Legal

Support & legal centre

Your privacy

We built Feastpot for your community. We handle your data with the same care you’d expect from a trusted neighbour, not a faceless corporation.

ICO Registered Data Controller

Registration: ZC146267 · Verify ↗

Last updated: May 2026 · UK GDPR, Data Protection Act 2018, Data (Use and Access) Act 2025

1. Who we are

Feastpot is operated by Feastpot Ltd, a UK company. We are registered with the Information Commissioner’s Office (ICO) as a data controller.

ICO Registration Reference: ZC146267
Contact: privacy@feastpot.co.uk

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (in force from 19 June 2025).

2. What data we collect

A. Account data

Full name, email address, phone number, password (hashed, never stored in plaintext), and an optional profile photo.

B. Delivery data

Delivery addresses, postcodes, and geocoded coordinates.

C. Order data

Order history, basket contents, delivery slot selections, order notes, and reorder history.

D. Payment data

Stripe payment reference IDs, last 4 digits of your card (held by Stripe, not by Feastpot), and payout bank details for vendors (held by Stripe Connect).

E. Vendor data

Business name, business address, FSA registration number, hygiene certificate, insurance certificate, photo ID, and bank account details (held by Stripe).

F. Communications

Email and WhatsApp message history, support ticket content, and dispute evidence (photos, documents).

G. Technical data

IP address, device type, browser type, session tokens, and push notification subscription tokens.

H. Usage data

Pages visited, search queries, filter selections and click patterns. Used only for platform improvement, never sold or shared with advertisers.

3. Why we process your data (lawful bases)

Account creation and authentication

Basis: Contract performance (Article 6(1)(b) UK GDPR).
Retention: Until account deletion or 24 months of inactivity, then purged.

Order placement and fulfilment

Basis: Contract performance (Article 6(1)(b)).
Retention: 6 years (VAT and tax record obligation under HMRC rules).

Payment processing via Stripe

Basis: Contract performance (Article 6(1)(b)).
Feastpot does not store card numbers. Stripe is our payment processor and acts as a data processor under our Data Processing Agreement with them.

Vendor identity verification and compliance documents

Basis: Legal obligation (Article 6(1)(c)), Food Safety Act 1990, Food Information Regulations 2014, and Natasha’s Law (PPDS Regulation 2021).
Retention: Duration of vendor relationship + 6 years.

Sending transactional notifications (order updates, delivery status)

Basis: Contract performance (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)), the legitimate interest is ensuring customers and vendors receive essential operational communications.

Marketing communications (if opted in)

Basis: Consent (Article 6(1)(a)).
Retention: Until consent is withdrawn + 12 months for consent records.

Fraud prevention, security, and abuse detection

Basis: Legitimate interests (Article 6(1)(f)), recognised under the Data (Use and Access) Act 2025 Schedule 1 legitimate interests list.
Retention: 6 years (audit log retention).

Dispute resolution and audit log maintenance

Basis: Legal obligation (Article 6(1)(c)) and legitimate interests.
Retention: 6 years.

Analytics and platform improvement (anonymised / aggregated)

Basis: Legitimate interests (Article 6(1)(f)).
Individual user data is never sold to third parties or shared with advertisers. We do not use advertising cookies.

4. Who we share your data with

  • Stripe Inc (USA), payment processing and vendor payouts. Protected by the UK International Data Transfer Agreement (UK IDTA) and Stripe’s SCCs.
  • Supabase Inc (USA, EU infrastructure), database and authentication hosting. Feastpot data is stored in the EU (Frankfurt region). Protected by the UK IDTA.
  • Resend Inc (USA), transactional email delivery. Protected by the UK IDTA.
  • Twilio Inc (USA), SMS and OTP delivery. Protected by the UK IDTA.
  • Meta Platforms Ireland Ltd (Ireland / USA), WhatsApp Business API for order notifications. Protected by the EU-UK adequacy decision and SCCs.
  • Cloudflare Inc (USA), CDN, security and media storage. Protected by the UK IDTA.
  • Sentry Inc (USA), error monitoring (anonymised stack traces only; no personal data in error reports by design). Protected by the UK IDTA.
  • HMRC (UK), tax records as legally required.
  • Law enforcement / courts, when legally compelled by a valid court order or statutory authority.

We do not sell personal data. We do not share personal data with advertisers, data brokers, or marketing companies.

5. International transfers

Some of our service providers are based outside the UK. Where this is the case, we ensure transfers are protected by one of the following safeguards:

  • UK International Data Transfer Agreement (UK IDTA);
  • EU Standard Contractual Clauses (SCCs) under the EU-UK adequacy decision;
  • Adequacy regulations made under section 17A of the Data Protection Act 2018.

Transfers to the EU/EEA are covered by the UK’s adequacy decision for the EEA.

6. How long we keep your data

Orders and payments

6 years from order date

HMRC / VAT obligation

Audit logs

6 years

Legal obligation

Account data

Until deletion request or 24 months inactivity

Contract

Marketing consent

Until withdrawn + 12 months

Accountability

Vendor documents

Duration of relationship + 6 years

Food safety law

Support communications

2 years from resolution

Legitimate interest

Technical / session data

90 days

Security

7. Your rights under UK GDPR

  1. Right of access (Subject Access Request), email privacy@feastpot.co.uk.
  2. Right to rectification, update in account settings or email us.
  3. Right to erasure (“right to be forgotten”), subject to legal retention obligations.
  4. Right to restriction of processing.
  5. Right to data portability, machine-readable format on request.
  6. Right to object, including to direct marketing (always honoured).
  7. Right not to be subject to automated decision-making.
  8. Right to withdraw consent at any time (does not affect prior lawful processing).

Right to be informed

Know how and why we process your personal data - provided at the point of collection.

This page, our cookie banner, and our sign-up flow

Right of access

Request a copy of all data we hold

Email privacy@feastpot.co.uk

Right to rectification

Fix inaccurate or incomplete information

Account settings or email us

Right to erasure

Deletion, subject to legal obligations

Account settings or email

Right to restrict processing

Limit how we use your data

Email us

Right to data portability

Your data in machine-readable format

Email with your request

Right to object

Object to marketing, always honoured

Unsubscribe or email us

Rights related to automated decision-making

Not subject to automated-only decisions

Always applies

Some rights are subject to exemptions under the Data Protection Act 2018 and the Data (Use and Access) Act 2025, particularly where processing is required for legal compliance, fraud prevention, or public interest.

To exercise any right, email privacy@feastpot.co.uk with “Data Rights Request” in the subject line. We will respond within one calendar month (extendable by two further months for complex requests, we will notify you).

You also have the right to lodge a complaint with the ICO: ico.org.uk/make-a-complaint · 0303 123 1113.

8. Cookies

Feastpot uses strictly necessary cookies only:

  • Authentication session cookie (Supabase JWT, expires in 1 hour, refreshed);
  • CSRF protection token;
  • Basket persistence (localStorage, not a cookie, client-side only).

Under the Privacy and Electronic Communications Regulations (PECR), strictly necessary cookies do not require prior consent. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Our cookie banner is informational only for this reason.

9. Changes to this policy

We will notify registered users by email of material changes at least 14 days before they take effect. Minor changes (grammar, clarifications) take effect immediately. The “last updated” date at the top of this page will always reflect the most recent version.

10. Contact

privacy@feastpot.co.uk
Subject line: “Privacy enquiry”.
We aim to respond within 5 business days.

privacy@feastpot.co.uk
ICO Registration: ZC146267Lodge ICO complaint ↗

Local flavours

Support local kitchens

Great value

Fair prices, every time

Made with care

Real food, real people

Always here

24/7 customer support