← Back to home

Privacy Policy

Last updated: July 2026

Draft for review. Prepared to reflect UK GDPR and the Data Protection Act 2018. Should be reviewed by a UK solicitor or DPO before launch. The ICO registration number must be added once the controller is registered with the ICO (required for most organisations processing personal data).

1. Who we are (controller)

The Finest Trade Produce Ltd ("we", "us") is the data controller for personal data collected through this website and our trade portal.

  • Company number: 15334903
  • Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
  • Trading address: The Bottle Factory, Ossory Road, London SE1 5AN
  • ICO registration: [TODO: ICO registration number]
  • Contact: [TODO: contact email]

2. What we collect

  • Account & application data: business name, contact name, email, phone, delivery postcode, business type and any notes you provide.
  • Order & billing data: products ordered, quantities, delivery notes, invoices and payments.
  • Support data: messages, callback requests and issue reports (including any photos you upload).
  • Technical data: login session, IP address and browser metadata necessary to operate the portal securely.

3. Why we use it & lawful bases

PurposeUK GDPR Article 6 basis
Reviewing your trade applicationLegitimate interests (assessing trade buyers)
Processing orders, deliveries, invoicesPerformance of a contract
Transactional emails about your accountPerformance of a contract
Tax, accounting & food traceability recordsLegal obligation
Security, fraud prevention, debt recoveryLegitimate interests
Marketing emails (if any)Consent (you can withdraw at any time)

4. Who we share with

We do not sell personal data. We share data only with service providers needed to run the portal — currently hosting and database (Lovable Cloud / Supabase), transactional email delivery (Resend) and payment processing — and with regulators, accountants or law enforcement where legally required. All processors are bound by written data-processing terms.

5. International transfers

Some of our processors may store or process data outside the UK (typically in the EEA or the United States). Where this happens we rely on UK adequacy regulations, the UK International Data Transfer Agreement, or the EU Standard Contractual Clauses with the UK Addendum, as appropriate.

6. Retention

We keep account, order and invoice data for as long as your account is active and afterwards for the period required by UK tax and company law (currently six years from the end of the relevant financial year). Support messages and issue reports are kept for up to two years. Closed accounts are anonymised after the relevant retention period.

7. Your rights

Under UK GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have data deleted (subject to our legal retention duties);
  • restrict or object to processing based on legitimate interests;
  • receive your data in a portable format;
  • withdraw consent at any time where processing is based on consent;
  • not be subject to a decision based solely on automated processing (we do not carry out such decisions).

Email [TODO: contact email] to exercise any of these rights. We will respond within one month. You can also complain to the Information Commissioner's Office at ico.org.uk.

8. Emails & unsubscribe

Transactional emails (order confirmations, invoices, account notices) are part of providing the service and cannot be opted out of while your account is active. Any other email includes an unsubscribe link and you can also email us to opt out.

9. Cookies

We use only the cookies and local storage strictly necessary to keep you logged in and to operate the portal. We do not use advertising or third-party tracking cookies. Strictly necessary cookies do not require consent under the Privacy and Electronic Communications Regulations (PECR). If we add analytics or marketing cookies in the future we will ask for your consent first.

10. Security

We use industry-standard technical and organisational measures — including encryption in transit, role-based access controls and database-level access policies — to protect your personal data. No system is perfectly secure; if we become aware of a personal data breach affecting you we will notify you and the ICO where required by law.

11. Changes

We may update this policy from time to time. The "last updated" date above shows the most recent change. Material changes will be notified by email to active account holders.