Privacy policy
Last updated: 20 May 2026
1. Who we are
Parish Larder is operated by Take 2 Technology Ltd, a company registered in England and Wales. We are the data controller for personal data processed through the Parish Larder website (parishlarder.com), customer mobile app, merchant mobile app, and driver mobile app (collectively, the “platform”).
Questions about this policy or any of the rights below: please email privacy@parishlarder.com.
2. What we collect and why
- Account data — email, name, optional phone, address, postcode, country. Used to create your account, sign you in, and route orders and deliveries. Lawful basis: contract.
- Community data — your community memberships, posts you publish (town crier, classifieds, stories, time bank, petitions), notification preferences. Used to operate the community features. Lawful basis: contract.
- Payment data — handled by Stripe (Stripe Payments UK Ltd). We don’t store your card details — Stripe sends us a token plus the outcome of the charge. Lawful basis: contract.
- Location data — postcode for orders, plus optional precise location if you grant the app permission (used to surface nearby stalls + drivers’ available jobs). Granted location is not stored beyond what’s needed to complete a session. Lawful basis: contract + consent.
- Push notification tokens — Apple APNs, Google FCM, web push (VAPID). Stored against your user record so we can send you the alerts you opted into. Lawful basis: contract + consent.
- Usage + technical data — IP, user agent, request paths, error logs. Used for service operation + security; stored in Vercel logs with rolling retention. Lawful basis: legitimate interest.
- Marketing email — only if you opt in. You can unsubscribe from any marketing email via the link in the email or from your profile settings. Lawful basis: consent.
3. Who we share data with
We don’t sell personal data. We use a small set of sub-processors to operate the service:
- Vercel — hosting + edge serving (US + EU regions, transferred under SCCs where relevant).
- Neon — managed Postgres for our database.
- Stripe — payments + payouts (PCI DSS Level 1).
- Resend — transactional and marketing email delivery (account codes, order receipts, etc.).
- Twilio — SMS + WhatsApp delivery, when you opt in to those channels.
- Apple + Google — push notification delivery (APNs + FCM), if you grant the apps permission.
- Expo — mobile app build + over-the-air update infrastructure.
Each sub-processor processes data on our instructions only and under a data processing addendum.
4. International transfers
Some of our sub-processors are based outside the UK. Where we transfer your data outside the UK, we rely on the UK’s international data transfer agreement or addendum (or the equivalent under the UK GDPR), or on the destination being covered by an adequacy decision.
5. How long we keep your data
- Active account data: while your account is open. You can delete your account at any time from your profile settings.
- Order + payment records: 6 years (UK HMRC requirement for business records).
- Marketing opt-ins: until you withdraw consent.
- Server logs: rolling 30-day window in Vercel logs.
6. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase your data (subject to some legal retention requirements);
- restrict or object to processing;
- export your data in a machine-readable format (data portability);
- withdraw consent at any time for processing based on consent.
To exercise any of these rights, email privacy@parishlarder.com. We’ll respond within one calendar month.
You also have the right to complain to the UK Information Commissioner’s Office (the ICO) at ico.org.uk.
7. Cookies
We use a small set of strictly necessary cookies (for sign-in sessions and CSRF protection). These don’t require your consent under PECR because they’re essential to the service you’ve asked for. We don’t use third-party advertising or analytics cookies.
8. Security
We hash passwords with bcrypt, store sign-in codes as one-way hashes (we never see your plaintext code), and serve all traffic over HTTPS. Database access is restricted to a small set of service accounts; admin tooling is gated behind password authentication.
9. Children
Parish Larder isn’t designed for users under 16. We don’t knowingly collect data from anyone under 16. If you think a child has signed up, contact us and we’ll delete the account.
10. Changes to this policy
We’ll update the “last updated” date at the top of this page and, for material changes, send a notice to your account email.
See also: Terms of service.