Sree Svadista Prasada ("we", "us", "our") is a South Indian food ordering and meal-subscription service operating in Milton Keynes, Edinburgh, and Glasgow, United Kingdom.

For the purposes of UK data-protection law, we are the Data Controller. Our contact details are:

• Email: info@sreesvadistaprasada.com
• Phone: +44 73 0711 9962
• Website: sreesvadistaprasada.vercel.app

We collect the following categories of personal data:

We do not collect special-category (sensitive) data such as health information, biometrics, or financial card details. Payment processing is handled entirely by our third-party payment provider.

We process your personal data on the following lawful bases under UK GDPR:

• Contract performance — processing orders, managing subscriptions, arranging delivery.
• Legitimate interests — improving our service, fraud prevention, communicating with customers about their orders.
• Legal obligation — retaining transaction records for tax and regulatory compliance.
• Consent — sending marketing emails and newsletters (you can withdraw consent at any time).

We use an AI language model provided by Anthropic (Claude) solely to assist our kitchen team with generating menu item descriptions and suggestions. This AI tool:

• Is used only for internal content generation, not for automated decisions about customers.
• Does not receive, store, or process any personal data about customers or website visitors.
• Is operated in compliance with the EU AI Act's requirements for general-purpose AI systems (GPAI) used in low-risk administrative contexts.
• Does not perform any profiling, automated decision-making, or high-risk AI processing as defined under the EU AI Act or UK GDPR Article 22.

You have the right to be informed about any automated decision-making that significantly affects you. No such processing occurs on this platform.

We use the following types of cookies:

• Strictly necessary cookies — Authentication tokens stored in localStorage (ssp_token) and your basket state (ssp_cart). These are essential for the service to function and do not require consent.
• Analytics cookies — If we use analytics services in future, we will seek your consent beforehand.

You can clear stored data at any time via your browser's developer tools or settings.

We share your data only where necessary:

• MongoDB Atlas (MongoDB, Inc.) — our cloud database provider, storing orders, accounts, and enquiries. Data is processed under a Data Processing Agreement.
• Vercel — hosting our frontend application. No personal data is stored by Vercel beyond standard server logs.
• Render — hosting our backend API. Standard server logs apply.
• Google OAuth — optional login via Google. We receive only your name and email address; Google's privacy policy governs their processing.
• Delivery and postcode services — we use postcodes.io (a public UK postcode API) and getAddress.io for address lookup. Your postcode is sent to these services only during checkout address lookup; they do not receive any other personal data.
• Anthropic — as described in Section 4, for AI-assisted menu content only. No customer data is shared.

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

Some of our service providers (MongoDB Atlas, Vercel, Anthropic) may process data outside the UK and EEA. Where this occurs, we rely on adequacy decisions or standard contractual clauses (SCCs) approved by the UK ICO to ensure your data receives an equivalent level of protection.

We retain your personal data for the following periods:

• Account data — for as long as your account is active, plus 12 months after account deletion.
• Order and transaction data — 7 years, as required by UK tax law (HMRC).
• Enquiries and support messages — 2 years from last correspondence.
• Newsletter subscriptions — until you unsubscribe, or 3 years without engagement, whichever is earlier.

You have the following rights regarding your personal data:

• Right of access — request a copy of all personal data we hold about you.
• Right to rectification — correct inaccurate or incomplete data.
• Right to erasure — request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
• Right to restriction — limit how we use your data in certain circumstances.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interests or for direct marketing.
• Rights related to automated decision-making — not to be subject to solely automated decisions with significant effects (not applicable here, as we do not use such processing).
• Right to withdraw consent — at any time where processing is based on consent (e.g. marketing emails).

To exercise any of these rights, please contact us at info@sreesvadistaprasada.com. We will respond within 30 days.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

We implement appropriate technical and organisational measures to protect your personal data, including: encrypted data transmission (HTTPS), JWT-based authentication with secure key signing, bcrypt password hashing, and role-based access controls. We do not store payment card details on our systems.

Our service is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date at the top of this page and, where appropriate, by email. Continued use of our service after changes constitutes acceptance of the updated policy.

For any privacy-related queries or to exercise your rights:

• Email: info@sreesvadistaprasada.com
• Phone: +44 73 0711 9962