Privacy notice
Last updated: May 2026
This notice explains how SafePlate Ltd ("SafePlate", "we", "us") handles personal data across the SafePlate platform and the safe-plate.io website. Plain English. Questions: privacy@safe-plate.io.
Who we are
SafePlate Ltd, a company registered in England and Wales. For data we process about diners (allergen profiles, order history), we act as a data processor on behalf of the venue, which is the data controller. For data about operators, prospective customers, and website visitors, we act as a data controller.
The data we hold
Diner data (when you eat in a venue using SafePlate)
The venue captures, and we process on its behalf:
- Allergen declarations and dietary requirements made at the start of an order. This is health-category data under UK GDPR Article 9.
- Optional contact details (name, phone) where the venue takes a reservation through SafePlate.
- Order history during your visit — what was ordered, what was blocked, what was acknowledged in the kitchen.
We do not link diner data across venues. Your declaration to one restaurant is not visible to another.
Operator data (when you run a venue on SafePlate)
- Account information for staff users — name, email, role, password hash.
- Menu and ingredient data you upload.
- Audit-log records of allergen events, overrides, and shift summaries.
- Integration credentials (encrypted) for your EPOS — Square OAuth tokens or Access EVO API keys.
Visitor data (when you use safe-plate.io)
- Whatever you write into the contact form.
- Basic server logs — IP address, user agent, page visited, timestamp — retained for 30 days for security and abuse prevention.
- We do not use third-party advertising trackers. The site uses no marketing cookies.
Lawful basis
- Diner allergen declarations: processed under Article 6(1)(b) (necessary for the contract between the diner and the venue) and Article 9(2)(a) (explicit consent for health-category data, given when the declaration is captured).
- Operator account data: processed under Article 6(1)(b) (necessary for the contract).
- Visitor contact-form data: processed under Article 6(1)(a) (consent) and 6(1)(f) (legitimate interest in responding to enquiries).
Where we store data
All personal data is hosted in the United Kingdom or European Union. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Database backups are encrypted and stored in the same region.
Retention
- Diner allergen profiles: retained by the venue for the duration of the visit, then rolled up into anonymised compliance data. Identifiable diner records are deleted within 90 days unless the venue has a separate retention reason.
- Operator account data: retained for the duration of the contract plus 6 years after termination.
- Audit-log records: retained for 6 years from the date of the order.
- Contact-form messages: retained for 24 months unless we agree a longer retention.
Sharing
We share data only with:
- Sub-processors: our hosting provider, our payment processor (Stripe), and our error-monitoring service. Each is contracted under UK GDPR-compliant terms. Full list on request.
- Authorities: where we are legally required to do so.
We do not sell, rent, or share personal data with marketing partners or data brokers under any circumstances.
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion (right to be forgotten), subject to retention obligations.
- Object to processing or request restriction.
- Receive your data in a portable format.
- Withdraw consent at any time.
Write to privacy@safe-plate.io. We respond within 30 days.
Complaints
If you believe we have mishandled your personal data, contact us first. You also have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk.
Changes
Material changes will be published on this page with an updated date. For changes affecting existing operator customers, we'll also notify the account admin by email.
Contact: privacy@safe-plate.io · SafePlate Ltd, United Kingdom