Privacy Policy
Last updated: April 13, 2026 — Version 2.0
1. Data Controller
GeraEats is operated by Gera Services (registered in England and Wales), a food delivery platform. We are the data controller under the UK GDPR and Data Protection Act 2018.
- Website: geraeats.com
- Data Protection: [email protected]
2. What Personal Data We Collect
2.1 Identity and Contact Data
Full name, email address, phone number, delivery addresses.
2.2 Order and Food Preference Data
Order history, food preferences, dietary requirements (where you provide them), restaurant ratings and reviews, and favourites.
Note: dietary information (e.g., allergies, religious dietary requirements) may constitute health or beliefs data under UK GDPR. We process this only to fulfil your orders and never share it beyond the restaurant preparing your food.
2.3 Location Data (Core to Delivery Service)
Delivery address for every order. Real-time GPS location via mobile app during active delivery for live tracking (passenger-facing). For delivery riders, continuous GPS location while active — required for dispatch and routing.
2.4 Transaction Data
Order history, prices paid, payment type and last four digits, refund and dispute history.
2.5 Rider Data
Delivery rider identity, vehicle type, earnings history, and ratings received.
2.6 Usage and Technical Data
IP address, browser type, device identifiers, app version, session data, crash logs.
3. Legal Bases for Processing
| Purpose | Legal Basis |
|---|---|
| Account and order management | Contract (Art. 6(1)(b)) |
| Processing food orders and delivery | Contract (Art. 6(1)(b)) |
| Sharing delivery address with restaurant/rider | Contract (Art. 6(1)(b)) |
| Dietary/allergy information processing | Explicit Consent (Art. 9(2)(a)) + vital interests for allergen safety |
| Rider location tracking (active delivery) | Contract (Art. 6(1)(b)) |
| Fraud prevention | Legitimate Interests (Art. 6(1)(f)) |
| Personalised restaurant recommendations | Legitimate Interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
4. Data Retention
- Order history and dietary data: while active + 2 years after closure
- Real-time rider location: 90 days then anonymised
- Financial records: 6 years (HMRC)
- Analytics: 13 months rolling
5. Who We Share Your Data With
We do not sell your data. We share only as necessary:
- Restaurants — order details and dietary requirements to prepare your food
- Delivery riders — delivery address and contact number
- Stripe — payment processing
- Railway, Neon, Vercel — infrastructure
- PostHog (EU, anonymised); Sentry (EU, errors)
- Food Standards Agency — hygiene ratings (public data integrated)
- Legal/regulatory authorities — when required by law
6. Your Rights
Access, rectify, erase, restrict, port, or object to your data. Email [email protected]. Complaints to the ICO.
7. Security
TLS 1.2+ in transit, AES-256 at rest, MFA on admin, regular audits. ICO notified within 72 hours of qualifying breach.
8. Cookies
Essential, functional, and (with consent) analytics cookies. See our Cookie Policy.
9. Contact
- Data Protection: [email protected]
- Support: [email protected]