Privacy Policy

There are two groups of people whose data we handle:

• Restaurant staff — owners, managers and team members who sign in to the Edibly dashboard or the Edibly Kitchen app to manage orders.
• Customers (diners) — people who place food orders through an Edibly-powered ordering site. Customers do not create logins; we hold only the details needed to fulfil an order.

Staff accounts. Email address and display name, used to sign in and to identify who actioned an order. Staff accounts are created by Edibly or a restaurant owner by invitation — there is no public sign-up in the app.

Order & customer data. When a customer places an order we collect their name, contact phone number, the items ordered, and — for delivery — their delivery address. This information is shown to restaurant staff in the dashboard and the Kitchen app, and may be printed on a kitchen ticket, so the order can be prepared and delivered.

Payment information. Card payments are taken on the customer-facing ordering website and are processed entirely by Stripe. We never see or store full card numbers; we retain only a payment reference and the order total. The Edibly Kitchen app does not take payments.

Push-notification token. The Kitchen app registers a device push token (via Apple Push Notification service and Expo) so we can alert staff to new orders. It is tied to the device and the restaurant, not to a customer.

Technical & diagnostic data. Like most services, our servers log basic technical information (IP address, timestamps, error and crash diagnostics) to keep the service secure and working. We do not use this for advertising and we do not track you across other apps or websites.

• To provide the ordering platform and the Kitchen app, and to authenticate sign-in.
• To receive, route, accept/reject and fulfil food orders.
• To send new-order push notifications and transactional order emails.
• To process payments (via Stripe) and reconcile takings and commission.
• To apply offers and loyalty rewards (matched by phone number) at checkout.
• To keep the service secure, diagnose problems and prevent abuse.
• To comply with our legal and accounting obligations.

We use only strictly necessary cookies and storage — no advertising, analytics or tracking — so no cookie-consent banner is required. Specifically:

• Your basket— saved in your browser’s local storage so your order is not lost.
• Sign-in session — a cookie that keeps restaurant staff signed in to the dashboard and Kitchen app.
• Payment & fraud prevention — cookies set by Stripe during checkout.

When you order through a restaurant partner’s own website, the ordering window is embedded from edibly.io and uses Stripe for payment. In that window, Edibly and Stripe set the same strictly-necessary cookies and storage described above as third parties — they are essential to take your order and payment, so they do not require consent. You can clear cookies and storage anytime in your browser, but the basket and checkout may then stop working.

We rely on the following legal bases to process personal data:

• Contract — to provide the service to restaurants and to fulfil customer orders.
• Legitimate interests — to secure, maintain and improve the service, where not overridden by your rights.
• Legal obligation — to meet tax, accounting and regulatory requirements.

We do not sell personal data. We share it only with the service providers that make Edibly work, each acting under contract on our behalf:

• Supabase — authentication and database hosting.
• Vercel — application hosting and serving.
• Stripe — payment processing for customer orders.
• Ideal Postcodes & postcodes.io — turning a delivery postcode into address options and estimating delivery distance (we send only the postcode).
• Apple Push Notification service & Expo — delivery of new-order notifications.
• Our email provider — sending transactional order and account emails.

We may also disclose data where required by law, or to protect our rights, users or the public.

We keep order and account data for as long as needed to provide the service and to meet our legal and accounting obligations, then delete or anonymise it. Diagnostic logs are kept for a short period and then rotated out.

Under UK data protection law you have the right to access, correct, delete or restrict the processing of your personal data, to object to processing, and to data portability. To exercise any of these, email data@edibly.io. You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.

Edibly Kitchen accounts are provisioned by Edibly for restaurant staff; there is no in-app sign-up. To delete a staff account and its associated personal data, email support@edibly.io from, or referencing, the account email address. We will remove the account and its personal data within 30 days, except where we are required to retain certain records (e.g. for accounting) for longer.

Customers who placed an order can ask the restaurant, or email us, to have their order contact details removed, subject to the same legal-retention exceptions.

We protect data in transit with TLS/HTTPS and restrict access to authorised systems and people. In the Kitchen app, your sign-in session is stored encrypted in the device’s secure keystore (iOS Keychain). No system is perfectly secure, but we take reasonable technical and organisational measures to protect personal data.

Some of our service providers process data outside the UK. Where they do, we rely on appropriate safeguards (such as the UK International Data Transfer Agreement or equivalent standard contractual clauses) to protect your data.

Edibly is intended for businesses and adult customers. It is not directed at children, and we do not knowingly collect personal data from children.

We may update this policy from time to time. We will revise the “last updated” date above and, where changes are significant, take reasonable steps to notify affected users.

XEED Online Ltd (trading as Edibly)
Company number SC384806 (registered in Scotland)
C/O Calculo, 09 Eastworks, Gateway Court, Glasgow, G40 4DS
ICO registration: ZA927353
Data-protection enquiries: data@edibly.io
General support: support@edibly.io