Privacy Policy

Last updated: 2 March 2026

Your data matters. This policy explains how foodfacts CONNECT collects, uses, and protects your personal information in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

foodfacts CONNECT is operated by FoodFacts Ltd, a company registered in England and Wales. We are the data controller for personal data collected through this platform. For data protection enquiries, contact us at [email protected].

2. What Data We Collect

When you join our waitlist, we collect:

  • Full name — to personalise communications
  • Email address — to notify you about platform updates and launch
  • Phone number — for optional follow-up communications
  • Professional role (Registered Dietitian or Registered Nutritionist) — to tailor your onboarding experience
  • Date and time of registration — for our records

When you create an account, we additionally collect profile information, appointment history, and payment references (Stripe IDs only — we never store full card details).

3. How We Use Your Data

Purpose | Legal Basis
Managing your waitlist registration | Consent (Art. 6(1)(a) UK GDPR)
Sending launch notifications and platform updates | Consent (Art. 6(1)(a) UK GDPR)
Processing bookings and payments | Contract (Art. 6(1)(b) UK GDPR)
Complying with legal obligations | Legal obligation (Art. 6(1)(c) UK GDPR)
Improving platform security and functionality | Legitimate interests (Art. 6(1)(f) UK GDPR)

4. Data Retention

Waitlist data is retained until the platform launches or until you request deletion, whichever comes first. Account data is retained for the duration of your account plus 7 years to comply with financial record-keeping obligations. You may request deletion at any time (see Your Rights below).

5. Data Sharing

We do not sell your data. We share data only with:

  • Stripe — for payment processing (subject to Stripe's Privacy Policy)
  • MailerSend — for transactional email delivery
  • Cloud infrastructure providers — for secure data storage (all data stored in the UK/EEA)
  • Law enforcement — only when legally required

6. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of the data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure ("right to be forgotten") — request deletion of your data
  • Right to restrict processing — request we limit how we use your data
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — withdraw consent at any time without affecting prior processing

To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

7. Cookies

We use essential session cookies required for authentication and security. We do not use tracking or advertising cookies. You can disable cookies in your browser settings, though this may affect platform functionality.

8. Security

We implement industry-standard security measures including HTTPS encryption, rate limiting, input validation, and regular security reviews. Payment data is handled exclusively by Stripe and never stored on our servers. In the event of a data breach that poses a risk to your rights, we will notify you and the ICO within 72 hours as required by UK GDPR.

9. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users. Continued use of the platform after changes constitutes acceptance of the updated policy.

10. Contact Us

For any privacy-related questions or to exercise your rights, contact our Data Protection Officer at [email protected].