Privacy Policy
Last updated: 20 May 2026
1. Who we are
Kulcha Express Global Ltd ("Kulcha Express", "we", "us", "our") operates this online food ordering platform. We are the data controller for personal data collected through this website and our ordering service.
Registered address: 398 Farnham Road, Slough, England, SL2 1JD
Contact: privacy@kulchaexpress.co.uk
We are registered with the Information Commissioner's Office (ICO) as a data controller. If you have any questions about this policy or how we handle your data, please contact us at the address above.
2. Data we collect
We collect the following categories of personal data:
When you place an order
- Full name
- Email address
- Phone number (required for delivery orders; optional for collection)
- Delivery address including postcode (delivery orders only)
- Order contents, quantities, and customisations
- Order value and payment status (we do not store card numbers — see Section 5)
- Requested delivery or collection time
- Special instructions or notes you provide
When you create an account
- Email address and password (stored as a one-way hash — we cannot read it)
- Name and profile picture (if you sign in with Google)
- Saved delivery addresses (if you choose to save them)
- Order history linked to your account
Automatically collected data
- Session cookies required for authentication and cart state (no third-party tracking cookies are set)
- IP address and browser type, retained in server logs for up to 30 days for security and fraud prevention
3. How and why we use your data
We process your personal data on the following legal bases under UK GDPR:
| Purpose | Legal basis |
|---|---|
| Processing and fulfilling your order | Performance of a contract (Art. 6(1)(b)) |
| Arranging courier delivery via Just Eat | Performance of a contract (Art. 6(1)(b)) |
| Sending your order confirmation and receipt by email | Performance of a contract (Art. 6(1)(b)) |
| Processing your payment via Stripe | Performance of a contract (Art. 6(1)(b)) |
| Maintaining your account and order history | Performance of a contract (Art. 6(1)(b)) |
| Sending missed-order alerts to restaurant staff | Legitimate interests (Art. 6(1)(f)) — ensuring orders are fulfilled |
| Fraud prevention and security monitoring | Legitimate interests (Art. 6(1)(f)) — protecting customers and the business |
| Complying with tax and accounting obligations (7-year retention of transaction records) | Legal obligation (Art. 6(1)(c)) — UK tax law |
| Resolving disputes with Just Eat regarding delivery charges | Legitimate interests (Art. 6(1)(f)) — contractual dispute management |
We do not use your personal data for automated decision-making or profiling that produces legal or significant effects.
4. Who we share your data with
We share the minimum necessary personal data with the following third parties to fulfil your order:
For delivery orders, we share your name, phone number, and delivery address with Just Eat and their courier partners to arrange and complete your delivery. Just Eat acts as a data processor on our behalf under a signed data processing agreement (Schedule C of our DaaS Agreement). Their couriers may contact you directly via phone if needed to locate your address. Just Eat's own privacy policy is available at just-eat.co.uk/privacy-policy.
All card payments are processed directly by Stripe. We do not see or store your full card number, expiry date, or CVV — these are transmitted directly from your browser to Stripe. We retain your Stripe Payment Intent ID for reconciliation and refund purposes. Stripe's privacy policy: stripe.com/gb/privacy.
We use Resend to send order confirmation and receipt emails. Your email address and order details are passed to Resend solely for this purpose. Resend does not use this data for its own marketing.
When you enter a delivery address, it is sent to Mapbox to convert it to map coordinates and calculate the driving distance to our restaurant. Mapbox processes this as a transient lookup and does not link it to your identity. Mapbox's privacy policy: mapbox.com/legal/privacy.
If you choose to sign in with Google, Google shares your name, email address, and profile picture with us under OAuth 2.0. We do not receive your Google password. This sharing is governed by Google's privacy policy: policies.google.com/privacy.
We do not sell your personal data to any third party. We do not share your data with advertisers or analytics platforms.
5. Payment data
Card numbers, expiry dates, and CVV codes are entered directly into a Stripe-hosted payment form embedded in our checkout. This data never touches our servers. We store only the Stripe Payment Intent ID, which allows us to process refunds and reconcile payments. All card data is held by Stripe under PCI-DSS Level 1 compliance.
6. How long we keep your data
| Data | Retention period | Reason |
|---|---|---|
| Order records (items, amounts, VAT) | 7 years | UK tax law (HMRC) |
| Delivery address on completed orders | 7 years | Linked to tax records |
| Account data (name, email, password hash) | Until you delete your account, then 30 days | Service provision |
| Saved delivery addresses | Until you delete them or your account | Your convenience |
| Server logs (IP, browser) | 30 days | Security monitoring |
| Delivery job records (courier details, JustEat data) | 7 years | Contract dispute window + tax records |
7. International data transfers
Some of our service providers (Stripe, Resend, Mapbox, Google) are based in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place — specifically, UK International Data Transfer Agreements (IDTAs) or UK Addenda to EU Standard Contractual Clauses (SCCs) — as required by UK GDPR Article 46.
Just Eat Takeaway.com and its courier partners operate within the UK. Your delivery data does not leave the UK when processed for delivery purposes.
8. Your rights
Under UK GDPR, you have the following rights:
- Right of access — request a copy of the personal data we hold about you (Subject Access Request).
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete your data, subject to legal retention obligations (e.g. we must retain order records for 7 years).
- Right to restriction — ask us to restrict processing while a dispute is resolved.
- Right to data portability — receive your order history in a machine-readable format.
- Right to object — object to processing based on legitimate interests; we will stop unless we have compelling grounds.
To exercise any of these rights, email privacy@kulchaexpress.co.uk. We will respond within one calendar month. We may ask you to verify your identity before processing your request.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint · 0303 123 1113.
9. Cookies
We use only the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| authjs.session-token | Keeps you signed in to your account | 30 days or until sign-out |
| authjs.csrf-token | Protects sign-in forms against cross-site request forgery | Session |
| authjs.callback-url | Remembers where to redirect after login | Session |
| cart (localStorage) | Stores your cart locally in the browser — not a cookie, never sent to our servers | Until cleared |
We do not use advertising cookies, cross-site tracking cookies, or any third-party analytics cookies. No cookie consent banner is required for strictly necessary cookies under the UK PECR.
10. Security
We use industry-standard security measures including HTTPS encryption in transit, bcrypt password hashing, HMAC-signed order view tokens, and server-side price verification. Our infrastructure is hosted on a secured VPS with regular backups. No security measure is perfect — if you believe you have found a vulnerability, please contact us at privacy@kulchaexpress.co.uk before public disclosure.
11. Children
Our service is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email to registered account holders or by a notice on the website. The date at the top of this page reflects the most recent revision.
13. Contact us
For any privacy-related queries, data subject requests, or to report a potential data breach:
Kulcha Express Global Ltd398 Farnham Road, Slough, England, SL2 1JD
privacy@kulchaexpress.co.uk