STORENOVA — VENDOR PRIVACY POLICY

1. DEFINITIONS

• Available Balance: The portion of a Vendor's funds that has cleared the mandatory holding periods and is eligible for a Payout.
• Biometric Data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, specifically facial geometry extracted from "selfies."
• Data Controller: The entity that determines the purposes and means of processing personal data. StoreNova acts as the Data Controller for all Vendor data.
• Data Processor: A third-party service provider (such as Stripe) that processes personal data on behalf of the Data Controller.
• KYC (Know Your Customer): The mandatory process of identifying and verifying the identity of Vendors to prevent fraud, money laundering, and identity theft.
• Merchant of Record (MoR): StoreNova's legal status as the entity authorised to process payments and take financial responsibility for transactions, necessitating high-level data collection for compliance.
• Payout: The electronic transfer of cleared funds from the StoreNova central account to the Vendor's verified bank account.
• Platform: Collectively refers to the StoreNova website, mobile applications, and backend systems used to facilitate the marketplace.
• Processing: Any operation performed on personal data, such as collection, recording, storage, adaptation, or deletion.
• UK GDPR: The retained version of the General Data Protection Regulation as it forms part of the law of England and Wales, supplemented by the Data (Use and Access) Act 2025.

2. DATA WE COLLECT

To maintain a secure and compliant marketplace, we collect the following categories of data:

• Business & Contact Information: Trading name, business address, email address, and phone number.
• Identification & Biometrics: Government-issued ID (Passport or Driving Licence) and facial geometry data extracted from selfies used for automated identity verification (KYC).
• Compliance Documentation: Food hygiene certificates, local authority registrations, and proof of right-to-work.
• Financial & Transaction Data: Bank account details for payouts, VAT/Tax numbers, and the full history of transactions processed through the StoreNova MoR account.

3. PURPOSE AND LAWFUL BASIS

We process your data based on the following legal grounds:

• Contractual Necessity: To manage your account and facilitate the Payouts.
• Legal Obligation: To comply with the Money Laundering Regulations, the Economic Crime and Corporate Transparency Act 2023, and HMRC tax reporting requirements.
• Substantial Public Interest: To process Biometric Data for the purpose of preventing fraud and ensuring the safety of the food supply chain.

4. DATA SHARING

We do not sell vendor data. We will share your information only with essential Data Processors:

• Payment & Identity Services: StoreNova will share data with Stripe to verify your identity and facilitate bank transfers.
• Logistics Partners: Business address and contact names are shared with delivery partners (e.g., Stuart, Gophr) solely for order collections.
• Regulatory Bodies: Disclosure to the Food Standards Agency (FSA) or HMRC if required by law or safety investigations.

5. AUTOMATED DECISION-MAKING & HUMAN REVIEW

We use automated systems to verify your identity. If our system cannot verify your ID or selfie, your application may be automatically suspended. In accordance with the Data (Use and Access) Act 2025, you have the right to request a manual human review of any automated decision that significantly affects your account status.

6. DATA RETENTION

• Financial Records: In accordance with UK tax laws, StoreNova retains vendor identification and transaction records for 7 years following the termination of your vendor account.
• Biometric Data: Facial geometry data used for verification shall be deleted once the identity check is completed, unless ongoing retention is required for active fraud prevention.
• Customer Data: Vendors must delete Customer personal data (names/addresses) within 24 hours of successful delivery.

7. YOUR RIGHTS

Under the UK GDPR, you have the following rights regarding your data:

• Access: The right to request a copy of the data we hold about you.
• Rectification: The right to correct inaccurate or incomplete information.
• Erasure: The right to request deletion (subject to our 7-year legal retention mandate).You can also delete your vendor account directly through the StoreNova app in the Profile tab.
• Objection: The right to object to automated decision-making.

To exercise these rights, you may contact the StoreNova Data Compliance Officer via the app support centre. If you remain unsatisfied, you retain the right to lodge a complaint with the Information Commissioner's Office (ICO).