Legal & Compliance
Governed by the laws of England & Wales. Strict adherence to UK GDPR and the Data Protection Act 2018.
Privacy & Data Protection Policy
1. Introduction to Data Governance
HAFFNER KITCHEN LTD (referred to as "we", "us", "the Company") is committed to maintaining the highest standards of data integrity and transparency. This policy outlines our methodologies for collecting, storing, and processing Personal Data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a food delivery and logistics provider based in Basildon, we recognize the sensitivity of the data we handle, including health-related dietary requirements and physical delivery addresses.
2. Information We Collect
We collect and process the following categories of data:
- **Identity Data**: Names, titles, and professional affiliations.
- **Contact Data**: Billing addresses, delivery coordinates, email addresses, and telephonic identifiers.
- **Financial Data**: Encrypted payment tokens processed via PCI-DSS compliant third-party gateways (e.g., Stripe, Adyen).
- **Health & Bio-Data**: Allergies, caloric requirements, and dietary preferences explicitly provided for meal planning.
- **Technical Data**: IP addresses, browser fingerprints, and interaction telemetry gathered via our proprietary platform.
3. Lawful Basis for Processing
Under Article 6 of the UK GDPR, we rely on the following legal bases:
- **Contractual Necessity**: To fulfill your food orders and logistics agreements.
- **Legal Obligation**: To comply with UK tax, employment, and food safety regulations.
- **Legitimate Interest**: To improve our kitchen efficiency and marketing effectiveness, provided your rights are not overridden.
- **Explicit Consent**: Specifically required for the processing of sensitive health data (allergy information).
4. Data Retention and Deletion
We maintain a strict Data Retention Schedule. Customer identity and transaction history are retained for a period of six (6) years following the conclusion of our business relationship to comply with HMRC financial auditing requirements. Marketing data is retained for eighteen (18) months unless a withdrawal of consent is received. Upon the expiration of these periods, data is destroyed using secure cryptographic erasure methods.
5. International Transfers
While our primary servers are located within the United Kingdom, some tertiary processing (e.g., email automation) may occur within the European Economic Area (EEA) or the United States under standard contractual clauses (SCCs) that ensure equivalent levels of protection.
6. Your Rights Under UK Law
You possess the following rights:
- **The Right of Access**: You may request a copy of all data we hold regarding you.
- **The Right to Erasure (Right to be Forgotten)**: You may request the deletion of your data where no overriding legal obligation exists for its retention.
- **The Right to Data Portability**: You may request your dietary and transaction data in a machine-readable format.
This document represents a summary of our full 12,000-word Internal Data Governance Framework. For inquiries, contact our Data Protection Officer at dpo@outbackfp.sbs.