Privacy Policy

Last updated: June 9, 2025

1. Introduction

Dished Pvt Limited ("Dished", "we", "us" or "our") is committed to protecting your privacy. This Privacy Notice explains how we collect, use, disclose and protect personal data when you use the Dished mobile application, website and related services (the "Service"). We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have any questions about this Notice or about our processing, or to exercise any of your rights, please contact us at legal@dished.uk.

2. Who we are / Data controller

Dished Pvt Limited

Registered Office: 128 City Road, London, EC1V 2NX, United Kingdom

Email: legal@dished.uk

We are the data controller for personal data processed in connection with the Service (unless otherwise stated).

3. Personal data we collect

We collect and process different categories of personal data depending on how you use the Service:

  • Identity & contact data: Name (where provided), email address, telephone number.
  • Account data: Account profile, login credentials, social login identifiers, order history, loyalty data.
  • Payment data: Payment method identifiers and transactional data (payments are processed by Stripe or another nominated payment provider). NOTE: we do not store full card numbers.
  • Dietary & health-related data (special category data): Dietary preferences, allergy information or other health-related information you voluntarily provide when placing orders.
  • Location & application data: Approximate geolocation (if you enable location services), device identifiers, device information, app logs, crash reports, push notification tokens, camera/photo access when you upload images.
  • Usage & analytics: App usage, search and browsing behaviour, device and connection information, cookies and similar technologies.
  • Communications: Customer support enquiries, emails, in-app messages and other correspondence.

4. How we collect personal data

We collect data:

  • Directly from you when you register, place orders, upload content, contact support, or provide dietary/allergy information.
  • Via social login providers where you opt to use them.
  • Automatically from your device when you use the app (logs, device identifiers, geolocation if permitted, cookies).
  • From third parties such as payment processors, analytics providers and restaurants (for order fulfilment).

5. Why we use your personal data & lawful bases

We process personal data for the following purposes and lawful bases:

  • To create and manage your account; lawful basis: performance of a contract.
  • To process and fulfil orders (including sharing dietary/allergy information with restaurants); lawful basis: performance of a contract.
  • To process payments (via Stripe or other payment providers); lawful basis: performance of a contract.
  • To communicate with you about orders, security, and support; lawful basis: legitimate interests / performance.
  • To send marketing communications (where you have consented); lawful basis: consent.
  • To personalise and improve the Service, including recommendations, analytics and A/B testing; lawful basis: legitimate interests.
  • To prevent fraud and abuse and to protect our legal rights; lawful basis: legitimate interests / legal obligation.
  • To meet legal and regulatory obligations (e.g., tax, health & safety); lawful basis: legal obligation.

Special category data (dietary/allergy/health): we process this only with your explicit consent (for order fulfilment) and where necessary to protect your vital interests in the event of an emergency.

6. Consent when collecting dietary / allergy information

When we collect dietary or allergy information we will show a clear consent statement at collection. Example wording to present in-app:

"By providing your dietary or allergy requirements you consent to Dished processing that information and sharing it with the restaurant(s) necessary to fulfil your order."

You may withdraw consent at any time, but withdrawing consent may prevent us from sharing the information needed to fulfil certain orders.

7. Automated decision-making and profiling

We may use automated decision-making and profiling (algorithms) to: personalise restaurant and menu recommendations, tailor offers, and improve search results. These processes do not currently produce legal effects about you, but if any automated decision-making produces a legal or similarly significant effect we will notify you and provide information about your rights, including the right to request human review and to object.

You may object to profiling based on legitimate interests by contacting legal@dished.uk.

8. Cookies and similar technologies

We and third-party service providers use cookies, pixels and similar technologies to operate and improve the Service, to provide analytics and to deliver personalised advertising (where permitted). Our Cookie Policy (linked in-app) provides details of the cookies used and how to control them. Browser/device settings also allow you to disable some cookies; note that disabling cookies may affect functionality.

9. Who we share your data with

We share personal data with:

  • Restaurants — to fulfil orders and to provide dietary/allergy information necessary to prepare your order.
  • Payment processors (e.g., Stripe) — to process payments.
  • Service providers — hosting, analytics, CRM, customer support, notification and messaging providers.
  • Delivery partners (where applicable) — to arrange collection or delivery.
  • Legal & regulatory authorities — where required by law.
  • Prospective purchasers or investors — in connection with a sale, merger, or reorganisation of Dished; see Section 12.

We do not sell your personal data to third parties for their independent marketing purposes.

10. International transfers

Some service providers may process data outside the UK or EEA. Where we transfer personal data internationally we put in place appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms) to ensure an adequate level of protection.

11. Data retention

In short: we keep your personal data only as long as necessary.

  • We retain account, transactional and order data while your account is active and for a period after account closure as necessary for business, legal, tax and fraud-prevention purposes.
  • Dietary and medical data is retained only for as long as necessary to provide the Service and to meet legal obligations or for safety reasons; you can request deletion at any time.
  • If deletion or anonymisation is not possible (e.g., archived backups), we will isolate the data and prevent any further processing until deletion is possible.

If you want your data deleted sooner, contact legal@dished.uk and we will evaluate and action your request according to applicable law.

12. Sale, merger or transfer of business

If Dished, or substantially all of its business related to the Service, is sold, merged, or acquired by a third party, your personal data may be transferred to the buyer or successor. We will ensure any transfer complies with applicable data protection law and will notify you where required.

13. Security & breach notifications

We implement appropriate technical and organisational measures to protect your personal data (encryption, access controls, regular security reviews). In the event of a personal data breach affecting your data we will notify you and the ICO (where required) without undue delay and in accordance with UK GDPR.

14. Children

The Service is available to users of all ages, but persons under 18 should use the Service under the supervision and with the consent of a parent or legal guardian. We do not knowingly collect or store personal data of children under 13 without appropriate parental consent. If you believe a child under 13 has provided personal data, contact legal@dished.uk to request removal.

15. Your rights

Under UK GDPR you have the following rights (subject to legal limits):

  • Access — request a copy of personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of personal data (right to be forgotten) where lawful.
  • Restriction — ask us to restrict processing in certain circumstances.
  • Object — object to processing based on legitimate interests, including profiling.
  • Portability — receive your personal data in a structured, commonly used, machine-readable format.
  • Withdraw consent — where processing is based on consent.
  • Complain — lodge a complaint with the Information Commissioner's Office (ICO).

To exercise any right, contact us at legal@dished.uk. We will respond within the statutory timeframes.

16. How to contact us / Data Protection Contact

For privacy questions, to exercise your rights, or to make a complaint, contact:

Dished Pvt Limited

Registered Office: 128 City Road, London, EC1V 2NX, United Kingdom

Email: legal@dished.uk

We may require reasonable identification information to fulfil requests.

17. Changes to this Privacy Notice

We may update this Privacy Notice from time to time. Material changes will be communicated via the App and/or by email. Continued use of the Service after notice of changes constitutes acceptance of the updated Notice.

18. Complaints

If you are not satisfied with our handling of your personal data you may contact us at legal@dished.uk. You also have the right to complain to the ICO: https://ico.org.uk/.

19. Acknowledgement

By using the Dished Service you acknowledge that you have read and understood this Privacy Notice and consent to the processing described above.