Privacy Policy

Version: 2.3
Effective Date: 7 November 2025
Last Updated: 14 May 2026

1. Who We Are

TrustDiner Ltd ("we", "us", "our") operates the TrustDiner platform, a community-driven food allergy safety service. We are registered in the United Kingdom. You can contact us at support@trustdiner.co.uk.

2. What Data We Collect

We collect and process the following data:

  • Account details (name, email address, password)
  • Allergy information you choose to provide
  • Restaurant reviews and comments
  • Technical data (IP address, browser type, usage data)
  • Analytics information via Mixpanel and Google Analytics (with your consent)
  • Advertising and conversion data via Meta Pixel (with your consent)
  • Marketing preferences and email interactions

3. How We Use Your Data

We process data to:

  • Operate and improve the TrustDiner platform
  • Personalise your experience
  • Send service and promotional emails (with consent)
  • Conduct analytics and performance measurement
  • Ensure platform security and community safety

4. Legal Bases for Processing

Under the UK GDPR, we rely on:

  • Consent – for marketing emails and analytics tracking
  • Legitimate interests – for operating and improving the platform
  • Legal obligations – when required to comply with law or respond to lawful requests

5. Data Retention

We retain your personal data for the following periods:

  • Account data: Retained while your account is active, plus 28 days after deletion request (grace period for restoration)
  • Reviews: Retained permanently for community benefit, but anonymized upon account deletion (disconnected from your identity)
  • Allergen preferences: Deleted immediately upon account deletion
  • Consent records: Retained for 7 years to demonstrate GDPR compliance
  • Audit logs: Retained for 7 years for legal and regulatory compliance
  • Session data: Cleared after 7 days of inactivity

To delete your account and personal data, visit your Profile → Account Settings.

6. Sharing, Selling, and Transferring Your Data

We may share, transfer, or sell your personal data to third parties in the following circumstances:

6.1 Service Providers and Data Processors

We share data with third-party service providers who assist us in operating the platform:

  • AWS (UK region) – secure cloud hosting and data storage
  • Mixpanel – product analytics and performance tracking
  • Google Analytics (Google Ireland Ltd) – aggregated traffic and behaviour analytics (loaded only with your consent)
  • Meta Platforms Ireland Ltd (Meta Pixel) – ad measurement, conversion tracking, and retargeting on Facebook and Instagram (loaded only with your consent; see section 9.1)
  • SendGrid – email communications
  • Other service providers – as necessary for platform operation, maintenance, and improvement

All third-party processors are contractually required to comply with UK data protection standards and use your data only for specified purposes.

6.2 Data Sales and Commercial Transfers

We may sell, license, or otherwise transfer certain categories of your personal data to third parties for commercial purposes, including but not limited to:

  • Marketing and advertising partners – demographic information, preferences, and usage patterns for targeted advertising
  • Research organisations – aggregated or anonymised data for market research and analytics
  • Business partners – data sharing arrangements for commercial purposes
  • Data brokers and aggregators – where legally permitted and in compliance with applicable law

Categories of data that may be sold or transferred include: demographic information (age range, location), dietary preferences and allergen information, usage patterns and behaviour data, restaurant preferences and review activity, and aggregated analytics data.

6.3 Legal and Regulatory Disclosures

We may disclose your data when required by law, court order, regulatory authority, or to protect our legal rights, property, or safety, or that of our users or third parties.

6.4 Business Transfers

In the event of a merger, acquisition, sale of assets, or other business transfer, your personal data may be transferred to the acquiring entity as part of the transaction.

6.5 Your Rights Regarding Data Sharing and Sales

You have the following rights regarding our sharing and sale of your data:

  • Right to opt out: You may opt out of certain types of data sales and sharing by contacting us at support@trustdiner.co.uk or adjusting your account privacy settings
  • Right to object: You may object to processing based on legitimate interests, including data sharing for commercial purposes
  • Right to withdraw consent: Where data sharing is based on consent, you may withdraw that consent at any time
  • Right to information: You may request information about categories of third parties with whom we share or sell your data

Legal Basis: Our sharing and sale of data is based on your consent (where required), our legitimate business interests in operating and improving our services, compliance with legal obligations, and performance of our contract with you. For more information about exercising your rights, please see Your Data Rights.

7. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right to Access – Request a copy of all data we hold about you. Request your data via email.
  • Right to Rectification – Update your profile information. Edit your profile.
  • Right to Erasure ("Right to be Forgotten") – Request deletion of your account and personal data. Delete your account (28-day grace period applies).
  • Right to Withdraw Consent – Manage your analytics and marketing cookie preferences. Manage consent settings.
  • Right to Data Portability – Request your data in machine-readable format (JSON). Email support@trustdiner.co.uk.
  • Right to Lodge a Complaint – You can complain to the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.

For detailed information about exercising these rights, visit Your Data Rights or contact us at support@trustdiner.co.uk.

8. Data Security

We use encryption, access control, and regular security reviews to protect your information. Data is stored securely in AWS data centres within the United Kingdom.

9. Marketing, Communication & Advertising

You will only receive promotional emails if you explicitly opt in. You can unsubscribe at any time via the link in each email.

9.1 Meta Pixel (Facebook and Instagram advertising)

When you grant consent via our cookie banner, we load the Meta Pixel (operated by Meta Platforms Ireland Ltd) to help us measure the effectiveness of our advertising on Facebook and Instagram and to show relevant ads to users who have visited TrustDiner.

What we send to Meta: the page URL you are viewing, basic event metadata (e.g. which action you took), your IP address, your user agent, and a first-party Meta cookie (_fbp) used to associate events with your browser. We do not send your email address, your name, your allergy data, or the content of your reviews.

Events we track: page views, search queries, viewing a venue or chain page, and successful account registration. These events let us see whether our ads are leading to genuine engagement on TrustDiner.

Legal basis: your consent (UK GDPR Art. 6(1)(a)), captured via our cookie banner. You can withdraw consent at any time by re-opening the banner from the footer or by clearing the CookieConsent cookie in your browser; withdrawal stops further events being sent.

International transfers: Meta may process this data outside the UK/EEA, including in the United States. Transfers rely on the UK extension to the EU–US Data Privacy Framework and on Meta's Standard Contractual Clauses.

Automatic Advanced Matching (AAM): Meta's Automatic Advanced Matching has been enabled on TrustDiner since the Meta Pixel was first deployed on 13 May 2026; this notice was added on 14 May 2026 to describe that processing in detail. When you have given consent for Marketing & advertising cookies, your browser hashes (SHA-256) a small set of identifiers client-side before transmitting them to Meta alongside the standard pixel events listed above. The hashing is irreversible: Meta cannot recover the plaintext value from the hash. Identifiers that may be hashed and sent are limited to: email address, first name, last name, and (if you have entered them on the page) city and postal code. AAM lets Meta match your events to a Facebook or Instagram account it already knows about, which improves the accuracy of advertising attribution and measurement.

Withdrawing AAM consent: rejecting or revoking Marketing & advertising cookies via the banner (re-openable from the footer link “Cookies”) immediately stops all pixel events, including any AAM hashed identifiers. There is no separate AAM-only opt-out; it is grouped with the broader marketing-cookie consent because both relate to advertising measurement.

Retention at Meta: Meta retains pixel event data according to its own privacy policy. For details, see Meta's Privacy Policy.

10. Updates to This Policy

We may update this Privacy Policy to reflect operational or legal changes. Updates will be published on this page with a revised date.