Privacy Policy

MyFitFood Ltd ("MyFitFood", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what we collect, why we collect it, how we use and share it, and the rights you have under the UK GDPR and the Data Protection Act 2018. We are the data controller for the personal data we hold about you.

• Account details: name, email, phone, password (hashed).
• Delivery details: address, postcode, access notes.
• Order data: meals chosen, plan preferences, dietary tags, allergens you have flagged.
• Payment data: handled by our PCI-DSS compliant payment provider; we receive only the last four digits and card brand.
• Communications: emails, support messages, reviews, survey responses.
• Technical data: IP address, device, browser, pages visited, referral source — collected via cookies and analytics.

• Contract: to take orders, process payments, deliver meals, manage subscriptions and provide customer service.
• Legal obligation: to keep accounting, tax and food-safety records.
• Legitimate interests: to secure our site, prevent fraud, improve products, and send service updates about your account.
• Consent: to send marketing emails or use non-essential cookies. You can withdraw consent at any time.

We use strictly necessary cookies to make the site work (e.g. login, cart) and, with your consent, analytics and performance cookies to understand how the site is used. You can manage your preferences via the cookie banner or your browser settings. Disabling cookies may affect site functionality.

We share data only with trusted processors who help us run the Service, including:

• Payment providers (e.g. Stripe) to process transactions.
• Delivery partners to fulfil orders.
• Email and SMS providers for transactional and (with consent) marketing messages.
• Cloud hosting and analytics providers.
• Professional advisors, regulators or law enforcement where required by law.

We never sell your personal data.

Where data is transferred outside the UK, we rely on UK-approved safeguards such as the International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or transfers to countries deemed adequate by the UK Government.

We retain personal data only as long as necessary for the purpose collected: account data while your account is active and for up to 24 months after closure; order and tax records for 7 years; marketing data until you unsubscribe; support messages for up to 3 years.

We use industry-standard technical and organisational measures — including encryption in transit (TLS), encryption at rest, access controls and routine security reviews — to protect your data. No system is perfectly secure; please use a strong, unique password and notify us immediately of suspected unauthorised access.

Under UK data protection law you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request erasure ("right to be forgotten") in certain circumstances.
• Restrict or object to processing, including direct marketing.
• Receive your data in a portable format.
• Withdraw consent where processing relies on it.
• Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any right, email privacy@myfitfood.co.uk. We respond within one calendar month.

We send marketing only with your consent or where permitted under "soft opt-in" for existing customers. Every marketing email includes a one-click unsubscribe link.

The Service is intended for adults aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

We may update this policy from time to time. The "Last updated" date above reflects the latest revision. Material changes will be communicated by email or a prominent notice on the website.

For any privacy-related question or to exercise your rights, contact our data team at privacy@myfitfood.co.uk.