PRIVACY POLICY
Last Updated: October 22, 2025
Introduction
Tiffin Time Ltd ("Tiffin Time," "we," "us," or "our") is committed to protecting your privacy and ensuring you have a positive experience when using our mobile application and related services (collectively, the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our App. It also describes your rights and choices regarding your information. Please read this Privacy Policy carefully. By accessing or using our App, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please do not use the App.
Who We Are
Tiffin Time is a mobile platform that connects users with local food providers, including independent tiffin meal vendors and catering service providers for events. We are based in London, United Kingdom, and operate as a “data controller” as defined under applicable UK data protection law (including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018). This means we determine the purposes and means of processing personal data in the context of the services we provide.
Information We Collect
We collect various types of information from and about users of our App. This includes information that you provide directly, information collected automatically as you use the App, and information from third parties (such as payment processors or login services).
3.1 Personal Data You Provide to Us: You may provide personal information to us when you use the App, for example when you create an account, place an order, or communicate with us or with Tiffin Providers. This information can include:
- Account Information: When you register for a Tiffin Time account, we ask for basic registration details. This typically includes your name, email address, phone number, and a password. We use this information to create and secure your account and to communicate with you as needed.
- Profile Information: You have the option to provide additional information in your profile, such as a profile photo, saved delivery addresses, food preferences, or dietary restrictions. This information helps personalize your experience (for example, by suggesting local providers or retaining your preferred delivery address for convenience).
- Payment Information: If you make purchases through the App, our third-party payment processor will collect your payment card details (such as cardholder name, card number, expiration date, and CVV) and billing address to process the transaction. Importantly, Tiffin Time itself does not store your full card details; we rely on secure payment processing services (e.g., Stripe) that are compliant with PCI-DSS standards to handle your payment data. We may retain non-sensitive payment details related to your transactions (such as the fact that a payment was made, the amount, and the method, as well as a portion of your card number for identification), but full card numbers are not stored on our servers.
- Order Information: When you place orders through the App, we collect information about the order. For Tiffin Meal orders, this includes details like the items or dishes you ordered, the quantity, special instructions or preferences you noted, your selected delivery/pick-up time, and delivery instructions (if applicable). For Catering Orders, the information includes the details of your event and request: the number of guests, event date and time, event address or venue, selected menu items or package, any special requests or notes (e.g., allergies or dietary requirements), and any other information you submit as part of the catering request and subsequent quote process. We also keep records of order history, so you can view past orders and so we can provide customer support or repeat order functionality.
- Communications: If you contact us (for example, through customer support emails or chat), we will collect the information you provide in those communications, such as your name, contact information, and the content of your message, in order to respond to you and improve our services. Additionally, if the App offers in-app messaging between you and Tiffin Providers (for instance, to clarify an order or coordinate a catering event), those messages may be monitored or stored by us to facilitate the service, ensure compliance with our terms (e.g., that all communication stays on the platform), and for safety and dispute resolution purposes. We treat these communications as confidential, only accessing them if necessary for support, trust and safety, or legal reasons.
3.2 Information We Collect Automatically: When you use the App, we (or our service providers acting on our behalf) automatically collect certain information about your device and how you interact with the App. This includes:
- Device and Technical Information: We receive data about the device and software you use to access the App. This may include the type of mobile device (e.g., iPhone or Android phone), the device’s unique ID or advertising identifier, the IP address of your device, your device’s operating system and version, and the type and version of your mobile browser. We also log the date and time you accessed our servers, and what features or pages you accessed. This technical information is used to ensure the App works properly across different devices, to troubleshoot bugs, and to analyze usage trends.
- Location Data: With your permission, we collect precise geolocation data from your mobile device. We use location data to provide location-based services. For example, the App may use your location to show you nearby Tiffin Providers, to estimate delivery times, or to determine which vendors service your area. If you are using the App to arrange a delivery, we might collect location data during the delivery in order to track the progress (this can help provide you with live updates). You can control location sharing via your device’s settings; you may choose to allow location access only while using the app, always allow it, or deny it entirely. If you choose not to share precise location, you can often manually enter an address or postcode to find local providers, although some features (like automatic location-based search or real-time delivery tracking) may be limited.
- Usage Information: We gather data on how you navigate and use our App. This can include the pages or screens you view, how long you spend on them, the links or buttons you click, the search queries you make, and other interactions. We also might collect crash logs and performance data if the app encounters an error. This usage information helps us understand what features are popular, how users engage with the App, and where improvements might be needed. It also assists in detecting and diagnosing technical issues. Generally, this information is collected in aggregate form (not linked to you personally) but in some cases it may be associated with your user account (for example, your order history or preferences).
- Cookies and Similar Technologies: We use cookies, mobile SDKs, and similar tracking technologies to collect information about your use of the App over time and across different sections. In a mobile app context, “cookies” might not be literal files as in a web browser, but analogous technologies exist (such as local storage or device identifiers). These technologies help us recognize you, remember your preferences, and understand usage patterns. For instance, they can help keep you logged into your account, or remember that you’ve seen a particular in-app notification so we don’t show it again. We also use these technologies for advertising and analytics purposes, as described in Section 7 below. You have control over some of these through your device settings or by following the instructions in Section 7.3.
How We Use Your Information
We use the personal information we collect for various purposes consistent with the provision of our services and the operation of our business. The main purposes for which we process your information include:
4.1 Providing and Improving Our Services: We use your information to operate the App and provide you with the services and functionality you request. This includes processing your account registration and login, facilitating the placement of orders (and catering quote requests), transmitting order details to the relevant Tiffin Provider, processing payments and deposits, and coordinating delivery or pickup logistics. We also use data to personalize your experience – for example, by remembering your preferences, recommending vendors you might like, or pre-filling forms with saved information. Additionally, understanding how users navigate our App (from the usage information we collect) helps us identify areas for improvement and develop new features. We continually strive to improve our platform’s performance, reliability, and user experience using the insights gained from data analysis.
4.2 Communications: We use your contact information (like your email address and phone number) to communicate with you about your orders and account. This includes sending you order confirmations, receipts, and updates on the status of your Tiffin Meal delivery or catering request. For catering services, we will notify you when you receive a quote from a provider, when a deposit or payment is due, or send reminders about upcoming final payments. We also send service-related announcements when necessary (for instance, if we need to alert you to changes in our terms, privacy policy, or if there’s a critical update about the App). If you contact us with a question or support issue, we will use the information you provided to respond. With your consent, we may also send you marketing communications, such as newsletters, promotions, or offers from Tiffin Time or our partners. You can opt out of marketing emails or texts at any time by using the unsubscribe mechanism provided in the message or adjusting your account settings. (Transactional communications about your orders or account are not considered marketing and will be sent even if you opt out of marketing messages, as long as you use the service.)
4.3 Safety and Security: We are dedicated to keeping our platform safe and secure. We may use your information to prevent, detect, and investigate fraud, security breaches, or potentially prohibited or illegal activities. For example, we might use certain device and usage information to identify suspicious behavior (such as a login from an unusual location) and take steps to verify or protect the account. We also monitor for violations of our Terms and for user content that may be inappropriate or harmful. As part of our trust and safety efforts, communications through the App (such as messages between customers and providers) may be monitored or scanned by automated systems for fraud prevention, customer support, and compliance with our policies (for instance, ensuring no one is trying to arrange off-platform transactions, which are against our Terms). We also use and may share information as needed to enforce our Terms and Conditions, to resolve disputes, or to collect fees owed, and to protect our rights, property, and safety or that of our users and third parties. If necessary, we may use information to comply with legal obligations or to exercise or defend legal claims (see also Section 6.3 on legal requirements). Overall, your information helps us ensure the App remains a trusted marketplace for both customers and providers.
Lawful Bases for Processing (UK Users)
For individuals in the UK (and similarly, those in the EU), we are required to have a valid legal basis for processing your personal data. Depending on the specific context, Tiffin Time relies on one or more of the following legal bases:
Contractual Necessity: We process certain personal data because it is necessary to fulfill our contract with you. When you use our App to place an order or request a service, we must process your information to deliver that service – for example, using your order details and address to have food delivered, or your payment information to process a transaction. If you plan to use our services, you must provide this information, otherwise we cannot perform the contract (i.e., we can’t provide the services without the data).
Legitimate Interests: We process personal data as needed for Tiffin Time’s legitimate interests, provided that those interests are not outweighed by your rights and interests. Our “legitimate interests” include maintaining and improving our App and services (e.g., analyzing usage to improve functionality), securing our platform (e.g., fraud prevention and ensuring safe communications), and communicating with you about relevant products or services. When we rely on legitimate interests, we consider your privacy rights and take steps to minimize impacts – for instance, for analytics, we might use aggregated data that doesn’t directly identify individuals; for marketing to existing customers, we provide an easy opt-out mechanism.
Consent: In certain cases, we rely on your consent to process personal data. For example, we will ask for your consent to access precise geolocation data on your mobile device (you can choose to allow or deny this when prompted by the app or your device settings). Similarly, we obtain your consent before sending you promotional communications via email or text (and you can withdraw that consent at any time by unsubscribing). If we ever process any special categories of personal data (like health-related information, which might be inferred from allergy details you provide), it would typically be based on your explicit consent. Note that you have the right to withdraw consent at any time, and doing so will not affect the lawfulness of processing based on consent before its withdrawal.
Legal Obligation: We also process personal data when required to comply with a legal obligation to which we are subject. For instance, we may need to retain transaction records to satisfy applicable tax or accounting laws, or to fulfill know-your-customer (KYC) requirements under anti-fraud or anti-money laundering regulations. If law enforcement or regulatory authorities lawfully require us to provide information (such as under a court order or subpoena), we have a legal obligation to comply after verifying the legitimacy of the request. Additionally, under UK data protection law, we must respond to certain rights requests (as described in Section 10), which entails processing data to comply with those legal duties.
In cases where we process data based on legitimate interests or consent, you have certain rights to object or withdraw (see Section 10 on Your Rights). We will always ensure that we have a valid basis to process your personal data and that we respect your privacy rights under applicable law.
Sharing Your Information
We understand that your personal information is important, and we are not in the business of selling it to others. However, there are circumstances where we need to share your information with third parties in order to operate our business, provide our services, comply with legal obligations, or protect our rights. The categories of third parties with whom we may share information include:
6.1 Tiffin Providers (Vendors): When you place an Order through our App – whether a regular Tiffin Meal or a Catering Order – we share the necessary details of that order with the independent food vendor (Tiffin Provider) who will be preparing and/or delivering your food. This is fundamental to the service: the provider needs certain information to fulfill your order successfully. The information shared can include your first and last name (so they know who the order is for), your delivery address or specified event location (for deliveries or catering event setup), your contact phone number (often required by couriers or vendors to handle any last-minute delivery issues or to find you upon arrival), and the details of your order (what you ordered, any special instructions or requests, the scheduled delivery/pick-up time, etc.). For Catering Orders, the provider will also receive the additional event details you provided (such as the number of guests, event date/time, special requests, etc.). We do not routinely share your email address or account login information with providers; they interact with you either through the App’s communication channels or via the phone number given for coordination. The providers are only allowed to use this information for the purpose of fulfilling your order and providing their service. They are not permitted to use your data for their own unrelated purposes (such as marketing their services outside our platform) unless you separately engage with them and provide consent. However, please note that Tiffin Providers are independent businesses, not under our direct control, and they are responsible for complying with their own legal obligations in handling personal data. We contractually require providers to treat customer information in confidence and in line with applicable privacy laws, using it only as needed to perform the order. 
If a provider misuses your information, we will take appropriate action (which may include terminating their use of our platform), and we will cooperate with you in addressing any issues.
6.2 Service Providers (Processors): We employ other companies and individuals to perform functions on our behalf – service providers – and in the course of their duties, they may process your personal information under our instructions. Examples of service providers include:
- Payment Processors: As mentioned, we use third-party payment companies (such as Stripe) to handle credit/debit card processing and related financial transactions. These processors will receive the information needed to process your payments (e.g., card details, transaction amount, billing info) and are responsible for securely handling and storing that data. They are authorized to use your information only as necessary to process transactions and comply with applicable law (like fraud prevention and anti-money laundering checks).
- Cloud Hosting and IT Infrastructure: We host our App and data on cloud platforms (for example, Amazon Web Services or other reputable providers). These companies provide storage, databases, and application tools that allow our App to run. Any personal data stored on their servers is subject to strict technical protections and is accessed only as needed by our internal systems.
- Analytics and Performance Tools: We may use analytics providers (such as Google Analytics for Firebase or similar services) that help us understand usage patterns on the App. These services might use device identifiers and cookies to log interactions and then provide us aggregated insights. Typically, these analytics services do not identify you personally to us; they provide generalized statistics (e.g., number of users in a given day, popular features, crash reports).
- Communications Services: We utilize services to send communications to users. For instance, we might use an email delivery service to send order confirmations, or an SMS API to send text message alerts (like verification codes or delivery notifications). These services would process your contact information and message content only for the purpose of delivering communications on our behalf.
- Customer Support Tools: If we use a customer support software or CRM (customer relationship management) platform to manage inquiries, that platform will process any data involved in your support requests (like your contact info and the content of your question).
- Marketing and Advertising Partners: With your consent, we might work with advertising networks or social media platforms to reach out to potential or existing customers. For example, we might upload a list of customer email addresses to a platform like Facebook or Google to create "custom audiences" for targeted Tiffin Time promotions. In doing so, these platforms serve ads to those users (or similar users) and are not allowed to use that list for other purposes – and typically the data is hashed or encrypted when transmitted. You can opt out of marketing as described in Section 4.2.
All these service providers are bound by contractual agreements that require them to protect your data and use it only for the specific services they are providing to us. We do not allow them to use your info for their own marketing or other purposes unrelated to our requests. We take care to choose reputable providers with strong security practices. If a provider is located outside of the UK (or your home country), we will ensure appropriate safeguards for cross-border data transfer are in place (see Section 12 on International Data Transfers).
6.3 Legal Requirements: We may disclose personal information to courts, law enforcement agencies, government authorities, or other third parties when we believe it is legally required or when it is necessary to comply with a legal obligation. For example, we might disclose information in response to a court order, subpoena, or other lawful demand. We may also disclose information if we believe in good faith that such disclosure is necessary to (i) investigate or protect against harmful activities against our users, vendors, or property (including the App), (ii) detect, prevent, or address fraud, security, or technical issues, or (iii) enforce our Terms and other agreements or to collect amounts owed to us. Additionally, if you are involved in a dispute (for instance, a chargeback claim or a conflict with a provider) and it escalates legally, we might be required to provide relevant data as part of that process. In each case, we will limit the information we disclose to only what is necessary and will object to overbroad requests when appropriate. We also may notify you (if legally permitted) when such requests are received regarding your personal data.
6.4 Business Transfers: As our business grows and evolves, we might engage in transactions such as mergers, acquisitions, reorganizations, or asset sales. In the event that Tiffin Time is involved in a business transfer (e.g., being acquired by another company or merging with another entity), your personal information may be among the assets transferred. The new owner or merged entity would then continue to honor the terms of this Privacy Policy (or put in place a policy that is at least as protective of your rights, informing you of any significant changes). Similarly, if we ever go through bankruptcy or insolvency proceedings, your information may be considered an asset of the company and could be sold or transferred to third parties as part of those proceedings. In any such scenario, we will aim to ensure the confidentiality of any personal information involved in a business transfer and will give affected users notice on the App or by email before personal data becomes subject to a different privacy policy.
6.5 With Your Consent: In situations other than those described above, if there is a need to share your information with a third party, we will do so only with your consent. For example, if we ever wanted to feature a customer’s story or testimonial on our website and that involved sharing their name or photo, we would ask for permission. Or if you opt in to a program where Tiffin Time partners with another company (say, a promotion with a ride-sharing service or a loyalty program tie-in) and that requires sharing certain data, we would obtain your consent for that specific context. You are in control – we will not sell or share your personal information for third-party marketing purposes unless you explicitly agree.
Cookies and Tracking Technologies
7.1 What Are Cookies: Cookies are small data files placed on your device (computer or mobile) when you visit a website or use a service. In mobile apps, there are analogous technologies (like device identifiers, local storage, and SDKs) that serve a similar purpose. Cookies and these related technologies can serve several functions: enabling the app to remember you, storing your preferences, and helping us understand how users use our App. For example, a cookie might store your login session so you don’t have to re-enter your password every time. Another cookie might track that you have seen a particular in-app tutorial so we don’t show it to you again. There are also cookies that help with analytics and advertising by recording some of your activities on the App.
7.2 Types of Cookies/Tracking Technologies We Use: We use the following categories of tracking technologies in our App:
- Essential/Strictly Necessary: These are necessary for the App to function and cannot be switched off (without significantly affecting your experience). For instance, they include login authentication tokens (so when you log in, you stay logged in as you navigate through the app) and preferences required to route requests to the correct servers. Without these, certain basic functions of the App would not work.
- Preferences: These remember choices you make and settings you select, to provide a more personalized experience. For example, if the App has a “remember my login” feature or if you set a preferred language or location, a cookie or local storage may save that preference. Preferences cookies make your use of the App more convenient.
- Analytics: Analytics tools use cookies or similar identifiers to collect information about how users interact with our App. We use this information to analyze usage and improve performance. For instance, analytics cookies might track which screens are most frequently visited, how users flow through the App, or if certain features are being used at all. They can also help identify technical issues by logging errors or crashes. The information collected by these cookies is typically aggregated and does not directly identify individual users. We use third-party analytics services (e.g., Google Analytics for Firebase, etc.) which may use their own cookies/identifiers. However, we do not allow these analytics providers to use the data for any purpose other than providing services to us (i.e., they can’t use our analytics data to serve you ads on other platforms).
- Advertising/Marketing: We may employ advertising identifiers or cookies to assist with marketing our services, including interest-based advertising (also known as personalized or targeted advertising). For example, if you visit our App and browse certain local vendors, we might later show you ads about our service or related cuisine on other apps or websites. This is often done by syncing a mobile advertising ID or a cookie with third-party advertising networks (like Google Ads or social media platforms) so that they can recognize you (in a non-identifiable way) and show you relevant ads. These cookies/IDs might also limit the number of times you see an ad and measure the effectiveness of ad campaigns. You can manage your preferences for targeted advertising (see Section 7.3 below). We do not share information that identifies you personally to third-party ad networks without your consent; typically, these networks rely on device or browser identifiers and do not know your name or contact details.
It’s important to note that in a mobile app, some of these “cookies” aren’t traditional browser cookies, but they serve the same purpose. For instance, mobile devices have an Advertising Identifier (like Apple’s IDFA or Android’s AAID) which can be reset by you and controlled via your privacy settings. We adhere to platform policies regarding the use of these identifiers.
7.3 Your Choices Regarding Cookies & Tracking: You have several options to control or limit how we and third parties use cookies and similar technologies:
- Device Settings: Both iOS and Android provide options in their settings where you can limit ad tracking and reset your device’s advertising identifier. For example, on iOS you can go to Settings > Privacy & Security > Tracking to disallow apps from tracking you, or Settings > Privacy & Security > Apple Advertising to turn off personalized ads. On Android, you might go to Settings > Privacy > Ads to delete or reset the advertising ID and opt out of personalized ads. These settings will inform the app environment that you prefer not to be tracked for advertising purposes, which participating apps and ad SDKs should respect.
- In-App Controls: We may provide a settings page or toggle within our App (often under a section like “Privacy” or “Preferences”) where you can manage certain cookies or trackers, especially those related to analytics or marketing. For instance, you might have an option to opt out of analytics tracking (which could enable a flag that the analytics SDK respects to stop collecting data). Check the App’s settings or account area to see if such controls are available.
- Browser Cookies: If you happen to use any web-based interface of our service (e.g., for viewing an order status or using our website), you can manage cookies through your web browser settings. Browsers typically allow you to refuse new cookies, delete existing cookies, or be notified when you receive a new cookie. Keep in mind, rejecting cookies on a browser might limit functionality (particularly for any login-based features on a web portal).
- Do Not Track: Some web browsers have a “Do Not Track” (DNT) feature that, when enabled, sends a signal to websites indicating you do not want to be tracked. Currently, there is no industry standard for DNT in mobile apps, and our App does not respond to DNT signals in the context of app usage. However, as described above, you have other means to control tracking on mobile.
- Opt-out links: Certain third parties we work with, such as Google or Facebook, may offer their own opt-out mechanisms. For example, Google provides a browser opt-out add-on for Google Analytics (to prevent your data from being used by Google Analytics), and advertising networks often participate in industry opt-out platforms like the Network Advertising Initiative (NAI) or the Digital Advertising Alliance (DAA). While these are more relevant to web-based tracking, if we use similar networks for in-app ads, those preferences might carry over based on your advertising ID.
Please note that completely disabling cookies or tracking may impact the functionality of the App. For example, if you disable essential cookies, our App might not function properly or remember your preferences. Disabling analytics might make it harder for us to identify and fix issues you might be facing. We encourage you to choose the settings that best balance your privacy and App usability needs. For more detailed information about cookies and how to manage them, you can visit websites like AllAboutCookies.org, which provide guidance on controlling cookies in various browsers.
Data Retention
We retain your personal information for as long as necessary to fulfill the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements, and for legitimate business purposes such as resolving disputes or preventing fraud. How long we keep specific personal data varies depending on the context of your interactions with us and our legal obligations. Here are some general guidelines:
- Account Information: We keep the personal information associated with your Account (like your name, email, phone, profile info, and login credentials) for as long as your Account exists. If you choose to delete your Account, we will initiate the process of removing or anonymizing your personal data from our active systems. In most cases, we can complete the deletion within 30 days of the request. However, even after you delete your account, we may retain some information as described below.
- Order and Transaction Data: Information about the orders you place (including catering orders and payment transactions) is generally retained for a minimum period for legal and operational reasons. Legal reasons might include complying with financial regulations (keeping transaction records for tax, audit, and accounting purposes – often 6 years under UK law), and handling any potential consumer disputes or warranty claims. Operational reasons include having a record of past orders in case of inquiries or repeat orders, and to maintain the integrity of our business records. After the primary retention period, we may archive the data securely and retain it for a longer period if needed for establishing, exercising, or defending legal claims.
- Communications and Support: If you contacted support or if there were communications related to disputes, we may keep those records as long as necessary to address the issue and for use in any future related matters. For example, if you had a dispute with a Tiffin Provider and we helped mediate, we might retain the correspondence and outcome in case of any follow-up or legal inquiry.
- Location and Usage Data: Data like location logs or usage analytics are typically kept in aggregate form, but raw logs may be retained for a shorter period. For instance, server logs that include IP addresses or device identifiers may be kept for a few weeks or months for security monitoring and then either deleted or anonymized. Aggregated analytics (which do not identify individuals) may be kept indefinitely to understand long-term trends.
- Inactive Accounts: If you register an account but then stop using the App for an extended period, we may classify the account as “inactive.” At that point, we might delete some of your information to conserve resources or as part of data minimization practices. We would likely attempt to contact you before deleting an inactive account’s core information. Note, however, that even if an account is inactive, we may still retain records of transactions linked to that account for the reasons above.
- Anonymized and Aggregated Data: We sometimes convert personal data into statistical or aggregated data that no longer reveals your identity. For instance, we might aggregate order data to see average spending per user or total number of catering events per month. This aggregated data may be retained indefinitely since it contains no personal identifiers and is used for business analysis.
- Deletion and Backups: When you request deletion of your data or when we decide to purge data that’s no longer needed, we undertake a process to remove it from our active databases. However, data may remain in our backups or archived copies for a short period until those are overwritten or deleted in the normal course of our backup retention cycle. We maintain backup systems to ensure resilience and continuity of service, and these are usually purged on a rolling schedule (e.g., backups might be kept for a certain number of days). During the period that a deleted record exists in backup, it’s not readily accessible by any of our operational systems or personnel, except if needed for disaster recovery, and even then, any restoration process would address the need to still delete the data after recovery.
- Legal Holds: In certain circumstances (such as litigation, government investigation, or other legal matters), we may need to suspend our ordinary data deletion practices for specific data that is relevant to the issue. This is known as placing the data on a “legal hold.” During the hold period, we won’t delete the data until the hold is lifted, even if it surpasses our typical retention schedule. We have internal protocols to ensure we don’t hold data longer than necessary and that we resume deletion once the hold is no longer required.
In summary, our approach is to keep personal data only for as long as we have a valid reason to do so. When we no longer need personal information, we will securely delete it or anonymize it so that it can no longer be associated with an individual. If you have specific questions about our data retention practices (for example, for a certain type of data), you can contact us (see Section 14) and we will provide more detail or accommodate requests as required by law.
Data Security
We take the security of your personal information seriously and use a combination of technical and organizational measures to protect it. However, no method of transmission over the Internet or electronic storage is completely secure, so we cannot guarantee absolute security. Here is more detail on our security practices:
- Technical Safeguards: We employ industry-standard security technologies to protect data during transmission and storage. For example, our App uses encryption in transit (such as HTTPS and TLS protocols) to encrypt data sent between your device and our servers, reducing the risk of interception. Sensitive information like passwords is stored using strong hashing algorithms (so that even we cannot easily read your password) and payment information is handled by PCI-compliant services (as noted, full payment card details are not stored on our systems). Our databases are protected by firewalls and network security controls to prevent unauthorized access. We also use access control mechanisms, so that only authorized personnel and services can access the databases containing personal data. Regular backups are performed to ensure data integrity, but those backups are also encrypted and protected.
- Organizational Measures: We restrict access to personal data to employees, contractors, and agents who need to know that information in order to operate, develop, or improve our services. Those who have access are bound by strict confidentiality obligations and are subject to discipline (including termination and legal action) if they fail to meet these obligations. We provide training to our team on data protection best practices and security awareness, so they understand the importance of protecting user data. Our company has policies in place to handle security incidents, and we review these policies regularly.
- Testing and Assessments: We periodically review our information collection, storage, and processing practices to guard against unauthorized access, use, or disclosure. This may include penetration testing by third-party security experts, code reviews for security vulnerabilities, and keeping our software and infrastructure up-to-date with the latest security patches. We also monitor our systems for possible vulnerabilities and attacks, and we perform internal audits of data access logs to ensure no unauthorized access has occurred.
- Payment Security: As noted in Sections 3.1 and 6.2, we delegate payment card handling to specialized payment processors (like Stripe). These processors are PCI DSS compliant, meaning they adhere to high security standards for handling payment card data. When you enter card information, it is transmitted directly to the payment processor over an encrypted connection and never touches our servers in plain text. We receive a token or identifier which we store and use for future charges (like for the Final Payment for a catering order) without needing to see your card details again. This tokenization adds an extra layer of security.
- Communication Safety: If our App provides communication channels (e.g., chat between customers and providers), we take steps to secure those channels. This might include encryption and also content monitoring for safety (ensuring no personal sensitive data is being exchanged insecurely, and detecting malicious content). We encourage users to communicate only through the App to benefit from these protections.
- User Responsibilities: It is also important to note that you play a role in keeping your personal data secure. We urge you to choose a strong and unique password for your Tiffin Time account and to keep it confidential. Do not share your password with others, and do not reuse the same password on multiple services. If you suspect that your account or password has been compromised, please change it immediately and contact us for assistance. Also be cautious of “phishing” attempts – Tiffin Time will never ask you for your password via email, and any suspicious requests for personal information should be verified through official channels. Always ensure you’re using our official App or website (look for proper domain names and valid certificates in the browser).
- Incident Response: In the unfortunate event of a data breach or security incident that affects your personal information, we have procedures in place to address the situation promptly. This includes identifying and closing the vulnerability, investigating the extent of the exposure, and notifying affected users and regulators as required by law. We will provide information on the nature of the breach, the data involved, and any steps we are taking to mitigate the impact and prevent future occurrences. We’ll also advise you on any steps you should take to protect yourself, if applicable (for example, changing passwords or being vigilant against potential scams).
While we strive to protect your personal data, it’s important to remember that no security measure is perfect. Cyber threats continuously evolve, and while we work hard to secure our systems, we cannot guarantee that personal information may not be accessed, altered, disclosed, or destroyed by a breach of our safeguards. By using our App, you acknowledge and accept these risks. We will continue to update and improve our security practices as new technologies and threats emerge to keep your data as safe as reasonably possible.
Your Rights (For Users in the UK and certain other jurisdictions)
Under UK data protection law (and similar laws in other jurisdictions, such as the EU’s GDPR), you have a number of important rights regarding your personal data. These rights include:
- Right to Access: You have the right to request confirmation that we are processing your personal data, and if so, to obtain a copy of the personal data we hold about you, as well as supplementary information about how that data is used, who it is shared with, how long it is stored, etc. This is commonly known as a “Data Subject Access Request.” We will provide you with a copy of your data in a concise, transparent, intelligible, and easily accessible form. In most cases, this will be free of charge (except if the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse it).
- Right to Rectification: You have the right to ask us to correct or update any personal information we hold about you that is inaccurate or incomplete. For example, if your contact information has changed or we have an incorrect name or detail in your profile, you can request we update it. In many cases, you can directly make changes by logging into your account and editing your profile or settings. We encourage you to keep your information up-to-date to ensure we serve you best.
- Right to Erasure (Right to be Forgotten): You have the right to request that we erase your personal data, but this right is not absolute and applies in certain circumstances. We will delete your data upon request if: (i) the data is no longer necessary for the purposes for which it was collected or processed; (ii) you withdraw consent (if the processing was based on consent) and no other legal basis for processing applies; (iii) you object to processing based on our legitimate interests and we have no overriding legitimate grounds to continue; (iv) we unlawfully processed your data; or (v) the data must be erased to comply with a legal obligation. There are exceptions to this right – for instance, we are not required to erase data that we need to keep for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims. When you request deletion of your account or data, we will let you know if any such exceptions apply (e.g., “We have deleted the data you requested, except we retained transaction records for tax law compliance.”). If we have made your personal data public (e.g., you posted a review that includes your name) and you validly request erasure, we will take reasonable steps to inform other controllers who are processing the personal data to erase links to or copies of that data, taking into account available technology and the cost of implementation.
- Right to Restrict Processing: You have the right to request that we limit the processing of your personal data in certain situations. This means we would store your data but temporarily not use or share it further until the restriction is lifted. You can ask for processing to be restricted if: (i) you contest the accuracy of the personal data (for a period enabling us to verify it); (ii) the processing is unlawful but you oppose erasure and request restriction instead; (iii) we no longer need the data for the original purposes, but you need it for the establishment, exercise, or defense of legal claims; or (iv) you have objected to processing (see next bullet) and verification of our legitimate grounds is pending. When processing is restricted, we will clearly mark the data and process it only for certain purposes (e.g., with your consent, for legal claims, to protect the rights of another person, or for reasons of important public interest) while the restriction is in place. We will inform you before lifting any restriction.
- Right to Object: You have the right to object to our processing of your personal data in certain circumstances. You can object at any time to our processing of your data for direct marketing purposes (including any profiling related to direct marketing), and we will stop processing your data for that purpose as soon as your objection is received. You can also object if our processing is based on legitimate interests or performance of a task in the public interest (which, in our context, would typically be legitimate interests), and you have grounds relating to your particular situation. We will then stop processing the data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless processing is needed for the establishment, exercise, or defense of legal claims. In practice: if you object to receiving marketing, we will honor that; if you object to other processing (like certain data we process for analytics or security), we will assess your request and either comply or explain why we have a legitimate need to continue.
- Right to Data Portability: You have the right, in certain cases, to receive the personal data that you have provided to us in a structured, commonly used, and machine-readable format (for example, a CSV or JSON file) and to have that data transmitted to another data controller, where technically feasible. This right applies when the processing is based on your consent or on a contract with you, and is carried out by automated means. For instance, if you requested it, we could provide you with a file containing the personal details you provided at registration and your order history in a format that another service could potentially import. This right to portability does not cover data that we generate (like analytics or inferred preferences) or data that is processed on a legal basis other than consent or contract. Also, it should not adversely affect the rights of others – if your data set includes personal data of others (like communication content that involves another person), we might need to redact those portions.
- Right not to be subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Tiffin Time does not make any such solely automated decisions (e.g., we don’t have an AI system that accepts or rejects catering requests without human involvement, or an automated system that changes prices individually for users). If in the future we implement automated decision systems that could significantly affect you, we will ensure we comply with legal requirements (such as providing notice and an opportunity for human review of the decision).
To exercise any of your rights, you can contact us using the contact details in Section 14 of this Privacy Policy. Please specify which right you wish to exercise and provide information to help us verify your identity (we want to make sure we’re dealing with the right person – for example, by verifying your email or phone number on account, or asking for additional identifying info if necessary). We will respond to your request as soon as we can, and at least within the legal time limits (usually one month for most rights, extendable by two more months for complex requests). If we need more information from you to process the request, we will let you know promptly. If for some reason we cannot fulfill your request (such as when an exemption applies or if it conflicts with another person’s rights), we will explain that in our response.
Please note that these rights may be subject to certain limitations and exceptions under applicable law. For example, if fulfilling your right to deletion would prevent us from complying with a legal obligation, or if providing access to your data would disclose personal data about another person, we might not be able to fulfill the request fully. However, we will always attempt to honor your rights to the fullest extent possible.
Lastly, if you have unresolved concerns, you also have the right to complain to a data protection authority as described in Section 15 below, but we encourage you to contact us first so we can try to resolve any issues directly.
11. Children’s Privacy
Our App and services are not intended for children under the age of 18, and we do not knowingly collect personal information from anyone under 18 years old. If you are under 18, you are not permitted to use the Tiffin Time App or provide any personal data to us (including creating an account, making purchases, or using any interactive features). We understand the importance of protecting children’s privacy, especially in an online environment.
If we become aware that we have collected or received personal information from a child under 18 without verification of parental consent, we will take immediate steps to delete that information from our servers and records. For example, if a 16-year-old registers by misrepresenting their age and we later learn of this (say, through a parent’s inquiry), we will close that account and remove any data associated with it.
If you are a parent or legal guardian and you discover that your child under 18 has obtained an account or otherwise provided personal information to Tiffin Time, please contact us at our support email (see Section 14: Contact Us). We will promptly investigate and take appropriate action, which may include deleting the child’s personal data and terminating their account.
We do not intentionally market our services to minors. All advertisements, content, and features of the App are directed towards adults (18+) who are interested in food ordering and catering services. We also do not use any personal data in a way that is likely to be detrimental to the rights and interests of children.
If in the future our policy changes (for example, if we develop a feature for younger audiences or allow family/guardian-managed accounts for minors), we will update this Privacy Policy and ensure that any collection of data from minors is done in compliance with applicable laws (like obtaining parental consent when required).
12. International Data Transfers
Tiffin Time is based in the United Kingdom, but we may process data that we collect from you in other countries. Specifically, if you are using the App from outside the UK, be aware that your personal data will likely be transferred to and stored on servers in the UK. It may also be processed by some of our third-party service providers who operate in other jurisdictions (for example, a cloud service provider might have data centers in the European Economic Area (EEA) or the United States; our email service might route data through servers globally, etc.).
Data protection laws vary from country to country. The UK (and the EEA) have strict laws governing data protection, and the UK has determined that certain countries (like those in the EEA, and a few others) provide adequate protection for personal data. For other countries that are not deemed “adequate” by the UK (or the EU), special precautions are necessary to ensure your data remains protected to the standards we are legally required to uphold.
Whenever we transfer your personal information out of the UK (or out of your country of residence), we will take steps to ensure that appropriate safeguards are in place to protect your data. These steps may include:
- Standard Contractual Clauses: For transfers to our service providers or affiliates in countries that do not have an adequacy decision from the UK (or EU), we often use the relevant Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK’s Information Commissioner’s Office. These are legal contracts that impose data protection obligations on the recipient of the data, ensuring they protect the data to a standard comparable to EU/UK laws. We have signed SCCs, for instance, with infrastructure providers and other partners outside the EEA/UK as needed.
- Additional Technical Measures: In some cases, we might apply additional encryption or pseudonymization to data before it’s transferred, such that even if data is transferred to a jurisdiction with potentially less oversight, the information remains protected (because, for example, only our servers in the UK can decrypt it).
- Service Provider Contracts: Our agreements with data processors/service providers include commitments to uphold confidentiality and security in line with our standards, regardless of where they operate. Many of our major service providers (like cloud hosts, payment processors, etc.) are multinational companies that have their own robust privacy and security programs which align with EU/UK requirements (some are certified under frameworks like ISO 27001, and they offer their own SCCs or Binding Corporate Rules for customer data). We review their privacy practices to ensure they meet our needs.
If we transfer data from the UK/EEA to a country, such as the United States, where the legal environment around government access or surveillance might differ, we assess these risks as part of our transfer impact assessments. We remain committed to the privacy of our users and will challenge unlawful or overbroad government requests for personal data, as appropriate (as also noted in Section 6.3).
By using the App and providing us with your information, you understand that your personal data may be transferred to and processed in countries outside of your own. If you are located outside the UK, including in the European Union, and you use our services, please note that you are transferring your personal data to the UK. The UK is considered to have an adequate level of data protection by the EU (post-Brexit, the EU issued an adequacy decision for the UK), which means that from an EU perspective, UK law provides sufficient safeguards.
For users elsewhere (say, in the US or India or any other country), by using the App or providing information, you consent to the transfer of your personal data to the UK (and potentially other countries as explained). We will protect that information as described in this Privacy Policy, no matter where it is processed.
If you would like more information about the specific safeguards we apply to an international transfer of your data, you can contact us (Section 14) and we’ll be happy to discuss or provide copies of relevant contractual terms (some of which may be redacted for commercial confidentiality).
13. Changes to this Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
When we make significant (material) changes, we will notify users in an appropriate manner. For example, we might display a prominent notice within the App (or upon your next login) and/or send you an email or push notification, informing you of the update and providing a link to the revised Privacy Policy. The notice will explain, in summary, what the key changes are and may direct you to review the full updated Policy.
At the top of the Privacy Policy, we always indicate the date of the “Last Updated” version so you know when it was last revised. If you continue to use the App after a new version of the Privacy Policy has taken effect, it means you acknowledge and agree to the current practices outlined in the updated Policy (to the extent permitted by law). If you do not agree with any changes, you should stop using the App and can request that we delete your personal information or close your account if you wish (as per Sections 10 and 14).
For minor changes that do not significantly affect your rights (for example, clarifications, grammatical improvements, or changes that expand your privacy rights), we might update the Privacy Policy without a specific notice beyond just updating the date and posting the new version. But for any change that materially affects how we handle personal data (for instance, if we started collecting a new type of data, or sharing data with a new category of third party not previously disclosed), we would ensure that affected users are made aware.
Your privacy is important to us, and we will not reduce your rights under this Privacy Policy without your explicit consent. In the unlikely event we ever wanted to handle personal data in a way that’s materially different from what was stated at the time of collection, we would seek your permission for that new use.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or about how your personal information is handled at Tiffin Time, please do not hesitate to contact us. We are here to help and will do our best to address your inquiry promptly and thoroughly.
You can reach us by email at: hello@tiffin-time.com
(For general customer support regarding orders or technical issues with the App, you may use this email or the support features within the App. However, for privacy-specific inquiries, labeling your email with “Privacy Inquiry” in the subject can help direct it to the appropriate team.)
When you contact us, we may ask for certain details to verify your identity (especially if you are requesting access to, or deletion of, your data, per Section 10) to ensure we’re safeguarding your information. We appreciate your patience and cooperation in this process.
We will respond to your inquiries as soon as reasonably possible, generally within 30 days or sooner. If your question is complex or involves a rights request, we might let you know that we need a bit more time (as allowed by law). We aim for transparency and helpfulness in all communications.
15. Complaints
We hope to resolve any privacy-related concerns you bring to us. However, if you believe we have not been able to address your complaint satisfactorily or you have a concern about how we are handling your personal data, you have the right to file a complaint with the relevant data protection supervisory authority.
For users in the United Kingdom, the supervisory authority is the Information Commissioner’s Office (ICO). You can contact the ICO or find more information through the following channels:
- Website: The ICO’s website (http://www.ico.org.uk/) contains information on how to report a concern. There is an online form available for filing complaints.
- Phone: You can call the ICO’s helpline at 0303 123 1113. (If you prefer to use a national rate number, you can call 01625 545 745.)
- Mail: You can write to the ICO at:
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom
If you are located in another country (especially within the European Union/EEA), you have the right to lodge a complaint with your local data protection authority. You can find the contact details for data protection authorities in the EU at the European Data Protection Board (EDPB) website, or ask us and we’ll help direct you to the appropriate authority.
Lodging a complaint will not affect any other legal rights or remedies you have. You also have the right to seek a judicial remedy if you believe your rights have been infringed.
We do encourage you, however, to reach out to us first (at hello@tiffin-time.com) if you have any concerns. We genuinely value the trust you place in us and would appreciate the opportunity to resolve any issue directly. We will work earnestly to address your concerns and find a fair resolution.
Thank you for reading our Privacy Policy. Your privacy and trust are important to Tiffin Time, and we are committed to safeguarding your personal information while providing you with a convenient and enjoyable service. If you have any questions or feedback about this Policy or our practices, please contact us.