Effective Date: 1st May 2025
Business Name: Virtuous Restaurants Ltd
Website & Dashboard: www.virtuousrestaurants.com
Virtuous Restaurants (“we,” “us,” or “our”) values your privacy and is committed to protecting the personal information of our customers, restaurants, and delivery drivers. This Privacy Policy explains how we collect, use, store, and share personal data when you use our website, mobile apps, delivery driver app, or ordering widgets (“Platform”), and your rights regarding that information.
Your privacy is a top priority. Our Privacy Policy explains how we collect, use, store, and protect your personal data, and your rights under UK GDPR and the Data Protection Act 2018.
Customers:
Name, email, phone number, delivery address, payment details, order history.
Device and browser information, IP address, and cookies used in the ordering widget.
Location information if applicable for order tracking.
Restaurants:
Business information, contact details, menu items, payment information, and tax documents.
Login credentials and device/browser data.
Delivery Drivers:
Name, email, phone number, vehicle details, license and insurance documentation, background check information.
Location data collected during deliveries via the driver app.
Device identifiers, IP address, and app usage data.
Automatically Collected Information:
IP addresses, browser type, device identifiers, operating system, and usage analytics from the website, apps, and widgets.
Cookies and tracking technologies for functionality, performance, and analytics.
User-Generated Content:
Reviews, ratings, messages, and photos submitted through the Platform.
We use the information to:
Facilitate orders, deliveries, and payments.
Communicate with users regarding orders, account activity, service updates, and marketing (if consented).
Verify identity, eligibility, licenses, and insurance for restaurants and drivers.
Improve and optimise the Platform’s functionality, performance, and security.
Comply with legal obligations, audits, and regulatory requirements.
Essential cookies: Required for login sessions, ordering widget functionality, and cart/session management.
Non-essential cookies: Used for analytics, performance monitoring, and optional marketing.
Driver tracking: GPS/location data collected for routing and delivery purposes; only stored as long as necessary.
Users can opt out of non-essential cookies via browser/app settings.
Disabling essential cookies may limit Platform functionality.
We implement appropriate technical and organisational measures to safeguard your personal data:
Encryption: SSL encryption for sensitive data, including payment information
Access Control: Only authorised personnel can access personal data
Data Retention: Personal data is retained only as necessary or as required by law
Regular Audits: Security audits and risk assessments to maintain compliance
Data Hosting: All personal data collected through the AI-Assistant Dashboard is securely stored on a dedicated UK-based server, ensuring full compliance with UK data protection regulations. Our server infrastructure provides ISO-certified security, robust encryption, high availability, fast performance, proactive monitoring and rapid threat response, guaranteeing the integrity, confidentiality and reliability of your information. No system is completely secure, and users acknowledge that we cannot guarantee absolute security.
The Platform is not intended for children under 13: We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected such data, it will be deleted immediately.
We do not sell personal information to third parties.
We may share personal information with:
Restaurants and drivers to fulfill orders.
Payment processors, delivery logistics providers, and other service partners.
Law enforcement or regulatory authorities as required by law.
In connection with mergers, acquisitions, or business transfers.
Aggregated or anonymised data for analytics or research purposes.
All third-party providers are GDPR-compliance and carefully vetted for data security.
You have the right to:
Access: Request a copy of your personal data
Rectification: Correct inaccuracies in your data
Erasure: Request deletion of your data (“right to be forgotten”)
Restriction of Processing: Limit how your data is used
Data Portability: Receive your data in a machine-readable format
Object to Processing: Object to processing for legitimate interests or marketing
Withdraw Consent: Withdraw consent where applicable
To exercise any rights, contact us at support@virtuousrestaurants.com
Your personal data may be transferred or stored outside your country of residence. We ensure such transfers comply with GDPR using appropriate safeguards, such as standard contractual clauses.
The AI-Assistant dashboard data remains primarily on our dedicated UK-based server, with international transfers only where legally required and safeguarded.
The Platform is not intended for use by children; if we become aware that we have collected information from a child, we will promptly delete it. Personal data, including order history, account information, and driver location data, is retained only for as long as necessary to provide services, comply with legal obligations, or for legitimate business purposes, with specific retention periods applied where applicable (e.g., 7 years for tax documents, 5 years for order history). Marketing communications are sent only to users who have opted in, and users may withdraw consent or opt out at any time they wish to. For users outside the UK, all data processing and transfers comply with applicable data protection laws, including GDPR and equivalent international privacy regulations, and users retain all rights granted under their local laws. By continuing to use the Platform, all users acknowledge and accept these practices regarding data collection, retention, tracking, and marketing communications. By continuing to use the Platform, all users acknowledge and accept these practices regarding data collection, retention, tracking, and marketing communications
We may update this Privacy Policy at any time. Updates will be posted on this page, and the Effective Date will be revised. Please review periodically to stay informed about how we protect your personal data.
10.1 Principles of Retention
We retain personal data only for as long as is necessary to fulfill the purposes for which it was collected, including order fulfilment, account management, administration, audits, dispute resolution, and legal obligations.
When retention is no longer necessary, we securely delete, anonymise, or overwrite data, unless further retention is required by law (e.g., tax, accounting, litigation).
We apply the principle of least retention: keeping data only as long as necessary to meet legal and business needs.
10.2 Typical Retention Periods
Below are the standard retention durations we apply (subject to legal requirements and internal needs). These are aligned with best practices used in online restaurant and food-ordering platforms:
Order and transaction records: retained for 7 years for tax, accounting, and audit purposes.
Customer account and profile data (non-transactional): retained for up to 5 years from the date of last active use. If a user becomes inactive or deletes their account, personal information is removed unless legal obligations require otherwise.
Driver and restaurant verification and compliance documents: retained for 6 years after the end of the business relationship to meet audit, insurance, and legal requirements.
Location, GPS, and delivery route data: retained for 30 days after delivery completion, unless required longer for dispute resolution, investigation, or legal compliance.
Marketing consent and communication preference data: retained until consent is withdrawn, plus an additional 1 year to maintain evidence of consent history.
Usage, device, and analytics data: retained for between 1 and 3 years, after which any personal identifiers are removed or anonymised so that individuals cannot be identified.
10.3 Deletion, Anonymisation & Overwriting
After the relevant retention period ends, we securely delete data from active systems.
If full deletion is not feasible (e.g., due to backup systems or logs), we overwrite or pseudonymise personal identifiers so that individuals can no longer be identified.
For transactional records that must remain for legal compliance, we remove or mask personal identifiers wherever possible while preserving essential non-identifying details for accounting and audit purposes.
10.4 Right to Request Deletion / Erasure (“Right to be Forgotten”)
You may request erasure of your personal data at any time, subject to the constraints of this retention scheme and legal obligations.
If your request relates to data that is still required for a legal or operational purpose (e.g., tax records, open disputes), we will comply to the maximum permissible extent by removing what can be removed or masking identifiers.
We will respond to a deletion request without undue delay, and at most within 30 calendar days (or longer if complexity requires, notifying you).
10.5 Backup & Archive Retention
Backups or archives may retain historical snapshots for a limited period, generally between 90 days and 1 year, depending on system architecture.
Data in backups or archives is subject to the same deletion or anonymisation rules once the retention period in the live system has expired.
Access to backups and archives is restricted, encrypted, and read-only, except for necessary recovery operations.
10.6 Legal Holds / Exceptional Retention
In the event of litigation, regulatory investigation, or legal obligation, we may place a “legal hold” on specific records, temporarily suspending deletion until obligations have been met.
Legal holds are limited to the minimum necessary scope and duration.
10.7 Recordkeeping & Audit Trails
We maintain internal logs of all deletion, anonymisation, or overwriting actions, including timestamp, data category, and responsible system or agent.
Audit trails (with minimal metadata) are retained for at least 3 years to demonstrate compliance with our retention policy.
10.8 User Notification & Transparency
When you request erasure, or when we anonymise or delete your data, we will inform you of which data was removed or anonymised, unless doing so would compromise other users’ privacy or legal obligations.
If we cannot fully erase data due to legal or technical constraints, we will explain the reasons for partial retention or masking.
11.1 Third-Party Links and Integrations
Our Platform may contain links to, or integrate with, third-party websites, APIs, or services (including but not limited to payment processors, mapping services, social media platforms, and analytics providers).
These third parties operate independently and have their own privacy policies. We are not responsible for the content, security, or data handling practices of third-party sites or services.
We recommend users review the privacy policies of any third-party services they interact with through our Platform.
11.2 Embedded Content
Content embedded from third-party platforms (such as videos, maps, or widgets) may collect information about your interactions, devices, or IP address.
Embedded content providers may use cookies, tracking pixels, or other technologies, which are outside our direct control.
We advise users to review embedded content providers’ privacy policies to understand how they process data.
11.3 Automated Decision-Making and Profiling
Our Platform may use automated systems, algorithms, or AI (including the AI-Assistant dashboard) to assist with:
Delivery routing optimisation
Fraud prevention and risk assessment
Personalised recommendations and content suggestions
Operational analytics for efficiency and service improvements
These automated processes do not create legal effects or similarly significant effects on individuals unless explicitly stated.
Users have the right to request human review of any automated decision affecting them.
Users may also request meaningful information about the logic, significance, and intended consequences of automated processing.
11.4 AI Transparency and User Rights
Where AI or automated processing is used to make decisions impacting users’ experience, we ensure:
Transparency about the purpose and logic of the processing
Opportunity for human intervention, correction, or objection
Compliance with all applicable UK GDPR and DPA 2018 requirements regarding fairness, accuracy, and accountability
11.5 Data Minimisation in Third-Party and AI Use
We only share or process data with third-party providers or AI systems to the extent necessary for operational purposes.
Personal identifiers are pseudonymised or anonymised wherever possible, especially in analytics or AI-driven insights.
11.6 Third-Party & AI Risk Mitigation
All third-party providers and AI systems are carefully vetted for GDPR compliance, data security, and reliability.
Contracts with third-party service providers include binding data protection obligations, confidentiality agreements, and audit rights.
Any AI or automated system used is regularly monitored, updated, and tested to ensure compliance with privacy, security, and ethical standards.
11.7 User Consent and Opt-Out
Users retain full control over optional data shared with third-party services or used for AI personalisation and analytics.
Users may withdraw consent for optional processing at any time without affecting core services.
Users can opt out of non-essential cookies, tracking, or AI-driven personalisation via app, website, or account settings.
11.8 Liability Disclaimer
While we enforce strict contractual and technical safeguards, we cannot guarantee the practices of independent third-party services or embedded content providers.
Users acknowledge and accept that interactions with third-party content or AI-assisted recommendations are at their own discretion.
11.9 Separate Programs
Data collected through the Affiliate Program and the Virtuous Delivery Platform (driver registration) are processed separately and solely for the purposes of the respective program. Participation in one program does not imply consent, access, or rights to the other program.
12.1 Legal Basis for Processing
We process your personal data only when we have a valid legal basis under UK GDPR:
Performance of contract: for orders, deliveries, and payments.
Legal obligation: for tax, audit, or regulatory compliance.
Legitimate interests: for operational analytics, platform optimisation, and security, provided your rights are not overridden.
Consent: for marketing communications, non-essential cookies, and optional personalisation features.
We document and regularly review the legal basis for all processing activities.
12.2 Data Protection Officer (DPO) / Privacy Contact
We have appointed a Data Protection Officer to oversee compliance. You may contact our DPO at: vaibhav@virtuousrestaurants.com for any questions or concerns regarding your personal data.
12.3 ICO / Regulatory Complaint Instructions
If you are unsatisfied with our handling of your personal data, you may lodge a complaint with the UK Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns/ or by calling 0303 123 1113.
12.4 Children’s Privacy
The Platform is not intended for children under 13. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected such data, it will be deleted immediately.
12.5 Data Breach Notification
In the event of a personal data breach, we will notify affected users without undue delay and the ICO within 72 hours, where required. Notifications will include the nature of the breach, potential impacts, and recommended actions for users.
12.6 Data Minimisation & Purpose Limitation
We collect only the minimum personal data necessary for the purposes outlined in this Privacy Policy. Data is used exclusively for order processing, account management, delivery, legal compliance, operational optimisation, or marketing where consent has been provided.
12.7 Data Accuracy & User Responsibility
Users are responsible for providing accurate and complete information. We make reasonable efforts to maintain data accuracy and will promptly correct errors upon request.
12.8 Data Transfer & Safeguards
Where personal data is transferred outside the UK or EEA, we implement safeguards such as Standard Contractual Clauses, encryption, and access restrictions to ensure data protection compliance.
12.9 Automated Decision-Making & AI / Profiling
We may use automated systems, algorithms, or AI to optimise delivery routing, prevent fraud, provide personalised recommendations, or conduct operational analytics.
These processes do not create legal effects or similarly significant effects unless explicitly stated.
Users have the right to request human review, contest automated decisions, and receive meaningful information about the logic, significance, and consequences of automated processing affecting them.
12.10 Third-Party & Embedded Content
Our Platform may integrate with third-party websites, APIs, or embedded content (e.g., payment processors, maps, videos).
Third parties operate independently and have their own privacy policies.
Interactions with third-party content are at your own discretion.
We conduct due diligence and contractual safeguards to mitigate risk, but we cannot guarantee third-party practices.
12.11 Retention, Deletion, & Consent Management
Personal data is retained only as long as necessary for legal, tax, or operational purposes.
Users may request deletion, and we will comply unless legal obligations prevent full erasure.
Withdrawn consents are immediately enforced for optional processing, marketing, cookies, or AI personalisation.
12.12 Audit & Accountability
We maintain audit logs of all data processing, sharing, deletion, and access events. Logs are regularly reviewed to ensure accountability and compliance with UK GDPR and other applicable laws.
12.13 Security & Liability Disclaimer
We implement industry-standard technical and organisational safeguards, but no system can be completely secure. Users acknowledge and accept residual risk when using the Platform.
12.14 Updates to the Privacy Policy
Material changes to this Privacy Policy will be notified to users via email or a prominent notice on the Platform before changes take effect. The effective date will be updated accordingly.
12.15 Additional Clauses
Force Majeure / System Failures: We are not liable for data loss or interruptions caused by events beyond our reasonable control.
Governing Law / Jurisdiction: This Privacy Policy is governed by the laws of the United Kingdom.
Severability: If any provision of this Privacy Policy is invalid or unenforceable, the remaining provisions remain in full effect.
13.1 Introduction
Virtuous Restaurants® (“the Company,” “we,” “us”) uses Telegram exclusively to provide onboarding support and communicate official driver opportunities. Participation in onboarding and Registered Drivers Telegram groups is voluntary, independent, and does not create employment, agency, worker, franchise, or contractual rights.
Continued participation constitutes acceptance of this Policy, including any future updates. Updates may be posted publicly in Telegram or via email; continued participation after updates indicates consent.
13.2 Telegram Groups Covered
Virtuous Restaurants® Onboarding Drivers Telegram Support Channel – for new drivers completing lead-generation and onboarding steps.
Virtuous Restaurants® Registered Drivers Telegram Support Channel – for approved drivers eligible to receive delivery opportunities.
Membership in either group is voluntary and does not guarantee access to jobs, work, or income.
13.3 Data Collected
We process only the data necessary for Telegram group operations:
Telegram username and messages sent within official groups
Participation logs, engagement, and admin interactions
First and last name for recognition or official communications
Documents submitted for registration, verification, or approval
Any operational data required for compliance, auditing, or dispute resolution
13.4 Legal Basis for Processing
Consent – for public display of your first and last name, and messages in official Telegram groups.
Legitimate Interests – for onboarding, operational management, compliance, auditing, dispute resolution, and official group communications.
13.5 Voluntary Participation & No Guarantee
Participation in onboarding or Registered Drivers groups is voluntary.
Completing registration or receiving admin recognition does not guarantee approval to the Registered Drivers group or access to delivery opportunities.
Membership does not create employment, agency, or contractual rights.
13.6 Consent for Public Display & Communications
By participating, you consent to:
Public display of your first and last name in admin messages, announcements, or recognition posts.
Logging of messages and participation solely for operational, compliance, auditing, or dispute-resolution purposes.
You may withdraw consent at any time via admin@virtuousrestaurants.com. Withdrawal does not affect the lawfulness of prior processing but may result in removal or limited participation from Telegram groups or official communications.
13.7 Security Responsibilities
Drivers are solely responsible for securing their Telegram accounts and devices.
Virtuous Restaurants® applies technical and organisational measures to protect your data.
The Company is not liable for losses caused by compromised accounts, devices, unofficial contacts, or actions outside official channels.
13.8 Official Channels & Scam Protection
Admin will only communicate publicly in official Telegram groups.
Any DM, WhatsApp, SMS, or unofficial contact claiming to be admin is a scam — block and report immediately.
Only official Driver Registration Form links sent from driver.support@virtuousrestaurants.com or notifications@legalesign.com are valid.
No registration fees, charges, or offers outside official channels are valid. Do not engage with anyone messaging you privately claiming to be an admin. Block, delete, and report them immediately.
13.9 Audit & Monitoring
All communications may be logged or monitored solely for:
Compliance
Operational integrity
Auditing and dispute resolution
No other surveillance is intended or authorised.
13.10 Data Retention
Data is retained only as long as necessary for onboarding, operational, compliance, recognition, auditing, or dispute-resolution purposes.
Once no longer required, data is securely deleted or anonymised.
Maximum retention period for any personal data is 5 years unless operational, legal, or regulatory obligations require longer storage.
13.11 Withdrawal & Complaints
You may withdraw consent for public display of your name or Telegram data processing at any time via admin@virtuousrestaurants.com.
Complaints may be submitted to the UK Information Commissioner’s Office (ICO).
13.12 Termination & Group Management
Virtuous Restaurants® may suspend or remove participants from onboarding or Registered Drivers groups at any time, with or without notice, for:
Non-compliance
Inactivity
Operational requirements
Continued participation does not grant employment, agency, or worker rights.
13.13 Liability Disclaimer
Virtuous Restaurants® is not liable for:
Missed earnings or delivery opportunities
Disputes between drivers
Actions taken outside official channels
Losses caused by unsecured devices, Telegram accounts, or unofficial contacts
All work, postings, and communications are optional, performance-based, and do not guarantee income or assignments.
13.14 Governing Law
This Policy is governed by the laws of England & Wales.
13.15 Acknowledgement
By registering and participating in Telegram groups, drivers:
Confirm they have read, understood, and agreed to this Policy.
Understand participation is voluntary, independent, and fully compliant with UK subcontractor law and GDPR.
Consent to public display of their first and last name in official communications and admin messages.
Agree to use official channels only and ignore all external/unofficial contacts.
Understand that all work, postings, and communications are optional, performance-based, and do not guarantee income or assignments.
Accept that continued participation after updates constitutes acceptance of future amendments.
13.16 Job Claim Policy – Conflict Resolution
When a delivery opportunity is posted in the Virtuous Registered Drivers Telegram Group, multiple drivers may indicate interest. To ensure fair assignment, jobs are allocated on a first-come, first-served basis. Drivers must both reply to the Telegram message and call the admin using the official contact method to claim the job. Only the first driver to complete both steps will be assigned the delivery. Any subsequent expressions of interest will not be considered for that specific job but remain eligible for future opportunities. The admin’s decision on job allocation is final and binding, and all responses are logged for audit, operational, and dispute-resolution purposes. Drivers who fail to follow the official claim process risk losing the opportunity, and no exceptions will be made.
In the unlikely event of a data breach affecting your personal information, we will notify affected users without undue delay and, where required, the ICO within 72 hours. We will provide information on the nature of the breach, potential impacts, and steps you can take to protect yourself.
If you are unsatisfied with our handling of your personal data, you may lodge a complaint with the UK Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns/ or by calling 0303 123 1113.
For questions or concerns regarding your personal data or this Privacy Policy:
Virtuous Restaurants Ltd
Email: support@virtuousrestaurants.com
Phone: +4478 61 409509