Privacy Policy
Last updated: 13 April 2026
1 Introduction
GOOOD (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Privacy Policy explains what data we collect, how we use it, and your rights.
2 Data controller
The data controller responsible for your personal data is the business trading as GOOOD. Contact details are available on the Platform or upon request.
3 What data we collect
3.1 Data you provide directly
- Order information: Name, email address, phone number, delivery address, order notes, and dietary/allergy requirements.
- Account information: Name, email, phone number when you create an account.
- Payment data: Payment card details are processed securely by Stripe and are never stored on our servers.
- Communications: Any messages or feedback you send to us.
3.2 Data collected automatically
- Device and usage data: IP address, browser type, operating system, pages visited, and interaction data.
- Cookies and similar technologies: See our Cookie Policy for details.
- Marketing attribution: UTM parameters and referral source to understand how you found us.
4 How we use your data
We use your personal data for the following purposes:
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Processing and fulfilling your orders | Performance of a contract (Art. 6(1)(b)) |
| Sending order confirmations and updates | Performance of a contract (Art. 6(1)(b)) |
| Managing your account | Performance of a contract (Art. 6(1)(b)) |
| Improving the Platform and user experience | Legitimate interest (Art. 6(1)(f)) |
| Analytics and understanding usage patterns | Legitimate interest (Art. 6(1)(f)) |
| Sending marketing communications (with consent) | Consent (Art. 6(1)(a)) |
| Complying with legal obligations (e.g., food safety, tax) | Legal obligation (Art. 6(1)(c)) |
| Allergen and dietary safety | Vital interests / legitimate interest (Art. 6(1)(d)/(f)) |
5 Who we share your data with
We may share your personal data with:
- Payment processors: Stripe processes card payments on our behalf (see the Stripe Privacy Policy).
- Hosting and infrastructure: Vercel (hosting) and Supabase (database) store and process data on our behalf, with appropriate safeguards.
- Analytics providers: Google Analytics (if enabled) collects anonymised usage data.
- Delivery partners: If you place a delivery order, your name, address, and phone number are shared with the delivery driver.
- Legal and regulatory authorities: Where required by law.
We do not sell your personal data to third parties.
6 Data retention
- Order data: Retained for up to 7 years for tax and accounting purposes.
- Account data: Retained until you request deletion of your account.
- Analytics data: Retained for up to 26 months (Google Analytics default).
- Marketing consent: Retained until you withdraw consent.
7 International transfers
Some of our service providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions, in accordance with UK GDPR requirements.
8 Your rights
Under UK GDPR, you have the following rights:
- Right to access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your data (subject to legal retention requirements).
- Right to restrict processing: Request that we limit how we use your data.
- Right to data portability: Request your data in a machine-readable format.
- Right to object: Object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, please contact us using the details on the Platform. We will respond within one month.
9 Data security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (HTTPS/TLS), secure authentication, role-based access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure.
10 Children's privacy
The Platform is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us and we will delete it promptly.
11 Changes to this policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. We encourage you to review this page periodically.
12 Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: ico.org.uk | Helpline: 0303 123 1113
13 Contact us
For any privacy-related questions or to exercise your rights, please contact us at the venue or via the contact details provided on the Platform.