Kulcha Express Global Ltd

At Kulcha Express, we are committed to protecting your privacy and ensuring the security of your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our restaurants, use our website, or engage with our services.

Data Controller: Kulcha Express Global Ltd. is the data controller for the personal information we collect and process.

We process your personal data under the following lawful bases:

• Contract: To fulfill our contractual obligations when you order food or use our services
• Legitimate Interests: To improve our services, conduct marketing, and operate our business
• Consent: For marketing communications and non-essential cookies (where required)
• Legal Obligation: To comply with legal and regulatory requirements
• Vital Interests: To protect health and safety in emergency situations

• Contact Information: Name, email address, phone number, delivery address
• Order Information: Food preferences, dietary requirements, delivery instructions
• Communication: Messages, feedback, survey responses, customer service interactions
• Marketing Preferences: Newsletter subscription, communication preferences
• Accessibility Requirements: Special dietary needs, allergies

• Website Usage: IP address, browser type, device information, pages visited, session duration
• Cookies and Similar Technologies: Essential cookies, analytics cookies, marketing cookies (with consent)
• CCTV: Images captured in our restaurants for security purposes

• Delivery Partners: Order information from UberEats, Deliveroo, and JustEat when you order through their platforms
• Social Media: Information when you interact with our social media pages
• Analytics Providers: Aggregated website usage statistics

Note: We do not collect or store payment card information directly. All payments are processed securely by our delivery partners or third-party payment processors.

• Processing and fulfilling food orders
• Coordinating delivery through our partner platforms
• Providing customer service and order support
• Managing restaurant operations and table bookings

• Service Improvement: Analyzing customer preferences and feedback to enhance our menu and services
• Business Operations: Managing inventory, staff scheduling, and restaurant efficiency
• Marketing: Sending promotional materials about our services (with appropriate opt-out options)
• Security: Protecting our premises, customers, and staff through CCTV monitoring

• Email Marketing: Sending newsletters and promotional offers (you can unsubscribe at any time)
• Non-Essential Cookies: Analytics and marketing cookies (you can manage preferences through our cookie banner)

• Food Safety: Maintaining records for food hygiene and safety regulations
• Tax and Accounting: Keeping financial records as required by HMRC
• Health and Safety: Incident reporting and compliance with workplace regulations

• Delivery Partners: UberEats, Deliveroo, and JustEat receive necessary order and contact information
• Technology Providers: Website hosting, email services, and analytics platforms
• Professional Services: Accountants, lawyers, and business advisors (under strict confidentiality)

• Regulatory Authorities: Food Standards Agency, local councils, HMRC, ICO
• Law Enforcement: When required by law, court order, or to protect public safety
• Emergency Services: In case of health and safety emergencies

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred as part of the business assets, subject to the same privacy protections.

• Right of Access: Request a copy of the personal data we hold about you
• Data Portability: Receive your data in a structured, commonly used format

• Rectification: Correct inaccurate or incomplete personal data
• Erasure: Request deletion of your personal data (subject to legal obligations)

• Restriction: Limit how we process your personal data in certain circumstances
• Objection: Object to processing based on legitimate interests or for marketing purposes
• Withdraw Consent: Withdraw consent for consent-based processing at any time

We do not use automated decision-making or profiling that significantly affects you.

• Encryption: Data encrypted in transit using SSL/TLS protocols
• Access Controls: Role-based access to personal information
• Regular Updates: Security patches and system updates
• Backup Systems: Secure data backup and recovery procedures

• Staff Training: Regular data protection training for all employees
• Policies and Procedures: Comprehensive data protection policies
• Third-Party Agreements: Data processing agreements with all service providers
• Incident Response: Procedures for detecting and responding to data breaches

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the ICO within 72 hours of becoming aware of the breach
• Notify affected individuals without undue delay where required
• Take immediate steps to contain and remediate the breach

Some of our service providers may be located outside the UK. When we transfer personal data internationally, we ensure appropriate safeguards are in place:

• Adequacy Decisions: Transfers to countries with adequate data protection laws
• Standard Contractual Clauses: EU/UK Standard Contractual Clauses for other transfers
• Binding Corporate Rules: Where applicable for multinational service providers

We retain personal data only for as long as necessary for the purposes outlined in this policy:

• Order Information: 6 years for accounting and tax purposes
• Customer Communications: 3 years from last contact
• Marketing Data: Until you unsubscribe or 3 years of inactivity
• CCTV Footage: 30 days unless required for ongoing investigations
• Website Analytics: 26 months in anonymized form

Required for website functionality, including:

• Session management
• Security features
• Basic website operations

With your consent, we use cookies to:

• Understand website usage patterns
• Improve user experience
• Measure marketing effectiveness

With your consent, we may use cookies for:

• Personalized advertising
• Social media integration
• Remarketing campaigns

We do not knowingly collect personal information from children under 16 years of age without parental consent. If we discover that we have collected information from a child under 16 without verification of parental consent, we will delete such information immediately.

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make significant changes, we will:

• Post the updated policy on our website with a new effective date
• Provide additional notice as required by law

Your continued use of our services after changes take effect constitutes acceptance of the updated policy.

Email: online@kulchaexpress.co.uk

Post: Data Protection Officer
Kulcha Express Global Ltd
398 Farnham Road
Slough, SL2 1JD
United Kingdom

When you visit our restaurants, we may collect information through CCTV for security purposes and your order information if you provide contact details for bookings or feedback.

We collect limited information through cookies and website analytics to improve your browsing experience and understand how our website is used.

When you order through UberEats, Deliveroo, or JustEat, these platforms share necessary order and contact information with us to fulfill your order.

If you subscribe to our newsletter, we will only use your email address to send you updates about our services and special offers. You can unsubscribe at any time.