Privacy Policy


Heavenly Desserts
heavenlydesserts.co.uk

Last updated: 8 April 2026 | Version 3.2


Franchise Notice: Heavenly Desserts restaurants are operated by independent franchisees. This privacy policy covers Heavenly Desserts’ corporate website and centrally managed marketing activities only. Each franchisee is an independent data controller responsible for the personal data they collect and process in their restaurant (including staff records, CCTV, and in-store transactions). Please ask your local restaurant for details of their own privacy practices.

1. Who We Are

Data Controller: Heavenly Desserts Franchise Ltd
Company No. 10434042
23 Brunel Parkway, Pride Park, Derby, DE24 8HR
ICO Registration: ZB971761
Email: info@heavenlydesserts.co.uk

 

We are the data controller for the personal information collected through our website (heavenlydesserts.co.uk), our mobile app, our email marketing, and our centrally managed customer services. This means we decide how and why your personal information is used, and we are responsible for protecting it.
 
This policy explains what personal information we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have. It applies to everyone who uses our website, app, or interacts with our marketing.

2. The Law That Applies

 
We comply with the following UK data protection legislation:
  • The UK General Data Protection Regulation (UK GDPR)
  • The Data Protection Act 2018 (DPA 2018)
  • The Data (Use and Access) Act 2025 (DUA Act) — which amends the UK GDPR, DPA 2018, and PECR
  • The Privacy and Electronic Communications Regulations 2003 (PECR) — as amended by the DUA Act
  • ICO Codes of Practice and regulatory guidance
 
Where we process personal information of individuals in the European Union (for example, through our German website heavenlydesserts.de), we also comply with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications-Telemedia Data Protection Act (TDDDG). Our German-specific privacy notice is available separately on heavenlydesserts.de.

3. What Personal Information We Collect

 
Information you give us
  • Your name, email address, and phone number — when you sign up for our newsletter, contact us, or make an enquiry
  • Your order details and delivery address — when you place an order through our website or app
  • Your account details — when you create an account or join our loyalty programme
  • Your payment information — when you make a purchase (processed securely by our payment provider; we do not store your full card details)
  • Your feedback and correspondence — when you contact us, leave a review, or respond to a survey
  • Your franchise enquiry details — if you express interest in becoming a franchisee (including your name, occupation, contact details, preferred locations, and investment range)
Information we collect automatically
  • Device and browser information — your IP address, browser type, operating system, and screen resolution
  • How you use our website — pages visited, time spent, links clicked, and referral source
  • Cookie and tracking data — subject to your consent choices (see Section 8 below)
  • Location data — approximate location based on your IP address (we do not track your precise GPS location without your permission)
 
Information from other sources
  • Social media platforms — if you interact with us through Instagram, Facebook, or TikTok, the platform may share limited profile information with us in accordance with their own privacy policies
  • Third-party booking or ordering platforms — if you book a table or place an order through a third-party service linked to our website

4. Why We Use Your Information

We only use your personal information where we have a lawful reason to do so. The table below sets out what we do with your information, why, and the legal basis we rely on.
​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​
| What we do | Why | Legal Basis |
| --- | --- | --- |
| Process your orders and deliver your food | To fulfil your order and provide the service you’ve requested | Contract performance (UK GDPR Art. 6(1)(b)) |
| Manage your account and loyalty membership | To provide you with account features, loyalty points, and personalised offers | Contract performance (UK GDPR Art. 6(1)(b)) |
| Process payments | To take payment for orders securely | Contract performance (UK GDPR Art. 6(1)(b)) |
| Send you marketing emails and newsletters | To keep you informed about offers, events, and new locations | Consent (UK GDPR Art. 6(1)(a)) or Soft opt-in (PECR Reg. 22) |
| Analyse website usage and improve our services | To understand how people use our website and make it better | Recognised legitimate interest (DUA Act — statistical analytics exception) or Consent for non-exempt tracking. The statistical analytics exception only applies where: (i) processing is for aggregate statistics only; (ii) no individual tracking occurs; (iii) IP addresses are anonymised; and (iv) data is not used for any other purpose. |
| Respond to your enquiries and complaints | To answer your questions and resolve issues | Legitimate interest (UK GDPR Art. 6(1)(f)) |
| Process franchise enquiries | To assess and respond to expressions of interest in becoming a franchisee | Legitimate interest (UK GDPR Art. 6(1)(f)) |
| Prevent fraud and protect security | To detect and prevent fraudulent activity and protect our website | Contract performance (UK GDPR Art. 6(1)(b)) |
| Comply with legal obligations | To meet tax, accounting, and regulatory requirements | Contract performance (UK GDPR Art. 6(1)(b)) |
​Where we rely on legitimate interest, we have carried out a balancing assessment to ensure our interests do not override your rights and freedoms. You can ask us for details of these assessments at any time by contacting us.

​​​​​​​​​​​​​5. Marketing Communications

 
We will only send you marketing emails if you have given us your consent, or if you have previously purchased from us and we are sending you information about similar products or services (known as the “soft opt-in” under PECR Regulation 22). The soft opt-in only applies where: (i) you purchased a product or service from us; (ii) we are marketing our own similar products or services (not third-party products); and (iii) you were given a clear and simple opportunity to opt out at the time of purchase, and we continue to offer that opportunity in every subsequent message.
Every marketing email we send includes a clear unsubscribe link. You can opt out at any time and we will stop sending you marketing within 48 hours of your request.​
We do not share your email address with any third party for their own marketing purposes.

6. Who We Share Your Information With​

​We share your personal information with the following categories of organisations, all of whom are bound by data processing agreements and are required to protect your information:​
| Category | What they do for us | Where data is processed |
| --- | --- | --- |
| E-commerce platform (incoming) | Our website is migrating to a new e-commerce platform for online ordering | EU (Ireland) / Canada |
| Social media platforms | We maintain business pages on social media. When you interact with our pages, the platform processes your data under their own privacy policy. | EU (Ireland) / USA (with safeguards) |
| Ordering and loyalty platform | Manages our online ordering, table bookings, and loyalty programme | UK |
| Payment processor | Processes card payments securely. We do not see or store your full card number. | EU (Ireland) |
| Email marketing platform | Sends our newsletters and marketing emails to subscribers who have opted in | USA (Data Privacy Framework certified, with Standard Contractual Clauses) |
| Analytics provider | Helps us understand how people use our website so we can improve it. IP addresses are anonymised. | EU (Ireland) / USA (with safeguards) |
| Cookie consent platform | Manages your cookie preferences and records your consent choices | EU (Germany) |
| Website hosting provider | Hosts our website and processes form submissions on our behalf | EU / Israel (adequate jurisdiction) |
We may also share your information with law enforcement, regulators, or other authorities if we are required to do so by law or to protect our legal rights.
We do not sell your personal information to anyone.

7. International Data Transfers

​Some of our service providers process data outside the UK. When this happens, we ensure your information is protected by one or more of the following safeguards:
  • The country has been assessed as providing an adequate level of data protection (an “adequacy regulation” under UK GDPR)
  • An International Data Transfer Agreement (IDTA) or the ICO’s Addendum to EU Standard Contractual Clauses is in place with the recipient — these are the UK-specific transfer mechanisms approved by the ICO under UK GDPR
  • The recipient is certified under the EU-US or UK-US Data Privacy Framework
  • We have carried out a Transfer Risk Assessment to confirm the transfer does not undermine the protection of your information
​You can ask us for details of the safeguards in place for any specific transfer by contacting us.

8. Cookies and Similar Technologies

​Our website uses cookies and similar technologies. A cookie is a small file placed on your device that helps us provide and improve our services.
Cookies that do not require your consent
Under PECR (as amended by the DUA Act 2025), certain cookies do not require your prior consent:
  • Essential cookies — essential for the website to function (for example, security tokens, session management, and your cookie consent preferences)
  • Analytics cookies — where the sole purpose is to collect aggregate statistics to improve our website, and we provide you with clear information and a simple way to opt out
  • Functional cookies — where the purpose is to adapt how the site looks or works for your device or preferences
 
Cookies that require your consent
 
The following types of cookies are only placed on your device if you give us your consent through our cookie banner:
  • Marketing cookies — used by social media platforms and advertising networks to show you relevant advertisements
  • Third-party tracking cookies — placed by embedded content (such as social media feeds) that may transfer data to third-party servers
 
You can change your cookie preferences at any time by clicking the cookie settings link in the bottom left of our website. Our separate Cookie Policy provides full details of each cookie we use, its purpose, and how long it lasts.
 
We take our cookie obligations seriously. If you have any concerns about how we use cookies, please contact us or visit our separate Cookie Policy for full details.

​9. How Long We Keep Your Information

We keep your personal information only for as long as we need it for the purposes described in this policy, or as required by law.
| Type of information | How long we keep it | Why |
| --- | --- | --- |
| Order and transaction records | 6 years from the date of the transaction | UK tax and accounting law (HMRC requirements) |
| Marketing consent records | For as long as you remain subscribed, plus 6 years after you unsubscribe | To demonstrate we had valid consent if challenged |
| Website analytics data | 14 months maximum | Minimise data held; best practice |
| Cookie consent records | 12 months, then re-consent requested | ICO guidance on consent freshness |
| Customer service records | 3 years after the enquiry is closed | To resolve follow-up issues and complaints |
| Franchise enquiry records | 3 years after last contact | To manage the franchise application pipeline; to respond to follow-up enquiries from applicants; and to defend any legal claim arising from the franchise application process. The 3-year period reflects the standard limitation period under the Limitation Act 1980 for contractual and pre-contractual claims. |
| Account and loyalty data | For as long as your account is active, plus 2 years after closure | To allow account reactivation and resolve disputes |
When the retention period expires, we securely delete or anonymise the information so it can no longer identify you.

10. Your Data Protection Rights

Under UK data protection law, you have the following rights. These are not absolute — some apply only in certain circumstances.
| Right | What it means |
| --- | --- |
| Access | You can ask us for a copy of the personal information we hold about you. Under the DUA Act 2025, we will carry out a reasonable and proportionate search to locate your information. |
| Withdraw consent | Where we rely on your consent, you can withdraw it at any time. This does not affect any processing that took place before you withdrew consent. |
| Object to direct marketing | You have an absolute right to object at any time to us using your personal information for direct marketing purposes. This right is unconditional — we do not need to demonstrate compelling grounds and we must stop immediately. To exercise this right, contact us at info@heavenlydesserts.co.uk or use the unsubscribe link in any marketing email. |
| Objection | You can object to our use of your information where we rely on legitimate interest. We will stop unless we can demonstrate compelling grounds. |
| Data portability | You can ask us to provide your information in a structured, commonly used format so you can transfer it to another organisation. |
| Restriction | You can ask us to limit how we use your information while a concern is being resolved. |
| Erasure | You can ask us to delete your personal information in certain circumstances (for example, if we no longer need it or you withdraw your consent). |
| Rectification | You can ask us to correct any information that is inaccurate or incomplete. |
| Complaint | You have the right to complain to the Information Commissioner’s Office (ICO) if you believe your data protection rights have been breached. |
To exercise any of these rights, please contact us at info@heavenlydesserts.co.uk. We will respond within one month. If your request is complex, we may extend this by a further two months and will let you know.

11. Children’s Privacy

 
Our website and services are not directed at children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental or guardian consent. If you are under 13, please ask a parent or guardian before using our website or providing any personal information.
 
If you are a parent or guardian and believe we have collected information about your child, please contact us immediately at info@heavenlydesserts.co.uk and we will delete it.
 
Where we rely on consent to process personal data and the user is under 13, we require a parent or guardian to provide that consent on their behalf, in accordance with UK GDPR Article 8 and the Data Protection Act 2018. Children aged 13 and over may provide their own consent for data processing. Where our services are likely to be accessed by children under 18, we apply the standards set out in the ICO’s Age Appropriate Design Code (Children’s Code). This means we apply privacy by default, minimise data collection, disable non-essential cookies by default for younger users, and do not use nudge techniques to encourage children to share more information than necessary. If you are a parent or guardian and believe we have collected personal information about a child under 13 without appropriate consent, please contact us immediately at info@heavenlydesserts.co.uk and we will delete it.

12. How We Protect Your Information

 
We take the security of your personal information seriously and use appropriate technical and organisational measures to protect it, including:
  • Encryption of data in transit (HTTPS/TLS) across all our websites
  • Access controls limiting who within our organisation can access personal information
  • Regular security reviews of our website and the services we use
  • Confidentiality obligations on all staff who handle personal data
  • Data processing agreements with all third-party service providers
 
No system is completely secure. If you believe your information has been compromised, please contact us immediately.

13. Automated Decision-Making

 
We do not currently use any automated decision-making (including profiling) that produces legal effects or similarly significant effects on you. If this changes, we will update this policy and, where required, seek your consent or provide you with the right to contest the decision and request human review.
 

14. Changes to This Policy

 
We may update this privacy policy from time to time to reflect changes in how we use your information, changes in the law, or updates to our services.
 
When we make significant changes, we will notify you by placing a prominent notice on our website and, where you are a registered user, by email. The “Last updated” date at the top of this policy will always show when it was last revised.

15. Contact Us

 
If you have any questions about this privacy policy, want to exercise your data protection rights, or have a concern about how we handle your information, please contact us:
 
Email: info@heavenlydesserts.co.uk
Post: Privacy Enquiries, Heavenly Desserts Franchise Ltd, 23 Brunel Parkway, Pride Park, Derby, DE24 8HR
 
Supervisory Authority
You have the right to raise a concern with the UK’s data protection regulator:
 
Information Commissioner’s Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
Live chat: available on the ICO website
 
We would appreciate the opportunity to address your concerns directly before you contact the ICO, but you are entitled to contact them at any time.