Privacy Policy
What we collect when you order or visit, why we collect it, how we use it, and the rights you have over your personal data.
1. Who we are
Yum! Curries is a brand of Aurum Grove Limited, a company registered in England & Wales. We operate Indian QSR delivery from our Brighton kitchen at 1 Paston Place, with planned expansion across the UK. Our sister brand is Saakshis (Indian ready-meals).
For all data-protection matters, contact:
Email: privacy@yumcurries.com · Allergen-specific queries: allergens@yumcurries.com
Post: 1 Paston Place, Kemptown, Brighton, East Sussex, BN2 1HA, UK
2. What personal data we collect
We collect only what is necessary to take your order, deliver food, comply with allergen-safety law, run the brand's marketing, and meet our legal obligations.
2.1 When you order via our direct site or via Uber Eats / Deliveroo / Just Eat
- Name (first name and last initial in some flows)
- Delivery address and postcode
- Phone number
- Email address (if entered)
- Order details, including any special instructions or allergy notes you flag (we treat these as Article 9 special-category health data and handle them accordingly)
- Payment confirmation status (we do not see or store full card details — payment is processed by the platform you ordered through)
2.2 When you visit yumcurries.com
- IP address (hashed or truncated wherever possible)
- Device, browser, language, country
- Pages viewed, time on page, scroll depth, click events
- Referrer (the site or campaign that brought you here)
- Anonymised analytics events via Google Analytics 4, Microsoft Clarity (heatmaps + session replay, masked PII), and conversion APIs (Meta CAPI, Google Ads). See our cookie policy for the full list.
2.3 When you opt in to marketing
- Name, mobile or email, postcode, channel preference (WhatsApp / SMS / email)
- Which offer code you redeemed and when
3. Why we use it (lawful bases)
| Purpose | Lawful basis (UK GDPR Article 6 / 9) |
|---|---|
| Taking your order, processing payment, dispatching delivery, customer service | Performance of a contract |
| Allergen-safety record-keeping (Natasha's Law / FIR 1169/2011, FSA hygiene compliance) | Legal obligation; explicit consent for processing health data (Article 9(2)(a)) |
| Sending marketing messages (offers, new dishes, store openings) where you've opted in | Consent (PECR + UK GDPR) |
| Site analytics, conversion measurement, performance debugging | Legitimate interest (and consent for non-essential cookies) |
| Fraud prevention, security, compliance with law-enforcement requests | Legitimate interest; legal obligation |
| Anonymous statistics (number of orders, popular dishes) for business planning | Legitimate interest |
4. Who we share data with (our sub-processors)
We use a small set of carefully chosen third parties to operate the brand. Each is a "processor" under UK GDPR; they only handle data on our written instruction and under contractual safeguards equivalent to those we apply ourselves.
| Sub-processor | Purpose | Region |
|---|---|---|
| Uber Eats (Uber Portier B.V.) | Order receipt + payment processing for orders placed via Uber Eats | EU/UK + global |
| Deliveroo | Order receipt + payment processing for orders placed via Deliveroo | UK |
| Just Eat | (Pending) Order receipt for orders placed via Just Eat | UK |
| Cloudflare | Site hosting (Pages), DNS, edge caching, webhook ingestion (Workers) | EU/UK |
| HighLevel ("GHL") | CRM, marketing automation, WhatsApp/SMS/email delivery | USA (under SCCs) |
| Google (Analytics 4, Tag Manager, Ads, Search Console) | Site analytics, ad measurement | EU/UK + USA (under SCCs) |
| Meta (Facebook, Instagram, CAPI) | Ad measurement, conversion API | EU/UK + USA (under SCCs) |
| Microsoft Clarity | Heatmaps, masked session replay (no PII captured) | EU/UK |
| Sentry | Error monitoring (PII scrubbed) | EU |
Where any sub-processor is outside the UK/EU, we rely on the UK International Data Transfer Agreement or the EU Standard Contractual Clauses as approved by the ICO/European Commission.
5. How long we keep your data
- Order history: 6 years (UK accounting / VAT records).
- Allergen-flag records: 6 years (food-business safety records).
- Marketing list entries: until you unsubscribe, then deleted within 30 days.
- Analytics + cookies: see the cookie policy; most expire within 14 months.
- Operational logs (server logs, error monitoring): 90 days.
6. Your rights under UK GDPR
You have the following rights, free of charge, exercisable at any time:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct anything that's inaccurate or incomplete.
- Erasure ("right to be forgotten") — ask us to delete your data, subject to legal retention obligations.
- Restriction — limit how we use your data.
- Portability — get your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — at any time, where consent is the lawful basis (e.g., marketing); withdrawal does not affect prior processing.
- Complain — to the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.
To exercise any right, email privacy@yumcurries.com. We respond within one calendar month.
7. Allergens — special note
Where you tell us about an allergy in an order's special instructions, we treat that as Article 9 special-category health data. We process it only to safely fulfil your order and meet our legal obligations under Natasha's Law and FIR 1169/2011. We do not use allergen flags for marketing or profiling. Our menu's nut-free claim covers every dish we cook in our kitchen; off-site desserts (Ras Malai, Gulab Jamun) are made by a third-party supplier and contain nuts — see /allergen/nut-free for full disclosure.
8. Children
Our services are aimed at adults (18+). We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
9. Cookies
See our cookie policy for the full list of cookies and similar technologies used on yumcurries.com, including how to manage your preferences.
10. Security
We maintain a written information-security programme, including: encryption in transit (HTTPS/TLS 1.3) and at rest where applicable, access controls scoped by role, periodic vulnerability scanning, prompt patching, and incident response. We notify the ICO and affected customers within 72 hours of becoming aware of a personal-data breach where required by UK GDPR Articles 33–34.
11. Changes to this policy
We may update this policy as our services evolve or as the law changes. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated by email or banner notice for at least 30 days before they take effect.
12. Contact & complaints
Allergen contact: allergens@yumcurries.com
General contact: hello@yumcurries.com
Post: Aurum Grove Limited, 1 Paston Place, Kemptown, Brighton, East Sussex, BN2 1HA, United Kingdom
Unhappy with how we've handled your data? You may complain to the UK Information Commissioner's Office: ico.org.uk · 0303 123 1113.