Privacy Policy

Last updated: 15 June 2026

Compliant with UK GDPR, Data Protection Act 2018, and Data Use and Access Act 2025

Introduction

Cafe Vera ("we", "us", or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use our services, including our website, in-store point of sale (POS) system, and loyalty program.

We will be registered with the Information Commissioner's Office (ICO) as a data controller (registration in progress).

Data Controller:

Cafe Vera
Edinburgh, United Kingdom
Email: privacy@cafevera.co.uk

What Data We Collect

1. Personal Identification Information

  • Name
  • Email address
  • Phone number
  • Loyalty member number (e.g., CV-00001)

2. Account Information

  • Account credentials (securely hashed passwords)
  • Loyalty points balance
  • Loyalty tier status (Bronze, Silver, Gold, Platinum)
  • Account preferences and settings

3. Transaction Data (In-Store Only)

  • Order history and purchase details from in-store purchases
  • Order timestamps and locations
  • Total spending and order frequency

Note: We do not process online payments. All payments are made in-store. Payment information is processed by our in-store POS system and payment terminals only.

4. Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Cookies and similar technologies

5. Marketing and Communications Data

  • Your preferences for receiving marketing communications
  • Communication history with us
  • Survey responses and feedback

How We Collect Your Data

Direct interactions: When you create an account, sign up for our loyalty program, or contact us.

In-store registration: When you join our loyalty program at our POS terminal in the cafe.

Automated technologies: As you interact with our website, we may automatically collect technical data (cookies, IP address).

Why We Use Your Data (Legal Basis)

✓ Contract Performance

To process your orders, manage your loyalty account, and provide our services to you.

✓ Your Consent

To send you marketing communications, personalized offers, and promotional content (only if you've opted in). You can withdraw consent at any time.

✓ Legitimate Interests

To improve our services, analyze customer trends, prevent fraud, and ensure security. We balance our interests against your rights.

✓ Legal Obligation

To comply with UK tax laws (HMRC requirements), financial regulations, and legal requests.

How Long We Keep Your Data

Customer Account Data

Retained for 3 years after your last activity, or longer if you continue to use our services or have given marketing consent.

Financial Records (Orders, Transactions)

Retained for 6 years to comply with HMRC tax requirements.

Marketing Data

Retained until you withdraw consent or for 3 years of inactivity, whichever is sooner.

GDPR Requests and Audit Logs

Retained indefinitely for compliance and legal defense purposes.

How We Protect Your Data

We implement appropriate technical and organizational security measures to protect your personal data:

  • Encryption: All data transmitted is encrypted using SSL/TLS protocols
  • Secure hosting: Data stored with enterprise-grade cloud providers (Supabase) with ISO 27001 certification
  • Access controls: Strict staff access policies with role-based permissions
  • Regular backups: Automated daily backups with disaster recovery procedures
  • Monitoring: Continuous security monitoring and audit logging

Data Breach Notification: In the unlikely event of a data breach affecting your personal data, we will notify you and the ICO within 72 hours as required by UK GDPR.

Your Data Protection Rights

Under the UK GDPR and the Data Protection Act 2018, you have the following rights:

1. Right to Access

Request a copy of your personal data we hold about you (Subject Access Request).

2. Right to Rectification

Request correction of inaccurate or incomplete personal data.

3. Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data (subject to legal retention requirements for financial records).

4. Right to Restrict Processing

Request limitation on how we process your data in certain circumstances.

5. Right to Data Portability

Receive your personal data in a structured, machine-readable format.

6. Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

7. Right to Withdraw Consent

Withdraw your consent for marketing communications at any time.

How to Exercise Your Rights

To exercise any of these rights, please:

  • Email us at: privacy@cafevera.co.uk
  • Visit your account settings on our website
  • Speak to a staff member in-store

We will respond to your request within 1 month. There is no fee unless your request is manifestly unfounded or excessive.

Who We Share Your Data With

We only share your personal data with trusted third parties when necessary:

Service Providers

  • Supabase (database hosting, EU-based) - stores customer and order data
  • Email service providers (if you opt in) - for loyalty updates and marketing emails

Note: Payment processing is handled in-store only. We do not share payment data with online third parties.

Legal Requirements

Law enforcement, regulators, or courts when legally required.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred (you will be notified).

International Transfers: Your data is primarily stored within the UK/EU. Any transfers outside the UK are protected by appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions).

Cookies and Tracking

We use cookies and similar technologies to improve your experience. For detailed information, please see our Cookie Policy.

Under the Data Use and Access Act 2025, we may use certain cookies (e.g., analytics, functionality) without explicit consent. However, you can manage your cookie preferences in your browser settings.

Children's Privacy

Our services are not directed at children under 13 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@cafevera.co.uk and we will delete it.

Under the Data Use and Access Act 2025, we take into account children's needs when deciding how to process their information.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

  • Posting the updated policy on our website with the "Last Updated" date
  • Sending you an email notification (if you have an account)
  • Displaying a prominent notice on our website or app

Your continued use of our services after the changes take effect constitutes your acceptance of the revised policy.

Contact Us & Complaints

If you have questions, concerns, or complaints about how we handle your personal data, please contact us:

Data Protection Contact

privacy@cafevera.co.uk
Cafe Vera, Edinburgh, UK

Right to Complain to ICO

You have the right to lodge a complaint with the UK Information Commissioner's Office:

ICO: 0303 123 1113
www.ico.org.uk

Electronic Complaints Form

As required by the Data Use and Access Act 2025, we provide an electronic complaints form for data protection concerns.