access
Request a copy of all data we hold
Email privacy@feastpot.co.ukRight to rectification
Fix inaccurate or incomplete information
Account settings or email usRight to erasure
Deletion, subject to legal obligations
Account settings or emailRight to restrict processing
Limit how we use your data
Email usRight to data portability
Your data in machine-readable format
Email with your requestRight to object
Object to marketing, always honoured
Unsubscribe or email usRights related to automated decision-making
Not subject to automated-only decisions
Always appliesSome rights are subject to exemptions under the Data Protection Act 2018 and the Data (Use and Access) Act 2025, particularly where processing is required for legal compliance, fraud prevention, or public interest.
To exercise any right, email privacy@feastpot.co.uk with “Data Rights Request” in the subject line. We will respond within one calendar month (extendable by two further months for complex requests, we will notify you).
You also have the right to lodge a complaint with the ICO: ico.org.uk/make-a-complaint · 0303 123 1113.
8. Cookies
Feastpot uses strictly necessary cookies only:
- Authentication session cookie (Supabase JWT, expires in 1 hour, refreshed);
- CSRF protection token;
- Basket persistence (localStorage, not a cookie, client-side only).
Under the Privacy and Electronic Communications Regulations (PECR), strictly necessary cookies do not require prior consent. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Our cookie banner is informational only for this reason.
9. Changes to this policy
We will notify registered users by email of material changes at least 14 days before they take effect. Minor changes (grammar, clarifications) take effect immediately. The “last updated” date at the top of this page will always reflect the most recent version.
10. Contact
privacy@feastpot.co.uk
Subject line: “Privacy enquiry”.
We aim to respond within 5 business days.
Local flavours
Support local kitchens
Great value
Fair prices, every time
Made with care
Real food, real people
Always here
24/7 customer support