Privacy Policy

 

Mersey Eats – Privacy Notice (Customers)

Last updated: October 2025

1. Who we are and what this Notice covers

This Privacy Notice explains how Merseyside Eats Group Pvt Ltd ("Mersey Eats”, "we”, "us”, or "our”) collects, uses, discloses and otherwise processes personal data when customers use our platforms and products to place orders with independent restaurant partners ("Restaurants”) for delivery by the Restaurant or collection.

• Controller: Merseyside Eats Group Pvt Ltd (Company No. 16724575)
• Registered office: 3.16 Universal Square, Business Centre, Manchester, United Kingdom, M12 6JH
• Contact (privacy & support): support@mersey-eats.co.uk
• Territory (phase 1): Wirral (Merseyside), United Kingdom

This Notice applies to our website, apps and related services (the "Services”). It also covers guest checkout and account users. Separate privacy notices may apply to merchants and couriers engaged by Restaurants.

Mersey Eats operates as a marketplace/agent. The contract for food and drink is between you and the Restaurant that accepts your order. Restaurants are independent controllers of personal data they receive to prepare and fulfil orders. This Notice explains our processing; Restaurants have their own privacy notices.

This Notice should be read with our Terms & Conditions and our Cookie Policy.

Legal framework: UK GDPR and the Data Protection Act 2018.

2. What personal data we process and why (purposes & lawful bases)

Below we set out the categories of data we process, for what purposes, and our lawful bases under UK GDPR (Article 6, and Article 9 where special category data is involved). Where we rely on legitimate interests, we do so only after a balancing test.

2.1 Ordering & payments (Contract; Legitimate Interests; Legal Obligation)

Data: name, contact details (email, phone), delivery/collection address, order contents, order notes, prices/fees, timestamps, payment token details (from our payment provider), IP/device metadata for order integrity.
Why: to let you browse menus, place/track orders, process payments/refunds, send confirmations/receipts, provide customer support, prevent duplicate/erroneous orders and abuse.
Bases: performance of contract (provide the order), legitimate interests (run our platform, fraud monitoring), legal obligation(accounting/record-keeping).

Age-restricted items: If a Restaurant sells alcohol or other restricted items, the Restaurant is responsible for ID checks on delivery/collection. Where Mersey Eats facilitates age/ID prompts in-app, processing is based on legal obligation and/or legitimate interests(prevent unlawful sales).

Allergy/dietary notes: If, and only if, you choose to include allergy or dietary details in free-text order notes, this may reveal special category data (health/religion). We transmit your note to the Restaurant as your explicit instruction; processing is based on your explicit consent(Article 9(2)(a)) and contract (to transmit your order). Do not include more than is necessary.

2.2 Account & authentication (Contract; Legitimate Interests; Consent where social login)

Data: name, email/phone, hashed credentials, addresses, favourites, past orders; optional social login identifiers (Google/Facebook/Apple) per your choice.
Why: to create/manage your account, store preferences/addresses, speed checkout, show past orders.
Bases: contract; legitimate interests (account security, service continuity). Social login uses your consent with that provider; you can disconnect in settings.

2.3 Customer support & complaints (Contract; Legitimate Interests; Legal Obligation)

Data: identity/contact details, order/transaction data, your messages, attachments (e.g., photos), our internal notes; limited call/chat logs.
Why: to respond, investigate, resolve issues, handle chargebacks and legal claims, improve service quality.
Bases: contract; legitimate interests (quality, dispute handling); legal obligation (consumer law).

2.4 Reviews & ratings (Consent; Legitimate Interests)

Data: first name/initial (or display name), rating, written review, order metadata (to verify you ordered).
Why: to publish genuine reviews, compute aggregate ratings, and allow Restaurants to improve.
Bases: consent (to publish), legitimate interests(platform integrity, anti-spam). You may withdraw consent; removal may be limited where the review is already published in anonymised/aggregated form.

2.5 Marketing & service communications (Consent; Legitimate Interests)

Service messages (non-marketing): order confirmations, status, policy updates – sent under contract/legitimate interests.
Marketing (email/SMS/push/in-app): offers from Mersey Eats or participating Restaurants.

• Bases: consent, or legitimate interests where UK "soft opt-in” applies (similar services to existing customers).
• You can opt out anytime via message footer, app settings, or by emailing support@mersey-eats.co.uk.
  Profiling for relevance: limited audience segmentation using your order history/locale under legitimate interests (you can object at any time).

2.6 Analytics, performance & product improvement (Legitimate Interests; Consent where required)

Data: device and app identifiers, IP address, coarse location (from address/postcode), event logs, crash data, cookie IDs (see Cookie Policy).
Why: to understand usage, improve reliability and UX, measure campaigns, prevent misuse.
Bases: legitimate interests (efficient, secure operation). For non-essential cookies/SDKs we rely on consent.

2.7 Fraud prevention & platform security (Legitimate Interests; Legal Obligation)

Data: device fingerprint signals, IP, failed logins, chargeback markers, order velocity/behavioural signals.
Why: to detect and prevent fraud, spam, abuse, and to protect users, Restaurants and Mersey Eats.
Bases: legitimate interests; and legal obligation where applicable (e.g., responding to lawful requests).

2.8 Campaigns, contests & vouchers (Consent; Contract)

Data: identity/contact details, eligibility info, entry/participation data, limited order metadata to validate eligibility.
Why: to run promotions, contests and voucher programmes; award benefits; publish winners where rules permit.
Bases: consent (entering is voluntary) and contract (apply rules).

2.9 Loyalty (future feature) (Consent; Contract)

If we introduce loyalty/stampcard programmes, we’ll process participation data to administer rewards under contract; marketing around loyalty is consent/soft opt-in. Details will be provided at launch.

3. HOW WE COLLECT YOUR PERSONAL DATA

Mersey Eats obtains personal data from three main sources:

1. Directly from you – when you interact with our website, app or customer service.
2. Automatically – via cookies, device and usage tracking for security and analytics.
3. From third-party sources – such as payment processors, social-login providers, and technical service partners that support our Services.

3.1 Data you provide directly

You provide data when you:

• Create or update your Mersey Eats account;
• Place an order or request a refund;
• Contact customer service;
• Submit a review or feedback;
• Enter a promotion, voucher campaign or survey;
• Sign up to marketing communications;
• Communicate with us via email, chat or social media.

This data typically includes:
your name, contact details, delivery addresses, order notes, payment authorisation details (handled by Stripe—see below), messages and feedback.

3.2 Data collected automatically

When you visit or use the Platform, we may automatically collect:

• Technical data – IP address, device type, operating system, browser version, device identifiers;
• Usage data – time and date of visits, click paths, viewed pages, items added to basket, search terms, response times, interaction logs;
• Cookie and similar technology data – as described in our [Cookie Policy].

We use this data to operate and secure the Platform, prevent fraud, ensure compatibility, and perform aggregate analytics.
For non-essential cookies (e.g. analytics or marketing), we rely on your consent.

3.3 Data received from third parties

(a) Payment processor – Stripe

Payments made on the Platform are processed by Stripe Payments UK Ltd ("Stripe”).
When you submit your card details, they are transmitted directly to Stripe; Mersey Eats does not store full card numbers or security codes.
Stripe acts as an independent controller for payment processing and fraud prevention.
Stripe may share limited payment status information (e.g. success/failure codes, token references) with Mersey Eats to confirm transactions, issue refunds, or investigate chargebacks.
For more information, see Stripe’s Privacy Policy.

(b) Social-login providers

If you log in via Google, Facebook, or Apple, those services may share limited profile data (e.g. name, email address, profile photo) per your privacy settings with the respective provider.
Mersey Eats uses this solely to authenticate you and create your account.

(c) Restaurants (Partners)

When you place an order, Mersey Eats transmits your relevant data (name, order details, delivery address, contact number, notes) to the selected Restaurant.
Restaurants may confirm order status, delivery updates, and issues (e.g. substitutions, unavailability) back to Mersey Eats.
Restaurants are independent controllers responsible for their own use of that data.

(d) Technical, marketing and analytics providers

We may receive aggregated or pseudonymised information from:

• Website analytics (e.g. Google Analytics, Meta Pixel, or equivalents);
• Email/SMS marketing platforms;
• Error and crash reporting tools;
• Fraud-prevention or anti-spam vendors.
  These parties act as processors under our instructions or, where applicable, as independent controllers with whom we have appropriate contractual safeguards (data-processing agreements or UK-GDPR-approved clauses).

(e) Customer feedback platforms

If you complete satisfaction surveys or feedback forms, we may receive your responses via our service providers. Participation is voluntary and based on consent or legitimate interests.

3.4 Combined and derived data

We may combine data from different sources (for example, link your order history to feedback or marketing preferences) to improve your experience and to ensure the integrity of our Platform.
Any profiling or segmentation for marketing or analytics purposes is limited, subject to your rights to object or opt out (see Section 8).

3.5 Children and minors

Our Services are not intended for individuals under 18. We do not knowingly collect data from minors.
If you believe that a minor has provided personal data to us without consent, please contact support@mersey-eats.co.uk, and we will delete the data promptly.

4. HOW LONG WE KEEP YOUR PERSONAL DATA

4.1 General principle

Mersey Eats retains personal data only for as long as necessary to fulfil the purposes for which it was collected, including to:

• provide and support your orders and account;
• meet legal, accounting and tax obligations;
• resolve disputes and enforce our agreements; and
• maintain platform integrity and security.

Once the relevant purpose no longer applies, data is either deleted, anonymised, or securely archived.

4.2 Typical retention periods

Category of data	Purpose	Typical retention period	Legal basis / comments
Account data (profile, login, contact details)	Maintain your account and enable ordering history	While your account is active and up to 12 months after last activity, then deleted or anonymised	Contract / legitimate interests
Order and transaction data	Process orders, refunds, resolve disputes, comply with financial regulations	6 years from end of tax year of transaction	Legal obligation (tax & accounting)
Payment identifiers / Stripe tokens	Verify payments and handle chargebacks	Retained by Stripe per its own legal obligations; Mersey Eats stores only transaction reference and status for 6 years	Contract / legal obligation
Customer-service correspondence	Handle complaints and support	3 years after closure of enquiry	Legitimate interests
Reviews & ratings	Maintain genuine order feedback	For life of related Restaurant listing, then anonymised	Consent / legitimate interests
Marketing preferences	Manage opt-ins/outs	Until you unsubscribe or withdraw consent	Consent / legitimate interests
Device logs & security data	Fraud prevention, diagnostics	12 months from creation, then aggregated	Legitimate interests
Back-ups & archives	Disaster recovery and legal hold	Rolled retention (typically 30–90 days)	Legitimate interests / legal obligation

4.3 Retention for legal claims

Where reasonably necessary to establish, exercise, or defend legal claims (for example, a dispute with a Restaurant or card chargeback), relevant records may be retained until the limitation period for such claims expires under applicable law.

4.4 Anonymisation and deletion

At the end of each retention period:

• identifiable data are securely deleted or anonymised so they can no longer be linked to you;
• backups are overwritten on a scheduled cycle; and
• anonymised statistics (e.g. order volumes, cuisine trends) may be retained for business analytics.

If deletion is not immediately possible (e.g. archived backups), access is restricted and data is placed beyond routine use until secure erasure is feasible.

4.5 Your right to request deletion

You may request deletion of your personal data at any time (see Section 8 – Your privacy rights).
Where we are unable to delete immediately due to legal or accounting obligations, we will restrict further processing and erase the data as soon as the retention requirement ends.

4.6 Stripe and third-party retention

Stripe, our payment processor, retains payment-related personal data as an independent controller for as long as required under its own legal and financial-compliance obligations.
You can review Stripe’s retention and deletion practices in the Stripe Privacy Policy.

4.7 Data-minimisation commitment

We conduct periodic reviews of stored personal data and remove information that is no longer necessary. Retention schedules are documented in Mersey Eats’ internal data-protection procedures and reviewed annually.

5. COOKIES AND SIMILAR TECHNOLOGIES

5.1 Use of Cookies

5.1.1 Mersey Eats uses cookies and similar tracking technologies (collectively, "cookies”) to operate, secure, and improve our website and apps.
5.1.2 Cookies are small data files placed on your device that allow us or our partners to recognise your browser and collect certain information about your visit or usage.
5.1.3 Cookies help us remember your preferences (such as saved addresses and language), enable the checkout process, analyse traffic patterns, prevent fraud, and—where you agree—deliver personalised content or marketing.

5.2 Types of Cookies We Use

Type	Purpose	Legal basis
Strictly Necessary Cookies	Essential for core site functionality such as login, security, basket management and order processing.	Legitimate interests / PECR exemption (no consent required).
Functional Cookies	Remember user preferences (e.g. location, saved addresses) and enhance usability.	Consent (where not strictly necessary).
Analytics / Performance Cookies	Collect aggregated statistics on usage and performance to help us improve the Platform.	Consent (obtained via cookie banner).
Marketing / Advertising Cookies	Enable personalised offers, promotions, and advertising based on interests or previous orders.	Consent (you may withdraw at any time).

5.3 Consent Management

5.3.1 When you first visit our Platform, a cookie bannerwill appear requesting your consent for non-essential cookies.
5.3.2 You can accept all, reject all, or customise categories of cookies.
5.3.3 Your choices are stored for twelve (12) months or until you clear cookies or change settings.
5.3.4 You can modify or withdraw consent at any time via our [Cookie Settings] link in the website footer or app menu.

5.4 Third-Party Cookies and Tracking

5.4.1 We use analytics and advertising services provided by trusted partners such as Google Analytics, Meta (Facebook/Instagram), and TikTok Ads (where applicable).
5.4.2 These providers may set their own cookies or similar identifiers and process information about your interactions for aggregated reporting or targeted marketing.
5.4.3 For further information, you can review the privacy policies of:

• Google Analytics – https://policies.google.com/privacy
• Meta Platforms – https://www.facebook.com/policy.php
• TikTok – https://www.tiktok.com/legal/privacy-policy
  5.4.4 We do not permit these partners to use data obtained via our Platform for their own unrelated marketing unless you have separately consented through their platforms.

5.5 Cookies Placed by Stripe and Other Processors

5.5.1 Our payment provider Stripe Payments UK Ltd may set cookies or similar technologies to enable secure payment processing and fraud prevention.
5.5.2 These are classed as strictly necessary for transaction security and therefore do not require separate consent.
5.5.3 For details, see Stripe’s Cookie Policy.

5.6 Device Identifiers and App Analytics

5.6.1 Our mobile apps may use SDKs and device identifiers that function similarly to cookies for analytics, push-notification delivery, crash diagnostics, and fraud prevention.
5.6.2 Where required, you will be prompted for in-app consent or can manage permissions in your device settings.

5.7 Impact of Disabling Cookies

5.7.1 If you disable or reject non-essential cookies, some parts of the Platform may become unavailable or may not function correctly (e.g. saved basket, remembered login).
5.7.2 Essential cookies cannot be turned off because they are necessary for core functionality such as payment security and session management.

5.8 More Information

For a full list of cookies used on our Platform, including provider names, expiry periods and purposes, please refer to our [Cookie Policy], available from the footer of our website.

Next, we’ll move to Section 6: Sharing Your Personal Data, which will detail:

• how Mersey Eats shares data with Restaurants, Stripe, and trusted processors,
• conditions for legal disclosures,
• and how we ensure contracts and safeguards are in place.

6. SHARING YOUR PERSONAL DATA

6.1 Overview

6.1.1 Mersey Eats limits disclosure of personal data to what is strictly necessary for operating our Platform and fulfilling your orders.
6.1.2 We share data only with trusted parties that:

• require it to perform contractual services for you or for us;
• are bound by written data-processing agreements meeting UK GDPR standards; and
• agree to handle data lawfully, securely, and confidentially.

6.2 Restaurants (Our Partners)

6.2.1 When you place an order, we transmit to the selected Restaurant:
(a) your name and contact details (phone/email);
(b) delivery or collection address;
(c) order contents, prices, and any notes you provide (including allergy or dietary comments); and
(d) payment confirmation status.
6.2.2 The Restaurant uses this information to prepare, package, and deliver your order or make it ready for collection.
6.2.3 Restaurants act as independent data controllers for the data they receive. They are solely responsible for their own compliance, including food-safety and delivery obligations.
6.2.4 For questions about how a specific Restaurant handles your data, please contact the Restaurant directly using its details on the Platform.

6.3 Payment Processing – Stripe

6.3.1 All online payments are processed securely by Stripe Payments UK Ltd ("Stripe”).
6.3.2 When you pay by card, your card details are transmitted directly to Stripe over an encrypted connection.
Mersey Eats does not store or access full card numbers, CVV codes, or magnetic-stripe data.
6.3.3 Stripe acts as an independent controller for payment processing, settlement, fraud detection, and regulatory compliance.
6.3.4 Stripe may share limited transaction metadata (authorisation codes, tokens, status) with Mersey Eats to confirm payment or issue refunds.
6.3.5 For further information, please see the Stripe Privacy Policy.

6.4 Service Providers and Processors

6.4.1 We use carefully selected service providers who act asdata processors on our behalf to:
(a) host and maintain our website and apps;
(b) provide customer-support systems (e.g. email, ticketing, chat);
(c) send transactional or marketing emails/SMS (where permitted);
(d) provide analytics, crash-reporting and performance monitoring;
(e) store backups and maintain cybersecurity; and
(f) support fraud-prevention and identity-verification processes.
6.4.2 These providers may only process data under our documented instructions and are contractually required to implement appropriate technical and organisational safeguards.

6.5 Marketing and Analytics Partners

6.5.1 Where you consent to non-essential cookies or marketing, we may share pseudonymised identifiers or aggregated data with digital-advertising and analytics partners (for example, Google Analytics or Meta Ads Manager).
6.5.2 Such sharing is limited to what is necessary for measuring performance and delivering targeted promotions; partners are not permitted to use the data for unrelated purposes.

6.6 Customer-Support and Survey Vendors

6.6.1 When you contact our support team, your enquiry may be routed through our ticketing or call-centre provider.
6.6.2 If you participate in feedback or satisfaction surveys, responses may be processed by approved research firms acting under confidentiality obligations.

6.7 Professional Advisers and Authorities

6.7.1 We may disclose limited personal data to:
(a) our professional advisers (lawyers, accountants, auditors) where necessary for business operations or defence of claims;
(b) law-enforcement or regulatory authorities where required by law, subpoena, or court order;
(c) tax authorities to satisfy statutory reporting requirements; or
(d) any other person if we believe disclosure is legally required or reasonably necessary to protect our rights or the safety of others.

6.8 Business Transfers

6.8.1 If Mersey Eats undergoes a business sale, merger, reorganisation, or asset transfer, personal data may be transferred as part of that transaction.
6.8.2 In such cases, we will ensure that the recipient agrees in writing to process the data in accordance with this Privacy Notice and applicable data-protection laws.

6.9 Aggregated and Anonymised Data

6.9.1 We may share statistical or aggregated data that cannot reasonably identify any individual—for example, cuisine trends or geographic order volumes—with Restaurants or business partners for analytical purposes.

6.10 No Unauthorised Disclosure

6.10.1 We do not sell, rent, or trade your personal data to third parties.
6.10.2 Any sharing beyond the circumstances listed above will occur only with your explicit consent or where required by law.

 

7. INTERNATIONAL TRANSFERS AND SAFEGUARDS

7.1 Where your data may be processed

7.1.1 Mersey Eats primarily stores and processes personal data within the United Kingdom.
7.1.2 However, some of our trusted service providers—including Stripe Payments UK Ltd and other technical, analytics, or support vendors—may process data in or from locations outside the UK (for example, within the European Economic Area (EEA) or the United States).
7.1.3 Such cross-border processing may involve the transfer of limited categories of personal data (for example, transaction identifiers, device metadata, or customer-support logs) that are necessary to provide our Services.

7.2 Legal framework for international transfers

7.2.1 Whenever personal data is transferred outside the UK, we ensure that an adequate level of protection is maintained in line with the requirements of the UK GDPR, the Data Protection Act 2018, and any relevant adequacy decisions issued by the UK Government.
7.2.2 Where a destination country is not recognised by the UK Government as providing an adequate level of data protection, we implement appropriate safeguards, including:

• UK International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses (SCCs);
• technical measures such as encryption in transit and at rest; and
• strict access controls and data-minimisation principles.

7.3 Transfers to Stripe and other payment processors

7.3.1 Stripe Payments UK Ltd may transfer limited payment-related data to its parent company, Stripe Inc., and affiliated entities in the United States and other jurisdictions as necessary to perform payment processing, fraud prevention, and compliance operations.
7.3.2 Stripe relies on the EU–U.S. Data Privacy Framework and the UK Extension to that Framework (as approved by the UK Information Commissioner’s Office) as a lawful transfer mechanism, supplemented by Standard Contractual Clauses where applicable.
7.3.3 For further information, please see Stripe’s Privacy Policy and Data Transfers Statement.

7.4 Transfers to analytics, cloud, and communications providers

7.4.1 Certain analytics, hosting, and email-delivery providers we use (e.g., Google Cloud, Microsoft Azure, Amazon Web Services, or comparable UK/EEA vendors) may store or access limited data from regional data centres located outside the UK.
7.4.2 All such transfers are governed by IDTAs or SCCs and are subject to contractual and technical safeguards consistent with UK GDPR standards.

7.5 Organisational and technical measures

To protect your personal data during any international transfer, we apply the following controls:
(a) encryption of data in transit and at rest;
(b) strict access controls and multi-factor authentication;
(c) data-minimisation and pseudonymisation where feasible;
(d) regular security audits of third-party processors; and
(e) mandatory privacy and security training for staff handling data.

7.6 Obtaining more information

7.6.1 You may request a copy of the relevant contractual safeguards (for example, IDTA or SCC clauses) by contacting us at support@mersey-eats.co.uk.
7.6.2 Copies provided may be redacted to protect commercial terms or confidential information.

Next, we’ll move to Section 8: Your Privacy Rights, which will outline all user rights under the UK GDPR (access, rectification, erasure, restriction, objection, portability, and complaint routes), plus how customers can exercise them with Mersey Eats.

 

8. YOUR PRIVACY RIGHTS

8.1 Overview

8.1.1 Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have a number of rights in relation to the personal data we hold about you.
8.1.2 These rights apply regardless of whether data is processed directly by Mersey Eats Group Pvt Ltd or by our service providers (such as Stripe) acting on our behalf.
8.1.3 You may exercise your rights at any time by contacting us at support@mersey-eats.co.uk.
We aim to respond within one (1) month of receipt of your request, in accordance with legal requirements.

8.2 Verification

8.2.1 To protect your information, we may need to verify your identity before processing a rights request.
8.2.2 This may include confirming account ownership or requesting limited additional information.
8.2.3 We will not charge a fee unless a request is manifestly unfounded, excessive, or repetitive; in such cases, we may refuse or charge a reasonable administrative fee.

8.3 Your individual rights

(a) Right of access

You have the right to request:

• confirmation that we process your personal data;
• a copy of the personal data we hold about you; and
• related information about how and why it is processed.

Where your data is processed by a Restaurant acting as independent controller, we will identify that Restaurant so you may contact them directly.

(b) Right to rectification

You can request correction of inaccurate or incomplete data held about you.
You may also update certain details (for example, delivery address or phone number) directly through your account dashboard.

(c) Right to erasure ("right to be forgotten”)

You may request deletion of your personal data where:

• it is no longer necessary for the purpose collected;
• you withdraw consent (where consent was the legal basis);
• you successfully object to processing (see below); or
• we are required to erase it by law.

We may retain limited information where required for legal, tax, or dispute-resolution purposes, after which it will be securely deleted or anonymised.

(d) Right to restrict processing

You may ask us to restrict the processing of your data—for example, while a correction or objection request is being reviewed, or where processing is unlawful but you prefer restriction to deletion.

(e) Right to data portability

You may request a machine-readable copy (e.g. CSV or JSON) of personal data you have provided to us under a contract or consent, or ask us to transfer it to another controller where technically feasible.

(f) Right to object

You have the right to object at any time to:

• processing carried out under legitimate interests, including profiling; and
• direct-marketing communications (including related profiling).

If you object to direct marketing, we will immediately cease sending marketing communications.
You can also use the "unsubscribe” link in our emails or adjust notification settings in the app.

(g) Right to withdraw consent

Where we rely on your consent (for example, marketing or certain analytics cookies), you may withdraw it at any time without affecting the lawfulness of prior processing.
Withdrawal may limit some features (e.g. personalised offers).

(h) Rights in relation to automated decision-making and profiling

Mersey Eats does not engage in automated decision-making that produces legal or similarly significant effects solely based on automated processing.
Where limited personalisation or segmentation occurs (for marketing relevance or location-based restaurant suggestions), you have the right to request human review, express your view, and contest any automated decision.

8.4 Exercising your rights

8.4.1 Requests can be made by email to support@mersey-eats.co.ukwith the subject line "Data Protection Request”.
8.4.2 Please include sufficient details to identify yourself and the information sought (e.g. registered email, order ID).
8.4.3 We will respond as soon as practicable and within the statutory one-month period.

8.5 Complaints and supervisory authority

8.5.1 If you are unhappy with how we handle your data, please contact us first so we can attempt to resolve your concern.
8.5.2 You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
www.ico.org.uk | 0303 123 1113

8.6 Data controlled by Restaurants

Where personal data has been provided to a Restaurant to fulfil your order (e.g. delivery address, contact details, allergy notes), that Restaurant is the controller of that data for its own purposes (order fulfilment, records, etc.).
To exercise data-subject rights in relation to Restaurant-controlled data, please contact the Restaurant directly using the contact information listed on your receipt or its website.

9. SECURITY OF YOUR PERSONAL DATA

9.1 Our commitment

9.1.1 Mersey Eats takes the confidentiality, integrity, and availability of your personal data seriously.
9.1.2 We maintain appropriate technical and organisational measures to protect your data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
9.1.3 These measures are designed to provide a level of security appropriate to the risks presented by the nature of the data and our processing activities.

9.2 Technical safeguards

To secure your data, we implement (among other measures):

• Encryption in transit and at rest for all personal-data transmissions between your device and our servers;
• Secure Sockets Layer (SSL) and HTTPS for all website communications;
• Tokenisation of payments – all card data handled directly by Stripe using PCI-DSS Level 1–certified systems;
• Firewall and intrusion-detection systems to prevent unauthorised access;
• Regular vulnerability testing and patch management on servers and applications;
• Multi-factor authentication (MFA) and least-privilege access for staff accounts;
• Data-backup and recovery procedures to ensure service continuity.

9.3 Organisational safeguards

We also maintain strict administrative and procedural protections, including:

• Access control: personal data accessible only to authorised staff on a need-to-know basis;
• Staff training: mandatory onboarding and annual refresher courses on data-protection, cybersecurity, and confidentiality;
• Policies: internal information-security and data-protection policies reviewed annually;
• Confidentiality undertakings: all employees, contractors, and processors are bound by confidentiality agreements;
• Due-diligence of vendors: service providers (e.g. hosting, analytics, marketing) are vetted for GDPR compliance and required to sign Data Processing Agreements (DPAs).

9.4 Payment security

9.4.1 All online transactions are processed securely by Stripe Payments UK Ltd.
9.4.2 Stripe complies with Payment Card Industry Data Security Standard (PCI DSS) and employs strong encryption and tokenisation.
9.4.3 Mersey Eats does not store or have access to your full card number, CVV, or magnetic-stripe information.
9.4.4 For details, please refer to Stripe’s Privacy Policy.

9.5 Incident response

9.5.1 In the unlikely event of a personal-data breach, Mersey Eats will:
(a) contain and assess the incident promptly;
(b) notify the Information Commissioner’s Office (ICO) within 72 hours where required by law; and
(c) inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
9.5.2 We maintain an internal Data-Breach Response Plan reviewed at least annually.

9.6 Shared responsibility

9.6.1 While we take strong security measures, the safety of your data also depends on you.
Please:

• keep your account credentials confidential;
• log out from shared devices;
• use up-to-date antivirus and secure Wi-Fi; and
• contact us immediately if you suspect unauthorised access to your account.

10. CONTACT US

10.1 Data Controller

The data controller responsible for your personal data is:
Merseyside Eats Group Pvt Ltd
Registered Office: 3.16 Universal Square, Business Centre, Manchester, United Kingdom, M12 6JH
Company Number: 16724575
Email: support@mersey-eats.co.uk
Telephone: [optional – add if you have a dedicated support line]

Mersey Eats is responsible for processing personal data in connection with the operation of the Mersey Eats website and app in the United Kingdom.

10.2 Data Protection Contact

For any privacy-related questions, to exercise your data-protection rights, or to make a complaint about our processing of personal data, you can contact:
Data Protection Contact – Mersey Eats
Email: support@mersey-eats.co.uk
Subject line: Data Protection Enquiry

We encourage you to contact us first with any concerns so that we can resolve them promptly.

10.3 Complaints to the Supervisory Authority

If you remain dissatisfied with our handling of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data-protection regulator:

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk

11. UPDATES TO THIS PRIVACY NOTICE

11.1 Periodic updates

11.1.1 We may update this Privacy Notice from time to time to reflect operational, legal, or regulatory changes.
11.1.2 The most current version will always be available via the Privacy Policy link in the footer of our website and within our mobile app.

11.2 Notification of changes

11.2.1 If we make material updates (for example, expanding data-sharing categories or introducing new processing purposes), we will notify you by:

• email (to the address associated with your account), or
• an in-app or website notice before the change takes effect.
  11.2.2 Continued use of our Services after the updated Privacy Notice takes effect constitutes acceptance of the revised version.

11.3 Version control

Version: 1.0
Effective Date: October 2025
Jurisdiction: England and Wales

 

We value your privacy and are committed to protecting your data.