Legal Document · UK GDPR Compliant · Version 1.2
Privacy Policy
Who We Are — Data Controller
For personal data that we collect directly about our users and platform visitors, PickupChef Limited (“Pickup Chef”, “we”, “us”) is the data controller within the meaning of UK GDPR Article 4(7).
Data Controller: PickupChef Limited
Registered Office: Suite RA01, 195-197 Wood Street, London, E17 3NU, England
Company Number: 17185364
ICO Registration Number: ZC140236
Data Protection Contact: legal@pickupchef.app
Where Pickup Chef processes personal data provided by Home Chefs about their own customers, Pickup Chef acts as a data processor on behalf of the Home Chef (who is the data controller). This arrangement is governed by the Data Processing Agreement in Section 20 and by UK GDPR Article 28.
Our Data Protection Principles
We process personal data in accordance with the seven principles of UK GDPR Article 5. We commit that all personal data we collect will be:
- Processed lawfully, fairly, and transparently — we always have a lawful basis and tell you what it is;
- Collected for specified, explicit, and legitimate purposes — we do not use data for purposes incompatible with why it was collected;
- Adequate, relevant, and limited to what is necessary — we collect only what we need;
- Accurate and kept up to date — we take reasonable steps to correct inaccuracies;
- Kept no longer than necessary — our retention periods are set out in Section 13;
- Processed securely — we apply appropriate technical and organisational security measures (Section 14);
- Subject to accountability — we maintain records of our processing activities and can demonstrate compliance.
Home Chef Account Data We Collect
When you register and operate a Home Chef Account, we collect the following categories of personal data:
- Identity data: full name, business name (if applicable);
- Contact data: email address, phone number;
- Billing and financial data: billing address, payment method details (processed securely by our payment processor; we do not store full card numbers on our servers); bank account details provided for payment tracking purposes (stored securely and encrypted);
- Profile and menu data: food descriptions, images, prices, allergen information, and other content you upload;
- Account credentials: username, hashed and salted password (we never store plain-text passwords);
- Account activity data: login timestamps, feature usage, order history, payment records;
- Communications: messages sent to our support team.
Customer Order Data We Collect
When a Customer places an order through the Platform, we collect and process the following data, acting as data processor on behalf of the relevant Home Chef (see Section 20):
- Identity data: customer name;
- Contact data: email address and/or phone number (as required by the Home Chef’s menu configuration);
- Order data: items ordered, quantities, special instructions, order status, and timestamps;
- Dietary notes: any dietary information voluntarily provided by the Customer in order notes (see Section 7 on sensitive data);
- Payment method selected: payment type (cash, bank transfer, etc.) — we do not collect card details unless an integrated payment solution is expressly used.
This data is made available to the relevant Home Chef for the purpose of fulfilling the order. The Home Chef is the data controller for this data. Please see the Home Chef’s own privacy notice for details of how they use your data.
Technical & Usage Data We Collect
When any person accesses or uses the Platform, we may automatically collect technical data, including:
- IP address (which may identify your approximate location and/or your internet service provider);
- browser type, version, and operating system;
- device type and screen resolution;
- pages visited on the Platform, time spent on each page, and navigation paths;
- referring URLs (the page or service from which you arrived at the Platform);
- session identifiers and cookie data (see Section 18);
- server log data and error reports.
Where this data can be used to identify you directly or indirectly (for example, because it is linked to your account), it constitutes personal data and is processed in accordance with this Privacy Policy. Where it is fully anonymised and cannot be linked to any individual, UK GDPR does not apply to it.
Communications Data
If you contact us by email, through a support form, via social media, or by any other means, we collect your name, contact details, and the full content of your communications with us, including any attachments. We retain this data for support, complaint-handling, and legal record-keeping purposes.
Sensitive Personal Data
We do not intentionally collect or request special category personal data (also called sensitive data) as defined by UK GDPR Article 9. Special category data includes information about a person’s health, religion, ethnicity, biometric data, or sexual orientation.
However, a Customer may voluntarily disclose health-related information in an order note (for example, a food allergy or intolerance). Where such data is provided, it is processed under the lawful basis of explicit consent (Article 9(2)(a)), being the Customer’s voluntary act of providing it, and is used solely to fulfil the specific order. This data is not used for any other purpose, shared with third parties other than the relevant Home Chef, or retained beyond the order retention period.
If you inadvertently include sensitive data in a communication that does not require it, please let us know and we will delete it.
Purposes & Lawful Bases for Processing
UK GDPR Article 6 requires us to have a lawful basis for every use of your personal data. The table below sets out each purpose, the data used, and the lawful basis we rely on.
| Purpose | Data Used | Lawful Basis (UK GDPR Art. 6) |
|---|---|---|
| Providing and operating the Platform, including creating and managing Chef Accounts | Account data, billing data | Contract — Art. 6(1)(b) |
| Processing Subscription payments and managing billing cycles | Billing data, account data | Contract — Art. 6(1)(b) |
| Processing and managing customer orders on behalf of Home Chefs | Customer order data | Contract (as processor) — Art. 6(1)(b) |
| Sending order notifications and status updates to Home Chefs | Account data, order data | Contract — Art. 6(1)(b) |
| Providing customer support and responding to queries or complaints | Account data, communications data | Contract / Legitimate Interests — Art. 6(1)(b)/(f) |
| Sending service communications (renewal reminders, security alerts, policy updates) | Account data, email address | Contract / Legal Obligation — Art. 6(1)(b)/(c) |
| Fraud prevention, platform security, and abuse detection | Technical data, account data, usage data | Legitimate Interests — Art. 6(1)(f)* |
| Improving and developing the Platform through analytics | Usage data (aggregated/anonymised where possible) | Legitimate Interests — Art. 6(1)(f)* |
| Complying with legal obligations (e.g. tax records, regulatory requests) | Account data, billing data | Legal Obligation — Art. 6(1)(c) |
| Sending marketing communications about Pickup Chef products and features | Email address, name | Consent — Art. 6(1)(a) |
*Where we rely on Legitimate Interests, we have conducted a Legitimate Interests Assessment (LIA) and are satisfied that our interests do not override your fundamental rights and freedoms. You have the right to object to processing on this basis — see Section 16.
Marketing Communications
We will only send you marketing emails or other promotional communications if you have given us your explicit, informed consent to do so — for example, by actively opting in during registration or account settings. We will never pre-tick marketing consent boxes.
You may withdraw your marketing consent at any time, at no cost and without giving any reason, by:
- clicking the “unsubscribe” link in any marketing email we send;
- updating your notification preferences in your account settings; or
- contacting us at legal@pickupchef.app.
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Withdrawing marketing consent does not affect your ability to use the Platform or receive essential service communications (such as billing notices, security alerts, and subscription renewal reminders), which are sent under a different lawful basis.
We comply with the Privacy and Electronic Communications Regulations 2003 (PECR) in respect of all electronic marketing. We do not sell your data to third parties for their marketing purposes.
Data Sharing
We do not sell, rent, or commercially exploit your personal data. We share personal data only in the limited circumstances set out below.
10.1 Home Chef — Customer Data Sharing
When a Customer places an order through a Home Chef’s menu link, the Customer’s name, contact details, and order details are shared with the relevant Home Chef. This sharing is necessary to enable the Home Chef to confirm and fulfil the order. By placing an order, a Customer consents to this sharing as part of the ordering process.
10.2 Legal Disclosures
We may disclose personal data to law enforcement agencies, regulatory bodies (including the ICO), courts, or other public authorities where we are legally required to do so, or where we have a good faith belief that disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend the rights or property of Pickup Chef; or (c) protect the safety of Users or the public. We will, where permissible by law, notify you of any such request before complying with it.
10.3 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, your personal data may be transferred as part of that transaction. We will provide you with notice of any such transfer via email and/or a prominent notice on the Platform prior to the transfer taking effect. Where required by law, we will seek your consent before transferring your data. Any acquirer will be required to honour the commitments made in this Privacy Policy.
Sub-Processors & Third-Party Providers
We share data with carefully selected third-party service providers (“sub-processors”) who process data on our behalf and under our documented instruction. We enter into written data processing agreements with all sub-processors as required by UK GDPR Article 28(3). Our current key sub-processors are:
- Cloud hosting: Vercel (United States; UK/EU regions used for inference where supported) — for hosting the Platform.
- Database: Neon (serverless PostgreSQL) — for storing application data.
- Payments: Stripe and Stripe Connect (United States/Ireland) — for processing Subscription payments and (where enabled) Home Chef customer payments. Payment processors have their own PCI-DSS obligations and privacy policies.
- Transactional email: Resend (United States) — for sending order notifications, billing emails, and service communications.
- Corporate email & support inboxes: Microsoft 365 (Microsoft Ireland Operations Limited; data centres in the UK/EU) — for receiving and responding to messages sent to our support, legal, and privacy mailboxes (e.g. support@pickupchef.app, legal@pickupchef.app, privacy@pickupchef.app). Covered by Microsoft’s Products and Services Data Protection Addendum.
- File storage: Vercel Blob — for storing menu images and other uploaded media.
- Authentication: Better Auth (self-hosted on our infrastructure — no external transfer) — for managing logins and sessions.
- Analytics: Google Tag Manager / Google Analytics 4 (United States) — for understanding Platform usage patterns. Loaded only with cookie consent.
All sub-processors are contractually required to: process data only on our documented instructions; apply appropriate technical and organisational security measures; not engage further sub-processors without our prior written approval; assist us in meeting our UK GDPR obligations; and delete or return data at the end of the service relationship.
We will update this section and notify you of any material changes to our sub-processor arrangements. You may request an up-to-date list of sub-processors at any time by emailing legal@pickupchef.app.
International Data Transfers
We aim to store and process personal data within the United Kingdom and/or the European Economic Area (EEA), which the UK treats as adequate for data transfer purposes. However, some of our sub-processors (such as cloud hosting or payment providers) may process data outside the UK.
Where personal data is transferred outside the UK to countries not covered by an adequacy decision made by the UK Secretary of State, we ensure adequate protections are in place through one of the following mechanisms as required by UK GDPR Chapter V:
- the UK International Data Transfer Agreement (IDTA), issued by the ICO on 21 March 2022;
- the International Data Transfer Addendum (UK Addendum) to the EU Standard Contractual Clauses; or
- another approved transfer mechanism recognised under UK GDPR.
You may request information about the specific safeguards in place for international transfers of your data by contacting legal@pickupchef.app.
Data Retention Periods
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law (including HMRC record-keeping obligations). Our retention schedule is as follows:
| Data Category | Retention Period & Basis |
|---|---|
| Home Chef Account & Profile Data | Duration of the active Chef Account, plus 3 years after account closure for dispute resolution and legitimate business purposes. Financial/billing data retained for 6 years from the relevant financial year-end, as required by HMRC under the Taxes Management Act 1970. |
| Customer Order Data | 3 years from the date of the order. Where a legal dispute or complaint arises, retained until resolution plus 1 year. |
| Billing & Payment Records | 6 years from the end of the relevant financial year, as required by HMRC. This is a mandatory legal retention period. |
| Support & Communications Data | 3 years from the date of last correspondence, unless related to an active legal matter (retained until resolution). |
| Server Logs & Technical Data | Up to 1 hour from creation. Where logs are still available at the time an issue is identified, they may be retained for the duration of an active security investigation. |
| Marketing Consent Records | Records of consent retained for the duration of the consent plus 1 year following withdrawal, to evidence compliance. |
| Cookie Consent Records | 13 months from the date of consent, in line with ICO guidance on consent refresh intervals. |
When a retention period expires, personal data is securely and irreversibly deleted or anonymised so that it can no longer be linked to any individual. You may request early deletion of your data by exercising your Right to Erasure (Section 16), subject to our legal obligations to retain certain data.
Security Measures
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with UK GDPR Article 32. Our security measures include:
- Encryption in transit: all data transmitted between your browser and the Platform is encrypted using TLS (HTTPS);
- Encrypted storage: passwords are stored using bcrypt or equivalent one-way hashing with salting — we cannot recover your password;
- Access controls: access to personal data within Pickup Chef is limited on a need-to-know basis, with role-based access controls and audit logging;
- Infrastructure security: we use reputable, security-audited cloud infrastructure providers with relevant certifications (e.g. ISO 27001, SOC 2);
- Regular security review: we periodically review our security practices and address vulnerabilities promptly.
While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure. If you believe your Pickup Chef account has been compromised, please contact us immediately at legal@pickupchef.app.
Data Breach Response
We maintain a documented Data Breach Response procedure. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals:
- we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33, unless the breach is unlikely to result in a risk to individuals;
- where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay under UK GDPR Article 34, providing details of the breach, our contact for further information, the likely consequences, and the measures taken or proposed to address the breach.
Home Chefs who act as data controllers for their customer data must maintain their own breach response procedures. Where a breach affecting customer data held on the Platform is detected, Pickup Chef (as data processor) will notify the relevant Home Chef without undue delay to enable them to fulfil their obligations to the ICO and to their customers.
Your Rights Under UK GDPR
| Article | Right | Description |
|---|---|---|
| Article 15 | Right of Access | Request a copy of all personal data we hold about you (Subject Access Request / SAR) and information about how we use it. |
| Article 16 | Right to Rectification | Request correction of inaccurate or incomplete personal data we hold about you. |
| Article 17 | Right to Erasure | Request deletion of your personal data ("right to be forgotten") in certain circumstances, e.g. when it is no longer necessary for the purpose collected. |
| Article 18 | Right to Restrict Processing | Request that we pause processing of your data in certain circumstances, e.g. while we verify a rectification request. |
| Article 20 | Right to Data Portability | Where processing is based on contract or consent, receive your data in a structured, commonly-used, machine-readable format to transfer to another provider. |
| Article 21 | Right to Object | Object to processing based on Legitimate Interests. We must stop unless we demonstrate compelling legitimate grounds. You may always object to direct marketing. |
| Article 22 | Automated Decision-Making | Not to be subject to solely automated decisions that produce legal or similarly significant effects without human review, unless you've consented or it is necessary for a contract. |
| Art. 6/7 | Right to Withdraw Consent | Withdraw consent at any time where processing is consent-based (e.g. marketing). Withdrawal does not affect lawfulness of processing before withdrawal. |
How to Exercise Your Rights
To exercise any of your data subject rights, contact us at legal@pickupchef.app with the following information: your full name, the email address associated with your account (if applicable), and a clear description of the right you wish to exercise. We may ask you to verify your identity before we process your request — this is to protect your data from unauthorised access.
We will respond to all valid requests within one calendar month. Where a request is complex or we receive a large number of requests, we may extend this by up to a further two months. We will always inform you within the initial one-month period if this applies. We will not charge a fee for responding to requests unless they are manifestly unfounded or excessive, in which case we will explain why and what fee applies.
Cookies & Tracking Technologies (PECR)
Our use of cookies and similar technologies is governed by the Privacy and Electronic Communications Regulations 2003 (PECR) alongside UK GDPR. PECR takes precedence over UK GDPR on matters relating to the storage of and access to information on a user’s device.
18.1 Types of Cookies We Use
| Cookie Type | Purpose | Consent Required? |
|---|---|---|
| Strictly Necessary | Essential for the Platform to function: session authentication, security tokens, load balancing. Without these, you cannot use the Platform. | No — exempt under PECR as strictly necessary for the service you have requested. |
| Functional / Preference | Remember your settings and preferences (e.g. language, display choices). Enhance usability but are not essential. | Yes — consent required unless strictly necessary. |
| Analytics | Help us understand how users interact with the Platform to improve it (e.g. page views, session duration, error tracking). We use anonymised or aggregated data wherever possible. | Yes — consent required. |
| Marketing / Advertising | Used to serve relevant advertising. Pickup Chef does not currently use marketing or advertising cookies. | Yes — explicit consent required if introduced. |
18.2 Consent & Cookie Management
On your first visit to the Platform, we display a cookie consent banner. Only strictly necessary cookies are placed without your consent. You can accept, decline, or customise non-essential cookies at any time via your cookie preferences, accessible from the footer of every page. Declining non-essential cookies will not prevent you from using the Platform.
Consent records are stored for 13 months, after which we will ask for your consent again, in line with ICO guidance. You can also manage cookies through your browser settings — visit allaboutcookies.org for guidance on your specific browser.
Children's Privacy
The Platform is not directed at or intended for use by children under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age. If you are a parent or guardian and believe that a child under 18 has provided personal data to Pickup Chef without your consent, please contact us immediately at legal@pickupchef.app and we will promptly investigate and, where confirmed, delete the relevant data.
Home Chefs & Their Customers — Data Processing Agreement
20.1 Data Processing Agreement (DPA)
By accepting these Terms & Conditions, you (the Home Chef, as data controller) and Pickup Chef (as data processor) enter into a Data Processing Agreement under UK GDPR Article 28. Under this DPA:
- Pickup Chef will process customer data only on your documented instructions, as necessary to provide the Platform services described in these Terms. Pickup Chef will not process that data for any other purpose;
- Pickup Chef will ensure that persons authorised to process your customer data are subject to appropriate confidentiality obligations;
- Pickup Chef will implement the technical and organisational security measures described in Section 14 of this Privacy Policy;
- Pickup Chef will not engage any sub-processor to process your customer data without your general prior consent, which you provide by accepting these Terms. A list of current sub-processors is set out in Section 11. We will notify you of any material changes;
- Pickup Chef will, taking into account the nature of the processing, assist you by appropriate technical and organisational measures where possible to fulfil your obligation to respond to requests from your customers exercising their UK GDPR data subject rights;
- Pickup Chef will notify you without undue delay upon becoming aware of a personal data breach affecting your customer data, providing you with sufficient information to enable you to fulfil your own breach notification obligations to the ICO and to your customers;
- Pickup Chef will, at your choice, delete or return all customer personal data upon termination of the service relationship, and delete existing copies, unless UK law requires us to retain certain data;
- Pickup Chef will make available to you all information necessary to demonstrate compliance with UK GDPR Article 28 and will allow for and contribute to audits and inspections conducted by you or an auditor mandated by you, subject to reasonable advance notice and confidentiality protections.
20.2 Your Obligations as Data Controller
As a Home Chef and data controller for your customers’ personal data, you are responsible for:
- providing your customers with a clear privacy notice informing them that their data will be processed via Pickup Chef (acting as your data processor);
- ensuring you have a lawful basis for processing customer data (typically the performance of a contract — i.e. fulfilling their food order);
- responding to any data subject rights requests from your customers within the required timescales;
- not using customer data collected through the Platform for any purpose other than fulfilling food orders and managing your food business, without obtaining appropriate consent;
- registering with the ICO and paying the data protection fee if you are required to do so (most businesses processing personal data must register — check ico.org.uk).
Pickup Chef accepts no liability for a Home Chef’s failure to comply with their own data controller obligations under UK GDPR or any other applicable data protection law.
Changes to This Privacy Policy
We review and update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or the Platform. If we make changes that are material to how we use your personal data, we will notify you by email to your registered address and by a prominent notice on the Platform at least 30 days before the changes take effect.
The “Effective date” at the top of this Policy reflects the date of the most recent update. Your continued use of the Platform after the effective date of any update constitutes acknowledgement of the updated Policy. If you do not agree with changes to this Policy, you should stop using the Platform and may request deletion of your data under Section 16.
Where changes are required to comply with a legal obligation or to address an urgent security matter, we may implement them without 30 days’ advance notice and will notify you as soon as reasonably practicable.
Right to Complain to the ICO
If you are unhappy with how Pickup Chef has handled your personal data or responded to a data subject rights request, we encourage you to contact us first at legal@pickupchef.app so we have the opportunity to resolve the matter. We take all data protection complaints seriously.
However, you have the right at any time to lodge a complaint with the Information Commissioner’s Office (ICO), which is the supervisory authority for data protection in the UK:
Name: Information Commissioner’s Office
Website: ico.org.uk
Helpline: 0303 123 1113 (Monday to Friday, 9am–4:30pm)
Live Chat: Available on the ICO website
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Making a complaint to the ICO does not affect your right to pursue a civil remedy through the courts. Under UK GDPR Article 82, you may be entitled to claim compensation from us for material or non-material damage suffered as a result of our non-compliance with UK GDPR.
Contact Us
For any queries about this Privacy Policy, to exercise your data subject rights, to report a security concern, or for any other data protection matter, please contact us:
Data Protection Contact: legal@pickupchef.app
Company: PickupChef Limited
Registered Office: Suite RA01, 195-197 Wood Street, London, E17 3NU, England & Wales
ICO Registration No.: ZC140236
This Privacy Policy was drafted to reflect the UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), the Data (Use and Access) Act 2025, and ICO guidance as of April 2026. Key legislation referenced: UK GDPR Arts. 4–7, 12–23, 25, 28, 32–34, 44–49 · DPA 2018 · PECR 2003 · Taxes Management Act 1970 (s.34 record-keeping).