Privacy Policy

Effective Date: 14th May 2026

Last material amendment: 5th June 2026 (addition of driver data subject access request procedure in Section 6 and Google Drive sub-processor disclosure in Section 12.1).

Business Name: Virtuous Restaurants Ltd
Website: www.virtuousrestaurants.com

Virtuous Restaurants (“we,” “us,” or “our”) values your privacy and is committed to protecting the personal information of our customers, restaurants, and delivery drivers. This Privacy Policy explains how we collect, use, store, and share personal data when you use our website, mobile apps, delivery driver app, or ordering widgets (“Platform”), and your rights regarding that information.

This Privacy Policy applies to users of our websites, mobile applications, and related services.

Our Privacy Policy explains how we collect, use, store, and protect your personal data, and your rights under UK GDPR and the Data Protection Act 2018.


1. Data We Collect

  • Customers:

    • Name, email, delivery address, payment details, order history, phone number (for account authentication via one-time passcode — OTP verification is required to create an account and place orders through the Platform).

    • Device and browser information, IP address, and cookies used in the ordering widget.

    • Location information if applicable for order tracking.

    • Loyalty and rewards data: points balance, transaction history, recent orders, common orders, likely orders, upsell items at checkout, and redemption records where a customer participates in a Partner Restaurant’s loyalty programme through the Platform.

  • Restaurants:

    • Business information, contact details, menu items, payment information, and tax documents.

    • Login credentials and device/browser data.

  • Delivery Drivers:

    • Name, email, phone number, vehicle details, licences and insurance documentation, background check information.

    • Location data collected during deliveries via the driver app.

    • Device identifiers, IP address, and app usage data.

  • Automatically Collected Information:

    • IP addresses, browser type, device identifiers, operating system, and usage analytics from the website, apps, and widgets.

    • Cookies and tracking technologies for functionality, performance, and analytics.

  • User-Generated Content:

    • Reviews, ratings, messages, and photos submitted through the Platform.


2. How Data Is Used

  • We use the information to:

    • Facilitate orders, deliveries, and payments.

    • Communicate with users regarding orders, account activity, service updates, and marketing (if consented) and to inform existing customers about the Virtuous Restaurants marketplace and partner restaurants in accordance with the Platform’s legitimate interests and Regulation 22(3) of the Privacy and Electronic Communications Regulations 2003, where the customer has not opted out.

    • Verify identity, eligibility, licences, and insurance for restaurants and drivers.

    • Improve and optimise the Platform’s functionality, performance, and security.

    • Comply with legal obligations, audits, and regulatory requirements.

    • Authenticate customers via one-time passcode (OTP) verification sent to the customer’s mobile phone number. Legal basis: performance of contract.

    • Operate restaurant-specific loyalty programmes, including recording points earned and redeemed. Legal basis: performance of contract (where a customer opts in to a restaurant’s loyalty programme).

Complaints, refunds, disputes and evidence handling: We process personal data (including messages, photos, videos, location/GPS data, and order records) strictly for administrative facilitation purposes only, in accordance with our Delivery Responsibility, Risk Allocation and Accountability Policy (incorporated into the Terms of Use). This includes forwarding evidence and messages to the relevant restaurant (or driver) when requested, and processing refunds or remedies solely where the restaurant has given prior written authorisation. We do NOT use such data to investigate, review, decide, determine, approve, deny, or otherwise influence the substantive outcome of any complaint, refund request, dispute, or risk allocation issue. All substantive decisions remain the sole responsibility of the relevant restaurant (subject always to non-excludable statutory consumer rights under UK law, including the Consumer Rights Act 2015).

Where the Platform operates autonomous delivery mechanisms, delivery location data, GPS coordinates, and delivery confirmation data from autonomous systems are processed on the legal basis of performance of contract (UK GDPR Article 6(1)(b)) to confirm delivery and document the completion of the order for risk allocation and dispute resolution purposes. No human driver accesses customer personal data in connection with autonomously delivered orders. Autonomous delivery confirmation data is retained in accordance with the retention periods set out in Section 10 of this Policy.

PIN confirmation data, including the timestamp and GPS coordinates at the point of delivery confirmation, is processed on the legal basis of performance of contract to document the completion of delivery and the transfer of risk in accordance with the Delivery Responsibility, Risk Allocation and Accountability Policy. Where an alternative confirmation method is used in place of PIN confirmation, the same legal basis and retention periods apply to the alternative confirmation record.


3. Cookies, Tracking, and Analytics

  • Essential cookies: Required for login sessions, ordering widget functionality, and cart/session management.

  • Non-essential cookies: Used for analytics, performance monitoring, and optional marketing.

  • Driver tracking: GPS/location data collected for routing and delivery purposes; only stored as long as necessary.

  • Users can opt out of non-essential cookies via browser/app settings.

  • Disabling essential cookies may limit Platform functionality.


4. How We Protect Your Data

We implement appropriate technical and organisational measures to safeguard your personal data:

  • Encryption: SSL encryption for sensitive data, including payment information

  • Access Control: Only authorised personnel can access personal data

  • Data Retention: Personal data is retained only as necessary or as required by law

  • Regular Audits: Security audits and risk assessments to maintain compliance

  • Data Hosting and Infrastructure: The Platform’s ordering, delivery, and driver application services are hosted on Google Firebase, a cloud infrastructure platform operated by Google LLC. The Firebase project is configured to process and store personal data within the United Kingdom and/or European Economic Area data centre regions. Google LLC acts as a sub-processor on our behalf under Google’s standard data processing terms, which incorporate the UK International Data Transfer Agreement and the EU Standard Contractual Clauses as applicable.

    Our technology infrastructure provider is contractually bound to process personal data exclusively on our documented instructions and may not access, use, disclose, or exploit personal data for any purpose of their own. Payment data is processed separately by Stripe and is never stored within the Firebase infrastructure. No system is completely secure, and users acknowledge that we cannot guarantee absolute security. Where applicable, we ensure appropriate technical and organisational measures are in place commensurate with the risk to data subjects.

  • The Platform is intended for users aged 18 and over only. You must be at least 18 years old to create an account or place an order through the Platform. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that a user is under 18 we will immediately suspend their account and delete their personal data. If you believe a person under 18 has created an account please contact support@virtuousrestaurants.com immediately.


5. Sharing Your Data

We do not sell personal information to third parties.

We may share personal information with:

  • Restaurants and drivers to fulfil orders.

  • Payment processors, delivery logistics providers, and other service partners: customer payments on the Platform’s ordering interface are processed via Stripe’s payment infrastructure, which supports card payments, Apple Pay, and Google Pay. Apple Pay and Google Pay transactions are processed through Stripe’s underlying payment infrastructure. For Stripe’s data processing terms and privacy practices, see stripe.com/gb/privacy.

  • Law enforcement or regulatory authorities as required by law.

  • In connection with mergers, acquisitions, or business transfers.

  • Aggregated or anonymised data for analytics or research purposes.

  • Analytics Providers: For Platform system performance monitoring, operational infrastructure analytics, and service optimisation. No analytics provider receives or processes data for the purpose of monitoring individual driver activity, acceptance rates, availability, or engagement patterns.

All third-party providers are GDPR-compliant and carefully vetted for data security.

Cloud infrastructure and hosting providers: The Platform uses Google Firebase (operated by Google LLC) as its cloud hosting infrastructure. Google LLC processes personal data as a sub-processor under binding data processing terms. Google LLC’s data processing is governed by Google’s Cloud Data Processing Addendum and the applicable UK IDTA. Google LLC does not use personal data processed through Firebase for Google’s own advertising or commercial purposes.

Marketplace App Data Processing:

Where a Partner Restaurant has opted in to participation in the Marketplace App (as defined in the Platform Services Agreement), the Platform will host, display, and make publicly available that restaurant’s menu content — including item names, descriptions, pricing, images, allergen summaries, and availability — for the purpose of enabling customer discovery and ordering. This constitutes processing of the restaurant’s operational content data and, where such content includes personal data, processing of personal data.

The Platform acts as data processor in respect of such customer personal data when processing it solely to facilitate individual orders placed through the Marketplace App. The restaurant remains the data controller for any personal data of its customers that flows through orders originating from the Marketplace App. The Platform processes such content data on the legal basis of: (a) performance of the contract with the Partner Restaurant, specifically the content licence granted in their Platform Services Agreement; and (b) the restaurant’s acknowledgement of the mandatory standard condition set out therein.

Partner Restaurants may withdraw from the Marketplace App at any time by written notice to admin@virtuousrestaurants.com, subject to any applicable notice period in their Platform Services Agreement. Following confirmed withdrawal, the Platform will remove the restaurant’s content from the Marketplace App within a reasonable operational period. Withdrawal does not affect any other processing activities described in this Policy.

When a customer places an order through the Marketplace App, the personal data collected at checkout (name, delivery address, email, phone number, payment details) is processed in the same manner as any other order placed through the Platform, as described in Section 1 and Section 2 of this Privacy Policy. No additional data categories are collected solely by reason of the order originating from the Marketplace App.

Partner Restaurants participating in the Marketplace App must ensure that their own customer-facing privacy notices and terms of service disclose that orders placed through their menus may be facilitated through a shared marketplace platform operated by Virtuous Restaurants Ltd, and that customer data will be processed in accordance with this Privacy Policy. This is required to satisfy the restaurant’s own transparency obligations as data controller under UK GDPR Article 13.

Payment data processing: Payment data is processed by Stripe in accordance with Stripe’s own privacy policy and data processing terms. The Platform does not store raw payment card data. In the event of a Stripe system failure, data breach, or processing error caused by Stripe’s systems, the Platform’s liability is limited in accordance with the Platform Services Agreement. Partner Restaurants are directed to Stripe’s own terms for their data processing obligations as Stripe Connect account holders.


6. Your Rights Under GDPR

You have the right to:

  • Access: Request a copy of your personal data

  • Rectification: Correct inaccuracies in your data

  • Erasure: Request deletion of your data (“right to be forgotten”)

  • Restriction of Processing: Limit how your data is used

  • Data Portability: Receive your data in a machine-readable format

  • Object to Processing: Object to processing for legitimate interests or marketing

  • Withdraw Consent: Withdraw consent where applicable

To exercise any rights, contact us at support@virtuousrestaurants.com. Registered independent drivers may submit rights requests to driver.support@virtuousrestaurants.com.

Data Subject Access Requests (DSARs) — Response Timeframe and Exemptions

We will respond to any data subject access request or other rights request without undue delay and in any event within one calendar month of receipt. Where a request is complex or we receive a high volume of requests simultaneously, we may extend this period by a further two months. Where an extension applies, we will inform you of the extension and the reasons for it within the first month of receiving your request.

Where we decide not to take action on a request, we will inform you without undue delay and in any event within one calendar month of receipt, explaining our reasons and your right to lodge a complaint with the ICO.

Where the Platform is conducting an active fraud investigation or compliance review in connection with your account, and where disclosure of the information requested in a DSAR would be likely to prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty, we may apply the relevant exemptions under Schedule 2, Part 1 of the Data Protection Act 2018 to withhold or restrict the specific information that forms part of that active investigation. Where such an exemption is applied, we will inform you that an exemption has been applied and identify the relevant Schedule 2 provision, to the extent that doing so does not itself prejudice the investigation. This exemption is applied on a case-by-case basis and does not affect your right to access information unrelated to an active investigation, nor does it affect your right to complain to the ICO.

Where the ICO is succeeded, merged or replaced into a successor data protection authority, references to the ICO in this Policy shall be read as references to the successor body exercising equivalent regulatory functions.

Registered independent drivers requesting access to their personal data held by the Platform will receive access to their individual compliance records held securely in the Platform’s driver compliance system, shared directly with the requesting driver in a commonly used format within 30 calendar days of a valid request submitted to driver.support@virtuousrestaurants.com.


7. International Transfers

Your personal data may be transferred or stored outside your country of residence. We ensure such transfers comply with GDPR using appropriate safeguards, such as the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses, as applicable, in accordance with UK GDPR.

Where our technology services involve processing outside the UK, we ensure appropriate safeguards including the UK IDTA are in place.

Where personal data is processed through Google Firebase infrastructure, Google LLC’s standard contractual clauses and the UK International Data Transfer Agreement are in place to govern any transfers of personal data from the United Kingdom to Google LLC’s corporate structure. The Platform configures Firebase data storage and processing to remain within UK and/or EEA regional boundaries to the maximum extent technically available. Users may request further details on the transfer safeguards in place by contacting support@virtuousrestaurants.com.


8. Additional Privacy Safeguards and User Rights

The Platform is not intended for use by anyone under the age of 18; if we become aware that we have collected information from anyone under 18, we will promptly delete it. Personal data, including order history, account information, and driver location data, is retained only for as long as necessary to provide services, comply with legal obligations, or for legitimate business purposes, with specific retention periods applied where applicable (e.g., 7 years for tax documents; 7 years for order and transaction records). Marketing communications are sent only to users who have opted in, and users may withdraw consent or opt out at any time.

Informational communications about the Platform’s marketplace and partner restaurants may also be sent to existing customers on the basis of the Platform’s legitimate interests under Regulation 22(3) of the Privacy and Electronic Communications Regulations 2003. Each such communication includes a clear opt-out mechanism. Customers who opt out will not receive further marketplace communications.

For users outside the UK, all data processing and transfers comply with applicable data protection laws, including GDPR and equivalent international privacy regulations, and users retain all rights granted under their local laws. By continuing to use the Platform, all users acknowledge and accept these practices regarding data collection, retention, tracking, and marketing communications.

Certain processing activities (e.g. marketing communications and non-essential cookies) rely on your consent. You can withdraw consent at any time without affecting core services. See section 6 for your rights and how to opt out.


9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Where changes are material — including any changes that affect how we process your personal data, the purposes for which we process it, your rights under this Policy, or our legal obligations — we will notify you via email or a prominent in-app or on-site notice before those changes take effect, in accordance with Section 12.14 below. Minor corrections, clarifications, and updates that do not affect the substance of how we process your personal data may be posted without advance notice. The Last Material Amendment date at the top of this Policy will be updated on each material revision.


10. Data Retention, Automated Deletion & Overwriting, and Related Safeguards

10.1 Principles of Retention

  • We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including order fulfilment, account management, administration, audits, dispute resolution, and legal obligations.

  • When retention is no longer necessary, we securely delete, anonymise, or overwrite data, unless further retention is required by law (e.g., tax, accounting, litigation).

  • We apply the principle of least retention: keeping data only as long as necessary to meet legal and business needs.

10.2 Typical Retention Periods
Below are the standard retention durations we apply (subject to legal requirements and internal needs). These are aligned with best practices used in online restaurant and food-ordering platforms:

  • Order and transaction records: retained for 7 years for tax, accounting, and audit purposes.

  • Customer account and profile data (non-transactional): retained for up to 5 years from the date of last active use. If a user becomes inactive or deletes their account, personal information is removed unless legal obligations require otherwise.

  • Driver and restaurant verification and compliance documents: retained for 6 years after the end of the business relationship to meet audit, insurance, and legal requirements.

  • Location, GPS, and delivery route data: retained for 30 days after delivery completion, unless required longer for dispute resolution, investigation, or legal compliance. For delivery evidence forming part of a dispute record, see Section 10.9.

  • Marketing consent and communication preference data: retained until consent is withdrawn, plus an additional 1 year to maintain evidence of consent history.

  • Usage, device, and analytics data: retained for between 1 and 3 years, after which any personal identifiers are removed or anonymised so that individuals cannot be identified.

  • Loyalty points and rewards data: retained for the duration of active programme participation and for 2 years following last account activity, unless the customer requests earlier deletion.

Note that Partner Restaurants, as separate independent data controllers, retain their own records of orders in accordance with their own retention schedules and legal obligations, which may differ from this Platform retention schedule. Please refer to the relevant Partner Restaurant’s Privacy Policy for their retention periods.

10.3 Deletion, Anonymisation & Overwriting

  • After the relevant retention period ends, we securely delete data from active systems.

  • If full deletion is not feasible (e.g., due to backup systems or logs), we overwrite or pseudonymise personal identifiers so that individuals can no longer be identified.

  • For transactional records that must remain for legal compliance, we remove or mask personal identifiers wherever possible while preserving essential non-identifying details for accounting and audit purposes.

10.4 Right to Request Deletion / Erasure (“Right to be Forgotten”)

  • You may request erasure of your personal data at any time, subject to the constraints of this retention scheme and legal obligations.

  • If your request relates to data that is still required for a legal or operational purpose (e.g., tax records, open disputes), we will comply to the maximum permissible extent by removing what can be removed or masking identifiers.

  • We will respond to a deletion request without undue delay, and at most within 30 calendar days (or longer where complexity requires, in which case we will notify you).

10.5 Backup & Archive Retention

  • Backups or archives may retain historical snapshots for a limited period, generally between 90 days and 1 year, depending on system architecture.

  • Data in backups or archives is subject to the same deletion or anonymisation rules once the retention period in the live system has expired.

  • Access to backups and archives is restricted, encrypted, and read-only, except for necessary recovery operations.

10.6 Legal Holds / Exceptional Retention

  • In the event of litigation, regulatory investigation, or legal obligation, we may place a “legal hold” on specific records, temporarily suspending deletion until obligations have been met.

  • Legal holds are limited to the minimum necessary scope and duration.

10.7 Recordkeeping & Audit Trails

  • We maintain internal logs of all deletion, anonymisation, or overwriting actions, including timestamp, data category, and responsible system or agent.

  • Audit trails (with minimal metadata) are retained for at least 3 years to demonstrate compliance with our retention policy.

10.8 User Notification & Transparency

  • When you request erasure, or when we anonymise or delete your data, we will inform you of which data was removed or anonymised, unless doing so would compromise other users’ privacy or legal obligations.

  • If we cannot fully erase data due to legal or technical constraints, we will explain the reasons for partial retention or masking.

10.9 Complaints and Dispute-Related Data

Data relating to complaints, refunds, disputes, or delivery evidence (including photographs, videos, messages, and location data) is retained only for as long as necessary to provide administrative facilitation, resolve any related logistical matters, meet legal obligations, or support audits — generally no longer than 180 days from the date of delivery unless a longer period is required by law. Once the dispute is resolved or the retention period ends, such data is securely deleted, anonymised, or overwritten in accordance with our formal data retention schedule. All processing and sharing of this data is governed by the Delivery Responsibility, Risk Allocation and Accountability Policy, which takes precedence on these matters.

For the avoidance of doubt, records relating to commercial invoices issued to Partner Restaurants, including the order details, refund amounts, and payment confirmation that form the basis of such invoices, constitute financial and transactional records and are retained for 7 years in accordance with Section 10.2 of this Policy and applicable tax and accounting obligations, regardless of whether they also relate to a customer complaint or delivery dispute. The 180-day dispute-data retention period applies to operational evidence (photographs, videos, GPS data, messages) and does not reduce the retention period applicable to financial records.


11. Third-Party Integrations, Embedded Content, and Automated Processing

11.1 Third-Party Links and Integrations

  • Our Platform may contain links to, or integrate with, third-party websites, APIs, or services (including but not limited to payment processors, mapping services, social media platforms, and analytics providers).

  • These third parties operate independently and have their own privacy policies. We are not responsible for the content, security, or data handling practices of third-party sites or services.

  • We recommend users review the privacy policies of any third-party services they interact with through our Platform.

11.2 Embedded Content

  • Content embedded from third-party platforms (such as videos, maps, or widgets) may collect information about your interactions, devices, or IP address.

  • Embedded content providers may use cookies, tracking pixels, or other technologies, which are outside our direct control.

  • We advise users to review embedded content providers’ privacy policies to understand how they process data.

11.3 Automated Decision-Making and Profiling

  • Our Platform may use automated systems and algorithms to assist with delivery routing optimisation, fraud prevention and risk assessment, personalised recommendations and content suggestions, and operational analytics for efficiency and service improvements.

  • We comply with the updated rules on automated decision-making under the Data (Use and Access) Act 2025.

  • Where these processes involve solely automated decision-making that may have legal or similarly significant effects on individuals and involve special category data, we apply the stricter requirements of UK GDPR. For non-special category data, such processing is generally permitted subject to appropriate safeguards.

  • Users have the right to request meaningful information about the logic involved, to request human review of any automated decision affecting them, to make representations, and to contest the decision.

The Platform operates a compliance monitoring system that automatically analyses claim patterns, delivery GPS records, evidence submission records, and order data across user accounts over time to identify patterns consistent with systematic or repeated fraud, as described in the Delivery Responsibility, Risk Allocation and Accountability Policy Section 15.3B. This automated monitoring may result in a user’s account being escalated for enhanced compliance review, which may include requiring additional verification steps before further claims are processed, or may ultimately result in the Platform exercising its right to cease providing technology access to a verified fraudulent user under Section 15.3A of the Accountability Policy. These outcomes may constitute automated decisions with a significant effect on the relevant user. Users subject to any such automated determination have the right to request human review of that determination by contacting support@virtuousrestaurants.com, to make representations to the Platform regarding the assessment, and to request meaningful information about the logic and data underlying the automated conclusion. Such requests will be responded to within one calendar month, subject to any applicable exemptions under Schedule 2 of the Data Protection Act 2018 where an active fraud investigation is ongoing.

11.4 Transparency and User Rights

  • Where automated processing is used to make decisions impacting users’ experience, we ensure:

    • Transparency about the purpose and logic of the processing

    • Opportunity for human intervention, correction, or objection

    • Compliance with all applicable UK GDPR and DPA 2018 requirements regarding fairness, accuracy, and accountability

11.5 Data Minimisation in Third-Party Use

  • We only share or process data with third-party providers to the extent necessary for operational purposes.

  • Personal identifiers are pseudonymised or anonymised wherever possible.

11.6 Third-Party & Risk Mitigation

  • All third-party providers are carefully vetted for GDPR compliance, data security, and reliability.

  • Contracts with third-party service providers include binding data protection obligations, confidentiality agreements, and audit rights.

  • Any automated system used is regularly monitored, updated, and tested to ensure compliance with privacy, security, and ethical standards.

11.7 User Consent and Opt-Out

  • Users retain full control over optional data shared with third-party services.

  • Users may withdraw consent for optional processing at any time without affecting core services.

  • Users can opt out of non-essential cookies.

11.8 Liability Disclaimer

  • While we enforce strict contractual and technical safeguards, we cannot guarantee the practices of independent third-party services or embedded content providers.

  • Users acknowledge and accept that interactions with third-party content or upsell recommendations are at their own discretion.

11.9 Separate Programs

Data collected through the Referral & Affiliate Program and the Virtuous Delivery Platform (driver registration) are processed separately and solely for the purposes of the respective program. Participation in one program does not imply consent, access, or rights to the other program.

11.10 The Platform’s ordering, menu management, and application services are provided through third-party technology infrastructure and development service providers acting as data processors under binding Article 28 data processing agreements. Such providers are contractually prohibited from accessing, using, or disclosing personal data except strictly as required to provide the technical services to the Platform. The identity and categories of these providers are disclosed in accordance with the Platform’s data subject access request procedures and applicable UK GDPR transparency obligations.


12. Legal Basis, DPO, Breach, Children, Consent, Third Parties, Retention, and Accountability

12.1 Legal Basis for Processing
We process your personal data only when we have a valid legal basis under UK GDPR:

  • Performance of contract: for orders, deliveries, and payments.

  • Legal obligation: for tax, audit, or regulatory compliance.

  • Legitimate interests: for operational analytics, platform optimisation, and security, provided your rights are not overridden.

  • Consent: for marketing communications, non-essential cookies, and optional personalisation features.

We document and regularly review the legal basis for all processing activities.

Criminal records and background check data: Where the Platform collects background check information from delivery drivers for the purpose of right-to-work verification and platform safety compliance, such data is processed on the basis of legal obligation (to the extent required by applicable UK employment and immigration law) and, where it constitutes criminal convictions data as defined under UK GDPR Article 10, under Schedule 1, Part 1, paragraph 6 of the Data Protection Act 2018 (processing necessary for the purposes of preventing or detecting unlawful acts) and/or Schedule 1, Part 2 as applicable. Background check data is processed solely for the purposes of driver registration compliance and is retained in accordance with Section 10.2 of this Privacy Policy. It is not shared with third parties except where required by law or where the driver’s consent has been obtained.

Sub-processor authorisation: The Platform has authorised Google LLC (operating Google Firebase cloud infrastructure) as a sub-processor for the purposes of hosting and operating the Platform’s ordering and delivery technology. This authorisation is documented in the Platform’s Article 28 data processing agreement with its technology infrastructure provider. All sub-processors are bound by data processing obligations no less protective than those imposed on the Platform under UK GDPR.

The Platform additionally uses Google Drive, operated by Google LLC, as secure cloud storage for driver onboarding and compliance documentation. Google LLC processes this data as a sub-processor under the same binding data processing terms applicable to Firebase, and does not use such data for Google’s own purposes.

12.2 Data Protection Contact / Privacy Contact
We have appointed a Data Protection Contact to oversee compliance. You may contact our Data Protection Contact at: vaibhav@virtuousrestaurants.com for any questions or concerns regarding your personal data.

12.3 ICO / Regulatory Complaint Instructions
If you are unsatisfied with our handling of your personal data, you may lodge a complaint with the UK Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns/ or by calling 0303 123 1113.

12.4 Children’s Privacy
The Platform is intended for users aged 18 and over only. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that a user is under 18, we will immediately suspend their account and delete their personal data. For the purposes of UK GDPR data protection obligations, we additionally confirm that we do not offer information society services directly to children under the age of 13 and will delete any such data immediately upon discovery.

12.5 Data Breach Notification
In the event of a personal data breach, we will notify affected users without undue delay and the ICO within 72 hours, where required. Notifications will include the nature of the breach, potential impacts, and recommended actions for users.

12.6 Data Minimisation & Purpose Limitation
We collect only the minimum personal data necessary for the purposes outlined in this Privacy Policy. Data is used exclusively for order processing, account management, delivery, legal compliance, operational optimisation, or marketing where consent has been provided.

12.7 Data Accuracy & User Responsibility
Users are responsible for providing accurate and complete information. We make reasonable efforts to maintain data accuracy and will promptly correct errors upon request.

12.8 Data Transfer & Safeguards
Where personal data is transferred outside the UK or EEA, we implement safeguards such as the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses, encryption, and access restrictions, in compliance with UK GDPR.

We use the ICO’s three-step test to identify restricted transfers and apply safeguards such as the UK International Data Transfer Agreement (IDTA) or UK Addendum where required.

12.9 Automated Decision-Making & Profiling
We may use automated systems and algorithms to optimise delivery routing, prevent fraud, provide personalised recommendations, or conduct operational analytics.

  • These processes do not create legal effects or similarly significant effects unless explicitly stated.

  • Users have the right to request human review, contest automated decisions, and receive meaningful information about the logic, significance, and consequences of automated processing affecting them.

12.10 Third-Party & Embedded Content
Our Platform may integrate with third-party websites, APIs, or embedded content (e.g., payment processors, maps, videos).

  • Third parties operate independently and have their own privacy policies.

  • Interactions with third-party content are at your own discretion.

  • We conduct due diligence and apply contractual safeguards to mitigate risk, but we cannot guarantee third-party practices.

12.11 Retention, Deletion, & Consent Management

  • Personal data is retained only as long as necessary for legal, tax, or operational purposes.

  • Users may request deletion, and we will comply unless legal obligations prevent full erasure.

  • Withdrawn consents are immediately enforced for optional processing, marketing and cookies.

12.12 Audit & Accountability
We maintain audit logs of all data processing, sharing, deletion, and access events. Logs are regularly reviewed to ensure accountability and compliance with UK GDPR and other applicable laws.

12.13 Security & Liability Disclaimer
We implement industry-standard technical and organisational safeguards, but no system can be completely secure. Users acknowledge and accept residual risk when using the Platform.

12.14 Updates to the Privacy Policy
Material changes to this Privacy Policy will be notified to users via email or a prominent notice on the Platform before changes take effect. The effective date will be updated accordingly.

12.15 Additional Clauses 

  • Force Majeure / System Failures: We are not liable for data loss or interruptions caused by events beyond our reasonable control.

  • Governing Law / Jurisdiction: This Privacy Policy is governed by the laws of the United Kingdom.

  • Severability: If any provision of this Privacy Policy is invalid or unenforceable, the remaining provisions remain in full effect.


13. Platform Applications — Data Collection and Mobile Compliance

13.1 Platform Applications

The Platform operates or will operate three distinct applications. Each collects different categories of personal data appropriate to its function.

Virtuous Restaurants — Customer Facing

Data collected includes name, email address, delivery address, phone number for OTP verification, order history, payment details processed through Stripe, device identifiers, IP address, and location data where provided for order tracking. Camera access is not required. Push notification permission may be requested for order status updates. This application is intended for users aged 18 and over only.

Virtuous Restaurants Console — Restaurant Facing

Data collected includes restaurant staff login credentials, order data, device identifiers, IP address, and app usage data. Location data is not collected through this application. Push notification permission may be requested for incoming order alerts. This application is intended for authorised restaurant staff only and is not a consumer-facing application.

Virtuous Restaurants Driver — Driver Facing

Data collected includes driver name, contact details, GPS and location data collected continuously during active delivery periods for routing and delivery documentation purposes, timestamped photographic evidence captured through the application at the point of collection and delivery, device identifiers, and app usage data. Camera access is required to capture pre-seal photographic verification and delivery evidence in accordance with the Platform’s delivery documentation obligations. Location data is collected only during active delivery sessions and is retained for 30 days after delivery completion unless required longer for dispute resolution. Push notification permission is required for delivery opportunity alerts. This application is intended for registered independent drivers only.

13.2 Device Permissions

Location — required by Virtuous Restaurants Driver during active delivery sessions. Optional in Virtuous Restaurants for order tracking. Not collected by Virtuous Restaurants Console.

Camera — required by Virtuous Restaurants Driver for delivery documentation. Not required by Virtuous Restaurants or Virtuous Restaurants Console.

Push Notifications — may be requested by all three applications for order and delivery alerts. Users may disable notifications through device settings without affecting core application functionality.

All data collected through each application is processed in accordance with the legal bases and retention periods set out in this Privacy Policy.

13.3 App Store and Google Play Compliance

Data collected through each application is processed solely for the purposes described in this Privacy Policy. No data collected through any application is used for purposes inconsistent with what is disclosed here.

For iOS users: The Platform complies with Apple’s App Tracking Transparency framework. Where device-level identifiers are used for analytics purposes, the Platform will request permission through the system prompt before accessing the IDFA. Users may withdraw this permission at any time through their device settings without affecting access to core application functionality.

For Android users: The Platform’s data collection and use practices for each application are disclosed in the respective Google Play Data Safety sections in accordance with Google Play Developer Programme Policies. The information provided in each Data Safety section is consistent with this Privacy Policy.

The Platform does not share personal data collected through any application with data brokers. The Platform does not use data collected through any application for interest-based advertising without explicit user consent.

No application is intended for users under the age of 18. For the purposes of UK GDPR data protection obligations, we additionally confirm that no application is directed at children under the age of 13. If we become aware that a child under 13 has created an account or provided personal data through any application, we will delete it immediately.

For any questions about data practices in connection with any of the Platform’s applications, contact support@virtuousrestaurants.com.


14. Virtuous Restaurants® WhatsApp Onboarding & Registered Drivers Policy

14.1 Introduction
Virtuous Restaurants® (“the Company,” “we,” “us”) uses WhatsApp solely as an optional communication channel to provide onboarding support, share general updates, and notify drivers of official delivery opportunities. Participation in WhatsApp communications is entirely voluntary, and drivers may leave the group at any time without consequence. All delivery assignments must be accepted and recorded through the official App, which serves as the only system of record. WhatsApp messages do not create any obligation, employment relationship, or entitlement to work or compensation.

We use WhatsApp (owned by Meta) as a communication channel. Meta acts as an independent controller for its own processing. Please review Meta’s privacy policy. For higher compliance, we recommend and review use of the WhatsApp Business API where feasible.

14.2 Virtuous Restaurants® Registered Independent Drivers WhatsApp Support Channel – for approved drivers eligible to receive delivery opportunities.
Presence in the group is voluntary and does not guarantee access to jobs, work, or income.

14.3 Data Collected
We process only the data necessary for WhatsApp group operations:

  • Messages sent from phone numbers within the official group, such as questions or comments

  • Participation logs, engagement, and admin interactions

  • First and last name for recognition or official communications

  • Documents submitted for registration, verification, or approval

  • Any operational data required for compliance, auditing, or dispute resolution

14.4 Legal Basis for Processing

  • Consent – for public display of your name, phone number, and messages in the official WhatsApp group.

  • Legitimate Interests – for onboarding, operational management, compliance, auditing, dispute resolution, and official group communications.

14.5 Voluntary Participation & No Guarantee

  • Participation in the Registered Drivers group is voluntary.

  • Completing the registration form does not guarantee an invitation to the Registered Drivers group or access to any delivery opportunities.

  • Membership does not create employment, agency, or contractual rights.

14.6 Consent for Public Display & Communications
By participating, you consent to:

  • Public display of your phone number, messages, announcements or any recognition posts sent by the Admin.

  • Logging of messages and participation solely for operational, compliance, auditing, or dispute resolution purposes.

You may withdraw consent to be in the WhatsApp group at any time via driver.support@virtuousrestaurants.com. Withdrawal does not affect the lawfulness of prior processing but may result in removal from, or limited participation in, the WhatsApp group.

14.7 Security Responsibilities
Drivers are solely responsible for securing their WhatsApp accounts and devices.
Virtuous Restaurants® applies technical and organisational measures to protect your data.
The Company is not liable for losses caused by compromised accounts, devices, unofficial contacts, or actions outside official channels.

14.8 Official Channels & Scam Protection

  • Admin will only communicate publicly in the official WhatsApp group.

  • Any DM, WhatsApp, SMS, or unofficial contact claiming to be admin is a scam — block and delete immediately.

  • Only official Driver Registration Form links sent from driver.support@virtuousrestaurants.com or notifications@legalesign.com are valid.

  • No registration fees, charges, or offers outside the official channels are valid. Do not engage with anyone contacting you privately claiming to be an Admin, as such messages are fraudulent. The authorised Admin communicates exclusively through public broadcasts to the group and will never contact drivers via private message or phone call.

14.9 Audit & Monitoring
All communications may be logged or monitored solely for:

  • Compliance

  • Operational integrity

  • Auditing and dispute resolution

No other surveillance is intended or authorised.

14.10 Data Retention
Data is retained only as long as necessary for onboarding, operational, compliance, recognition, auditing, or dispute-resolution purposes.
Once no longer required, data is securely deleted or anonymised.
Maximum retention period for any personal data is 5 years unless operational, legal, or regulatory obligations require longer storage.

14.11 Withdrawal & Complaints
You may withdraw consent from the Independent Driver WhatsApp group at any time by leaving the group or contacting driver.support@virtuousrestaurants.com.

Complaints may be submitted to the UK Information Commissioner’s Office (ICO).

14.12 Termination & Group Management
Virtuous Restaurants® may suspend or remove participants from the Registered Drivers group at any time, with or without notice, for:

  • Non-compliance with these Terms, the Platform’s Privacy Policy, or applicable law.
  • Verified breach of Platform security or communication protocols, including impersonation, phishing, or unauthorised contact attempts within or in connection with the group.
  • Operational requirements, including where the group is discontinued or restructured.

Continued participation does not grant employment, agency, or worker rights.

14.13 Liability Disclaimer
Virtuous Restaurants® is not liable for:

  • Missed earnings or delivery opportunities

  • Disputes between drivers

  • Actions taken outside official channels

  • Losses caused by unsecured devices or unauthorised communications.

All work, postings, and communications are fully voluntary, optional and performance-based, and do NOT guarantee income or assignments.

14.14 Governing Law
This Policy is governed by the laws of England & Wales.

14.15 Acknowledgement
By registering and participating in the WhatsApp group, drivers:

  • Confirm they have read, understood, and agreed to this Policy.

  • Understand participation is voluntary, independent, and fully compliant with UK subcontractor law and GDPR.

  • Consent to public display of their first and last name in official communications and admin messages.

  • Agree to use official channels only and ignore all unauthorised/unofficial communications.

  • Understand that all work, postings, and communications are optional, performance-based, and do not guarantee income or assignments.

  • Accept that continued participation after updates constitutes acceptance of future amendments.


15. Contact Us

In the unlikely event of a data breach affecting your personal information, we will notify affected users without undue delay and, where required, the ICO within 72 hours. We will provide information on the nature of the breach, potential impacts, and steps you can take to protect yourself.

If you are unsatisfied with our handling of your personal data, you may lodge a complaint with the UK Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns/ or by calling 0303 123 1113.

For questions or concerns regarding your personal data or this Privacy Policy:

Virtuous Restaurants Ltd
Email: support@virtuousrestaurants.com
Phone: +44 78 61 409509


Privacy Policy — Version 1.1
Effective 14 May 2026
Virtuous Restaurants Ltd — Company No. 16314621

This Privacy Policy is governed by the laws of England and Wales and complies with the UK General Data Protection Regulation and the Data Protection Act 2018. For correspondence regarding this Policy or to exercise your data rights contact support@virtuousrestaurants.com.

Related documents:

Terms Of Use — virtuousrestaurants.com/terms/

Accountability Policy — virtuousrestaurants.com/accountability/

Authorised Communications — virtuousrestaurants.com/authorised-communications/

 

© 2026 Virtuous Restaurants Ltd. All rights reserved.