Sustaplates

Legal

Privacy policy

Last updated: 2026-05-10

1. Who we are

Sustaplates is operated by Sustaplates Ltd, a UK marketplace connecting food sellers with consumers and registered charities to reduce surplus food waste. For privacy enquiries, contact privacy@sustaplates.com.

2. What we collect

We collect only the personal data we need to operate the service:

  • Account data: email address, password hash (Argon2id, never the plaintext), persona (consumer / seller / charity), organisation name where applicable, and your two-factor authentication secret (encrypted at rest).
  • KYC documents uploaded by sellers and charities for manual review by our admin team. Stored encrypted; deleted once your tenant is approved or rejected per our retention schedule.
  • Transaction data: orders, payouts, donation acceptance certificates. Card details are never seen or stored by Sustaplates — Stripe Checkout handles all payment data on our behalf (PCI-DSS SAQ A scope).
  • Location data:postcodes you enter for search, or — only with your explicit permission — your device’s coordinates when you use “Use my location.” Coordinates are used in-memory to geocode and returned to you; we do not persist your live location.
  • Usage data (only with your consent — see cookie settings): anonymous analytics events and error reports via Sentry to help us improve the product.

3. How we use it

  • To create and operate your account, including authentication and 2FA.
  • To run the marketplace: surface listings, route orders, generate donation acceptance certificates for HMRC tax-relief filings.
  • To verify identity for sellers and charities (manual KYC review).
  • To send transactional emails (verification, receipts, KYC outcomes).
  • To detect and prevent fraud, comply with legal obligations, and respond to lawful requests.

4. Lawful basis (UK GDPR Article 6)

  • Contract — for operating your account and fulfilling transactions.
  • Legal obligation — for record-keeping required by HMRC, anti-money-laundering rules, and consumer protection law.
  • Legitimate interest — for service security, fraud prevention, and aggregated analytics.
  • Consent — for analytics cookies and any optional marketing communications. You can withdraw consent at any time via cookie settings or by emailing us.

5. Where your data lives

All production infrastructure (database, file storage, application servers) is hosted in the United Kingdom or the European Union. We do not transfer personal data outside the UK / EEA without putting in place appropriate safeguards (UK IDTA / EU SCCs).

6. Sub-processors

We share personal data only with the third parties needed to operate the service:

  • Stripe (payment processing) — receives the data needed to process card payments at Checkout.
  • Postmark / AWS SES (transactional email) — receives recipient email and message content.
  • Cloudflare Turnstile (bot protection) — receives a token from challenge widgets on public forms.
  • postcodes.io (UK postcode geocoding) — receives the postcode or coordinates you enter or generate when using location search.
  • Sentry (error monitoring, only when you accept analytics cookies) — receives anonymised stack traces and breadcrumbs.

The complete sub-processor register lists every third-party provider, what data each one receives, and the region they sit in. We will notify you of material changes before they take effect.

7. How long we keep it

  • Account data: while your account is active, plus up to 6 years after closure where required by tax / accounting law.
  • KYC documents: until tenant approval/rejection, then archived for 5 years for AML compliance, then deleted.
  • Transaction records: 6 years (UK tax law).
  • Audit log entries: 7 years, append-only.
  • Marketing email preferences: until you opt out.

8. Your rights

Under UK GDPR you can:

  • Request a copy of the personal data we hold about you.
  • Correct inaccurate data.
  • Request erasure (“right to be forgotten”) — initiate from your account profile; some data we’re legally required to keep will be retained as outlined above.
  • Object to or restrict certain processing.
  • Withdraw consent for analytics cookies at any time.
  • Lodge a complaint with the UK Information Commissioner’s Office (ICO).

To exercise any of the above, email privacy@sustaplates.com. We aim to respond within 30 days.

9. Security

We use HTTPS everywhere, Argon2id password hashing, TOTP-based two-factor authentication, encrypted-at-rest storage for sensitive fields, application-level payload encryption in production, and rate-limiting and bot challenges on every open form. Our security architecture is documented internally; high-level summary available on request.

10. Changes to this policy

We’ll bump the “Last updated” date at the top of this page when we change anything material, and notify account holders by email when changes affect them.