Last updated: 2 June 2026
Privacy Policy
This policy explains how FoodCore.io Ltd collects, uses, stores and protects personal data in connection with our kitchen management software service. We are committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are / Data Controller
FoodCore.io Ltd (FOODCORE.IO LIMITED), company number 17168660, registered in England and Wales, is the data controller for personal data we collect directly from subscribers and visitors to this website.
For personal data that subscribers upload about their own customers (for example, customer orders or dietary requirements), FoodCore.io acts as a data processor on the subscriber's instruction. The subscriber is the data controller for that data.
For all data protection queries or Subject Access Requests, contact us at info@foodcore.io with the subject line "Data Protection" or "Subject Access Request".
2. What Personal Data We Collect
Data you provide directly as a subscriber:
- Account registration: name, business name, email address, phone number.
- Billing: name and address for invoicing. Payment card details are processed entirely by Stripe — we do not store them.
- Communications: information you provide when contacting us by email, contact form, or live chat.
- Trial requests: name, business name, and email address — used solely to set up your trial account.
- Newsletter signup: email address, collected via our signup form on foodcore.io. Managed through Sender.net (account ID: ad6083267e6001). Used solely for marketing communications you have opted into.
Usage and technical data: IP addresses, browser type, pages accessed, session duration, click and scroll behaviour. Collected automatically when you visit our website. Website usage analytics are collected by Google Analytics 4 (property ID: G-EJJZYBXJYE) and PostHog (visitor analytics, session recordings, and heatmaps — EU-hosted) with your consent. PostHog may record screen activity during your visit in the form of a session replay to help us understand how visitors interact with our website and identify usability improvements. No payment card data or account passwords are ever captured in recordings.
Affiliate partner data: if you apply to or participate in our affiliate programme, we collect your name, business or trading name, email address, payment details (for commission payments), and referral performance data. This data is processed via Endorsely (our affiliate platform) and by us to administer the programme and pay commissions.
3. How We Use Your Data
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Providing the subscribed service (account management, billing, support) | Contract performance — Art. 6(1)(b) |
| Processing subscription payments via Stripe | Contract performance — Art. 6(1)(b) |
| Retaining financial and billing records | Legal obligation (HMRC) — Art. 6(1)(c) |
| Security monitoring and fraud prevention | Legitimate interests — Art. 6(1)(f) |
| Product improvement (anonymised analytics) | Legitimate interests — Art. 6(1)(f) |
| Website analytics via Google Analytics 4 | Consent — Art. 6(1)(a) (withdraw via cookie settings) |
| Visitor analytics, session recording, and heatmaps via PostHog | Consent — Art. 6(1)(a) (withdraw via cookie settings) |
| Affiliate programme administration and commission payments | Contract performance / legitimate interests — Art. 6(1)(b)/(f) |
| Marketing emails via Sender.net (newsletter subscribers) | Consent — Art. 6(1)(a) (unsubscribe any time) |
| Live chat support via Tawk.to | Consent / legitimate interests — Art. 6(1)(a)/(f) |
We do not sell your personal data to any third party. We do not use your data for advertising profiling.
4. Legal Basis for Processing
We rely on the following lawful bases under UK GDPR Article 6:
- Contract performance (Art. 6(1)(b)): processing necessary to deliver the service you have subscribed to, including account management, billing, and service communications.
- Legal obligation (Art. 6(1)(c)): retaining financial records as required by HMRC and applicable law.
- Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, and anonymised product analytics — balanced against your interests and rights.
- Consent (Art. 6(1)(a)): analytics cookies (Google Analytics 4), visitor session recording and heatmaps (PostHog), marketing emails (Sender.net), and live chat (Tawk.to). You may withdraw consent at any time without affecting the lawfulness of prior processing.
5. Third-Party Processors
We use the following third-party services. We share data with them only to the extent necessary to operate the Service. We will notify you at least 14 days before making any material change to this list.
| Service | Purpose | Data shared | Location / transfer basis |
|---|---|---|---|
| Google Analytics 4 ID: G-EJJZYBXJYE |
Website usage analytics | Anonymised usage data; no personal data from customer accounts. Consent-gated. | US — Standard Contractual Clauses (SCCs) in place |
| Google Ads ID: AW-724508800 |
Conversion tracking for website advertising | Conversion events (e.g. trial sign-ups). No account data transmitted. | US — SCCs in place |
| PostHog EU cloud — eu.i.posthog.com |
Visitor analytics, session recording (screen replay), and heatmaps | Anonymised usage data; session recordings of visitor interactions with our website; heatmap data. No personal account data, passwords, or payment details are captured. Consent-gated. | EU-hosted — no international transfer |
| Endorsely | Affiliate link management — may inject product recommendations into blog page content | Affiliate click data (anonymised). No personal account data shared. | EU / EEA |
| Sender.net Account: ad6083267e6001 |
Email marketing and newsletter distribution | Email addresses of newsletter subscribers only (consent-based). | EU-based |
| Tawk.to | Live chat widget — loads on all pages | Chat transcripts and any information you volunteer in a chat session. May collect IP address and browser data. | US / global — SCCs in place |
| Stripe | Payment processing | Billing name and address. Payment card data is processed entirely by Stripe — we never receive or store card numbers. | UK / EEA |
| Cloudflare | CDN, DDoS protection, and performance optimisation | Technical identifiers, IP addresses. No personal account data. | US / global — SCCs in place |
6. Cookies
We use cookies on this website. A consent banner is shown on your first visit. Essential cookies are set regardless of consent. Analytics and marketing cookies (Google Analytics 4, PostHog, Google Ads, Endorsely, Tawk.to, Sender.net) are only set if you accept all cookies. PostHog specifically uses cookies to support session recording and heatmap functionality — these are only active with your consent.
For a full list of cookies, their purposes, and duration, see our Cookie Policy.
7. Your Rights Under UK GDPR
As a data subject you have the following rights:
- Right of access: obtain a copy of the personal data we hold about you.
- Right to rectification: have inaccurate data corrected without undue delay.
- Right to erasure: request deletion of your data in certain circumstances.
- Right to restriction: restrict how we process your data in certain circumstances.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: withdraw any consent at any time without affecting the lawfulness of prior processing. To withdraw analytics cookie consent, clear your browser cookies and decline on next visit, or email us.
To exercise any right, email info@foodcore.io with subject line "Data Rights Request" or "Subject Access Request". We will respond within 30 days at no charge. We may need to verify your identity before processing your request.
8. Data Retention
- Account and billing data: retained for the duration of your subscription plus 2 years after termination (longer where required by HMRC accounting obligations).
- Customer data you upload: retained for the duration of your subscription. On cancellation, retained for 30 days for export, then permanently deleted.
- Usage/log data: up to 12 months. Anonymised analytics may be retained indefinitely.
- Newsletter email addresses: retained until you unsubscribe. A suppression record (email address only) is kept for 3 years to evidence consent.
9. International Transfers
Some of our third-party processors — specifically Google (Analytics 4 and Ads), Tawk.to, and Cloudflare — operate in the United States. These transfers are covered by Standard Contractual Clauses (SCCs) under UK data protection law, providing an appropriate level of protection for your data. Sender.net is EU-based and no international transfer occurs. Stripe processes payments in the UK/EEA. PostHog is hosted on EU infrastructure (eu.i.posthog.com) — no international transfer occurs.
10. Affiliate Programme — Data We Hold About Partners
Our affiliate programme is operated via Endorsely. If you participate as an affiliate partner, we collect and process the following data:
- Registration data: name, business/trading name, email address, website or social media URL.
- Performance data: referral click counts, conversion counts, commission amounts earned, referral attribution (tracked via Endorsely cookies with a 30-day attribution window).
- Payment data: bank account or payment details necessary to remit commission payments.
This data is processed on the basis of contract performance (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)). Affiliate performance and payment data is retained for 3 years after termination of the affiliate relationship (or longer where required by HMRC). You may request access to or deletion of your affiliate data by emailing info@foodcore.io. For full affiliate programme terms, see our Terms & Conditions.
11. Changes to This Policy
We will notify active subscribers by email at least 14 days before material changes take effect. The date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance.
12. Contact and Complaints
If you have concerns about how we handle your personal data, please contact us first:
- Email: info@foodcore.io — subject line: "Privacy" or "Data Rights Request" or "Subject Access Request".
- Contact form: foodcore.io/contact
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's data protection supervisory authority:
- Website: ico.org.uk
- Telephone: 0303 123 1113