
Legal

Privacy Policy

Last updated: April 2026 · Grabbi Limited · Company No. 16656150

1. Who We Are

Grabbi Limited ("Grabbi", "we", "us", "our") is a private limited company registered in England and Wales under company number 16656150. Our registered office is at Starlux Building, Bridgend Road, Aberkenfig, Bridgend, Wales, CF32 9BG.

We operate shop.grabbi.uk, grabbi.uk, and associated mobile applications (collectively, the "Platform"). We are the data controller for personal data processed through the Platform.

Contact us: privacy@grabbi.uk

2. What Data We Collect

Account Data: Name, email address, phone number, date of birth (for age-restricted purchases), password (hashed).
Order Data: Delivery address, order history, items purchased, payment method (card type and last 4 digits only — full card data processed by Stripe).
Location Data: Delivery address you provide. If you use our mobile app and grant permission, approximate GPS location for delivery tracking and postcode validation.
Driver Location Data: Company drivers' GPS location during active delivery shifts only, transmitted via company-owned devices. Personal driver phones are never tracked.
Loyalty Data: Points balance, transaction history, redemptions.
Communications: Messages you send us, customer service records, reviews.
Technical Data: IP address, browser type, device identifiers, app usage data, cookies (see Cookie Policy).
Authentication Data: Phone OTP verification via Firebase Authentication (Google). We do not store your OTP.

3. How We Use Your Data

Fulfil your orders
Legal basis: Contract performance
Order processing, delivery coordination, payment processing

Manage your account
Legal basis: Contract performance
Account creation, authentication, loyalty points

Customer communications
Legal basis: Contract performance / Legitimate interests
Order updates, delivery notifications, support responses

Marketing (opted-in only)
Legal basis: Consent
Promotional emails, SMS offers — you can unsubscribe any time

Fraud prevention and security
Legal basis: Legitimate interests / Legal obligation
Detecting suspicious activity, protecting customers and business

Age verification
Legal basis: Legal obligation
Verifying customers are 18+ before purchasing age-restricted products

Driver GPS tracking
Legal basis: Legitimate interests / Contract
Real-time delivery tracking for customers and fleet management

Analytics and improvement
Legal basis: Legitimate interests
Understanding how the Platform is used to improve it

Legal compliance
Legal basis: Legal obligation
Tax records, regulatory compliance, responding to lawful requests

Franchise operations
Legal basis: Legitimate interests
Sharing order and operational data with relevant franchise partners

4. Third Parties We Share Data With

Stripe
Payment processing. Stripe is PCI-DSS compliant. We never store full card numbers.
stripe.com/privacy

Firebase (Google)
Authentication (phone OTP and email), push notifications, file storage.
firebase.google.com/support/privacy

Anthropic
AI-powered features (Grabbi Brain). Only anonymised queries are sent — no personal data.
anthropic.com/privacy

Google Maps
Delivery tracking map, address validation.
policies.google.com/privacy

Epos Now
Point of sale system for in-store transactions. Inventory sync.
eposnow.com/uk/privacy

Xero
Accounting and payroll. Staff financial data only.
xero.com/uk/legal/privacy

SendGrid (Twilio)
Transactional emails and SMS notifications.
twilio.com/legal/privacy

Vercel
Website hosting. Processes technical data (IP, request logs).
vercel.com/legal/privacy

Render
Backend API hosting.
render.com/privacy

Franchise Partners
Relevant order and operational data shared with the franchise store fulfilling your order.

5. Data Retention

Order records: 7 years (HMRC legal requirement)

Account data: Until you delete your account, then 30 days

Driver location data: 30 days rolling (shift logs retained 12 months for legal purposes)

Marketing preferences: Until you unsubscribe or delete your account

Fraud prevention records: Up to 5 years

CCTV (in-store): 30 days

6. Your Rights Under UK GDPR

Right of Access: Request a copy of all data we hold about you
Right to Rectification: Correct inaccurate data
Right to Erasure: Delete your data (subject to legal retention obligations)
Right to Restriction: Limit how we process your data
Right to Portability: Receive your data in a machine-readable format
Right to Object: Object to processing based on legitimate interests
Right to Withdraw Consent: Withdraw marketing consent at any time
Right to Complain: Lodge a complaint with the ICO at ico.org.uk

To exercise any right, email privacy@grabbi.uk. We will respond within 30 days.

7. International Transfers

Some of our service providers (including Google Firebase, Stripe, Render, Anthropic) may process data outside the UK and EEA. All transfers are protected by appropriate safeguards including UK adequacy decisions or Standard Contractual Clauses.

8. Children

Our Platform is not intended for children under 16. We do not knowingly collect data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately at privacy@grabbi.uk.

9. Security

We implement appropriate technical and organisational measures to protect your data including encrypted data transmission (TLS), hashed passwords, tokenised payments via Stripe, and restricted staff access controls. No system is 100% secure — please contact us immediately if you suspect a data breach.

10. Changes to This Policy

We may update this policy as our business grows to 100 franchise locations. Material changes will be notified via email or in-app notification. Continued use of the Platform after changes constitutes acceptance.
