TakeawaySoft
← Home

Privacy Policy

Last updated: 19 May 2026

⚠️ Placeholder content. This page is a starting template and is not legally reviewed. Before opening signup to the public, have a UK-qualified lawyer review and replace with proper text appropriate for the jurisdiction(s) you operate in.

This Privacy Policy explains how TakeawaySoft Ltd ("we", "us") handles personal data when Merchants ("you") use the Platform.

1. Who is the data controller?

For Merchant account data (admin emails, billing details, business info): TakeawaySoft is the controller.

For customer data captured by your shop (your customers' names, addresses, order history): you are the controller, we are your processor. The Data Processing Addendum (DPA) governs that relationship.

2. What we collect about Merchants

  • Account: business name, owner email, phone, country, currency.
  • Billing: Stripe customer ID, payment method last 4 digits + type (full PAN never touches us — it's tokenised by Stripe).
  • Usage: order volume, login timestamps, IP addresses, basic device info.
  • Communications: support emails and notes.

3. Lawful bases

  • Contract — most processing is necessary to provide the Platform.
  • Legitimate interest — fraud prevention, network/IT security, basic analytics.
  • Consent — marketing emails (opt-in only).
  • Legal obligation — tax records, AML where applicable.

4. Sharing

We share data only with:

  • Sub-processors listed in the DPA (Stripe, Cloudflare, AWS/Hetzner, etc.)
  • Law enforcement when legally compelled.

We never sell your data.

5. International transfers

Data is stored in the EU/UK. Some sub-processors (Stripe, etc.) may transfer to the US under Standard Contractual Clauses or equivalent safeguards.

6. Retention

Active account data: as long as your subscription is active. After account closure: 30 days for restoration, then permanently purged unless we have a legal obligation to retain (e.g. tax law).

7. Your rights

You can:

  • Access — download a JSON export of your data from your admin panel (Settings → Danger zone).
  • Rectify — edit your account at any time.
  • Erase — close your account; we delete after the 30-day cooldown.
  • Restrict / object — contact [email protected].
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We use TLS 1.2+ for all traffic, encrypted credentials, payment data tokenisation via Stripe, separated tenant isolation in the database, and platform-admin access logging. No security is absolute; report suspected issues to [email protected].

9. Cookies

See the Cookies page.

10. Contact

[email protected] for any privacy question.