Privacy Policy &
Data Protection Framework

Effective Date: May 12, 2026

At **SIMPLY A LA CARTE LTD** (Company Registration 12345678, hereinafter referred to as "the Company", "we", "us", or "our"), we operate with a rigorous commitment to the protection of your personal information. This Privacy Policy outlines our data governance framework in strict accordance with the **General Data Protection Regulation (GDPR)** and the **United Kingdom Data Protection Act 2018 (DPA 2018)**.

1. Data Controller Identification

The designated Data Controller for all operations conducted via this portal is SIMPLY A LA CARTE LTD, located at 814 Leigh Road, Slough, SL1 4BD. Our Data Protection Officer (DPO) can be reached directly at info@coastalcapital.sbs for any inquiries regarding the exercise of your statutory rights.

2. Categories of Data Processed

We collect and process personal data that is strictly necessary for the performance of our catering and delivery services. This includes: **Identity Data** (name, title); **Contact Data** (billing address, delivery address, email, telephone numbers); **Financial Data** (encrypted payment card details processed via PCI-DSS compliant gateways); **Transaction Data** (details about payments and services purchased); **Technical Data** (IP address, login data, browser type); and **Sensitive Health Data** (specifically dietary requirements and allergen information provided explicitly by you for safety purposes).

3. Legal Basis for Processing

We rely on several legal bases for processing your information: **Performance of a Contract** (to deliver your food); **Legal Obligation** (to comply with food safety regulations and UK tax laws); **Consent** (for marketing communications); and **Legitimate Interests** (to improve our service efficiency and prevent fraudulent transactions).

4. Data Retention and Security

Your data is stored on high-security, encrypted servers located within the United Kingdom. We maintain a retention period of seven (7) years for financial records as required by HMRC. Health-related data (allergies) is purged thirty (30) days after service completion unless you maintain an active account with us. We utilize AES-256 encryption and regular penetration testing to ensure the integrity of our systems.

5. Your Statutory Rights

Under the GDPR and DPA 2018, you possess the **Right of Access**, the **Right to Rectification**, the **Right to Erasure** ('Right to be Forgotten'), the **Right to Restrict Processing**, and the **Right to Data Portability**. To exercise these rights, please submit a Subject Access Request (SAR) to our DPO. We will respond within one calendar month as prescribed by law.