Privacy Policy

Effective: 1 March 2026

1. Who we are

CrossKitchen operates a marketplace connecting diet-conscious customers with partner restaurants that prepare calorie-precise meals. In this policy "CrossKitchen", "we", "us" and "our" refer to the data controller for personal data collected through this service.

If you have questions about how we handle your data, contact us at [email protected].

2. Data we collect

We collect the following categories of personal data:

  • Account data — email address, name (optional), preferred locale.
  • Health & diet preferences — daily calorie goal, allergen exclusions, and dietary restrictions you choose to provide.
  • Order data — the items ordered, calorie targets, timestamps, fulfilment type, and order status.
  • Delivery addresses — street address, city, and postal code for delivery orders.
  • Payment data — payments are processed by Stripe. CrossKitchen does not store card numbers or full payment details; we only store a reference to the Stripe payment intent.
  • Device tokens — if you enable push notifications, we store your device token (APNs or FCM) to deliver notifications.
  • Session data — session token, IP address, and user-agent string to maintain your authenticated session and detect suspicious sign-ins.

3. How we use your data

We use your data to:

  • Process and fulfil your orders (contract performance).
  • Calculate exact ingredient quantities based on your calorie target (contract performance).
  • Send transactional notifications — order confirmations, status updates, and refund decisions — by email and push notification (contract performance).
  • Send optional weekly calorie summaries and marketing communications, if you have opted in (consent).
  • Detect and prevent fraud and abuse (legitimate interest).
  • Comply with legal obligations, including financial record-keeping (legal obligation).

4. Third-party services

  • Stripe — processes payments and manages payouts to restaurant partners. Subject to Stripe's Privacy Policy.
  • Apple (APNs) and Google (FCM) — deliver push notifications to your device if you have opted in to notifications.
  • Email provider — delivers transactional and marketing emails on our behalf.

We do not sell your personal data to third parties or use it for targeted advertising.

5. Data retention

We retain your account data for as long as your account is active, plus three years after closure. Order and financial records are retained for seven years to meet tax and accounting obligations. You may request earlier deletion subject to legal constraints.

6. Your rights

Under the GDPR and equivalent legislation you have the right to:

  • Access — request a copy of the data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your data where no legal obligation requires us to keep it.
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction and objection — restrict processing or object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, email [email protected]. You also have the right to lodge a complaint with your local data protection authority.

7. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email at least 14 days before the changes take effect. The current version is always available at this URL.