MyFoodFast Privacy Policy
Effective Date: 9 May 2025
This policy applies to myfoodfast.com, all sub‑domains, and every iOS/Android application published by MyFoodFast Ltd (collectively, the “Services”). It does not replace the joint privacy notices displayed on individual takeaway ordering sites.
1. Who We Are
MyFoodFast Ltd (“MyFoodFast”, “we”, “our”, “us”) is a UK‑registered company (No. 16196256).
Registered office & principal place of business:
483 Green Lanes, London N13 4BS, United Kingdom
Email: [email protected]
We act as the data controller for the personal information collected through the Services.
2. What Data We Collect
| Category | Examples |
|---|---|
| Account data | Name, email, phone, hashed password, language, marketing preferences |
| Profile & loyalty | Saved addresses, allergies, favourite items, loyalty points |
| Order & transaction | Basket contents, price, discounts, tokenised card details, Stripe payment IDs |
| Device & usage | IP, device model, OS version, app version, crash logs, interaction events |
| Location (optional) | Approximate GPS or postcode when you allow location permissions, for nearby restaurant search |
| Marketing & comms | Push‑token, email/SMS opt‑in status, campaign interactions |
| Support | Chat or email transcripts, complaint details, call recordings |
We do not collect or store full payment‑card numbers; these are handled by Stripe Connect Express.
3. How and Why We Use Your Data
| Purpose | Details | Legal basis |
|---|---|---|
| Provide and personalise the Services | Create your account, remember preferences, suggest nearby takeaways | Contract performance |
| Process payments | Via Stripe Connect Express; handle refunds and chargebacks | Contract performance & legitimate interests |
| Fulfil orders & communicate status | Send confirmations, ETA updates, digital receipts, loyalty balance | Contract performance |
| Improve and secure our platform | Monitor performance, debug crashes (Firebase Crashlytics), prevent fraud | Legitimate interests |
| Marketing with your consent | Send offers by email/SMS/push; show personalised ads | Consent (can be withdrawn) |
| Regulatory compliance | Accounting, KYC/AML checks on partner takeaways, HMRC VAT records | Legal obligation |
4. Cookies & Mobile Tracking
On our website we use:
- Essential cookies for login and basket.
- Analytics cookies (Google Analytics 4) to understand traffic.
- Advertising cookies (Meta Pixel, Google Ads) only if you opt‑in.
In our apps we use equivalent SDKs. You can reset your mobile advertising identifier in your device settings.
5. Sharing Your Data
We share personal data only when necessary and under data‑processing contracts:
| Recipient | Reason |
|---|---|
| Partner takeaways (joint controllers for each order) | To prepare and deliver your food |
| Stripe Payments Europe Ltd / Stripe Payments UK Ltd | Card processing & payout (independent controller for card data) (stripe.com) |
| Cloud hosting & infrastructure (AWS EU‑West, Cloudflare) | Serve the website and APIs |
| Analytics & crash reporting (Google LLC, Firebase, Mixpanel) | Improve reliability and user experience |
| Messaging providers (Twilio, OneSignal, SendGrid) | Send SMS, email and in‑app notifications |
| Regulators & law‑enforcement | When legally required |
We do not sell or rent your personal data.
6. International Transfers
Where data leaves the UK/EEA (e.g., to the US‑based services above) we rely on:
- UK Addendum to EU Standard Contractual Clauses (SCCs), or
- UK‑US Data Bridge where available.
7. Data Security
- HTTPS/TLS encryption in transit and AES‑256 encryption at rest.
- Role‑based access control with multi‑factor authentication.
- Annual penetration testing and continuous vulnerability scanning.
- Stripe is PCI‑DSS Level 1 certified. (docs.stripe.com)
8. Data Retention
| Data type | Retention |
|---|---|
| Accounts with no orders | Delete after 2 years of inactivity |
| Order & payment records | 6 years (tax & financial regulations) |
| Marketing consents | Until withdrawn or 2 years inactivity |
| Crash & analytics logs | 14 months (Google settings) |
9. Your Rights
Under the UK GDPR you can:
- Access the personal data we hold about you;
- Rectify inaccurate data;
- Erase data (right to be forgotten);
- Restrict or object to processing;
- Port data to another service;
- Withdraw consent at any time.
Contact us at [email protected]. You can also complain to the Information Commissioner’s Office (ICO).
10. Children’s Privacy
Our Services are not directed to children under 16. If we learn we’ve collected data from a child without parental consent, we will delete it.
11. Changes to This Policy
We may update this notice to reflect legal, technical or business changes. We’ll post the new version here and, if material, notify you via email or in‑app pop‑up.
Driver App Addendum
This addendum applies to the MyFoodFast Driver mobile application used by couriers and delivery staff associated with partner takeaways.
What Extra Data We Collect
- Driver identity: name, phone number, profile photo, vehicle details, proof of right‑to‑work documentation.
- Real‑time location: GPS coordinates while the driver is clocked in and delivering orders.
- Delivery events & route data: timestamps (accepted, picked‑up, delivered), mileage, proof‑of‑delivery photos/e‑signatures.
- Device diagnostics: device model, OS version, crash logs (as per §2).
How and Why We Use Driver Data
| Purpose | Legal basis |
|---|---|
| Assign deliveries & show ETA | Contract performance (service contract with takeaway/driver) |
| Real‑time navigation & safety monitoring | Legitimate interests |
| Proof of delivery & dispute resolution | Legitimate interests |
| Employment/contractor record‑keeping & HMRC requirements | Legal obligation |
Sharing Driver Data
Driver location and status are shared only with:
- The takeaway that dispatched the order (store dashboard)
- The customer receiving that order (limited to current delivery)
- MyFoodFast operations/support staff
We never reveal the driver’s personal phone number to customers; calls are routed through a masked number.
Retention Periods
| Data | Retention |
|---|---|
| GPS traces | 30 days, then anonymised |
| Delivery event logs & proof of delivery | 6 years (aligned with order records) |
| Driver identity & compliance documents | 6 years after last active contract |
12. Contact Us
Data Protection Lead
MyFoodFast Ltd
483 Green Lanes, London N13 4BS, UK
Email: [email protected]