This Privacy Policy explains how YallaCook Ltd collects, uses, stores, shares, and protects your personal data when you use the YallaCook website (www.yallacook.co.uk) and mobile application. Please read this policy carefully. By using the YallaCook platform, you confirm that you have read and understood this Privacy Policy.
1. Who We Are and How to Contact Us
YallaCook Ltd is the data controller responsible for your personal data collected and processed through the YallaCook platform. As data controller, we determine the purposes for which and the manner in which your personal data is processed.
YallaCook Ltd — Data Controller Details
Registered Name: YallaCook Ltd
Registered Address: Unit 9105, 141 Access House, Morden Road, Mitcham, Surrey, England, CR4 4DG
Company Registration Number: 13926151
VAT Registration Number: 423864684
Email: info@yallacook.co.uk
Website: www.yallacook.co.uk
1.1 If you have any questions, concerns, or requests relating to the way in which we process your personal data, or if you wish to exercise any of your data protection rights, please contact us at info@yallacook.co.uk or by writing to the registered address above.
1.2 YallaCook Ltd is registered with the Information Commissioner’s Office (ICO) as a data controller. If you are dissatisfied with the way we handle your personal data, you have the right to lodge a complaint with the ICO at www.ico.org.uk or by calling 0303 123 1113.
2. Scope of This Privacy Policy
2.1 This Privacy Policy applies to all personal data collected, processed, and stored by YallaCook Ltd in connection with the operation of the YallaCook platform, including:
- The YallaCook website at www.yallacook.co.uk
- The YallaCook mobile application (iOS and Android)
- Any associated digital services, APIs, and communications
2.2 This Policy applies to the following categories of individuals whose personal data we process:
- Customers — individuals who browse, register, and place orders on the Platform
- Vendors — businesses and individuals who register to sell products through the Platform
- Website and app visitors — individuals who browse the Platform without registering
- Prospective Vendors and business contacts
2.3 This Policy does not apply to third-party websites, services, or platforms linked to or from the YallaCook platform. We are not responsible for the privacy practices of such third parties and encourage you to read their respective privacy policies.
3. Personal Data We Collect
3.1 We collect personal data in the following ways: (a) directly from you when you register, browse, or transact on the Platform; (b) automatically through your use of the Platform; and (c) from third parties, including payment processors and analytics providers. The categories of personal data we collect are set out below.
3.1 Data Collected from Customers
When you register as a Customer and use the Platform, we may collect and process the following categories of personal data:
Category | Examples | How Collected |
Identity Data | Full name, username, date of birth | Registration form |
Contact Data | Email address, phone number, delivery address | Registration & checkout |
Account Data | Login credentials (password stored in hashed form), account preferences | Registration |
Transaction Data | Order history, items purchased, order values, Vendor details | Order placement |
Payment Data | Payment card type, last 4 digits, billing address (full card data held by Payment Provider only) | Checkout process |
Delivery Data | Delivery addresses, delivery instructions, recipient details | Checkout process |
Technical Data | IP address, device type, browser type and version, operating system, app version | Automatic collection |
Usage Data | Pages visited, search queries, clicks, time spent, features used | Automatic collection |
Communications Data | Customer support messages, complaints, feedback, reviews | Direct contact |
Marketing Preferences | Consent status for marketing emails, push notifications, SMS | Account settings / sign-up |
3.2 Data Collected from Vendors
When you register as a Vendor, we collect additional categories of personal data in order to onboard and manage your account and comply with our legal obligations:
Category | Examples | How Collected |
Business Identity Data | Business name, trading name, company registration number, VAT number | Vendor registration |
Individual Identity Data | Name of owner / director / authorised representative, date of birth | Vendor registration |
Contact Data | Business email, phone number, registered and trading addresses | Vendor registration |
Regulatory Compliance Data | Food hygiene rating, FSA registration number, food business operator registration, halal certification details | Vendor onboarding |
Financial Data | Bank account details for remittance, VAT status | Vendor onboarding |
Transaction Data | Order volumes, sales history, Commission records, remittance records | Platform operation |
Communications Data | Support queries, dispute records, correspondence | Direct contact |
3.3 Data Collected Automatically
When you visit or use the Platform, we automatically collect certain technical and usage data through cookies, pixels, server logs, and similar technologies. This may include your IP address, device identifiers, browser type, referring URLs, and information about how you interact with the Platform. Please refer to our Cookie Policy at www.yallacook.co.uk/cookies for further details.
3.4 We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected personal data from a person under 18, please contact us immediately at info@yallacook.co.uk so that we can delete it.
3.5 We do not collect special category personal data (such as health data, religious beliefs, or biometric data) as a routine matter. Where a Customer voluntarily provides dietary or allergy information when placing an order or contacting Vendor support, we will treat such information with appropriate care and process it only for the purposes of fulfilling your order and ensuring your safety.
4. How We Use Your Personal Data — Lawful Bases
4.1 Under the UK General Data Protection Regulation (UK GDPR), we are required to have a lawful basis for processing your personal data. The table below sets out the purposes for which we process personal data, together with the lawful basis relied upon for each processing activity.
4.1 Customer Data — Purposes and Lawful Bases
Purpose of Processing | Types of Data Used | Lawful Basis |
To create and manage your Customer account | Identity, Contact, Account Data | Contract performance (Article 6(1)(b) UK GDPR) |
To process and fulfil orders placed on the Platform | Identity, Contact, Transaction, Delivery, Payment Data | Contract performance (Article 6(1)(b) UK GDPR) |
To process payments and detect fraud | Payment, Transaction, Technical Data | Contract performance; Legitimate interests (fraud prevention) |
To coordinate delivery of orders | Contact, Delivery Data | Contract performance (Article 6(1)(b) UK GDPR) |
To provide customer support and manage complaints | Identity, Contact, Communications Data | Contract performance; Legitimate interests |
To send transactional communications (order confirmations, dispatch notices, updates) | Identity, Contact, Transaction Data | Contract performance (Article 6(1)(b) UK GDPR) |
To send marketing emails, push notifications, or SMS (where consented) | Identity, Contact, Marketing Preferences | Consent (Article 6(1)(a) UK GDPR) |
To personalise your experience and display relevant content | Usage, Technical, Transaction Data | Legitimate interests (Article 6(1)(f) UK GDPR) |
To analyse Platform usage and improve our services | Technical, Usage Data | Legitimate interests (Article 6(1)(f) UK GDPR) |
To comply with legal and regulatory obligations | All relevant categories | Legal obligation (Article 6(1)(c) UK GDPR) |
To enforce our Terms and Conditions and protect our rights | All relevant categories | Legitimate interests (Article 6(1)(f) UK GDPR) |
4.2 Vendor Data — Purposes and Lawful Bases
Purpose of Processing | Types of Data Used | Lawful Basis |
To onboard and manage Vendor accounts | Business Identity, Contact, Regulatory Compliance Data | Contract performance (Article 6(1)(b) UK GDPR) |
To transmit orders to Vendors | Transaction, Contact Data | Contract performance (Article 6(1)(b) UK GDPR) |
To process Commission deductions and remit payments | Financial, Transaction Data | Contract performance (Article 6(1)(b) UK GDPR) |
To verify regulatory compliance (food safety, halal certification) | Regulatory Compliance Data | Legal obligation; Legitimate interests |
To manage disputes and complaints | Communications, Transaction Data | Legitimate interests; Legal obligation |
To communicate operational updates, policy changes, and commercial information | Identity, Contact Data | Legitimate interests (Article 6(1)(f) UK GDPR) |
To comply with tax, financial reporting, and regulatory obligations | Financial, Identity, Transaction Data | Legal obligation (Article 6(1)(c) UK GDPR) |
4.3 Where we rely on legitimate interests as our lawful basis, we have carried out a balancing test to ensure that our legitimate interests are not overridden by your interests or fundamental rights and freedoms. You have the right to object to processing carried out on the basis of legitimate interests at any time (see Section 11).
4.4 Where we rely on your consent to process your personal data (for example, for marketing communications), you have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. You may withdraw consent by using the unsubscribe link in any marketing email, adjusting your notification settings in the app, or contacting us at info@yallacook.co.uk.
5. Cookies and Tracking Technologies
5.1 YallaCook uses cookies and similar tracking technologies (including pixels and local storage) to operate and improve the Platform, to understand how users interact with our services, and to deliver relevant content and advertising where applicable.
5.2 The types of cookies we use include:
Cookie Type | Purpose | Retention |
Strictly Necessary | Essential for the Platform to function — session management, login authentication, security | Session / short-term |
Functional | Remembering your preferences, language, saved addresses, and basket contents | Up to 12 months |
Analytics & Performance | Understanding how users navigate the Platform, identifying errors, measuring feature usage (e.g. via Google Analytics) | Up to 24 months |
Marketing & Targeting | Delivering relevant advertisements and measuring campaign effectiveness (where consent is given) | Up to 12 months |
5.3 Strictly necessary cookies are placed without your consent as they are essential to the operation of the Platform. All other cookies are placed only with your consent, which you may give or withdraw via the cookie consent banner displayed on your first visit to the Platform or through your account settings.
5.4 For full details of the specific cookies we use, their purposes, and their retention periods, please see our Cookie Policy at www.yallacook.co.uk/cookies.
5.5 Most web browsers allow you to control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform.
6. How We Share Your Personal Data
6.1 YallaCook does not sell your personal data to any third party. We share personal data only in the circumstances set out below, and only to the extent necessary for the relevant purpose.
6.1 Sharing with Vendors
When you place an order on the Platform, we share the personal data necessary for the Vendor to prepare and fulfil your order. This includes your name, order details, any special instructions, and your delivery address. Vendors are required under their Vendor Agreement to process this data only for the purpose of fulfilling your order and to comply with applicable data protection law. Vendors may act as independent data controllers in respect of personal data they receive from YallaCook.
6.2 Sharing with Payment Providers
Payment processing on the Platform is carried out by our third-party Payment Provider (currently Stripe Payments Europe Ltd, or such other provider as we may use from time to time). We share payment-related data with the Payment Provider solely to process your transaction securely. The Payment Provider’s own privacy policy governs its processing of your payment data. YallaCook does not store full payment card numbers.
6.3 Sharing with Delivery and Logistics Partners
Where we arrange delivery of orders, we share your name, delivery address, contact telephone number, and order reference with our courier and logistics partners to enable delivery. These partners process your data as data processors acting on our behalf.
6.4 Sharing with Technology and Service Providers
We engage third-party service providers to assist in operating the Platform and delivering our services. These include cloud hosting providers, email delivery platforms, SMS providers, customer support software providers, analytics providers (including Google Analytics), and app development partners. These providers process your personal data as data processors acting on our instructions and are contractually required to implement appropriate technical and organisational security measures.
6.5 Sharing for Legal Compliance and Enforcement
We may disclose your personal data to law enforcement agencies, regulatory authorities (including the Food Standards Agency or the ICO), or courts where we are required to do so by law, court order, or regulatory direction, or where we reasonably believe disclosure is necessary to: (a) comply with a legal obligation; (b) protect the rights, property, or safety of YallaCook, our users, or the public; or (c) detect, prevent, or investigate fraud or security incidents.
6.6 Business Transfers
In the event of a merger, acquisition, reorganisation, sale of assets, or insolvency of YallaCook Ltd, your personal data may be transferred to a successor entity or acquirer as part of that transaction. We will notify you of any such transfer and any consequent changes to this Privacy Policy in accordance with Section 14 below.
6.7 Aggregate and Anonymised Data
We may share aggregated, anonymised, or pseudonymised data with third parties for research, analytics, or business purposes. Such data does not identify you individually and does not constitute personal data for the purposes of the UK GDPR.
7. International Transfers of Personal Data
7.1 YallaCook is based in the United Kingdom and primarily processes personal data within the UK and the European Economic Area (EEA). However, some of our third-party service providers — including cloud hosting and analytics providers — may process personal data in countries outside the UK and EEA.
7.2 Where personal data is transferred outside the UK to a country not recognised by the UK government as providing an adequate level of data protection, we ensure that appropriate safeguards are in place in accordance with UK GDPR requirements. Such safeguards may include:
- International Data Transfer Agreements (IDTAs) approved by the ICO
- Standard Contractual Clauses (SCCs) adopted or approved under UK law
- Binding Corporate Rules where applicable
- Adequacy decisions issued by the UK Secretary of State
7.3 You may request further information about the specific safeguards we rely upon for international transfers by contacting us at info@yallacook.co.uk.
8. How Long We Keep Your Personal Data
8.1 We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, and to resolve disputes and enforce our agreements. The table below sets out our standard retention periods for key categories of personal data.
Category of Personal Data | Retention Period | Reason |
Customer account data | Duration of account + 6 years after account closure | Contract performance; limitation period for legal claims |
Order and transaction records | 6 years from the date of the transaction | Legal obligation (tax, accounting, consumer law) |
Payment records (transaction references and metadata) | 6 years | Legal obligation (HMRC record-keeping requirements) |
Vendor account and compliance data | Duration of Vendor relationship + 6 years | Contract performance; legal obligation |
Customer support and complaints records | 3 years from resolution of the complaint | Legitimate interests (legal defence) |
Marketing consent records | Until consent is withdrawn + 1 year | Legal obligation (demonstrating consent under UK GDPR) |
Technical and usage data (logs) | Up to 13 months | Legitimate interests (security monitoring, analytics) |
Cookie analytics data | Up to 24 months | As described in Cookie Policy |
8.2 Where we are required to retain personal data for longer periods by law (for example, for tax or regulatory purposes), we will retain it for the required period. Where personal data is no longer required, we will securely delete or anonymise it.
8.3 In some circumstances, we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice.
9. Security of Your Personal Data
9.1 YallaCook takes the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of data in transit using Transport Layer Security (TLS/SSL)
- Encryption of sensitive data at rest
- Access controls and role-based permissions limiting access to personal data to authorised personnel only
- Regular security assessments and vulnerability testing
- Secure password hashing — we do not store passwords in plain text
- Staff training on data protection and information security
- Data breach detection, reporting, and response procedures
9.2 Payment card data is processed exclusively by our Payment Provider and is not stored on YallaCook’s systems. Our Payment Provider maintains PCI DSS compliance.
9.3 While we take all reasonable steps to protect your personal data, no method of transmission over the internet or electronic storage is entirely secure. We cannot guarantee the absolute security of your data. You are responsible for keeping your account login credentials confidential and for any activity that occurs under your account.
9.4 In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach (where required by law) and will notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms, without undue delay.
10. Children’s Privacy
10.1 The YallaCook Platform is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect, use, or disclose personal data from children under 18 years of age.
10.2 If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at info@yallacook.co.uk. We will take prompt steps to delete such data from our systems.
11. Your Data Protection Rights
11.1 Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to conditions and exceptions under applicable law.
Right | Description |
Right of Access | You have the right to request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month of receipt of a valid request. |
Right to Rectification | You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. |
Right to Erasure (‘Right to be Forgotten’) | You have the right to request deletion of your personal data in certain circumstances, for example where the data is no longer necessary for the purposes for which it was collected, or where you withdraw consent. |
Right to Restriction of Processing | You have the right to request that we restrict the processing of your personal data in certain circumstances, for example where you contest the accuracy of the data. |
Right to Data Portability | Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller. |
Right to Object | You have the right to object to processing of your personal data where we rely on legitimate interests as our lawful basis. You also have the right to object at any time to processing for direct marketing purposes. |
Rights in Relation to Automated Decision-Making | You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects. YallaCook does not currently make solely automated decisions of this kind. |
Right to Withdraw Consent | Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. |
11.2 To exercise any of the rights listed above, please submit your request in writing to info@yallacook.co.uk or by post to: YallaCook Ltd, Unit 9105, 141 Access House, Morden Road, Mitcham, Surrey, England, CR4 4DG. We may ask you to verify your identity before processing your request.
11.3 We will respond to all valid data subject requests within one calendar month. Where requests are complex or numerous, we may extend this period by a further two months, in which case we will notify you of the extension and the reasons for it within the first month.
11.4 You will not ordinarily be charged a fee to exercise your rights. However, we reserve the right to charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, including repetitive requests.
11.5 If you are not satisfied with our response to your request or complaint, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: www.ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
12. Third-Party Websites and Services
12.1 The Platform may contain links to third-party websites, mobile applications, or services operated by Vendors or other third parties. These links are provided for your convenience only. YallaCook is not responsible for the content, privacy practices, or data protection standards of any third-party website or service.
12.2 We encourage you to read the privacy policies of any third-party services you visit or use. Your interactions with third-party services are governed by their own terms and privacy policies, not by this Privacy Policy.
13. Marketing Communications
13.1 With your consent, we may send you marketing communications by email, push notification, or SMS about new Vendors, products, offers, promotions, and other news relating to YallaCook. We will only send you marketing communications where you have opted in to receive them.
13.2 You may opt out of receiving marketing communications from us at any time by:
- Clicking the ‘unsubscribe’ link at the bottom of any marketing email
- Adjusting your push notification preferences in your device or app settings
- Contacting us at info@yallacook.co.uk with a request to opt out
13.3 Please note that opting out of marketing communications will not affect our ability to send you transactional or service-related communications, such as order confirmations, dispatch notifications, and important account updates. These communications are essential to the performance of our contract with you.
13.4 Where we rely on your consent for marketing, we will keep a record of when and how consent was given. If you withdraw consent, we will suppress your details from future marketing communications promptly and in any event within 10 business days.
14. Changes to This Privacy Policy
14.1 YallaCook reserves the right to amend this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or regulatory requirements.
14.2 Where we make material changes to this Privacy Policy, we will notify registered users by email to the address associated with their account, by in-app notification, or by displaying a prominent notice on the Platform, no less than 14 days before the changes take effect (or such shorter period as may be required by law).
14.3 We recommend that you review this Privacy Policy periodically. The date on which this Policy was last updated is displayed at the foot of this document. Your continued use of the Platform following the effective date of any revised Privacy Policy will be deemed acceptance of the updated policy.
15. Summary of Lawful Bases Used
15.1 For ease of reference, the primary lawful bases under which YallaCook processes personal data are:
Lawful Basis | UK GDPR Reference | When We Rely On It |
Contract Performance | Article 6(1)(b) | Processing necessary to perform our contract with you as a Customer or Vendor, including account management, order processing, payment, and delivery |
Legal Obligation | Article 6(1)(c) | Processing necessary to comply with our legal and regulatory obligations, including tax, accounting, food safety compliance, and data breach notification |
Legitimate Interests | Article 6(1)(f) | Processing for fraud prevention, platform security, improving our services, analytics, and enforcing our legal rights, where our interests are not overridden by your rights |
Consent | Article 6(1)(a) | Marketing communications (email, SMS, push notifications); non-essential cookies and tracking technologies |
16. Glossary
Data Controller: A natural or legal person which determines the purposes and means of processing personal data. YallaCook Ltd is the data controller in respect of personal data collected through the Platform.
Data Processor: A natural or legal person which processes personal data on behalf of a data controller, acting under the data controller’s instructions.
Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, or online identifier.
Processing: Any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning sex life, or data concerning sexual orientation.
UK GDPR: The UK General Data Protection Regulation — the retained EU law version of the EU GDPR, as it has effect in UK law by virtue of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
ICO: The Information Commissioner’s Office — the UK’s independent authority set up to uphold information rights in the public interest. Website: www.ico.org.uk.
17. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a concern about how we handle your personal data, please contact us:
YallaCook Ltd
Unit 9105, 141 Access House, Morden Road, Mitcham, Surrey, England, CR4 4DG
Email: info@yallacook.co.uk
Website: www.yallacook.co.uk
Company Registration No: 13926151 | VAT No: 423864684
ICO — Information Commissioner’s Office: www.ico.org.uk | Tel: 0303 123 1113
This Privacy Policy was last reviewed and updated on 22 Feb 2026
© 2026 YallaCook Ltd. All rights reserved.