Privacy Policy
Effective date: 25 March 2026
1. Who We Are
Niblets Ltd (“we”, “us”, “our”) is the data controller responsible for your personal data. We are registered in England and Wales and operate the niblets.co.uk website and related services (the “Service”).
Data Protection Contact: [email protected]
2. Data We Collect
We collect the following categories of personal data:
2.1 Data You Provide
| Data | When Collected |
|---|---|
| Full name | Account registration, subscription creation, orders |
| Email address | Account registration, Google/Microsoft SSO |
| Password (hashed) | Account registration (email/password method only) |
| Delivery address (address lines, city, postcode) | Subscription creation, order placement |
| Subscription & order preferences | Meal plan selection, meal customisation |
2.2 Data Collected Automatically
| Data | Purpose |
|---|---|
| IP address, browser type, device information | Security, fraud prevention, service improvement |
| Authentication tokens and session data | Session management, secure authentication, and maintaining your signed-in state |
2.3 Data from Third Parties
| Source | Data Received |
|---|---|
| Google Sign-In | Name, email address, email verification status |
| Microsoft Sign-In | Name, email address, email verification status |
| Stripe | Limited payment card details (last 4 digits, card type), transaction references, and payment status |
3. How We Use Your Data
We process your personal data on the following legal bases under UK GDPR:
| Purpose | Legal Basis |
|---|---|
| Create and manage your account | Performance of a contract |
| Process subscriptions, orders, and deliveries | Performance of a contract |
| Process payments via Stripe | Performance of a contract |
| Authenticate your identity (password or SSO) | Performance of a contract |
| Send order confirmations and delivery updates | Performance of a contract |
| Prevent fraud, detect abuse, and maintain security | Legitimate interest |
| Improve the Service and analyse usage patterns | Legitimate interest |
| Comply with legal or regulatory obligations | Legal obligation |
We do not sell your personal data to any third party. We do not use your data for automated decision-making or profiling that has a legal or similarly significant effect on you.
4. Cookies & Local Storage
4.1 Cookies
We use a small number of essential cookies to keep you securely signed in and to refresh your session. These cookies are configured with industry-standard security settings, expire after a short period, and are not used for advertising or tracking.
4.2 Browser Storage
We store limited session information (your name, email, and an authentication token) in your browser to maintain your signed-in state across page loads. This data is automatically cleared when you sign out.
We do not use any third-party analytics, advertising, or tracking cookies at this time.
5. Data Sharing & Third-Party Processors
We share personal data only with the following categories of recipients:
| Recipient | Data Shared | Purpose |
|---|---|---|
| Stripe, Inc. | Name, email, payment details, order amounts | Payment processing |
| Google LLC | OAuth tokens (during SSO authentication) | Identity verification (Google Sign-In) |
| Microsoft Corporation | OAuth tokens (during SSO authentication) | Identity verification (Microsoft Sign-In) |
| Cloud infrastructure provider | All service data (encrypted at rest) | Hosting, database storage, and content delivery |
All processors are bound by data processing agreements and comply with applicable data protection legislation. Some processors are based outside the UK. Where data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or UK adequacy decisions.
6. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Passwords are securely salted and hashed using industry-standard algorithms. We never store plain-text passwords.
- Authentication tokens are cryptographically signed and transmitted over HTTPS only.
- Session credentials are stored with strict security settings to prevent unauthorised access.
- All data in transit is encrypted using TLS 1.2 or higher.
- We never see or store your full card number — our payment processor handles card details directly.
- All inputs are validated and sanitised to protect against common web security threats.
7. Data Retention
| Data | Retention Period |
|---|---|
| Account data (name, email) | Until you delete your account, or 3 years of inactivity |
| Order & payment records | 6 years from the transaction date (UK tax & accounting requirements) |
| Delivery addresses | Retained with associated subscription; deleted on subscription deletion |
| Session & authentication data | Short-lived; cleared on sign-out or after a brief expiry period |
8. Your Rights
Under UK GDPR, you have the following rights:
- Access — Request a copy of the personal data we hold about you.
- Rectification — Request correction of inaccurate or incomplete data.
- Erasure — Request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
- Restriction — Request that we restrict processing of your data in certain circumstances.
- Portability — Receive your data in a structured, commonly used, machine-readable format.
- Objection — Object to processing based on legitimate interest.
- Withdraw Consent — Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, please email us at [email protected]. We will respond within one calendar month, as required by law.
9. Children's Privacy
Our Service is designed for parents and guardians to order meals for their children. We do not knowingly collect personal data directly from children under 13. All account holders must be at least 18 years old.
Any information about children (such as dietary preferences or age stages selected for meal plans) is provided by the parent/guardian and is processed for the sole purpose of fulfilling meal orders.
10. International Data Transfers
Your data is primarily stored within the European Economic Area (EEA). Where data is transferred to processors based outside the UK or EEA, we ensure appropriate safeguards via Standard Contractual Clauses (SCCs), the UK-US Data Bridge, or other approved mechanisms.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated by email and/or a prominent notice on the Service. The “Effective date” at the top of this page will be updated accordingly.
12. Complaints
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO. Please email us at [email protected] first.
13. Contact Us
For any questions regarding this Privacy Policy or your personal data:
- Email: [email protected]
- General support: [email protected]
- Website: niblets.co.uk