MealShift Privacy Policy
Effective date: 28 May 2026
Version: 2.0
Last reviewed: 28 May 2026
Next review: 28 May 2027
MealShift Ltd (“MealShift”, “we”, “us”, “our”) respects your privacy and is committed to processing personal data lawfully, fairly and transparently under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have over it.
If you have any questions, contact us at [email protected] or by post at MealShift Ltd, 1 Assam Street, London E1 7QL, United Kingdom.
1. Who we are
MealShift Ltd is a company registered in England and Wales (company number 12793366) with its registered office at 1 Assam Street, London E1 7QL.
We operate a commission-free delivery network for UK independent restaurants. We provide:
- The MealShift web platform and mobile applications used by restaurants (“Clients”) and self-employed couriers (“Drivers”)
- Operational dispatch, billing and reporting services to Client restaurants
- A direct sales and marketing function targeting independent restaurant businesses in the UK
We are the data controller for personal data we process about: Client restaurant contacts, Driver applicants and couriers, end-customers of Client restaurants whose delivery details we process to fulfil orders, and prospective business leads we contact for sales purposes.
We are registered with the UK Information Commissioner’s Office (ICO).
2. The categories of people we collect data about
| Category | Examples |
|---|---|
| Driver applicants and couriers | Name, contact details, date of birth, driving licence number, vehicle insurance details, vehicle details, right-to-work documents, bank account details for payment, location data while on shift, ratings, in-app activity, communication history |
| Client restaurant contacts | Restaurant business name, contact name(s), business email, business phone, business address, business activity, in-app activity, communication history, weekly invoicing data |
| End-customers of Client restaurants | Delivery address, contact phone number, order details — strictly used to fulfil the delivery, then minimised |
| Business prospects | Name and business contact details of named individuals at UK limited-company restaurants, takeaways and food businesses we believe could benefit from our service. Sources: public Companies House records, public business directories, our own website forms, Calendly bookings, inbound WhatsApp, scraped business listings, manual entry by our sales team |
| Website visitors | IP address, browser type, device type, pages visited, referrer, basic analytics |
| Support contacts | Anyone who contacts us via email, WhatsApp, phone or web form |
3. What we collect, why, and the lawful basis we rely on
We process personal data only where we have one of the lawful bases set out in UK GDPR Article 6.
| Purpose | Data | Lawful basis | Retention |
|---|---|---|---|
| Operating the MealShift platform and mobile apps for Drivers and Clients | Account, identity, vehicle, payment, activity, location | Article 6(1)(b) — performance of a contract | Active account + 7 years after account closure (tax and HMRC retention requirements) |
| Fulfilling deliveries on behalf of Client restaurants (end-customer delivery details) | End-customer name, address, phone, order details | Article 6(1)(b) — performance of the delivery contract between MealShift and the Client restaurant | 12 months from delivery, then anonymised |
| Processing weekly invoices and payments to Clients and to self-employed Drivers | Bank details, billing address, transaction history | Article 6(1)(b) — performance of a contract, and Article 6(1)(c) — legal obligation (UK tax and accounting law) | 7 years from end of relevant tax year |
| Driver onboarding, identity verification and right-to-work checks | Driving licence, insurance docs, ID documents, DBS where relevant | Article 6(1)(c) — legal obligation under UK employment and right-to-work law | Active relationship + 2 years; right-to-work records 2 years after end of work |
| Customer support and complaint handling (across email / WhatsApp / phone) | Communication history, account details | Article 6(1)(b) — performance of a contract, and Article 6(1)(f) — legitimate interests (resolving disputes, improving service quality) | 3 years from last interaction |
| Sending operational communications to existing Clients and Drivers (service updates, shift availability, statement of earnings, billing reminders, dispatch alerts) | Email, phone, app push tokens | Article 6(1)(b) — performance of a contract. These are service messages, not direct marketing | Lifetime of the account |
| Sending marketing communications to existing Clients (newsletter, product updates, upsells) | | Article 6(1)(a) — consent (opt-in at signup), with right to withdraw at any time. Soft opt-in under PECR for similar products and services | Until consent is withdrawn |
| Sending cold business-to-business marketing communications to prospective UK limited-company Client contacts (cold email, Calendly outreach, follow-up calls) | Business name, business contact name, business email, business phone, business address, communication history | Article 6(1)(f) — legitimate interests. We have completed a Legitimate Interests Assessment (LIA) confirming this. We rely on the corporate-subscriber exemption under PECR Regulation 22(2) for direct marketing to corporate subscribers by electronic mail. We do not send unsolicited marketing to sole traders or personal email addresses. | 24 months from last engagement, then anonymised |
| Website analytics and improvement | IP address, browser, pages visited, referrer | Article 6(1)(f) — legitimate interests in understanding how visitors use our site, with cookie consent where required | 26 months (Google Analytics default) |
| Fraud prevention, abuse detection, and security | Account activity, IP address, device fingerprint, communication metadata | Article 6(1)(f) — legitimate interests in protecting MealShift, Drivers, Clients and end-customers from fraud and abuse | 24 months |
| Compliance with legal requests from law enforcement or regulators | Whatever is requested | Article 6(1)(c) — legal obligation | As required by the request |
We do not process special category data (Article 9 — health, race, religion, sexual orientation, genetic, biometric) other than where a Driver voluntarily discloses it as part of an accessibility request, in which case Article 9(2)(a) — explicit consent applies.
4. Who we share your data with
We only share personal data with third parties where there is a clear purpose, a lawful basis, and an appropriate written data processing agreement in place.
Our service providers (data processors acting on our instructions)
| Provider | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Odoo SA | CRM, helpdesk, marketing email, billing records | Belgium (EU) | UK GDPR adequacy decision for EU |
| Microsoft Corporation (Microsoft 365) | Internal email, OneDrive document storage, Outlook calendar, SMTP relay for outbound email | EU / UK / US | UK GDPR-approved SCCs + UK Addendum |
| Meta Platforms (WhatsApp Business Cloud API) | WhatsApp customer support channel | EU / US | UK GDPR-approved SCCs + UK Addendum |
| Calendly LLC | Sales call booking | US | UK GDPR-approved SCCs + UK Addendum |
| Stripe, Inc. | Card payment processing for Client billing | US / EU / UK | UK GDPR-approved SCCs + UK Addendum |
| Google LLC (Firebase, Crashlytics, Cloud Messaging, Google Analytics, Google Search Console) | App crash reporting, push notifications, anonymous web analytics, search visibility analytics | US / EU | UK GDPR-approved SCCs + UK Addendum |
| DigitalOcean LLC | Production database and application hosting | UK / EU | Hosted in EU regions; UK GDPR adequacy / SCCs |
| Ringover SAS | Business voice telephony | France (EU) | UK GDPR adequacy decision for EU |
| Cloudflare, Inc. | Content delivery network, edge workers, DDoS protection | Global edge network | UK GDPR-approved SCCs + UK Addendum |
| FoodHub, Deliverect, Otter, Flipdish, GloriaFood, Nash (where the Client uses these integrations) | Order intake from third-party ordering platforms | UK / EU / US (varies) | Each operates under its own privacy terms; we exchange only order fulfilment data |
| HMRC and professional accountants | UK statutory tax and accounting | UK | Legal obligation |
Other recipients
- The Driver assigned to fulfil a delivery — sees the relevant end-customer name, address and phone in their app
- Law enforcement, courts or regulators where we are legally required to disclose
- Buyers of MealShift’s business in the event of a sale, merger or restructuring — recipients are bound to the same confidentiality and data protection obligations
We do not sell personal data to any third party for advertising or any other purpose.
5. International data transfers
Some of our service providers are located outside the United Kingdom. Where data is transferred outside the UK, we use one or more of the following safeguards:
- The UK government’s adequacy regulations (covers the EEA, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, and US organisations certified to the UK-US Data Bridge)
- The UK Addendum to the EU Standard Contractual Clauses (UK SCCs)
- Binding Corporate Rules of the recipient organisation, where applicable
A list of which provider uses which safeguard is in Section 4 above.
6. How long we keep your data
Retention periods are listed against each processing purpose in Section 3.
In addition, we apply the following rolling clean-up:
- Inactive Driver applications (no completed onboarding within 6 months) are anonymised
- Business prospects with no engagement after 24 months are auto-archived in our CRM
- Communication records (email, WhatsApp, call recordings) are retained for 3 years from last interaction unless subject to a longer statutory requirement
- Marketing suppression lists (records of people who have opted out) are kept indefinitely so that we never re-email them
7. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate or incomplete data
- Right to erasure (“right to be forgotten”) — ask us to delete your data, subject to legal retention requirements
- Right to restrict processing — ask us to stop a particular use of your data while a dispute is resolved
- Right to data portability — ask for a machine-readable copy of data you provided to us, or have it transferred to another controller
- Right to object — object to processing based on legitimate interests, including a right to object at any time to direct marketing, which we will always honour
- Right to withdraw consent — where we process data based on your consent, you can withdraw it at any time
- Right not to be subject to automated decision-making that produces legal or similarly significant effects — we do not currently make such decisions
To exercise any of these rights, email [email protected] with “Data subject request” in the subject line. We will respond within one month (extendable to three months for complex requests, with notice).
If you are unhappy with how we have handled your request, you have the right to lodge a complaint with the UK Information Commissioner’s Office:
- Web: https://ico.org.uk/make-a-complaint/
- Phone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
8. Direct marketing and your right to opt out
If you are receiving marketing email from MealShift, every email contains an unsubscribe link. Clicking it stops all future marketing email immediately. We honour opt-outs within 24 hours.
You can also opt out at any time by emailing [email protected] with “Unsubscribe” in the subject line.
For B2B marketing to corporate subscribers under PECR Regulation 22(2), you have the same right to object. We will treat any “stop” / “unsubscribe” reply as a request to suppress.
9. Cookies and tracking technologies
Our website https://mealshift.co.uk uses a small number of cookies:
- Strictly necessary cookies for site functionality and security — no consent required
- Analytics cookies (Google Analytics 4) — only set if you accept the cookie banner. Used to understand aggregate visitor behaviour. IP addresses are pseudonymised at collection
- Functionality cookies (chat widget, embedded Calendly booking widget) — only set if you accept the cookie banner
Our mobile apps do not use browser cookies but do use mobile equivalents (advertising ID, instance ID, push token) for Firebase Crashlytics and Firebase Cloud Messaging. You can reset these in your device settings.
10. Security
We protect personal data using technical and organisational measures appropriate to the risk, including:
- Encryption in transit (HTTPS / TLS) for all web traffic and API calls
- Encryption at rest for production databases
- Role-based access control to internal systems
- Least-privilege access for staff
- Multi-factor authentication on administrative accounts
- Regular vulnerability scanning and security updates
- Staff training on data handling and incident response
- Documented breach notification procedure (notification to the ICO within 72 hours of becoming aware of a notifiable breach)
No system can be 100% secure. If you believe your data has been compromised, contact us immediately at [email protected].
11. Children’s data
MealShift’s services are not directed at children. We do not knowingly collect data about anyone under the age of 13. If you are a parent or guardian and believe we hold data about a child, contact us at [email protected] and we will delete it.
12. Links to other sites
Our website and apps may contain links to third-party websites. This policy does not apply to those sites — please read their own privacy policies.
13. Changes to this policy
We review this policy at least annually and update it whenever our processing changes materially. Changes are published on this page with an updated Effective date at the top. Where the change is significant, we will notify affected users by email or in-app notice.
Previous versions are kept in our internal records for audit purposes.
14. Contact us
For all data protection queries, including subject access requests, complaints, or to update your preferences:
MealShift Ltd
1 Assam Street
London E1 7QL
United Kingdom
Email: [email protected]
We aim to respond to data protection enquiries within 5 working days and complete formal requests within one month.
This policy was last reviewed on 28 May 2026. Next scheduled review: 28 May 2027.
