Tooting Fish and Kebab
Last updated: 2 July 2026
This policy explains what personal information Tooting Fish and Kebab (“we”, “us”, “our”) collects when you use our mobile app and website (together, the “Service”), why we collect it, how we look after it, and the choices and rights you have. We are based in the United Kingdom and handle personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By creating an account or placing an order, you accept the practices set out below.
1. Who we are
Tooting Fish and Kebab runs a food ordering and delivery service through our app and website. If you have any questions about this policy or the data we hold about you, please get in touch:
- Email: info@tootingfishkebab.co.uk
- Website: https://tootingfishandkebab.com
2. The information we collect
We collect only what we need to run your account, take your order, and deliver your food. The table below summarises this and doubles as a reference for the App Store and Google Play privacy disclosures.
|
Category |
What it includes |
Why we collect it |
|
Account & contact details |
Name, email address, phone number |
To create and run your account and contact you about orders |
|
Order & delivery details |
Delivery address, order history, items, notes and preferences |
To prepare and deliver your orders |
|
Payment details |
Handled by Stripe. We never store your full card number or CVV |
To take payment securely |
|
Location |
Rider app: precise location during an active delivery. Customer app: location may be used to help enter or confirm a delivery address |
To navigate, enable live order tracking, and confirm addresses |
|
Support & chat messages |
Messages you send us in in-app chat or to support |
To answer and resolve your queries |
|
Technical & diagnostic data |
Crash reports and error diagnostics (Firebase Crashlytics), device type, OS version, app state at time of a crash, and a push notification token (Firebase Cloud Messaging) |
To keep the app stable, fix problems, and send order notifications |
We do not collect special category data, and we do not track you across other companies’ apps or websites for advertising.
3. How we use your information
We use your information to:
- Create, secure and manage your account
- Take, prepare and deliver your orders
- Process payments through Stripe
- Send order updates and notifications (for example, “order confirmed” or “out for delivery”)
- Provide real-time order tracking and delivery navigation
- Respond to your support requests and chat messages
- Diagnose crashes, keep the Service secure, and improve reliability
- Meet our legal and accounting obligations, such as tax record-keeping
Legal bases (UK GDPR). We rely on: performance of a contract (to take and deliver your order); consent (for push notifications and device location, which you can withdraw at any time in your device settings); legitimate interests (to keep the Service secure and improve it); and legal obligation (for example, financial record-keeping).
4. Location data
Location is one of the most sensitive things we handle, so we want to be clear about it.
- Rider app. When a rider is on an active delivery and using the app, we collect precise device location to provide turn-by-turn navigation and to let the customer follow the delivery in real time.
- Customer app. We may use your device location to help you enter or confirm a delivery address. This is optional and only happens when you choose to use it.
We use location only to provide the delivery service. We do not use it for advertising and we do not sell it. You can turn location permissions on or off at any time in your device settings, though some delivery features may not work without it.
5. How we share your information
We do not sell your personal information. We share it only where it is needed to run the Service, with:
- Delivery riders — your name, delivery address and order details, so your order reaches you.
- Stripe — our payment provider, to process payments securely. Stripe handles card details under its own privacy policy and PCI-DSS standards.
- Cloud and infrastructure providers — including Supabase (database and authentication) and our hosting provider, which store data on our behalf.
- Google Firebase — for push notifications (Firebase Cloud Messaging) and crash reporting (Crashlytics).
- Google Maps — to show maps and provide navigation and address features.
- Authorities or legal bodies — where the law requires it, or to protect our rights, our users, or the public.
Each of these providers acts on our instructions under agreements that require them to keep your data secure and to provide protection equal to or greater than that described in this policy, using it only for the purposes we set.
6. International data transfers
Some providers may process data outside the UK. Where that happens, we make sure your data stays protected through appropriate safeguards, such as UK adequacy decisions or standard contractual clauses, as required by UK data protection law.
7. How long we keep your information
We keep your information for as long as your account is active and while we need it to provide the Service. We keep order and payment records for as long as the law requires for tax and accounting purposes. Once data is no longer needed, we securely delete or anonymise it.
8. How we protect your information
We use appropriate technical and organisational measures to keep your data safe, including encryption in transit (HTTPS/TLS), secure authentication, and restricted access controls. Sensitive credentials on your device are held in secure device storage. No system is ever completely secure, but we work continuously to protect your information.
9. Your rights
Under UK data protection law you can:
- Access the personal data we hold about you
- Ask us to correct data that is wrong or incomplete
- Ask us to delete your data (“right to be forgotten”)
- Object to or restrict how we use your data
- Withdraw consent at any time (for example, turn off notifications or location in your device settings)
- Ask for a copy of your data in a portable format
To exercise any of these, email us at info@tootingfishkebab.co.uk. You can also complain to the UK Information Commissioner’s Office (ICO) at https://ico.org.uk.
10. Deleting your account and data
You can delete your account and its associated personal data in two ways:
- In the app: open the app and go to Profile → Settings → Delete Account. Follow the prompts to confirm. This permanently removes your account and associated personal data.
You can also email info@tootingfishkebab.co.uk to request deletion.
When you delete your account, we delete the personal data associated with it, except for records we are legally required to keep — for example, transaction and payment records retained for tax and accounting purposes, and information kept for fraud prevention or security. We complete deletion requests within 30 days.
11. Children’s privacy
The Service is not intended for children under 16, and we do not knowingly collect their personal information. If you believe a child has given us personal data, please contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. When we make significant changes, we will update the “Last updated” date above and, where appropriate, let you know in the app. Please check back from time to time.
13. Contact us
If you have any questions about this policy or how we handle your data, contact:
Tooting Fish and Kebab Email: info@tootingfishkebab.co.uk Website: https://tootingfishandkebab.com

