Privacy Policy
Last updated: May 2026
1. Who we are
Feastpot Ltd is the data controller for personal data processed through this platform. We are registered with the UK Information Commissioner’s Office.
ICO Registration Number:
Contact our data team: privacy@feastpot.co.uk.
2. What data we collect
- Account: name, email, phone number, account password (hashed), user role.
- Delivery: delivery addresses, postcodes, delivery instructions.
- Orders: order history, order notes, dispute evidence you upload.
- Payments: Stripe customer reference and last 4 digits of card. We do not store full card numbers — these stay with Stripe.
- Communications: messages you send to vendors or support, push/SMS/WhatsApp opt-in state.
- Technical: IP address, device/browser, cookies for session and CSRF.
3. How we use it (legal bases)
- Contract performance — taking and fulfilling orders, processing refunds, customer support.
- Legitimate interests — fraud prevention, platform analytics in aggregate, improving the service. You can object at any time.
- Legal obligation — VAT/tax records, food-safety incident records, complying with ICO/HMRC requests.
- Consent — marketing emails, push notifications, WhatsApp messages. You can withdraw consent at any time from your account settings.
4. Sharing
We share the minimum data needed:
- Vendors — name, delivery address, order details, contact phone for the active order.
- Stripe (payments processor — US, with adequate transfer mechanisms in place).
- Supabase (database hosting — EU, no third-country transfer).
- Twilio / Resend (SMS / email delivery providers — US, with SCCs).
- Authorities, where legally compelled.
We never sell your data and we do not run advertising cookies.
5. International transfers
Where a processor (e.g. Stripe, Twilio, Resend) is based outside the UK/EEA, transfers are protected by the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) plus supplementary measures.
6. Retention
- Order & tax records — 6 years from order date (HMRC requirement).
- Account data — until you request deletion, or after 24 months of inactivity.
- Audit logs — 6 years for fraud investigation and regulatory compliance.
- Marketing consent records — until withdrawn, plus 12 months for evidence.
7. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data (subject to our legal retention obligations above).
- Receive your data in a portable format.
- Object to processing based on legitimate interests.
- Withdraw consent for marketing at any time.
- Lodge a complaint with the Information Commissioner’s Office if you believe we have mishandled your data.
To exercise any right, email privacy@feastpot.co.uk. We respond within one calendar month.
8. Cookies
We only use strictly necessary cookies — session, CSRF and basket state. Under PECR these do not require prior opt-in, but we display a clear notice on first visit. We do not use advertising or cross-site tracking cookies.
9. Changes
We’ll update this page when our practices change and notify you by email if the changes are material.