Privacy Policy
1. Introduction
Lupa Foods Ltd. (“Lupa Foods”) is committed to safeguarding the privacy of our customers, suppliers, employees, and other stakeholders. This Privacy Policy outlines how we collect, use, store, and protect your personal data when you interact with us, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who We Are:
Lupa Foods Ltd.
Registered Office: 2 Imperial Place, Maxwell Road, Borehamwood, Hertfordshire, WD6 1JN
Registered number: 04934963
Any references to “we”, “our” or “us” refer specifically to Lupa Foods Ltd.
2. Definitions
For clarity, this policy uses the following definitions:
• Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”).
• Data Controller: The person or organisation that determines the purposes and means of processing personal data.
• Processing: Any operation performed on personal data, such as collection, storage, use, or deletion.
• Consent: A clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the Data Subject’s agreement to the processing of their personal data.
3. Purpose of the Privacy Policy
This Privacy Policy explains the information that we collect about you, how we use it, the legal bases for processing, and how you can exercise your rights regarding your personal data. We are committed to processing your personal data in a lawful, fair, and transparent manner.
4. What Personal Data Do We Collect?
We collect various types of personal data depending on your interactions with us, including but not limited to:
• Customer and Supplier Information: Name, address, contact details (e.g., email, phone number), job title, and any other information provided during product listing or commercial transactions.
• Employee Data: Personal details such as name, address, date of birth, qualifications, employment history, and other data necessary for recruitment and employment.
• Website Visitors: Information voluntarily provided through our website, including names, email addresses, and other identifiable information.
• Automatically Collected Data: Technical data such as IP addresses, browser types, operating systems, and website usage statistics collected through cookies and other tracking technologies.
5. How Do We Collect Your Data?
We collect personal data through:
• Direct Interactions: When you provide information directly to us, such as during product listings, communications (e.g., emails, cold calls), or through our website.
• Automated Technologies: Data is collected automatically as you interact with our website, using cookies and similar technologies.
• Third-Party Services: We utilise services such as MailChimp for marketing communications and Google Analytics to analyse website traffic and user behaviour.
6. How Do We Use Your Data?
We use your personal data for the following purposes:
• To Fulfil Contracts: Managing orders, transactions, and relationships with customers, suppliers, and employees.
• Marketing and Communication: Sending you updates, marketing materials, and newsletters (with your consent where required).
• Improving Our Services: Analysing website usage to enhance user experience and site functionality.
• Recruitment: Processing job applications and managing employment-related activities.
We ensure that all data processing activities are conducted in accordance with the legal bases set out in the GDPR, including consent, contractual necessity, legal obligations, and legitimate interests.
7. Legal Basis for Processing
The legal bases for processing your personal data include:
• Consent: When you have explicitly consented to a specific type of processing.
• Contractual Necessity: Processing required to fulfil a contract or to take steps before entering into a contract.
• Legitimate Interests: Processing necessary for our legitimate interests, provided these are not overridden by your rights and freedoms.
• Legal Obligation: Processing necessary for compliance with legal or regulatory obligations.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or to comply with legal, regulatory, or internal policy requirements. Retention periods include:
• Customer and Supplier Data: Retained for 7 years after the end of the relationship.
• Employee Data: Retained for 6 years after the end of employment.
• Marketing Data: Retained until you withdraw your consent.
After these periods, data is securely deleted or anonymised.
9. Data Security
We are committed to ensuring the security of your personal data. We employ robust security measures, including:
• Encryption: Protecting data in transit and at rest using encryption technologies.
• Access Controls: Restricting access to personal data to authorised personnel only.
• Regular Audits: Conducting regular security audits and vulnerability assessments.
• Compliance with Standards: Following best practices for information security management.
10. Data Subject Rights
Under GDPR, you have several rights regarding your personal data, including:
• Right to Access: You can request access to your personal data.
• Right to Rectification: You can request the correction of inaccurate or incomplete data.
• Right to Erasure: You can request the deletion of your personal data in certain circumstances.
• Right to Restrict Processing: You can request the restriction of processing under specific conditions.
• Right to Data Portability: You can request to receive your personal data in a structured, commonly used format.
• Right to Object: You can object to the processing of your personal data for specific purposes, such as direct marketing.
To exercise any of these rights, please contact us using the details provided below. We will respond to your request within one month.
11. Who Do We Share Your Data With?
We may share your personal data with:
• Service Providers: Third-party providers who process data on our behalf, such as IT service providers, marketing platforms (e.g., MailChimp), and analytics providers (e.g., Google Analytics).
• Legal and Regulatory Authorities: When required by law or regulation.
• Business Transfers: In the event of a sale, merger, or acquisition, where your data may be transferred as part of the business assets.
We ensure that all third parties we work with comply with GDPR standards and that appropriate data processing agreements are in place.
12. International Data Transfers
If your data is transferred outside the UK or European Economic Area (EEA), we ensure it is protected by appropriate safeguards, such as Standard Contractual Clauses or Binding Corporate Rules. We will inform you of any such transfers and the measures in place to protect your data.
13. Cookies and Tracking Technologies
We use cookies and similar technologies to collect non-personal information about your visit to our website. This helps us improve your experience and tailor our communications. You can manage your cookie preferences through your browser settings.
14. Data Breach Management
In the event of a data breach, we will:
• Contain and Assess: Immediately contain and assess the breach.
• Notify ICO: Notify the Information Commissioner’s Office (ICO) within 72 hours if the breach is likely to result in a risk to individuals’ rights and freedoms.
• Inform Affected Individuals: Inform affected individuals without undue delay if the breach poses a high risk to their rights and freedoms.
We have an incident response plan in place that outlines specific roles and responsibilities during a data breach.
15. Privacy by Design and Default
We incorporate data protection principles into the design of new systems and processes to ensure compliance with privacy standards. This includes conducting Data Protection Impact Assessments (DPIAs) where necessary, and ensuring data minimisation and pseudonymisation.
16. Training and Awareness
All employees and contractors receive training on data protection principles and practices, including:
• Annual Training: Regular refresher courses on data protection and security.
• Policy Updates: Updates on any changes in data protection laws or company policies.
• Incident Response: Training on recognising and responding to data breaches and other incidents.
17. Changes to This Policy
We may update this Privacy Policy from time to time. Any changes will be posted on our website, and where appropriate, notified to you by email. We encourage you to review this policy periodically to stay informed about how we are protecting your data.
18. Contact Us
If you have any questions or concerns about this Privacy Policy or how we handle your personal data, please contact:
Manish Mandavia, CEO
Email: manish@lupafoods.com
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns/ or by calling their helpline on 0303 123 1113.
This privacy notice was last updated in August 2024.