Privacy & Data Governance Policy
Effective Date: May 12, 2024
At ANNY'S LIMITED, we treat your data with the same precision we apply to our physical logistics. This policy details our comprehensive framework for the collection, processing, and protection of personal data under the UK GDPR and the Data Protection Act 2018.
1. Data Architecture & Scope
We operate as a Data Controller for information provided via our web platforms and a Data Processor for information provided by our enterprise restaurant partners. The scope of this policy covers all digital interactions with ANNY'S LIMITED services.
2. Specific Data Categories Collected
- Identity Data: Names, usernames, professional titles.
- Contact Data: Billing addresses, delivery coordinates, email, telephone numbers.
- Technical Data: IP addresses, browser fingerprints, IoT device identifiers (for tracking).
- Health/Dietary Data: Specific food allergies or dietary preferences provided during the subscription setup. This is classified as "Special Category Data" and requires explicit consent.
- Transaction Data: Historical order records and payment confirmation tokens (we do not store full CVV/PCI data).
3. Legal Bases for Processing
Under Article 6 of the UK GDPR, we rely on the following bases:
a) Contractual Necessity: To deliver the food you ordered.
b) Legal Obligation: For tax reporting and financial audit compliance.
c) Legitimate Interests: For fraud prevention and network security optimization.
d) Explicit Consent: For marketing and processing allergy-related data.
4. International Data Transfers
While our primary operations are based in Croydon, UK, some of our software infrastructure resides on EEA-based servers. We ensure that any transfers outside the UK are protected by Standard Contractual Clauses (SCCs) and robust encryption standards.
5. Retention and Destruction
We do not hold data longer than necessary. Financial records are retained for 7 years in accordance with HMRC requirements. Usage data is anonymized after 24 months for aggregate logistical modeling. Health data is deleted immediately upon account closure.
6. Your Rights Under UK Law
You have the right to access, rectify, or erase your data. You may also object to processing or request data portability. To exercise these rights, contact our Data Protection Officer at dpo@sunshinecoastwealth.sbs. We respond to all Subject Access Requests (SARs) within 30 days.