grubsy

Last updated: 9TH December 2025

1. Who we are

• Grubsy Delivery Services LTD (“Grubsy”, “we”, “us”, “our”)

• Company number: 16513066

• Registered office: 71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

• ICO Registration: C1788749

• Contact (privacy and rights requests): info@grubsy.delivery

• Data Protection Officer: Shane Devany (contact via info@grubsy.delivery)

1. What personal data we collect We collect and process:

• Account and identity data: name, email address, phone number, password hash.

• Delivery data: delivery addresses, delivery notes/instructions, contact preferences.

• Order data: items ordered, partner restaurant, prices/discounts, timestamps, order status, in‑app chat with restaurants/couriers, ratings/reviews.

• Payment data: processed by Stripe. We receive tokens, payment status, and limited card metadata (e.g., last 4 digits, brand); we do not store full card numbers.

• Location data:

  • Precise location to find nearby restaurants, assign couriers, and provide live tracking/ETAs.

  • Collection mode: “While Using the App.” If your device permits background updates and you grant permission, we may receive location during an active order solely to support live delivery updates and safety. You can manage permissions in device settings.

• Device and technical data: device model, OS and version, app version, IP address, device identifiers (e.g., IDFA/GAID), crash logs, diagnostics, app event logs.

• Marketing/analytics data: campaign attribution, engagement with emails, referral metadata (when available).

• Communications: copies/metadata of support tickets, in‑app chat, and emails relevant to orders.

Children: The service is not directed to persons under 16. We do not knowingly collect data from children. If you believe a child has provided data, contact us so we can delete it.

1. How we use your data and legal bases (UK GDPR)

• Provide and operate the app and services (place/deliver orders, live tracking/ETAs, customer support) — Contract; Legitimate Interests.

• Process payments, refunds, chargebacks — Contract; Legal Obligation (accounting/tax).

• Location‑enabled features (nearby restaurants, courier assignment, live tracking) — Contract; Legitimate Interests; Consent where required by OS permissions.

• Service communications about your orders and app operations — Contract/Legitimate Interests.

• Fraud prevention, safety, abuse detection, account integrity — Legitimate Interests (including use of Stripe Radar).

• Analytics, performance monitoring, product improvement — Legitimate Interests; Consent where required.

• Marketing via email — Consent or soft opt‑in where applicable; you can withdraw consent at any time.

• Legal compliance and responding to lawful requests — Legal Obligation.

• Establishment, exercise, or defense of legal claims — Legitimate Interests.

Where we rely on Legitimate Interests, we balance these against your rights and expectations and implement safeguards.

1. Automated decision‑making and profiling We use algorithms to:

• Estimate delivery times and optimize routes.

• Automatically assign orders to couriers.

• Detect potential fraud or abusive behavior (including via Stripe Radar).

• Personalize recommendations and offers (non‑intrusive).

We do not make solely automated decisions that produce legal or similarly significant effects without human involvement. If that changes, we will notify you and explain your right to human review, to express your view, and to contest decisions.

1. Sharing your data We share data with:

• Restaurants: order details needed to prepare and fulfill orders. Restaurants typically act as independent controllers for their own legal obligations (e.g., invoicing).

• Couriers/drivers: delivery address, contact details, and order information required to deliver orders. Couriers may be independent controllers for certain processing (e.g., tax/earnings records).

• Payment processor: Stripe (including Stripe Radar for fraud screening).

• Service providers (processors) under contract and acting on our instructions, including:

  • Cloud infrastructure/hosting: Amazon Web Services (AWS), Google Cloud Platform (GCP)

  • Analytics and crash reporting: Firebase/Google Analytics for Firebase, Crashlytics

  • Communications/messaging: email and push notification providers

  • Customer support tools and in‑app chat

  • Security and fraud prevention tools

• App distribution platforms: Apple App Store and Google Play Store (for app delivery, updates, and compliance).

• Law enforcement, regulators, and professional advisers when required by law or necessary to protect rights, property, or safety.

• Corporate transactions: in the context of a merger, acquisition, or asset sale, subject to safeguards.

We do not sell your personal data.

1. International transfers Some providers may process data outside the UK/EEA. Where we transfer personal data internationally, we rely on:

• UK adequacy regulations where available; or

• UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (as applicable), with supplementary measures where necessary.

You can contact us to request information or copies of relevant safeguards. Our primary cloud resources are UK‑based.

1. Retention We retain personal data only as long as necessary for the purposes above and to meet legal, accounting, or reporting requirements.

Typical retention periods:

• Account and order data: 6 years after your last order (consumer protection and limitation periods).

• Payment records and invoices: 7 years (accounting/tax).

• Location data used for live delivery and safety: 12 months, then deleted or anonymized.

• Support tickets and chat transcripts: 24 months after closure.

• Analytics events: raw identifiable events for 14 months; thereafter aggregated/anonymized.

• Backups: up to 90 days on rolling schedules.

Anonymized or aggregated data may be retained for analytics and reporting.

1. Your rights Under UK data protection law, you have the right to:

• Access your personal data.

• Rectify inaccurate or incomplete data.

• Erase your data in certain circumstances.

• Restrict processing in certain circumstances.

• Data portability.

• Object to processing based on Legitimate Interests and to direct marketing.

• Withdraw consent at any time where we rely on consent.

How to exercise your rights: email info@grubsy.delivery or use the in‑app “Privacy & Data Requests” form in Settings. We may request information to verify your identity. We respond within one month (extendable by two months for complex requests with notice).

1. Marketing and preferences

• Service communications (order confirmations, delivery updates) are necessary for the service and are not marketing.

• Marketing is sent by email with your consent (or soft opt‑in where permitted). Opt out any time via unsubscribe links, in‑app settings, or by contacting us.

• Push notifications are used for service‑related updates only (e.g., order status, courier arrival). You can control push settings in your device.

1. Cookies and SDKs Our app uses SDKs and similar technologies (including Firebase/GA4 and Crashlytics) for:

• Analytics and attribution

• Crash reporting and performance monitoring

• Messaging and push notifications

• Security and fraud prevention

See our Cookies/SDK Policy for details and controls: https://grubsy.delivery/cookies. You can also manage certain permissions in your device settings and in‑app where available.

1. Security We implement appropriate technical and organizational measures, including:

• Encryption in transit and at rest (where applicable)

• Access controls and least‑privilege principles

• Logging and monitoring

• Secure development practices, vulnerability management, and regular reviews

• Vendor due diligence and data processing agreements

No system is completely secure; we continually enhance our security posture.

1. Roles and responsibilities

• Grubsy is the data controller for personal data processed via the app.

• Restaurants and couriers may be independent controllers for certain processing (e.g., compliance, tax, and their own records) and are responsible for their own compliance.

1. Contact and complaints

• Contact: info@grubsy.delivery

• You have the right to complain to the UK Information Commissioner’s Office (ICO): https://ico.org.uk/make-a-complaint/

• ICO address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We encourage you to contact us first so we can try to resolve your concern.

1. Changes to this policy We may update this policy from time to time. We will post updates in the app and update the “Last updated” date. For material changes, we will provide a prominent in‑app notice or email you where appropriate.

Permissions summary (mobile)

• Location: “While Using the App” to find nearby restaurants, assign couriers, and provide live delivery tracking; may operate in background during an active order if permitted by your device; control in device settings.

• Notifications: service updates only (order status, delivery progress); control in device settings.

• Photos/Camera/Microphone (only if used for features like photo proof or chat attachments): optional and permission‑based.

Key vendors (current)

• Payments and fraud: Stripe (including Stripe Radar)

• Analytics and crash reporting: Firebase/Google Analytics for Firebase, Crashlytics

• Push/messaging: Firebase Cloud Messaging (and email provider as configured)

• Hosting/cloud infrastructure: Amazon Web Services (AWS), Google Cloud Platform (GCP)

• In‑app chat: in‑app chat provider (configured within the app)

• App distribution: Apple App Store, Google Play Store

​

​

​