
CRIBNOSH LTD is a company registered in Scotland (Company No. SC834534). Registered Office: 50 Southhouse Broadway, Edinburgh, EH17 8AR.

Privacy Policy

Last updated: 19 June 2026

Effective Date: 19 June 2026

1. Data Controller

CribNosh Ltd ("CribNosh", "we", "our", or "us"), registered in Scotland under company number SC834534, is the data controller responsible for your personal information unless we tell you otherwise.

Registered Office: 50 Southhouse Broadway, Edinburgh, EH17 8AR, United Kingdom

Privacy Email: privacy@cribnosh.co.uk

Data Protection Contact: dpo@cribnosh.co.uk

2. Scope of This Policy

This Privacy Policy explains how we collect, use, store, share, protect, retain, and otherwise process personal information when you use our website, mobile applications, social or community features, creator tools, driver tools, support flows, family-account features, and related services (together, the "Platform").

This Policy applies to customers, Food Creators, Drivers, guests, support users, and other people who interact with the Platform, unless we provide a separate notice for a specific service or relationship.

3. Age and Eligibility Context

  • Customers must be at least 13 years old to use general customer ordering features.
  • Customers must be at least 16 years old to use social, community, or similar UGC-driven features where we require a higher minimum age.
  • Food Creators must be at least 18 years old.
  • Drivers must be at least 18 years old.

We may apply stricter age, eligibility, verification, or feature-access rules in particular cases. We do not knowingly allow underage users into account types or features that require a higher minimum age.

4. The Personal Information We Collect

We collect personal information directly from you, automatically from your use of the Platform, from other Platform participants, from service providers, and from devices or systems you use with the Platform.

4.1 Account and profile information

This may include:

  • full name;
  • username or display name;
  • email address;
  • phone number;
  • date of birth or age-band information;
  • password or other login information;
  • profile photo;
  • account preferences and settings;
  • saved addresses;
  • dietary preferences, allergies, restrictions, and related profile information;
  • family-account settings, member relationships, approval preferences, and spending controls; and
  • any information you include in your profile, account forms, or onboarding flows.

4.2 Customer order and transaction information

This may include:

  • order history;
  • meal, creator, and cart information;
  • order notes, handoff notes, and support notes;
  • delivery address and related delivery information;
  • billing information;
  • payment method tokens and payment status information handled through our payment providers;
  • refund, cancellation, issue-report, compensation, and support history;
  • voucher, reward, promotion, loyalty, or credit information;
  • review, rating, or reaction information; and
  • information connected to disputes, chargebacks, or fraud checks.

4.3 Food Creator information

If you use the Platform as a Food Creator, we may collect:

  • menu, pricing, availability, and listing information;
  • kitchen, premises, location, or approved-location information;
  • compliance, registration, rating, training, or readiness information;
  • onboarding records;
  • safety evidence, spotcheck materials, and review notes;
  • bank, payout, tax, or similar financial setup information;
  • creator support, reliability, and enforcement history; and
  • profile, media, recipes, stories, videos, or other creator content.

4.4 Driver information

If you use the Platform as a Driver, we may collect:

  • driving licence and eligibility information;
  • insurance information;
  • work-right or identity-verification information;
  • vehicle information where relevant;
  • live, background, or recent location information while using delivery features, where enabled or required;
  • proof-of-delivery information, handoff evidence, and issue-report submissions;
  • delivery history, route context, and related support or dispute information;
  • call-related metadata for customer-driver or operations-related calling features; and
  • payout or banking setup information where relevant.

4.5 User-generated content and communications

This may include:

  • photos, videos, recipes, comments, reviews, ratings, stories, live content, and messages where relevant;
  • AI chat inputs, prompts, selections, feedback, and related output interaction data where we offer AI-assisted features;
  • customer support messages and feedback;
  • creator and driver support submissions;
  • copyright, takedown, counter-notice, or appeal submissions;
  • moderation reports and related explanations;
  • safety, fraud, compliance, or legal-evidence submissions; and
  • any personal information contained in content you choose to upload, post, transmit, or otherwise provide.

4.6 Technical, device, and usage information

This may include:

  • device type, operating system, browser, app version, device identifiers, and network information;
  • IP address;
  • approximate or precise location, depending on your settings, permissions, and use case;
  • crash, diagnostics, and performance information;
  • feature usage, page views, taps, timing, and interaction patterns;
  • cookies, SDK events, local storage, and similar tracking or attribution information;
  • notification preferences and delivery status;
  • tracking permission choices and advertising or campaign measurement signals where permitted;
  • advertising, attribution, and campaign information where permitted;
  • device motion or related device-sensor information where a feature, platform integration, or fraud/safety flow reasonably requires it; and
  • logs relating to account access, fraud prevention, abuse prevention, or system security.

4.7 Device permissions and sensitive interface data

Depending on your device, account type, settings, and use of the Platform, we may collect information linked to your use of:

  • camera access;
  • microphone access;
  • photo library access;
  • location access, including background location for driver or operational delivery use cases;
  • device biometrics or secure authentication features, such as Face ID or fingerprint-backed login, although biometric matching may be performed locally by your device or operating system and we may only receive confirmation tokens or related authentication results;
  • discoverability, map visibility, online status, or similar account-visibility settings you choose to use;
  • notifications;
  • maps and geolocation services; and
  • calling or communications features.

Unless we expressly tell you otherwise for a specific feature, we do not seek to collect or store the raw Face ID, fingerprint, or other biometric template used by your device for local authentication.

4.8 Health-related or special category information

Some information you choose to provide, such as allergy details, dietary restrictions, or health information in a complaint or safety report, may amount to special category data under data protection law.

Where required by law, we rely on your explicit consent, your manifest choice to provide the information for a specific purpose, legal claims handling, substantial public interest, or another lawful condition that applies to the circumstances.

5. How We Use Your Personal Information

We use personal information where necessary to operate, improve, protect, and support the Platform. This may include using your information:

  • to create, verify, and manage your account;
  • to provide ordering, fulfilment, delivery, support, creator, driver, community, and family-account features;
  • to process payments, refunds, payouts, chargebacks, credits, and related financial events;
  • to power search, discovery, recommendations, personalization, reminders, and profile features;
  • to apply approved-location, geofencing, delivery-area, or creator-premises controls;
  • to manage customer support, creator support, driver support, disputes, and issue resolution;
  • to investigate moderation reports, safety concerns, fraud, abuse, legal claims, and compliance issues;
  • to review and enforce our Terms, Community Guidelines, and other platform rules;
  • to communicate with you about orders, deliveries, safety issues, support cases, account changes, legal notices, and policy updates;
  • to administer promotions, rewards, loyalty programs, or experiments;
  • to provide, quality-check, secure, and improve AI-assisted or automated features where lawful and proportionate;
  • to improve our services, develop new features, analyse usage, and measure performance;
  • to protect the Platform, users, creators, drivers, partners, and the public;
  • to comply with legal, regulatory, tax, accounting, insurance, audit, or court-related obligations; and
  • to establish, exercise, or defend legal claims.

6. Our Legal Bases for Processing

Depending on the context, we process personal information under one or more of the following legal bases under UK GDPR:

6.1 Contract

We process personal information where necessary to enter into or perform our contract with you, including:

  • account setup and login;
  • order processing;
  • payment processing;
  • creator and driver tooling;
  • delivery coordination;
  • support handling; and
  • family-account features you choose to use.

6.2 Legitimate interests

We process personal information where necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. These interests may include:

  • platform safety and security;
  • fraud prevention;
  • abuse prevention;
  • moderation and reporting review;
  • product improvement;
  • service reliability;
  • support quality;
  • recommendation and discovery quality;
  • business analytics;
  • legal risk management;
  • enforcement of our policies and rights; and
  • operational administration.

6.3 Consent

We rely on consent where required, including for example:

  • certain marketing communications;
  • non-essential cookies or similar technologies;
  • some personalised advertising or attribution uses where applicable;
  • some processing of special category information you choose to provide; and
  • other cases where the law requires consent.

You can withdraw consent at any time, although this does not affect processing already carried out lawfully before withdrawal.

6.4 Legal obligation

We process personal information where necessary to comply with legal or regulatory obligations, including obligations relating to tax, accounting, anti-fraud, safety, investigations, law enforcement, court orders, and similar requirements.

6.5 Vital interests or legal claims contexts

In limited circumstances, we may process information to protect someone from serious harm, to address urgent safety incidents, or to establish, exercise, or defend legal claims.

6.6 Examples of category-to-purpose mapping

To make our use of data clearer, the following are common examples of how categories and legal bases fit together:

  • account, identity, login, and contact data: contract, legitimate interests, and legal obligation where relevant;
  • order, payment, refund, delivery, and family-approval data: contract, legitimate interests, and legal obligation where relevant;
  • creator and driver onboarding, compliance, location, readiness, and payout data: contract, legitimate interests, legal obligation, and legal claims handling where relevant;
  • AI interaction, prompt, feedback, and feature-improvement data: contract, legitimate interests, and consent where required;
  • authentication, account-security, and biometric-confirmation-result data: contract, legitimate interests, and legal obligation where relevant;
  • proof-of-delivery, route, handoff, and fulfilment-evidence data: contract, legitimate interests, legal obligation, and legal claims handling where relevant;
  • recommendation, ranking, search, reminders, and personalization data: contract, legitimate interests, and consent where required;
  • marketing, tracking, and some advertising or attribution data: consent where required and legitimate interests where allowed by law;
  • moderation, copyright, fraud, support, issue-report, safety, and enforcement data: legitimate interests, legal obligation, vital interests in limited cases, and legal claims handling where relevant;
  • allergy, dietary, or health-related complaint data: explicit consent where required, your manifest choice to provide the information for a requested service, legal claims handling, substantial public interest, or another lawful condition that applies; and
  • analytics, diagnostics, and product-improvement data: legitimate interests and consent where required by law.

7. Sharing Your Personal Information

We share personal information only where we believe it is necessary, appropriate, and lawful.

7.1 Platform participants

Depending on the workflow:

  • Food Creators may receive customer name, order details, delivery details, notes, and related fulfilment context;
  • Drivers may receive customer name, delivery details, contact context, route context, and issue-resolution information;
  • family-account participants may see certain information based on the permissions and settings used in that family-account flow; and
  • support, trust and safety, finance, or operations staff may access relevant information to perform their roles.

7.2 Service providers and processors

We may share information with service providers acting on our instructions, such as:

  • payment providers, including Stripe;
  • cloud hosting, storage, and infrastructure providers;
  • database and backend service providers;
  • analytics, diagnostics, and attribution providers;
  • communications and notification providers;
  • mapping, routing, and geolocation providers;
  • customer-support tooling providers;
  • moderation, fraud, and safety tooling providers;
  • AI or automation providers;
  • delivery integration partners;
  • identity, verification, or compliance tooling providers;
  • insurers, auditors, and professional advisers acting on our instructions or in support of our lawful operations where relevant; and
  • other vendors reasonably required to operate or improve the Platform.

7.3 Professional, commercial, and legal counterparties

We may share information with:

  • lawyers;
  • auditors;
  • insurers;
  • bankers;
  • accountants;
  • potential investors or corporate transaction counterparties;
  • regulators;
  • tax authorities;
  • courts;
  • law enforcement; and
  • other governmental or competent authorities,

where reasonably necessary and lawful.

7.4 Business transactions

If we are involved in a merger, acquisition, financing, restructure, or sale of assets, personal information may be disclosed to relevant counterparties and advisers subject to appropriate safeguards.

8. International Transfers

Some service providers or counterparties may be located outside the UK. Where we transfer personal information internationally, we take steps designed to ensure a comparable level of protection, such as:

  • transfers to countries benefiting from adequacy regulations;
  • use of appropriate contractual safeguards, such as UK-approved transfer clauses;
  • other lawful transfer mechanisms recognised under applicable data protection law; and
  • additional technical or organisational safeguards where appropriate.

9. Retention of Personal Information

We retain personal information only for as long as reasonably necessary for the purposes described in this Policy, including for legal, accounting, tax, fraud-prevention, safety, moderation, copyright, payout, support, and dispute reasons.

Retention periods vary depending on the information and context. For example:

  • account information may be kept while your account is active and for a reasonable period afterwards;
  • deleted-account request records may be kept to honour, evidence, or defend deletion handling and to prevent abuse or repeated evasion;
  • transaction, tax, accounting, and payout records may be kept for several years where required;
  • creator and driver compliance, verification, insurance, safety, premises, payout, or operational-eligibility records may be kept while relevant to the account and for a reasonable period afterwards;
  • location, proof-of-delivery, routing, handoff, and operational incident records may be kept for as long as reasonably needed for fulfilment, support, fraud review, safety investigations, payout disputes, or legal claims;
  • support, dispute, safety, moderation, and fraud records may be kept for as long as needed to investigate issues, defend claims, or comply with obligations;
  • copyright, takedown, counter-notice, repeat-infringer, and appeal records may be kept for as long as needed for legal, moderation, and repeat-violation purposes;
  • food-safety, allergen-complaint, injury, incident, or serious order-risk records may be kept for as long as reasonably required to investigate, defend, or comply with applicable obligations;
  • technical logs may be kept for shorter periods for security and troubleshooting;
  • marketing or consent records may be kept until you withdraw consent or after a period of inactivity;
  • suppression, opt-out, and preference-management records may be kept for as long as reasonably necessary to honour your choices and demonstrate compliance;
  • deleted content or deleted accounts may remain in backups or disaster recovery systems for a limited cycle-based period; and
  • some information may be retained longer where there is an active dispute, investigation, legal claim, regulatory request, or legitimate need to preserve evidence.

We may also retain derived records, audit trails, redaction logs, payout adjustments, moderation outcomes, and similar operational records where necessary.

10. Automated Decision-Making, Profiling, and AI-Assisted Features

We may use automated systems, rules, ranking models, or AI-assisted systems to help with:

  • recommendations;
  • search and discovery;
  • fraud detection;
  • moderation triage;
  • route optimisation;
  • support routing;
  • feature personalisation; and
  • operational prioritisation.

These systems may use information such as account activity, preferences, location, order history, reliability signals, safety signals, and related Platform context.

These tools help us operate and improve the Platform, but they do not replace all human judgment. If you believe an automated process has affected you unfairly, you may contact us to request review and, where applicable, human intervention.

Some automated or partially automated processes may contribute to eligibility, fraud, payout, moderation, recommendation, visibility, routing, or support outcomes, although human review may also be involved depending on the workflow.

Where applicable, you may also ask us for more information about the relevant decision process, the main categories of information involved, and the available review options.

AI-generated or AI-assisted outputs may be incomplete or wrong and should not be treated as medical, dietary, allergy, food-safety, legal, or other professional advice.

11. Cookies, Tracking, and Similar Technologies

We and our partners may use cookies, SDKs, pixels, local storage, and similar technologies to:

  • keep the Platform working;
  • remember preferences;
  • understand usage;
  • improve performance;
  • measure campaigns;
  • detect fraud or abuse; and
  • support personalisation or marketing where permitted.

Your account or device settings may also let you control certain data uses such as analytics, marketing, personalization, discoverability, map visibility, or online-status sharing, but some service and safety uses remain necessary for the Platform to function.

You can manage cookies and similar technologies through our cookie controls, your browser settings, device settings, and other mechanisms we make available. Some features may not work properly if certain technologies are disabled.

12. Your Rights

Subject to applicable law, you may have the right to:

  • request access to personal information we hold about you;
  • request correction of inaccurate or incomplete information;
  • request deletion of certain information;
  • request restriction of processing in some circumstances;
  • object to some processing, including some legitimate-interest processing and direct marketing;
  • request portability of certain information in a structured, machine-readable format;
  • withdraw consent where we rely on consent; and
  • complain to the UK Information Commissioner's Office.

To exercise your rights, contact us using the details at the end of this Policy. We may need to verify your identity before we can fully respond. We may also need to retain or refuse deletion of some information where the law allows or requires us to do so.

13. Security

We use technical and organisational measures designed to protect personal information, including measures such as:

  • encryption in transit and, where appropriate, at rest;
  • access controls and authentication measures;
  • monitoring, logging, and security review processes;
  • training and internal access limitations;
  • vendor review and security assessments where appropriate; and
  • incident response and breach handling procedures.

No system can be guaranteed completely secure. You are also responsible for using unique passwords or secure sign-in methods and keeping your credentials and devices secure.

14. Third-Party Services and Links

The Platform may contain third-party services, links, content, or integrations. We are not responsible for the privacy practices of third parties acting outside our instructions. Their own notices and policies may apply.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the Platform, our practices, legal requirements, or other operational reasons.

Where legally required, we will provide appropriate notice of material changes. Your continued use of the Platform after the effective date of an update means you accept the updated Policy, except where applicable law requires another form of consent.

16. Complaints

If you have concerns about how we handle your personal information, you may contact us first and we will try to resolve them.

You also have the right to complain to the UK Information Commissioner's Office:

ICO Website: www.ico.org.uk

Helpline: 0303 123 1113

Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

17. Contact Us

If you have questions about this Privacy Policy, want to exercise your rights, or want to contact us about privacy, safety, moderation, or retention issues, please contact us:

Email: privacy@cribnosh.co.uk

Data Protection Contact: dpo@cribnosh.co.uk

Address: CribNosh Ltd, 50 Southhouse Broadway, Edinburgh, EH17 8AR, United Kingdom

  • recommendation and discovery quality;
  • business analytics;
  • legal risk management;
  • enforcement of our policies and rights; and
  • operational administration.

6.3 Consent

We rely on consent where required, including for example:

  • certain marketing communications;
  • non-essential cookies or similar technologies;
  • some personalised advertising or attribution uses where applicable;
  • some processing of special category information you choose to provide; and
  • other cases where the law requires consent.

You can withdraw consent at any time, although this does not affect processing already carried out lawfully before withdrawal.

6.4 Legal obligation

We process personal information where necessary to comply with legal or regulatory obligations, including obligations relating to tax, accounting, anti-fraud, safety, investigations, law enforcement, court orders, and similar requirements.

6.5 Vital interests or legal claims contexts

In limited circumstances, we may process information to protect someone from serious harm, to address urgent safety incidents, or to establish, exercise, or defend legal claims.

6.6 Examples of category-to-purpose mapping

To make our use of data clearer, the following are common examples of how categories and legal bases fit together:

  • account, identity, login, and contact data: contract, legitimate interests, and legal obligation where relevant;
  • order, payment, refund, delivery, and family-approval data: contract, legitimate interests, and legal obligation where relevant;
  • creator and driver onboarding, compliance, location, readiness, and payout data: contract, legitimate interests, legal obligation, and legal claims handling where relevant;
  • AI interaction, prompt, feedback, and feature-improvement data: contract, legitimate interests, and consent where required;
  • authentication, account-security, and biometric-confirmation-result data: contract, legitimate interests, and legal obligation where relevant;
  • proof-of-delivery, route, handoff, and fulfilment-evidence data: contract, legitimate interests, legal obligation, and legal claims handling where relevant;
  • recommendation, ranking, search, reminders, and personalization data: contract, legitimate interests, and consent where required;
  • marketing, tracking, and some advertising or attribution data: consent where required and legitimate interests where allowed by law;
  • moderation, copyright, fraud, support, issue-report, safety, and enforcement data: legitimate interests, legal obligation, vital interests in limited cases, and legal claims handling where relevant;
  • allergy, dietary, or health-related complaint data: explicit consent where required, your manifest choice to provide the information for a requested service, legal claims handling, substantial public interest, or another lawful condition that applies; and
  • analytics, diagnostics, and product-improvement data: legitimate interests and consent where required by law.

7. Sharing Your Personal Information

We share personal information only where we believe it is necessary, appropriate, and lawful.

7.1 Platform participants

Depending on the workflow:

  • Food Creators may receive customer name, order details, delivery details, notes, and related fulfilment context;
  • Drivers may receive customer name, delivery details, contact context, route context, and issue-resolution information;
  • family-account participants may see certain information based on the permissions and settings used in that family-account flow; and
  • support, trust and safety, finance, or operations staff may access relevant information to perform their roles.

7.2 Service providers and processors

We may share information with service providers acting on our instructions, such as:

  • payment providers, including Stripe;
  • cloud hosting, storage, and infrastructure providers;
  • database and backend service providers;
  • analytics, diagnostics, and attribution providers;
  • communications and notification providers;
  • mapping, routing, and geolocation providers;
  • customer-support tooling providers;
  • moderation, fraud, and safety tooling providers;
  • AI or automation providers;
  • delivery integration partners;
  • identity, verification, or compliance tooling providers;
  • insurers, auditors, and professional advisers acting on our instructions or in support of our lawful operations where relevant; and
  • other vendors reasonably required to operate or improve the Platform.

7.3 Professional, commercial, and legal counterparties

We may share information with:

  • lawyers;
  • auditors;
  • insurers;
  • bankers;
  • accountants;
  • potential investors or corporate transaction counterparties;
  • regulators;
  • tax authorities;
  • courts;
  • law enforcement; and
  • other governmental or competent authorities,

where reasonably necessary and lawful.

7.4 Business transactions

If we are involved in a merger, acquisition, financing, restructure, or sale of assets, personal information may be disclosed to relevant counterparties and advisers subject to appropriate safeguards.

8. International Transfers

Some service providers or counterparties may be located outside the UK. Where we transfer personal information internationally, we take steps designed to ensure a comparable level of protection, such as:

  • transfers to countries benefiting from adequacy regulations;
  • use of appropriate contractual safeguards, such as UK-approved transfer clauses;
  • other lawful transfer mechanisms recognised under applicable data protection law; and
  • additional technical or organisational safeguards where appropriate.

9. Retention of Personal Information

We retain personal information only for as long as reasonably necessary for the purposes described in this Policy, including for legal, accounting, tax, fraud-prevention, safety, moderation, copyright, payout, support, and dispute reasons.

Retention periods vary depending on the information and context. For example:

  • account information may be kept while your account is active and for a reasonable period afterwards;
  • deleted-account request records may be kept to honour, evidence, or defend deletion handling and to prevent abuse or repeated evasion;
  • transaction, tax, accounting, and payout records may be kept for several years where required;
  • creator and driver compliance, verification, insurance, safety, premises, payout, or operational-eligibility records may be kept while relevant to the account and for a reasonable period afterwards;
  • location, proof-of-delivery, routing, handoff, and operational incident records may be kept for as long as reasonably needed for fulfilment, support, fraud review, safety investigations, payout disputes, or legal claims;
  • support, dispute, safety, moderation, and fraud records may be kept for as long as needed to investigate issues, defend claims, or comply with obligations;
  • copyright, takedown, counter-notice, repeat-infringer, and appeal records may be kept for as long as needed for legal, moderation, and repeat-violation purposes;
  • food-safety, allergen-complaint, injury, incident, or serious order-risk records may be kept for as long as reasonably required to investigate, defend, or comply with applicable obligations;
  • technical logs may be kept for shorter periods for security and troubleshooting;
  • marketing or consent records may be kept until you withdraw consent or after a period of inactivity;
  • suppression, opt-out, and preference-management records may be kept for as long as reasonably necessary to honour your choices and demonstrate compliance;
  • deleted content or deleted accounts may remain in backups or disaster recovery systems for a limited cycle-based period; and
  • some information may be retained longer where there is an active dispute, investigation, legal claim, regulatory request, or legitimate need to preserve evidence.

We may also retain derived records, audit trails, redaction logs, payout adjustments, moderation outcomes, and similar operational records where necessary.

10. Automated Decision-Making, Profiling, and AI-Assisted Features

We may use automated systems, rules, ranking models, or AI-assisted systems to help with:

  • recommendations;
  • search and discovery;
  • fraud detection;
  • moderation triage;
  • route optimisation;
  • support routing;
  • feature personalisation; and
  • operational prioritisation.

These systems may use information such as account activity, preferences, location, order history, reliability signals, safety signals, and related Platform context.

These tools help us operate and improve the Platform, but they do not replace all human judgment. If you believe an automated process has affected you unfairly, you may contact us to request review and, where applicable, human intervention.

Some automated or partially automated processes may contribute to eligibility, fraud, payout, moderation, recommendation, visibility, routing, or support outcomes, although human review may also be involved depending on the workflow.

Where applicable, you may also ask us for more information about the relevant decision process, the main categories of information involved, and the available review options.

AI-generated or AI-assisted outputs may be incomplete or wrong and should not be treated as medical, dietary, allergy, food-safety, legal, or other professional advice.

11. Cookies, Tracking, and Similar Technologies

We and our partners may use cookies, SDKs, pixels, local storage, and similar technologies to:

  • keep the Platform working;
  • remember preferences;
  • understand usage;
  • improve performance;
  • measure campaigns;
  • detect fraud or abuse; and
  • support personalisation or marketing where permitted.

Your account or device settings may also let you control certain data uses such as analytics, marketing, personalization, discoverability, map visibility, or online-status sharing, but some service and safety uses remain necessary for the Platform to function.

You can manage cookies and similar technologies through our cookie controls, your browser settings, device settings, and other mechanisms we make available. Some features may not work properly if certain technologies are disabled.

12. Your Rights

Subject to applicable law, you may have the right to:

  • request access to personal information we hold about you;
  • request correction of inaccurate or incomplete information;
  • request deletion of certain information;
  • request restriction of processing in some circumstances;
  • object to some processing, including some legitimate-interest processing and direct marketing;
  • request portability of certain information in a structured, machine-readable format;
  • withdraw consent where we rely on consent; and
  • complain to the UK Information Commissioner's Office.

To exercise your rights, contact us using the details at the end of this Policy. We may need to verify your identity before we can fully respond. We may also need to retain or refuse deletion of some information where the law allows or requires us to do so.

13. Security

We use technical and organisational measures designed to protect personal information, including measures such as:

  • encryption in transit and, where appropriate, at rest;
  • access controls and authentication measures;
  • monitoring, logging, and security review processes;
  • training and internal access limitations;
  • vendor review and security assessments where appropriate; and
  • incident response and breach handling procedures.

No system can be guaranteed completely secure. You are also responsible for using unique passwords or secure sign-in methods and keeping your credentials and devices secure.

14. Third-Party Services and Links

The Platform may contain third-party services, links, content, or integrations. We are not responsible for the privacy practices of third parties acting outside our instructions. Their own notices and policies may apply.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the Platform, our practices, legal requirements, or other operational reasons.

Where legally required, we will provide appropriate notice of material changes. Your continued use of the Platform after the effective date of an update means you accept the updated Policy, except where applicable law requires another form of consent.

16. Complaints

If you have concerns about how we handle your personal information, you may contact us first and we will try to resolve them.

You also have the right to complain to the UK Information Commissioner's Office:

ICO Website: www.ico.org.uk

Helpline: 0303 123 1113

Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

17. Contact Us

If you have questions about this Privacy Policy, want to exercise your rights, or want to contact us about privacy, safety, moderation, or retention issues, please contact us:

Email: privacy@cribnosh.co.uk

Data Protection Contact: dpo@cribnosh.co.uk

Address: CribNosh Ltd, 50 Southhouse Broadway, Edinburgh, EH17 8AR, United Kingdom