Privacy Policy
Last updated: 11 April 2026
1. Who We Are
The Sunset Society ("we", "us", "our") is the data controller responsible for your personal data.
- Address: 5 Old Tiverton Road, Exeter, EX4 6LD
- Email: [your email address]
- Phone: [your phone number]
2. What Data We Collect
| Category | Data | When Collected |
|---|---|---|
| Identity | Name, email address, phone number | When you place an order or sign up |
| Order | Items ordered, order history, dietary preferences, table number | When you use our ordering services |
| Payment | Transaction records (card details are processed by our payment provider — we do not see or store your full card number) | When you make a payment |
| Technical | IP address, browser type, device information | Automatically when you visit our website |
| Usage | Pages visited, features used, session data | Automatically when you browse our website |
| Marketing | Communication preferences, opt-in status | When you subscribe to our newsletter |
3. Why We Use Your Data & Our Legal Basis
| Purpose | Legal Basis |
|---|---|
| Processing and fulfilling your orders (click & collect, pre-order, order & pay, pay at table) | Contractual necessity |
| Processing payments | Contractual necessity |
| Managing your account and preferences | Contractual necessity |
| Recording allergen and dietary requirements you tell us about | Legitimate interest (food safety) |
| Sending marketing emails (where you have opted in) | Consent |
| Sending marketing about similar services (existing customers, soft opt-in) | Legitimate interest |
| Improving our website and services | Legitimate interest |
| Preventing fraud and ensuring security | Legitimate interest |
| Complying with legal and tax obligations | Legal obligation |
4. Who We Share Your Data With
We share your data only with the following categories of recipients who need it to provide our services:
- Payment processor — to process your card payments securely.
- Website hosting provider — to host and serve our website.
- Google reCAPTCHA — to protect our forms from spam and abuse. This service may collect hardware and software information. See Google's Privacy Policy.
- Analytics provider — to understand how our website is used (if analytics cookies are enabled with your consent).
- Law enforcement or regulators — where we are legally required to do so.
We do not sell your personal data to third parties.
5. International Transfers
Some of our third-party service providers are based outside the UK. Where your data is transferred internationally, it is protected by appropriate safeguards such as Standard Contractual Clauses, an adequacy decision, or the UK-US Data Bridge, as applicable.
6. How Long We Keep Your Data
| Data | Retention Period |
|---|---|
| Order records & payment records | 6 years (HMRC tax requirements) |
| Account data | Duration of your account plus 30 days after deletion |
| Marketing consent records | Duration of consent plus 6 months |
| Analytics data | Up to 26 months |
| Technical/usage data | Up to 12 months |
7. Your Rights
Under UK data protection law, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data (where there is no legal reason for us to keep it).
- Restrict processing — ask us to limit how we use your data.
- Data portability — receive your data in a structured, machine-readable format.
- Object — object to our processing of your data, including for marketing purposes.
- Withdraw consent — where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, contact us at [your email address]. We will respond within one month.
8. Marketing & Newsletters
- We will only send you marketing emails if you have opted in or if you are an existing customer and we are contacting you about similar services (soft opt-in).
- Every marketing email includes an unsubscribe link. You can opt out at any time.
- We do not share your email with third parties for their marketing purposes.
9. Cookies
Our website uses cookies. For full details, please see our Cookie Policy.
10. Security
We take appropriate technical and organisational measures to protect your personal data, including encryption, secure hosting, and access controls. Payment card data is handled entirely by our PCI-DSS compliant payment processor.
11. Children
Our services are not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
12. Complaints
If you are unhappy with how we handle your data, please contact us at [your email address]. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
13. Changes to This Policy
We may update this policy from time to time. The latest version will always be available on our website with the date of the last update shown above.