Privacy Policy

Kerala Groceries UK is operated by Tasty Kerala Ltd, a company registered in England and Wales. We are the data controller for personal information collected through our website and mobile applications.

Contact: admin@keralagroceries.com | Phone: 07769 867 549

We collect the following categories of personal information:

2.1 Information You Provide Directly

• Name — used to personalise your account and orders
• Email address — used for account login, order confirmations, and service communications
• Phone number — used for order updates via WhatsApp and SMS, and for phone verification
• Delivery address (street address, city, postcode) — used to fulfil and deliver your orders
• Payment details — processed by our payment gateway (we do not store full card numbers)
• Order notes and preferences — any instructions you add to your orders

2.2 Account Login Data

We support email/password registration and Google Sign-In. When you sign in via Google, we receive your name, email address, and profile picture from Google, subject to your Google account privacy settings.

2.3 Data Collected Automatically

• IP address and browser/device type
• Pages visited and time spent on site
• Referring website or search query
• Cart activity and browsing behaviour on our platform

We use your personal data for the following purposes:

• Order fulfilment — processing, packing, and delivering your grocery orders
• Account management — creating and maintaining your user profile
• Payment processing — securely processing card payments and managing your KG Wallet balance
• Order notifications — sending order confirmation, dispatch, and delivery updates via WhatsApp, SMS, or email
• Customer support — responding to your queries, complaints, and refund requests
• Platform improvement — analysing usage data to improve the website and app experience
• Legal compliance — retaining records as required by UK law (e.g., accounting, tax obligations)
• Fraud prevention — detecting and preventing fraudulent transactions

Our lawful basis for processing is: contract performance (to fulfil your orders), legitimate interests (platform security and improvement), andlegal obligation (regulatory compliance).

We use trusted third-party service providers who may process your personal data on our behalf:

4.1 Payment Gateways

Card payments are processed through Worldpay (and may also be processed through Stripe for certain transactions). These providers are PCI-DSS compliant. We do not store or access your full card number. Please refer to Worldpay's and Stripe's respective privacy policies for information on how they handle payment data.

4.2 Communications – Twilio (WhatsApp & SMS)

We use Twilio to send order confirmation and delivery update messages via WhatsApp and SMS. Twilio processes your phone number to route these messages. Twilio is bound by its own privacy policy and data processing agreement. Your phone number is only used for transactional communications related to your orders or account security.

4.3 Google Services

We use Google Sign-In for account authentication and Google Analytics to understand site traffic. Google may collect data per its own privacy policy. You can opt out of Google Analytics tracking via your browser settings or by using the Google Analytics Opt-out Browser Add-on.

4.4 Supabase (Infrastructure)

Our platform is built on Supabase, a cloud database and authentication provider. Your account and order data is stored on Supabase's encrypted infrastructure, hosted within the European Economic Area (EEA).

4.5 Address Lookup

When you enter a delivery address during checkout, we may use a UK address lookup service to autocomplete and validate your postcode. Only the postcode or partial address is sent to perform the lookup.

We may contact you via WhatsApp, SMS, or email for order updates and service notifications.

These communications include: order confirmation, payment receipt, dispatch notification, delivery updates, and important account or security alerts. These are transactional messages and are necessary to fulfil your contract with us.

We do not send unsolicited marketing messages. If we introduce a marketing channel in the future, we will obtain your explicit consent before doing so, and you will always have the option to opt out.

Kerala Groceries UK operates a digital KG Wallet system. This wallet may hold:

• Cashback credits — earned from qualifying orders
• Refund credits — issued when a refund is processed to your wallet
• Promotional credits — added as part of special offers or campaigns

Wallet balance and transaction history are associated with your account and stored securely in our database. Wallet credits have no cash value outside the platform and cannot be transferred to another account. We may retain wallet transaction records for up to 7 years for accounting purposes.

We use cookies and similar tracking technologies for the following purposes:

• Essential cookies — required for the website to function (e.g., maintaining your session and cart)
• Analytics cookies — help us understand how visitors use our site (e.g., Google Analytics). These are anonymised where possible.
• Preference cookies — remember your settings such as delivery postcode or recently viewed products

You can control non-essential cookies through your browser settings. Disabling cookies may affect your shopping experience on our site.

We do not sell your personal data. We share data only in the following circumstances:

• Service providers — third parties that help us operate (payment processors, communication tools, hosting) under strict data processing agreements
• Delivery partners — couriers may receive your name and delivery address to complete your order
• Legal requirements — if required by law, court order, or government authority
• Business transfers — in the event of a merger or acquisition, your data may be transferred to the new entity, which will be bound by this policy

We implement appropriate technical and organisational security measures to protect your personal data, including:

• Encrypted data storage (AES-256) and encrypted transmission (TLS/HTTPS)
• Row-level security on our database so users can only access their own data
• PCI-DSS compliant payment processing — we never handle raw card details
• Phone number verification via one-time passcode (OTP) before account actions
• Access controls limiting staff access to customer data on a need-to-know basis

Despite our best efforts, no online system is 100% secure. If you suspect unauthorised access to your account, please contact us immediately at admin@keralagroceries.com.

We retain personal data for as long as necessary to:

• Maintain your account and purchase history while your account is active
• Comply with UK legal and tax record-keeping requirements (typically 6–7 years)
• Resolve disputes or enforce our terms

When you delete your account, we will remove or anonymise your personal data except where retention is required by law.

As a UK resident, you have the following rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — ask us to correct inaccurate or incomplete data
• Right to erasure — request deletion of your data ("right to be forgotten"), subject to legal retention obligations
• Right to restrict processing — ask us to limit how we use your data in certain circumstances
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Rights related to automated decision-making — we do not make solely automated decisions that significantly affect you

To exercise any of these rights, email admin@keralagroceries.com with "Data Rights Request" in the subject line. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your data correctly.

Our platform is not intended for children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will post the updated policy on this page with a revised "Last updated" date. For significant changes, we may notify you by email. Your continued use of our services after any changes constitutes acceptance of the updated policy.

The data controller for all personal information collected through Kerala Groceries UK is: