Privacy Policy

Effective from: 1st December 2025

This Privacy Policy explains how ChopNow (“we”, “us”, “our”) collects, uses, shares and protects personal data when you use our website, mobile apps, delivery platform and related services (the “Service”). It also explains your rights and how to contact us about your data.

If you have questions about this policy or how we use your data, contact our Data Protection Officer at: hello@chopnow.co.uk.

Who We Are and Scope

ChopNow operates a digital marketplace connecting customers with restaurants and registered home cooks offering African and Caribbean cuisine, plus a network of couriers who deliver. This policy covers personal data we collect about:

• Customers (people who order food)

• Visitors to our website and apps

• Restaurant and home-cook partners (prospective and active)

• Couriers and delivery agents (including contractors)

• Job applicants, employees and contractors (where relevant)

What Personal Data We Collect

We collect only what we need to run the Service and meet our legal obligations. Types of personal data include:

• Account and identity data — name, email, phone number, date of birth (where required), username, password and profile photo.
• Contact and delivery data — delivery addresses, billing address, contact phone, delivery instructions, recipient name.
• Order and transaction data — order details (items, special requests, dietary notes), payment and transaction records (payment provider reference, billing totals), refunds and receipts.
• Device and technical data — IP address, device identifiers, browser type, app/device logs and crash reports, cookie identifiers and geolocation when you use the app or request location-based delivery.
• Verification and compliance data — government ID or business documentation, food hygiene registration, proof of insurance, DBS or background checks for couriers where required.
• Communications and support — messages, chat logs, emails, complaints, recorded calls (only where we notify you).
• Marketing and preference data — marketing consents, interests, activity history and communication preferences.
• Special categories and sensitive data — we do not generally process special category personal data (racial or health data) except where necessary and lawful (for example, limited dietary allergy information you provide). If we process any special category data, we will do so only with explicit lawful basis and additional safeguards.

We collect personal data directly from you and from third parties such as payment processors, mapping services, identity verification providers, and public sources. We may also collect data from partner restaurants, couriers and other users (for example, reviews).

How and Why We Use Personal Data (Purposes & Lawful Bases)

We use personal data for clear operational and legal reasons. For each purpose we list the likely lawful basis under UK GDPR (Article 6) and any additional basis for special category data (Article 9) where relevant.

• To Provide the Service and Manage Orders
  Create accounts, process orders, accept payments, arrange delivery and provide receipts.
  Lawful basis: Contract (processing necessary to perform the contract between you and the partner).
• To Communicate With You
  Confirmations, delivery updates, account messages and customer service.
  Lawful basis: Contract and Legitimate Interests (operational communications necessary to run the service).
• To Process Payments and Prevent Fraud
  Payment authorisation, refunds, chargebacks, and fraud checks.
  Lawful basis: Contract and Legal Obligation (financial record keeping). We use trusted PCI-compliant payment processors and do not store raw card numbers.
• To verify partners and couriers
  Identity checks, background checks, business documents and hygiene registrations.
  Lawful basis: Legal Obligation and Legitimate Interests (safety, fraud prevention and regulatory compliance).

To Provide Personalised Recommendations and Marketing (With Consent Where Required)

Show relevant menus, offers and promotions.

Lawful basis: Consent (for direct marketing where required by law) and Legitimate Interests for personalised experiences where you have not opted out.

• To Improve and Secure The Service
  App diagnostics, analytics, testing and research to enhance stability and performance.
  Lawful basis: Legitimate Interests (service improvement and security)
• To Meet Legal and Regulatory Obligations
  Tax, accounting, dispute resolution, and law enforcement requests.
  Lawful basis: Legal Obligation.
• To Maintain Safety and Quality
  Incident reporting, complaint handling, food safety investigations and recalls. Lawful basis: Legitimate Interests and Legal Obligation (food safety law). We draw on Food Standards Agency guidance and local authority requirements when handling food-safety related data.

  If we rely on legitimate interests we will balance those interests against your rights and freedoms and document that assessment.

Cookies and Similar Technologies

We use cookies and similar technologies (including in-app identifiers) to operate the Service, remember preferences, measure performance and show relevant marketing. Under PECR we will obtain consent for non-essential cookies and provide clear information about cookie purposes. You can withdraw consent or change preferences via our cookie banner or browser settings. For detailed guidance we follow ICO and PECR recommendations.

Sharing and Disclosure of Data

We share personal data only where necessary and with appropriate safeguards:

• Service Providers and Processors
  Payment processors, cloud hosting, analytics, email and messaging providers, identity verification and background-check vendors (contractual data processing agreements in place).
• Restaurant Partners and Couriers
  We share order details and delivery information necessary for fulfilment; partners receive customer name, address and order details.
• Legal and Regulatory Bodies
  When required by law, court order or to prevent fraud or harm.
• Business Transfers
  If we merge, are acquired, or sell assets, we may share personal data with prospective buyers and the new owners, subject to contractual protections.
• Aggregated or Anonymised Data
  We may publish non-identifying, aggregated insights (for example, order volumes by city) for analytics and reporting.
• We do not sell personal data to third parties.
  When we use third-party processors outside the UK, we ensure adequate safeguards (standard contractual clauses, UK adequacy decisions or other appropriate measures) are in place, following ICO guidance on international transfers.

Retention: How Long We Keep Personal Data

We retain personal data only for as long as necessary to fulfil the purposes described, for legal obligations (e.g., tax records), and to resolve disputes. Typical retention periods (examples — replace with your actual policy)

• Account and order history: retained for the lifetime of the account plus 6 years for accounting/tax purposes.
• Payment and transaction records: 6 years (tax and accounting).
• Support and communications: 2–6 years depending on the nature of the enquiry.
• Recruitment records: 6 months to 6 years depending on legal requirements.
• CCTV or delivery dashcam footage: limited retention, typically 30–90 days unless required for an incident investigation.

We anonymise or delete data when no longer needed. Specific retention rules will depend on the category of data and legal obligations.

Security and Data Protection Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure. Controls include encryption in transit (TLS), access controls, regular security testing, staff training, audit logs and processor contractual requirements. Payment data processing relies on certified PCI-compliant providers.

Despite these measures, no system is perfectly secure. If we identify a personal data breach that risks your rights and freedoms, we will follow UK GDPR breach notification rules and notify the ICO and affected individuals where required.

Your Rights and How to Exercise Them

Under UK GDPR you have several rights. To help us respond, contact hello@chopnow.co.uk

• Right to access — request a copy of your personal data.
• Right to rectification — correct inaccurate or incomplete data.
• Right to erasure — request deletion where lawful (subject to retention obligations).
• Right to restrict processing — limit how we use your data in certain circumstances.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interests or direct marketing.
• Right to withdraw consent — where we process based on consent, you can withdraw it at any time.
• Right to complain — to the ICO if you believe we have breached data protection law.

We will respond to valid requests within one month, or sooner where required; complex requests may take longer and we will keep you informed.

Children and Age-Restricted Services

Our Service is intended for adults (18+). We do not knowingly collect personal data from children for ordering. If we discover a child under 18 has created an account, we will take steps to remove the account and delete the child’s data, subject to legal obligations.

Data We Collect About Partners and Couriers

We collect business and identity information necessary to verify partners and couriers, including business registration, food hygiene registration, DBS or background checks where required, proof of insurance and bank details for payments. We process this information for onboarding, fraud prevention and legal compliance. Lawful bases include Contract, Legal Obligation and Legitimate Interests (safety and platform integrity).

International Transfers

Some of our processors or service providers may transfer or store data outside the UK. When we do, we ensure legal safeguards are in place (UK adequacy, standard contractual clauses or other ICOapproved mechanisms) and document those transfers. You may request details of transfers and safeguards from our DPO.

Automated Decision-Making and Profiling

We use automated systems to personalise recommendations and offers (profiling). These systems do not make legal or similarly significant decisions about you. Where profiling significantly affects you, you have rights to obtain human review, express your point of view, and challenge the decision. If you wish to exercise these rights contact hello@chopnow.co.uk.

Marketing Communications and Your Choices

We will only send marketing messages where you have consented or where legitimate interests apply and you have not opted out. Every marketing message includes an easy way to opt out. You can manage your preferences via account settings or by contacting hello@chopnow.co.uk.

For email, you can also use standard “unsubscribe” links. For app push notifications, change preferences in the app or device settings.

Third-Party Services and Links

Our Service may contain links to third-party websites or services (e.g., social networks, third-party payment options). This policy does not cover their practices. We recommend reviewing their privacy policies before sharing personal data.

Data Protection Impact Assessments and Governance

For higher-risk processing (e.g., large-scale profiling, new products involving sensitive data), we conduct Data Protection Impact Assessments (DPIAs). We maintain records of processing activities and have appointed a DPO (or the contact point for data protection queries) to oversee compliance.

Complaints, Questions and Contact Detail

If you have questions or want to exercise your rights, contact:
Data Protection Officer
ChopNow Ltd

Changes to This Policy

We may update this Privacy Policy to reflect changes in our Service, legal obligations, or best practice. We will publish the updated policy with a new “Last updated” date and notify account holders of material changes.