Privacy Policy

Last updated: 27 March 2026

1. Who We Are

Kitchen Tonic (“we”, “us”, “our”) is a food safety consultancy registered in England and Wales. We are the data controller for personal information collected through our website at kitchentonic.com and the services we provide.

Contact: hello@kitchentonic.co.uk
Address: London, United Kingdom

2. What Information We Collect

We may collect the following personal data:

  • Identity & contact data: name, email address, telephone number, business name, business address, and job title
  • Business data: food hygiene rating, business type, local authority area, and food safety information provided via our risk assessment tool
  • Payment data: payment card details are processed securely by our payment provider Stripe and are never stored on our servers
  • Technical data: IP address, browser type, device information, pages visited, and cookies (see our Cookie Policy)
  • Communication data: records of correspondence including emails, phone calls, and voice interactions with our AI assistant

3. How We Use Your Information

We process your personal data for the following purposes:

  • To provide our food safety consulting, training, and HACCP services
  • To generate your personalised risk assessment and scorecard
  • To send you your scorecard PDF and follow-up recommendations via email
  • To process payments for our services and courses
  • To communicate with you about your enquiry or booking
  • To send marketing communications where you have opted in
  • To improve our website and services through analytics
  • To comply with legal and regulatory obligations

4. Legal Basis for Processing

We rely on the following legal bases under UK GDPR:

  • Contract: processing necessary to provide the services you have requested or to take pre-contractual steps (e.g. risk assessment, booking a consultation)
  • Legitimate interests: improving our services, website analytics, and sending relevant business communications
  • Consent: marketing emails and non-essential cookies, which you can withdraw at any time
  • Legal obligation: where we are required to retain or disclose data by law

5. Who We Share Your Data With

We may share your personal data with:

  • Service providers: Stripe (payments), Postmark (email), Supabase (hosting), Vercel (website hosting), and Vapi (voice AI) — each acting as a data processor under contract
  • Our consultants: assigned food safety consultants who need your information to deliver services
  • Legal and regulatory authorities: where required by law

We do not sell your personal data to third parties. All our service providers are contractually obligated to process data in accordance with UK GDPR.

6. Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this policy:

  • Client records: 7 years after the end of the business relationship (in line with HMRC requirements)
  • Risk assessment data: 2 years from the date of assessment
  • Marketing contacts: until you unsubscribe or withdraw consent
  • Website analytics: 26 months (Google Analytics default)

7. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Access: request a copy of the data we hold about you
  • Rectification: ask us to correct inaccurate data
  • Erasure: ask us to delete your data where there is no compelling reason to continue processing
  • Restriction: ask us to suspend processing in certain circumstances
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests or for direct marketing
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at hello@kitchentonic.co.uk. We will respond within 30 days.

8. International Transfers

Some of our service providers (e.g. Vercel, Supabase) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions approved by the UK Government.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS), access controls, and regular security reviews. Payment data is handled entirely by Stripe, a PCI DSS Level 1 certified provider.

10. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated “last updated” date. We encourage you to review this policy periodically.

11. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113