Legal
Privacy Policy
Last updated: 1 April 2025 · Iskender Turkish Kebab House, Dublin, Ireland
01
Who We Are
Iskender Turkish Kebab House ("we", "us", "our") operates a food-ordering mobile application
available on the Google Play Store and Apple App Store, and the website
iskenderturkishkebabhouse.com. We are based in Dublin, Ireland.
This Privacy Policy explains what personal data we collect when you use our app or website,
how we use it, and what rights you have over it.
02
Data We Collect
When you create an account or place an order, we may collect the following information:
- Account information: your name, email address, and password (stored securely as a hash)
- Contact details: phone number and delivery address
- Order history: items ordered, prices, timestamps, and order status
- Payment information: we do not store raw card numbers; payments are processed securely via Stripe. We retain transaction references and order totals for accounting purposes
- Device & usage data: device type, operating system, app version, and general usage patterns (used to improve the app)
- Location data: approximate delivery address coordinates to provide accurate delivery estimates. We do not continuously track your location in the background
We collect only what is necessary to operate the food-ordering service. We do not sell your personal data to third parties.
03
How We Use Your Data
We use the data we collect solely to operate and improve our service:
- To create and manage your account
- To process, fulfil, and track your food orders
- To send order confirmations and delivery status notifications
- To process refunds or adjustments if part of your order is unavailable
- To respond to support requests and resolve complaints
- To detect and prevent fraud or abuse
- To comply with legal and accounting obligations
- To improve app performance and user experience based on anonymised usage data
We do not use your data for advertising profiling, and we do not share it with third-party advertisers.
04
Data Storage & Security
Your data is stored on secure servers provided by Supabase, hosted within
the European Union. All data is encrypted in transit (HTTPS/TLS) and at rest.
Payment processing is handled entirely by Stripe, a PCI-DSS compliant
payment provider. We do not store full card numbers, CVVs, or raw payment credentials on
our servers.
Access to personal data is restricted to authorised personnel only and is protected by
strong authentication.
05
Data Sharing
We do not sell, rent, or trade your personal data. We share it only in the following limited circumstances:
- Service providers: we use Supabase (database), Stripe (payments), and Expo (mobile push notifications) to operate the service. Each is contractually bound to protect your data
- Delivery partners: courier staff see your delivery address and order details to complete your delivery
- Legal requirements: we may disclose data if required by law, court order, or to protect the rights and safety of our users or the public
06
Your Rights
Under GDPR and applicable Irish data protection law, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your account and associated personal data (see our Account Deletion page)
- Restrict or object to how we process your data
- Data portability — receive a copy of your data in a structured, machine-readable format
- Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at
[email protected].
We will respond within 30 days.
07
Data Retention
We retain your personal data for as long as your account is active or as needed to
provide our services. If you request account deletion, we will remove your personal
data within 7 days, subject to the following exceptions:
- Order and transaction records may be retained for up to 7 years for legal and accounting compliance (Irish Revenue requirements)
- Anonymised, aggregated data (e.g. total orders per day) may be retained indefinitely as it cannot identify you
- Data may be retained longer if required by a legal obligation or dispute resolution process
08
Children's Privacy
Our service is not directed at children under the age of 16. We do not knowingly collect
personal data from anyone under 16. If you believe a child has provided us with personal
information, please contact us and we will delete it promptly.
09
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the
"Last updated" date at the top of this page. Significant changes will be communicated
via in-app notification or email. Continued use of the app after changes constitutes
acceptance of the updated policy.
10
Contact Us
If you have any questions about this Privacy Policy or how we handle your data,
please contact us:
We take privacy seriously and aim to respond to all enquiries within 2 business days.
For account deletion requests, please visit our
Delete Account page.