1. Who we are
ChowFlex Ltd ("ChowFlex", "we", "us") is the data controller for personal information collected through chowflex.co.uk. Our registered address and ICO registration number are available on our Contact page.
This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what your rights are under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For questions about this policy or to exercise your rights, contact us at: privacy@chowflex.co.uk
2. What information we collect
Account information: name, email address, phone number, and password (stored encrypted) when you create an account.
Order information: delivery address, order history, payment method details (stored by Stripe — we do not store full card numbers), and any special instructions.
Dietary preferences and allergens: if you complete the ChowFlex preferences questionnaire, we store your dietary requirements (including halal, vegetarian, vegan preferences), allergens to avoid, and cuisine preferences. This information may constitute health-related data and is treated as special category data under UK GDPR Article 9.
Cook profile information: if you register as a Cook, we collect additional information including your home address (for delivery coordination), food hygiene certificates, food business registration details, and halal certification documents.
Usage information: pages visited, search queries, and interaction data, collected via cookies and analytics tools (see our Cookie Policy).
Communications: messages sent through the platform and any correspondence with our support team.
3. Why we use your information
We process your personal information on the following legal bases:
Contract performance (Article 6(1)(b)): to process your orders, arrange deliveries, process payments, and manage your account. This is the primary basis for our use of your data.
Legitimate interests (Article 6(1)(f)): to improve the platform, prevent fraud, resolve disputes, send service communications, and match customers with suitable Cooks. We have assessed that our legitimate interests do not override your rights.
Explicit consent (Article 9(2)(a)): for dietary preferences and allergen information (special category data), we ask for your explicit consent when you complete the preferences questionnaire. You can withdraw this consent at any time by deleting your preferences in account settings.
Legal obligation (Article 6(1)(c)): to comply with applicable laws including anti-money laundering requirements, tax obligations, and food safety regulations.
4. Who we share your information with
We share your information with the following third parties:
Stripe, Inc.: for payment processing. Stripe acts as a data processor. Your payment details are transmitted directly to Stripe and subject to their privacy policy (stripe.com/privacy).
Uber Technologies, Inc.: for delivery coordination. We share your delivery address and order reference with Uber Direct. Subject to Uber's privacy policy.
Resend, Inc.: for transactional emails (order confirmations, cook notifications). We share your email address and name.
Twilio, Inc.: for SMS notifications to Cooks. We share Cook phone numbers for order alert delivery.
Supabase, Inc.: our database provider. Supabase processes your data on our behalf as a data processor.
We require all processors to maintain appropriate security measures and comply with UK GDPR. We have Data Processing Agreements in place with each processor.
We do not sell your personal information to third parties. We do not share your information with advertisers.
5. How long we keep your information
Account information: retained for the duration of your account plus 6 years after closure (for tax and legal purposes).
Order history: retained for 7 years (Companies Act 2006 requirement).
Dietary preferences: retained until you delete them or close your account.
Cook certificates: retained for 3 years after a Cook leaves the platform.
Support communications: retained for 2 years.
Cookie data: as set out in our Cookie Policy.
6. Your rights
Under UK GDPR, you have the following rights:
Right to access: you can request a copy of all personal information we hold about you.
Right to rectification: you can ask us to correct inaccurate information.
Right to erasure: you can ask us to delete your personal information in certain circumstances (subject to our legal retention obligations).
Right to restriction: you can ask us to limit how we use your information.
Right to portability: you can request your data in a machine-readable format.
Right to object: you can object to processing based on legitimate interests.
Right to withdraw consent: for dietary preferences and marketing communications, you can withdraw consent at any time.
To exercise any of these rights, email privacy@chowflex.co.uk. We will respond within one month.
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk if you are unhappy with how we handle your data.
7. Security
We take the security of your personal information seriously. We use industry-standard encryption (TLS) for data in transit, encrypted storage for sensitive data, access controls limiting who within ChowFlex can access personal data, and regular security reviews.
Despite these measures, no internet transmission is completely secure. If you become aware of any security vulnerability related to ChowFlex, please contact security@chowflex.co.uk immediately.
8. Cookies
We use cookies and similar technologies on ChowFlex. For full details, see our Cookie Policy at chowflex.co.uk/cookies.
9. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.