I can create a complete, compliant UK privacy policy for Nonna, but to ensure it is accurate, lawful, and contains no placeholders, I need a few factual details that only you can provide. Please reply with the following:
1) Controller details
– Full legal entity name (and trading name, if different)
– Company number (if a limited company)
– Registered office and main trading address in the UK
– Primary email for privacy queries (e.g., privacy@yourdomain) and a phone number
2) Data Protection Officer (DPO) or contact
– Do you have a DPO? If yes, provide their name and email. If no, please provide the name/role and email of the person responsible for data protection (e.g., “Data Protection Lead”)
3) Website and app services in use
– Web host/CDN (e.g., Krystal, Cloudflare, WP Engine)
– Analytics and tracking (e.g., Google Analytics 4, Meta Pixel, TikTok Pixel, Hotjar)
– Cookie consent tool (e.g., CookieYes, Cookiebot)
– Reservation/booking system on the website (e.g., ResDiary, OpenTable, Quandoo), and whether you take deposits or card captures
– Contact form plugin or service (e.g., Gravity Forms, WPForms)
– Email marketing/newsletter platform (e.g., Mailchimp, Klaviyo)
– Online ordering/delivery platforms (e.g., Deliveroo, Uber Eats, Just Eat), if any
– Payment processors/gateways (online and in-venue) (e.g., Stripe, Square, Worldpay, Dojo, SumUp, Zettle)
4) Operational data
– Do you operate CCTV on premises? If yes, where, and typical retention period (e.g., 30 days unless needed longer for an incident)
– Do you offer guest Wi‑Fi? If yes, what data is logged and the retention period
– Do you collect dietary or allergy information with bookings or orders?
– Do you hire staff via the website or accept job applications by email/forms?
5) International data transfers
– Any tools/providers that transfer data outside the UK or EEA (commonly the USA)
– Whether you rely on UK IDTA/EU SCCs and provider transfer impact assessments
6) Retention periods (confirm or provide)
– Bookings and related correspondence (e.g., 24 months after visit)
– Marketing contacts (e.g., until withdrawal of consent or 24 months of inactivity)
– Customer service inquiries/complaints (e.g., 24 months after resolution)
– CCTV footage (e.g., 30 days)
– Guest Wi‑Fi logs (e.g., 90 days)
– Financial/transaction records (e.g., 6 years to meet tax obligations)
– Job applicant data (e.g., 6 months if unsuccessful; personnel files 6 years post-employment)
7) Children
– Do you target or knowingly collect data from under‑18s online? (Usually “no” for restaurants)
8) Automated decision-making
– Any automated profiling/decisions with legal or similarly significant effects? (Usually “no”)
Once I have these, I will deliver a final, ready-to-publish HTML policy (numbered sections; compliant with UK GDPR, Data Protection Act 2018, and PECR) including: data collection, purposes, legal bases, retention, user rights, cookies and tracking, data security, international transfers, DPO/contact details, and policy changes—without any placeholders or links.