Skip to main content
← Back to Ghochen

Privacy policy

Last updated 10 May 2026

Ghochen Limited is the data controller for the personal data we hold about you. This policy explains what we collect, why we collect it, who we share it with, and your rights under UK GDPR.

What we collect

  • Account details: name, phone number, email, language preference.
  • Delivery details: addresses, delivery notes, location at point of delivery.
  • Order details: what you ordered, when, from which Partner, total paid.
  • Payment details: tokenised card or bank reference (never the card number itself).
  • Communications: messages exchanged with our agent, support staff, or Partners.
  • Device + usage: app version, OS, IP address, page views, basic interaction events.

Why we use it

  • To take and fulfil your orders (contractual necessity).
  • To deliver food via couriers we dispatch on the Partner's behalf.
  • To process payments and refunds.
  • To detect and prevent fraud.
  • To improve the product (with your consent for non-essential analytics).
  • To send you operational messages about your orders.
  • To send you marketing messages where you have opted in.

Who we share it with

We share the minimum necessary data with:

  • Partners you order from (your first name, last initial, masked phone, delivery address after acceptance, your order, your notes).
  • Couriers we dispatch (your delivery address, masked phone, your name).
  • Payment processors (Stripe) for payment + refunds.
  • Communication providers (Twilio, Resend) for SMS + email delivery.
  • Analytics + error monitoring (PostHog, Sentry) with PII scrubbed where possible.
  • Legal authorities when required by law.

We do not sell your personal data.

Where we store it

Your data is stored in EU-region data centres (Supabase, hosted in eu-west-1). Some processors (Stripe, Anthropic) may process limited data outside the UK or EU under appropriate transfer mechanisms (UK IDTA or EU SCCs).

How long we keep it

Account data while your account is active, plus 30 days after deletion to allow recovery. Order + payment records for 6 years after the order date (HMRC + accounting requirement). Marketing consent records for 2 years after withdrawal.

Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your account and data (right to be forgotten).
  • Receive a copy of your data in a portable format.
  • Object to processing for marketing purposes.
  • Withdraw consent at any time.
  • Lodge a complaint with the Information Commissioner's Office (ICO).

To exercise any of these rights, email privacy@ghochen.com or use the data tools in your account settings.

Cookies

See our cookie policy for details on the cookies we use and how to control them.

Questions? Email legal@ghochen.com.

Ghochen Limited, a company registered in England and Wales.

Company No. 16578830. Registered office: 14/2E Docklands Business Centre, 10-16 Tiller Road, London E14 8PX, United Kingdom.

Privacy policy — Ghochen — Ghochen