Privacy Policy

Last updated: 26 June 2026 · Version 1.0

1. Who we are

This policy explains how Sleepingmongoose.app Ltd ("foodallergens", "we", "us"), a company registered in Scotland (company no. SC893221, registered office 34 Hunter Grove, Bathgate, EH48 1NW), handles personal data for which we are the controller.

Contact for privacy matters: privacy@foodallergens.co.uk.

2. Scope — what this policy does and does not cover

This policy covers personal data where foodallergens is the controller — principally the personal data of our account holders and their authorised users (the people who sign up to and administer a foodallergens account) and visitors to foodallergens.co.uk.

Diners scanning a QR code: customers who scan a business's QR code to check allergen information do not need an account and are not asked for personal data — that interaction is anonymous.

Menu and allergen data that a business enters is information about food, not personal data. Where a business operates as a sole trader and its own contact details are personal data, we process those details to provide and publish its listing.

3. The personal data we collect

  • Account and registration data: business owner's name, login email address, business name, business address and phone number, and your logo.
  • Billing data: subscription plan and billing records. Card payments are processed by Stripe; we do not store full card details.
  • Usage and technical data: IP address, device/browser information, log data, and information from essential cookies (see section 7). We use privacy-friendly, cookieless analytics to understand overall traffic.
  • Communications: messages you send us (for example, support requests or the contact form) and related correspondence.

4. How we use your data, and our lawful bases

PurposeLawful basis
Providing, operating and securing the Service; managing your account; publishing your allergen page and (if opted in) directory listingPerformance of a contract
Taking payment and managing subscriptionsPerformance of a contract
Responding to enquiries and communicating about the ServicePerformance of a contract / legitimate interests
Improving and maintaining the Service; preventing fraud and abuseLegitimate interests
Meeting our legal and regulatory obligations (e.g. accounting)Legal obligation
Sending optional marketing communicationsConsent (where required)

Where we rely on legitimate interests, we have considered that those interests are not overridden by your rights. You may ask us for more detail.

5. Sharing your data

We share personal data only as needed to run the Service:

  • Service providers / processors:
  • Supabase — database, authentication and file storage (hosted in the EU, Ireland).
  • Vercel — application hosting (London region).
  • Stripe — payment processing and subscription billing.
  • Hostinger — outbound transactional email (account, order and support notifications).
  • Anthropic — AI menu extraction: when you use the AI import feature, the menu image, PDF or spreadsheet you upload is sent to Anthropic's API to extract items and allergens. This is menu/food data, though it may incidentally include your business name. It is not used to train models.
  • Legal / regulatory: where required by law, regulation or legal process.
  • Business transfers: in connection with a merger, acquisition or sale of assets, subject to appropriate protections.

They act on our instructions under appropriate contracts. We do not sell your personal data.

6. International transfers

Some of our service providers may process data outside the UK. Where they do, we rely on an appropriate safeguard — such as UK adequacy regulations or the UK International Data Transfer Agreement (or the International Data Transfer Addendum to the EU Standard Contractual Clauses) — so that your data receives an equivalent level of protection.

7. Cookies

We use essential cookies only — those necessary to sign you in and keep the Service secure. Our analytics are cookieless. We do not currently use advertising or non-essential tracking cookies. If this changes, we will update this policy and put in place any consent mechanism required by law.

8. How long we keep your data

We keep account and billing data for as long as you have an account and for a reasonable period afterwards to meet legal, accounting and dispute-handling needs (financial records are generally kept for 6 years). We then delete or anonymise it.

9. Your rights

Subject to conditions in data protection law, you have the right to: access your data; have inaccurate data corrected; have data erased; restrict or object to processing; data portability; and withdraw consent where processing is based on consent. To exercise these rights, contact privacy@foodallergens.co.uk. We will respond within the time limits set by law.

10. Security

We use appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls, and tenant isolation within the platform (each business can access only its own data). No system is completely secure, but we take reasonable steps to protect your data and to respond to any breach.

11. Marketing

If you have opted in (or where otherwise permitted), we may send you information about foodallergens. You can opt out at any time using the unsubscribe link or by contacting us.

12. Changes to this policy

We may update this policy from time to time. We will post the updated version here and, where changes are significant, notify you.

13. Complaints

If you have concerns about how we handle your personal data, please contact us first at privacy@foodallergens.co.uk. You also have the right to complain to the UK supervisory authority, the Information Commissioner's Office (ICO), at ico.org.uk.

Sleepingmongoose.app Ltd · Registered in Scotland, company no. SC893221 · Registered office: 34 Hunter Grove, Bathgate, EH48 1NW · Trading as foodallergens.co.uk.