STORENOVA — CUSTOMER PRIVACY POLICY

1. INTRODUCTION

StoreNova is committed to protecting your personal data. We operate in strict accordance with the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025.

2. DATA WE COLLECT

We collect only the information necessary to fulfill your orders and improve your experience:

• Identity & Contact: Name, email, phone number, and delivery address.
• Transaction Data: Details of products purchased, amount paid, and order history.
• Technical & Usage Data: IP address, device type, and how you interact with our App/Web platform.
• Location Data: With your permission, we collect GPS data to show you local vendors and provide real-time delivery tracking.

3. PURPOSE OF PROCESSING

Under UK GDPR and the Data (Use and Access) Act 2025, we process data using:

• Contractual Necessity: To process your payment via Stripe and deliver your food.
• Legal Obligation: To maintain financial records for HMRC and comply with food safety reporting.
• Legitimate Interests: To prevent fraud, protect our platform, and conduct 'Soft Opt-in' marketing (where you have previously bought from us).
• Consent: For precise GPS tracking, third-party marketing and non-essential. You can withdraw consent at any time.

4. WHO WE SHARE DATA WITH

We do not sell your data. We share it only with:

• The Vendor: We provide the vendor with your name and order details so they can prepare your food and manage allergen compliance
• Delivery Partners: Your address and phone number are shared with couriers (e.g., Stuart, Gophr) to facilitate delivery.
• Payment Processors: Stripe handles all card data; StoreNova does not store your full credit card numbers.
• Regulatory Bodies: Disclosure to the FSA, HMRC, or law enforcement, when legally required.

5. LEGAL BASIS

We process your personal data only when we have a valid legal ground to do so:

• Contractual Necessity: Processing is required to perform our obligations to you (e.g., managing your account, facilitating payments as the MoR, and ensuring delivery).
• Legal Obligation: Processing is necessary for compliance with UK law (e.g., maintaining HMRC tax records and complying with Food Standards Agency safety audits).
• Legitimate Interests: Processing is necessary for our legitimate business interests, provided they do not override your rights. This includes platform security, fraud prevention, and 'soft opt-in' marketing for similar products.
• Consent: Where you have provided clear, affirmative consent (e.g., allowing GPS location tracking or opting into third-party newsletters).

6. DATA SHARING & DISCLOSURE

We do not sell your data. We share your information with selected third parties solely to operate the Platform:

• Payment Services: Data is shared with Stripe to process transactions. As the MoR, we ensure your payment data is handled under PCI-DSS standards.
• Logistics & Fulfillment: Name, address, and phone number are shared with delivery partners (e.g., Stuart, Gophr) to facilitate order fulfillment.
• Vendors: Specific order details and your name are shared with the Vendor to allow for the preparation of your goods.
• Service Providers: We use IT and cloud hosting providers (e.g., AWS, Google Cloud) to store data securely.
• Regulatory/Legal Bodies: We may disclose data to the FSA, HMRC, or law enforcement if required by a binding legal request.

7. DATA RETENTION

We retain your data only for as long as is necessary to fulfill the purposes for which it was collected:

• Account Data: Retained for the duration of your active relationship with StoreNova.
• Financial & Tax Records: Retained for 7 years following the date of the transaction to comply with UK statutory tax requirements.
• Delivery & GPS Logs: Sensitive location data is anonymised or deleted within 90 days of order completion to protect your movement history.
• Marketing Data: Retained until you withdraw consent or for 12 months from your last interaction with the Platform.

8. AUTOMATED DECISION-MAKING

We use automated profiling to detect and prevent fraudulent transactions. If an automated decision significantly affects you (e.g., a blocked payment), you have the right under the Data (Use and Access) Act 2025 to request a manual human review. Please contact our support team to contest an automated decision.

9. COOKIES & TRACKING

Our Platform uses cookies to distinguish you from other users and analyse traffic patterns. In compliance with 2026 standards, non-essential cookies are disabled by default. You may select "Reject All" or "Accept All" via our consent banner. Essential cookies used for security and login purposes do not require consent but can be managed via your browser settings.

10. YOUR RIGHTS

Under the UK GDPR, you have the following rights regarding your personal data:

• Right to be Informed: You have the right to be told exactly how we collect and use your data, how long we keep it, and who we share it with. Providing this Privacy Policy is the primary way we fulfill this obligation to you. We provide this policy and 'Just-in-Time' notices at the point of data collection to ensure you are always aware of how your data is used.
• Right of Access: You can request a copy of all personal data we hold about you (a 'Subject Access Request'). We must provide this electronically and free of charge.
• Right to Rectification: If your data is inaccurate or incomplete (e.g., a wrong delivery address), you have the right to have it corrected immediately.
• Right to Erasure ('Right to be Forgotten'): You can ask us to delete your data. Note: We will comply unless we have a legal obligation to keep it (e.g., HMRC tax records).You can also delete your account directly through the StoreNova app in the Profile tab.
• Right to Restrict Processing: You can ask us to 'freeze' your data. This means we keep the data stored but stop using it while we investigate a dispute or verify its accuracy.
• Right to Data Portability: You can request your data in a structured, commonly used, and machine-readable format to move it to another service provider.
• Right to Object: You have an absolute right to stop us from using your data for direct marketing. You can also object to processing based on our 'Legitimate Interests'.
• Right Related to Automated Decision-Making: Since we use automated systems for fraud detection and identity verification, you have the right to contest an automated 'block' and require a manual review by a StoreNova employee.
• Right to Withdraw Consent: Where we rely on consent (e.g., GPS tracking or non-essential cookies), you may withdraw it at any time through your device or app settings.

You must first raise concerns with us via our Electronic Complaint Form. We will acknowledge your complaint within 30 days and provide a full response without undue delay. If you are unsatisfied with our response to a privacy request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

11. SECURITY

We implement robust technical and organisational measures to protect your data, including AES-256 encryption for data at rest and TLS 1.3 for data in transit. Access to personal data is strictly limited to authorised personnel who require it to perform their duties.

12. CONTACT

For all data-related inquiries or to exercise your rights, please contact our Data Compliance Officer: Mr Tunde Olaoye