Privacy Policy

Sufi Restaurant (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This policy explains how we collect, use, store, and share your personal data when you use our website, mobile application, or dine with us.

We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are registered with the Information Commissioner's Office (ICO).

1. Information We Collect

Account information

  • Name, email address, and phone number when you create an account
  • Profile photo (optional, if you choose to upload one)
  • Saved delivery addresses you add to your account

Orders

  • Items ordered, order type (pickup, delivery, or dine-in), and order total
  • Delivery address when you place a delivery order
  • Special instructions or dietary requirements you provide

Reservations

  • Name, email, phone number, date, time, party size, and any special requests

Contact enquiries

  • Name, email address, and the content of your message when you use our contact form

Payment information

  • Card payments are processed on our behalf by Stripe, who acts as our payment data processor. We never receive, store, or have access to your full card number, CVV, or expiry date — these are handled entirely by Stripe
  • We retain a transaction reference and payment status for our financial records

Loyalty programme

  • Points earned, tier status, and redemption history

Technical data

  • Device type, operating system, and browser information
  • IP address and approximate location (city-level, not precise)
  • Pages visited and actions taken within our app or website

2. How We Use Your Data

We use your personal data for the following purposes:

Contract performance

  • To process and fulfil your food orders
  • To confirm and manage your table reservations
  • To send you order updates, delivery status notifications, and booking confirmations by email
  • To process payments and issue refunds where applicable

Legitimate interests

  • To respond to your contact form enquiries
  • To maintain and improve our services, app, and website
  • To prevent fraud and ensure the security of our systems
  • To maintain financial records as required by law

Consent (where given)

  • To send you promotional emails about offers, events, and new menu items
  • To send you push notifications about your orders or special promotions

You can withdraw consent for marketing at any time via your account settings or by contacting us.

3. Who We Share Your Data With

We share your personal data only where necessary:

  • Stripe (data processor) — processes card payments on our behalf. Stripe is PCI DSS Level 1 certified and handles all card data directly. We never store or access your full card details. See Stripe's privacy policy
  • Google / Firebase (data processor) — our cloud infrastructure provider, for authentication, database hosting, and analytics. Data is processed in the EU/UK under the Firebase Data Processing Terms. The UK has an adequacy decision recognising the EU as providing an adequate level of data protection.
  • Apple / Google — when you download our mobile app from the App Store or Google Play

We do not sell your personal data to third parties. We do not share your data with advertisers.

4. How Long We Keep Your Data

  • Account data — retained for as long as your account is active. Permanently deleted when you delete your account.
  • Order and payment records — financial transaction data (amounts, dates, payment references) is retained for 7 years after the transaction date, as required by HMRC for tax and accounting purposes. When you delete your account, your personal details within these records are anonymised (name, email, phone, and delivery address are removed), but the anonymised financial records are preserved.
  • Reservation records — retained for 7 years. Personal details are anonymised upon account deletion; the booking record (date, time, party size) is preserved.
  • Contact enquiries — retained for up to 2 years after your enquiry is resolved.
  • Marketing preferences — retained until you withdraw consent or delete your account.

5. Your Rights

Under UK GDPR, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — ask us to correct inaccurate or incomplete data (you can also update your profile directly in the app)
  • Right to erasure — request deletion of your personal data. You can delete your account directly from the app (see section 6 below), or by contacting us
  • Right to restrict processing — ask us to limit how we use your data in certain circumstances
  • Right to data portability — request your data in a commonly used, machine-readable format
  • Right to object — object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us or email us at [email protected]. We will respond within 30 days.

6. Deleting Your Account

You can delete your account at any time from the Profile tab in our mobile app (tap “Delete Account” at the bottom of the Profile screen). You will be asked to confirm your password before deletion proceeds.

When you delete your account, the following happens:

  • Your personal information (name, email, phone, saved delivery addresses, and profile photo) is permanently deleted
  • Your order and reservation history is anonymised — personal details (name, email, phone, delivery address) are stripped from the records, but the anonymised financial data is retained for 7 years as required by HMRC
  • Your loyalty points, tier status, and redemption history are permanently deleted
  • Your login credentials and authentication record are permanently deleted

If you are unable to access the app, you may request account deletion by emailing [email protected] from the email address associated with your account. We will process your request within 30 days.

7. Cookies and Similar Technologies

Our website and app use the following technologies:

  • Essential cookies — required for authentication and session management. These cannot be disabled as they are necessary for the service to function.
  • Firebase Analytics — to understand how our app and website are used (e.g. popular menu items, page visits). This data is aggregated and does not personally identify you.

We do not use third-party advertising cookies or tracking pixels.

8. How We Protect Your Data

  • All data is transmitted over HTTPS (TLS encryption)
  • Passwords are hashed and never stored in plain text
  • Payment card data is handled entirely by Stripe (PCI DSS Level 1) and never touches our servers
  • Access to customer data is restricted to authorised staff only
  • Our database and infrastructure are hosted on Google Cloud Platform with encryption at rest

9. International Data Transfers

Your data is primarily stored and processed within the UK and European Economic Area (EEA) via Google Cloud Platform (europe-west2, London). Where data is processed in the EU, this is covered by the UK's adequacy decision for the EEA. Stripe may process payment data in the US under their approved data processing agreement and Standard Contractual Clauses.

10. Children's Privacy

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. If we make significant changes that affect how we use your data, we will notify you by email or through a notice in our app.

12. Contact Us

If you have any questions about this privacy policy or how we handle your data, please contact us:

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority for data protection.

Last updated: March 2026