Privacy Policy

Ghochen Limited is the controller of your personal data. Our registered office is in Kingston upon Hull, United Kingdom. You can contact us at privacy@ghochen.com.

We are registered with the Information Commissioner’s Office (ICO) under registration number [to be obtained before launch].

Data you provide directly:

• Identity data: name, date of birth, passport or driving licence (for identity verification via Stripe Identity).
• Contact data: phone number, email address, business address.
• Business data: trading name, legal entity name, Companies House number, UTR, VAT number.
• Financial data: bank account details (collected and held by Stripe, not by Ghochen).
• Compliance data: FSA hygiene rating, insurance details, food safety certificates.
• Content data: product names, descriptions, images.
• Communication data: messages you send through the Platform to customers or Ghochen support.

Data collected automatically:

• Device data: device type, operating system, app version, crash logs.
• Usage data: features used, screens visited, session duration, error events.
• Location data: approximate location derived from IP address and business address.

Data from third parties:

• From Stripe: identity verification results, payment processing data.
• From the Food Standards Agency: your business’s current hygiene rating.
• From Companies House (if applicable): public company registration data.

We process your personal data on the following legal bases under UK GDPR Article 6:

• Contract: to provide the Platform and fulfil our obligations under our Partner Terms.
• Legal obligation: to comply with tax law, anti-money-laundering law, food safety law, and cooperate with competent authorities.
• Legitimate interests: to improve the Platform, prevent fraud, and ensure security. We balance these against your rights.
• Consent: for optional features such as marketing communications. Consent can be withdrawn at any time.

• To provide the partner services: accepting orders, processing payments, facilitating customer communication.
• To verify your identity and business credentials.
• To process payments and payouts through Stripe.
• To comply with legal obligations, including tax reporting and food safety cooperation.
• To detect and prevent fraud, abuse, and security threats.
• To improve the Platform through analytics and research on usage patterns.
• To provide customer support and communications about your account.
• To send you marketing communications where you have consented.

• Stripe: for identity verification, payment processing, and payouts.
• Supabase: as our database and authentication provider (data hosted in the EU).
• Meta Platforms: for WhatsApp Business Cloud API services, where you use WhatsApp flows.
• Shipday and courier partners: limited delivery-related data for order fulfilment.
• Sentry and PostHog: for error tracking and product analytics, with PII minimisation.
• Customers: limited information to complete orders (business name, product information, masked contact).
• Authorities: where legally required (HMRC, FSA, local authorities, law enforcement).
• Professional advisors and prospective or actual acquirers of Ghochen, under confidentiality obligations.

Most personal data is stored in the UK or the European Economic Area. Some service providers may process data in the United States under appropriate safeguards, including UK International Data Transfer Agreements and Standard Contractual Clauses.

• Active partner account data: for the duration of your account plus 7 years thereafter, for tax and legal compliance.
• Order and financial records: 7 years from the transaction date.
• WhatsApp message bodies: 13 months, then purged.
• Marketing preferences: until you withdraw consent.
• Support messages: 2 years from the end of the conversation.

Under UK GDPR you have rights to access your data, correct inaccurate data, erasure (in limited circumstances), restrict processing, data portability, object to processing, and withdraw consent. You can exercise these rights by emailing privacy@ghochen.com.

You have the right to complain to the Information Commissioner’s Office at ico.org.uk.

We use technical and organisational measures including encryption in transit and at rest, row-level security on databases, regular security reviews, and staff training. No system is perfectly secure; we will notify you and the ICO of material breaches as required.

We will update this Policy from time to time. Material changes will be notified to you at least 30 days in advance.