Privacy Policy
Last updated: 15 April 2026
1. Who We Are
Stax's Burger ("we", "us", "our") operates the website at staxhouse.co.uk and provides an online food ordering service for our restaurant in Ware, Hertfordshire.
We are the Data Controller responsible for your personal data as defined under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
To contact us about data protection matters, please email: hello@staxhouse.co.uk
2. Data We Collect
2.1 Data you provide directly
- Order data: name, phone number, email address (optional), delivery address, order contents, and special instructions.
- Account data: email address, password (hashed, never stored in plain text), and full name when you create an account.
- Payment data: We do not store card details. Payment is processed directly by Stripe, a PCI-DSS compliant payment processor. We only retain a Stripe Payment Intent ID for reference.
- Communications: Messages sent via our contact form, including your name and email address.
- Newsletter: Email address and subscription status if you opt in.
2.2 Data collected automatically
- Technical data: IP address, browser type, device type, operating system, referring URL, pages visited, and time spent on the site.
- Cookie data: See Section 9 and our Cookie Policy for full details.
3. How We Use Your Data
- To process and fulfil your orders, including communicating your order status via email or SMS.
- To process payments securely via Stripe.
- To manage your account and order history if you register.
- To send you marketing emails if you have opted in — you may unsubscribe at any time.
- To prevent fraud and maintain the security of our platform.
- To comply with legal obligations, including tax and food safety law.
- To improve our service using aggregated, anonymised analytics.
4. Legal Basis for Processing
| Purpose | Legal Basis (UK GDPR Art. 6) |
|---|---|
| Processing your order | Contract (Art. 6(1)(b)) |
| Payment processing | Contract (Art. 6(1)(b)) |
| Order status notifications | Contract (Art. 6(1)(b)) |
| Fraud prevention & security | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails | Consent (Art. 6(1)(a)) |
| Analytics (anonymised) | Legitimate interests (Art. 6(1)(f)) |
| Tax record-keeping | Legal obligation (Art. 6(1)(c)) |
6. Third-Party Services
We use the following third-party services that may process your data:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Stripe | Payment processing (PCI-DSS Level 1 certified). Card data never touches our servers. | stripe.com/gb/privacy |
| Supabase | Database and authentication infrastructure. Hosted in EU data centres. | supabase.com/privacy |
| Vercel | Website hosting and CDN. GDPR-compliant, EU data residency available. | vercel.com/legal/privacy-policy |
| Resend / Email provider | Transactional and marketing emails. | Available on request |
7. Data Retention
- Order data (registered customers): Retained for 7 years for accounting and legal compliance, then deleted.
- Guest order PII (name, phone, address): Automatically anonymised after 24 months. Order records are retained for accounting purposes with PII removed.
- Account data: Retained until you request deletion. Inactive accounts (no login for 3 years) are deleted after 30 days' notice.
- Marketing email list: Retained until you unsubscribe or request deletion.
- Analytics data: Aggregated and anonymised, no individual retention limit.
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access: Request a copy of the data we hold about you.
- Right to rectification: Ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data where there is no legal obligation to retain it.
- Right to restriction: Ask us to restrict how we process your data in certain circumstances.
- Right to data portability: Receive your data in a structured, commonly used format.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making: We do not make solely automated decisions that significantly affect you.
To exercise any of these rights, email hello@staxhouse.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk / 0303 123 1113.
10. International Transfers
Your data is stored on servers within the European Economic Area (EEA) by our infrastructure providers. Where any data is transferred outside the EEA or UK, we ensure adequate protections are in place (Standard Contractual Clauses or UK adequacy decisions).
11. Security
We implement appropriate technical and organisational measures to protect your data, including:
- HTTPS encryption on all pages
- Stripe for PCI-compliant payment processing (we never handle raw card data)
- Row-level security policies on our database
- Regular security reviews
No method of internet transmission is 100% secure. If you believe your data has been compromised, contact us immediately at hello@staxhouse.co.uk.
12. Children's Privacy
Our service is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered customers by email of any material changes. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of our service after changes constitutes acceptance of the revised policy.
14. Contact Us
For any data protection enquiries:
- Email: hello@staxhouse.co.uk
- Address: Stax's Burger, 30 Amwell End, Ware, SG12 9HW