Effective date: 10/02/2026
Website: https://wholesale.foodstorycafe.co.uk

This Privacy Policy explains how we collect, use, store and share personal data when you use our website, create an account, place an order, or contact us. We are committed to protecting your information and handling it responsibly in line with the UK GDPR and the Data Protection Act 2018.

This website is intended for business-to-business wholesale customers.


1) Who we are

Data Controller: FOODSTORY LIMITED 
Registered office: 13–15 Thistle Street, Aberdeen, AB10 1XZ 
Contact (privacy enquiries): admin@foodstorycafe.co.uk
General contact: wholesale@foodstorycafe.co.uk

“Personal data” means information that identifies you or can be used to identify you.


2) What data we collect

A) Account and customer details

  • Name, business name, job title

  • Email address, phone number

  • Billing and delivery addresses

  • Account login details (e.g., username) and preferences

B) Order and transaction details

  • Products ordered, quantities, order history

  • Delivery instructions and order notes

  • Invoices, credits, and account status

C) Payment information (Square)

Payments are processed by Square. We do not store full payment card numbers on our servers. Square will process payment information and related identifiers needed to complete transactions and prevent fraud.

D) Compliance / verification details (KYC/AML)

Where appropriate (for example, to prevent fraud or meet legal/compliance requirements), we may request and process information to verify customers, such as:

  • Business identifiers (e.g., company number, VAT number)

  • Proof of identity and/or proof of address (only if needed)

  • Internal verification outcomes and risk indicators

We conduct KYC/AML checks internally and only collect what is necessary.

E) Communications

  • Messages you send us (forms, email)

  • Customer support queries and records of resolution

F) Website and device data

  • IP address, browser type, device information

  • Approximate location (derived from IP)

  • Pages viewed and interactions

  • Cookie and similar technology data (see Cookies section)


3) How we use your data and our lawful bases

We only process personal data where we have a valid legal basis.

We use your data to:

  1. Set up and administer accounts (including authentication and account security)
    Lawful basis: Contract; Legitimate Interests (security/admin)

  2. Process and fulfil orders (including delivery, returns, queries, invoicing)
    Lawful basis: Contract

  3. Take payments and manage transactions (via Square)
    Lawful basis: Contract; Legitimate Interests (fraud prevention)

  4. Carry out compliance checks (KYC/AML and fraud prevention where appropriate)
    Lawful basis: Legal Obligation (where applicable); Legitimate Interests (fraud prevention/risk)

  5. Operate, protect, and improve the website (security monitoring, troubleshooting, analytics)
    Lawful basis: Legitimate Interests; and Consent where required for non-essential cookies/analytics

  6. Send service communications (order confirmations, delivery updates, important account notices)
    Lawful basis: Contract; Legitimate Interests

  7. Send marketing communications (only if you opt in, or where permitted for B2B communications)
    Lawful basis: Consent or Legitimate Interests (as applicable)
    You can opt out at any time using the unsubscribe link or by contacting us.


4) Who we share your data with

We do not sell personal data. We share it only where necessary to run our business, provide our services, and meet legal obligations.

A) Payment processing

  • Square (payment processing, transaction security, fraud prevention)

B) Delivery

  • Our in-house delivery team, who will use your name/business name, delivery address, and contact details to deliver orders and resolve delivery issues.

C) Website and IT services

We use trusted providers for website hosting, security, backups, email delivery, and maintenance. These providers process data only on our instructions and with appropriate safeguards.

D) Analytics

  • Google Analytics (website usage measurement). Google Analytics may use cookies and similar technologies to help us understand how the website is used.

E) Legal and compliance

We may share information with professional advisers (accountants, auditors, legal advisers) and/or authorities where required by law, regulation, or to protect rights and safety.


5) Cookies and Google Analytics

Cookies are small files stored on your device. We use:

  • Strictly necessary cookies (site functionality, login sessions, security, checkout)

  • Functionality cookies (remember preferences, where enabled)

  • Analytics cookies (Google Analytics, where enabled/consented)

  • Marketing cookies (only if you choose to enable them and if used)

You can control cookies through your browser settings. If our website uses a cookie banner, you can also manage your preferences there. Blocking essential cookies may affect login, checkout, or account features.


6) International data transfers

Some providers (including Google) may process data outside the UK. Where personal data is transferred internationally, we use appropriate safeguards (such as UK-approved contractual protections) to help keep your data protected.


7) How long we keep your data

We retain personal data only as long as necessary for the purposes described in this policy, including legal, tax, accounting, and compliance requirements.

Typical retention:

  • Orders, invoices, and accounting records: generally kept for up to 6 years (to meet tax/accounting requirements)

  • Account data: for as long as your account remains active, and for a reasonable period after closure unless we need to retain certain records

  • KYC/AML records (where collected): retained only as long as required for compliance and risk management, then securely deleted or anonymised

  • Support communications: typically retained for operational purposes and to manage disputes

We may retain data longer if needed to establish, exercise, or defend legal claims.


8) Your rights (UK GDPR)

You have the right to:

  • Request access to your personal data

  • Request correction of inaccurate data

  • Request erasure (where we don’t have a legal reason to keep it)

  • Request restriction of processing in certain circumstances

  • Object to processing based on legitimate interests

  • Request data portability (for certain data)

  • Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, contact us at admin@foodstorycafe.co.uk (our privacy enquiries address). We may ask for verification to protect your data.

If you are unhappy with how we handle your data, you may complain to the Information Commissioner’s Office (ICO), the UK data protection regulator.


9) Security

We use appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, alteration, or disclosure. No system is 100% secure, but we work to maintain strong protections and limit access to those who need it.


10) Third-party links and embedded content

Our website may include links to third-party websites or services. If you follow those links, those sites will have their own privacy policies and we are not responsible for their practices.


11) Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be posted on this page with the effective date above.


12) Contact us

FOODSTORY LIMITED
Registered office: 13–15 Thistle Street, Aberdeen, AB10 1XZ 
Privacy enquiries: admin@foodstorycafe.co.uk
General enquiries: wholesale@foodstorycafe.co.uk