Privacy Policy

Last Updated: November 2025
Effective Date: November 2025

1. INTRODUCTION

1.1 About This Policy

This Privacy Policy explains how One More Espresso Ltd (Company No. 16854702), trading as BrewRun ("BrewRun", "we", "us", or "our"), collects, uses, shares, and protects personal data when you use our Platform. We are committed to protecting your privacy and handling your data transparently.

1.2 Data Controller

One More Espresso Ltd is the data controller for personal data collected through the BrewRun Platform. Our registered office is at 75 Royal Court Drive, Bolton, BL1 4AZ, United Kingdom.

1.3 Scope

This Policy applies to:

  • The BrewRun mobile application
  • The BrewRun website (www.brewrun.app)
  • Related services and communications
  • Both consumers and vendors using our Platform

1.4 Legal Basis

We process personal data in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations 2003
  • Other applicable UK data protection laws

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

Account Registration:

  • Name
  • Email address
  • Mobile phone number
  • Date of birth (if required)
  • Account credentials

Order Information:

  • Delivery/collection preferences
  • Order history and preferences
  • Dietary requirements and allergens
  • Customer notes and special requests

Payment Information:

  • Payment card details (processed by Stripe - we do not store full card numbers)
  • Billing information
  • Transaction history

Vendor Information (for Vendor accounts):

  • Business name and registration details
  • Business address and contact information
  • Bank account details for payments
  • Food hygiene certificates
  • Insurance documentation
  • Tax identification numbers

Communications:

  • Customer service inquiries
  • Feedback and reviews
  • Survey responses
  • Marketing preferences

2.2 Information Collected Automatically

Device Information:

  • Device type and model
  • Operating system and version
  • Unique device identifiers
  • Mobile network information
  • IP address

Location Data:

  • Precise location (when you enable location services)
  • Approximate location from IP address
  • Vendor location check-ins

Usage Data:

  • App/website usage patterns
  • Features accessed
  • Search queries
  • Click-through rates
  • Session duration and frequency

Cookies and Similar Technologies:

  • Session cookies
  • Preference cookies
  • Analytics cookies
  • Marketing cookies (with consent)

2.3 Information from Third Parties

Payment Processors:

  • Transaction confirmations from Stripe
  • Fraud prevention data

Social Media (if you connect accounts):

  • Basic profile information
  • Friend lists (if permitted)

Business Verification Services:

  • Companies House data
  • Food Standards Agency ratings

3. HOW WE USE YOUR INFORMATION

3.1 Primary Purposes

Service Delivery:

  • Process and fulfill orders
  • Connect consumers with vendors
  • Manage user accounts
  • Process payments and refunds
  • Provide customer support

Communication:

  • Send order confirmations and updates
  • Notify about order status changes
  • Respond to inquiries
  • Send service announcements

Platform Improvement:

  • Analyze usage patterns
  • Develop new features
  • Optimize user experience
  • Conduct research and analytics

Safety and Security:

  • Verify identity
  • Prevent fraud and abuse
  • Ensure Platform security
  • Investigate violations

3.2 Legal Bases for Processing

We process personal data based on:

Contract Performance:

  • Account creation and management
  • Order processing and fulfillment
  • Payment processing

Legitimate Interests:

  • Platform improvement and analytics
  • Fraud prevention and security
  • Direct marketing (with opt-out)
  • Business operations

Legal Compliance:

  • Tax and accounting requirements
  • Food safety regulations
  • Legal claims or proceedings

Consent:

  • Marketing communications (where required)
  • Location services
  • Cookies and tracking technologies

Vital Interests:

  • Emergency situations involving health or safety

4. DATA SHARING AND DISCLOSURE

4.1 Sharing with Vendors

When you place an order, we share with the relevant vendor:

  • Your first name (for order identification)
  • Order details and customizations
  • Collection time preferences
  • Allergy and dietary information
  • Contact information (only if necessary for order issues)

4.2 Service Providers

We share data with third-party service providers:

  • Stripe - Payment processing
  • Twilio - SMS notifications
  • SendGrid - Email communications
  • Amazon Web Services - Cloud hosting
  • Mapbox - Mapping services
  • Mixpanel - Analytics (anonymized)
  • Sentry - Error monitoring

4.3 Legal Requirements

We may disclose data when required to:

  • Comply with legal obligations
  • Respond to lawful requests from authorities
  • Protect our rights or property
  • Prevent fraud or security threats
  • Protect user safety

4.4 Business Transfers

If we are involved in a merger, acquisition, or asset sale:

  • Your data may be transferred
  • We will notify you via email/Platform notice
  • You may have the right to object

4.5 Aggregated Data

We may share aggregated, non-personal data:

  • Industry reports and insights
  • Vendor performance benchmarks
  • Platform usage statistics

4.6 We Never Sell Personal Data

We do not and will not sell your personal data to third parties.

5. DATA RETENTION

5.1 Retention Periods

Data Category         | Retention Period             | Reason
Account Information   | Duration of account + 1 year | Service continuity
Order History         | 6 years                      | Tax and accounting requirements
Payment Records       | 6 years                      | Financial regulations
Marketing Preferences | Until withdrawn              | Consent management
Customer Support      | 3 years                      | Service improvement
Location Data         | 90 days                      | Service optimization
Analytics Data        | 2 years                      | Platform improvement

5.2 Account Deletion

When you request account deletion:

  • We delete or anonymize personal data
  • Some data retained for legal compliance
  • Deletion completed within 30 days
  • You will receive confirmation

6. YOUR RIGHTS

6.1 UK GDPR Rights

You have the right to:

Access:

  • Request a copy of your personal data
  • Receive information about processing

Rectification:

  • Correct inaccurate data
  • Complete incomplete data

Erasure ("Right to be Forgotten"):

  • Request deletion of personal data
  • Subject to legal retention requirements

Restriction:

  • Limit processing in certain circumstances
  • Contest accuracy or lawful basis

Portability:

  • Receive data in machine-readable format
  • Transfer to another service provider

Objection:

  • Object to processing based on legitimate interests
  • Opt-out of direct marketing

Automated Decision-Making:

  • Not be subject to solely automated decisions
  • Request human review where applicable

6.2 Exercising Your Rights

To exercise any rights:

  • Email: privacy@brewrun.app
  • In-app: Account Settings > Privacy
  • Response within 30 days
  • No fee unless excessive or unfounded
  • ID verification may be required

6.3 Marketing Preferences

Control marketing communications:

  • Email: Unsubscribe link in every email
  • Push: Device settings or app preferences
  • SMS: Text STOP to opt-out
  • Account: Update preferences anytime

7. DATA SECURITY

7.1 Security Measures

We implement appropriate technical and organizational measures:

Technical:

  • Encryption in transit (TLS/SSL)
  • Encryption at rest for sensitive data
  • Regular security audits
  • Access controls and authentication
  • Regular software updates
  • Intrusion detection systems

Organizational:

  • Staff training and awareness
  • Access limited to need-to-know basis
  • Confidentiality agreements
  • Vendor security assessments
  • Incident response procedures

7.2 Payment Security

  • PCI DSS compliance through Stripe
  • We never store full payment card numbers
  • Tokenization for recurring payments
  • Fraud detection and prevention

7.3 Data Breach Notification

In case of a personal data breach:

  • Notify ICO within 72 hours (if required)
  • Inform affected users without undue delay
  • Provide details and mitigation steps
  • Document and investigate thoroughly

8. INTERNATIONAL TRANSFERS

8.1 Data Location

  • Primary data storage in the UK
  • Some processing in the EEA
  • Limited transfers outside UK/EEA

8.2 Transfer Safeguards

For international transfers, we ensure:

  • UK-approved Standard Contractual Clauses
  • Adequacy decisions where applicable
  • Appropriate technical measures
  • Your rights remain protected

9. CHILDREN'S PRIVACY

9.1 Age Requirements

  • Our Platform is not directed to children under 18
  • We do not knowingly collect data from children
  • If we discover child data, we delete it promptly
  • Parents may contact us about their children's data

10. COOKIES AND TRACKING

10.1 Cookie Types

Essential Cookies:

  • Required for Platform functionality
  • Session management
  • Security features
  • Cannot be disabled

Functional Cookies:

  • Remember preferences
  • Language settings
  • Login details

Analytics Cookies:

  • Understand usage patterns
  • Improve Platform performance
  • Aggregated statistics

Marketing Cookies (with consent):

  • Personalized advertising
  • Remarketing campaigns
  • Conversion tracking

10.2 Cookie Management

  • Browser settings to block/delete cookies
  • In-app preferences for mobile
  • Cookie banner choices on website
  • Note: Blocking may affect functionality

10.3 Do Not Track

We currently do not respond to Do Not Track signals, but you can control tracking through cookie preferences.

10.4 Cookie Declaration

11. VENDOR-SPECIFIC PROVISIONS

11.1 Vendor Data Processing

Vendors should note:

  • Customer data provided for order fulfillment only
  • Must comply with data protection laws
  • Cannot use for independent marketing
  • Must delete when no longer needed
  • Report any breaches immediately

11.2 Vendor Analytics

We provide vendors with:

  • Aggregated performance data
  • Transaction histories
  • Customer insights (anonymized)
  • Trend analysis

12. THIRD-PARTY LINKS

12.1 External Websites

  • Our Platform may contain links to third-party sites
  • We are not responsible for their privacy practices
  • Review their privacy policies before providing data
  • Vendor websites are independent of BrewRun

13. UPDATES TO THIS POLICY

13.1 Changes

We may update this Policy to reflect:

  • Legal or regulatory changes
  • New Platform features
  • Business developments
  • User feedback

13.2 Notification

  • Material changes notified via email or Platform
  • Review date shown at top of Policy
  • Continued use constitutes acceptance
  • Previous versions available upon request

14. CONTACT INFORMATION

14.1 Data Protection Queries

For privacy-related questions or to exercise your rights:

Email: privacy@brewrun.app
Post: Data Protection Officer
One More Espresso Ltd
75 Royal Court Drive
Bolton, BL1 4AZ
United Kingdom

14.2 General Inquiries

Email: hello@brewrun.app
Website: www.brewrun.app

14.3 Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

15. SPECIFIC PROCESSING ACTIVITIES

15.1 Location Services

When you enable location services:

  • Find nearby vendors
  • Calculate walking times
  • Verify collection locations
  • Provide location-based offers
  • You can disable anytime in settings

15.2 Marketing and Profiling

With your consent, we may:

  • Send promotional offers
  • Recommend vendors based on preferences
  • Create usage segments for targeting
  • No significant automated decisions

15.3 Reviews and Feedback

When you leave reviews:

  • Display first name only
  • Vendors can respond publicly
  • We moderate for inappropriate content
  • Cannot be fully anonymous

16. LEGAL DISCLOSURES

16.1 Lawful Basis Summary

Processing Activity | Lawful Basis
Account creation    | Contract
Order processing    | Contract
Payment handling    | Contract
Security measures   | Legitimate interests
Marketing emails    | Consent/Legitimate interests
Analytics           | Legitimate interests
Legal compliance    | Legal obligation
Safety issues       | Vital interests

16.2 Data Protection Impact Assessments

We conduct DPIAs for:

  • New processing activities
  • High-risk operations
  • Large-scale data processing
  • New technologies

17. ACCESSIBILITY

This Privacy Policy is available in:

  • Standard web format
  • PDF download
  • Large print (on request)
  • Alternative formats for accessibility needs

Effective Date: This Privacy Policy becomes effective in November 2025.

Acknowledgment: By using the BrewRun Platform, you acknowledge that you have read and understood this Privacy Policy.

Version: 1.0 - November 2025