Privacy Policy

Last updated:

Privacy Policy

Last updated: 17 May 2026

At Selby Kebab, we are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect information about you when you use our website at or place an order with us. It also describes your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this policy carefully. If you have any questions, you can reach us using the contact details at the bottom of this document.

1. Who We Are

Selby Kebab is the data controller responsible for your personal data. This means we decide how and why your personal data is processed.

  • Business name: Selby Kebab
  • Registered address: 27 High St, Neston CH64 9TZ, UK
  • Email: hello@selbykebab.co.uk
  • Phone: 020 7946 0958
  • Website:

If you have any questions about how we handle your data, please contact us at the email address above.

2. What Personal Data We Collect

We collect the following categories of personal data:

  • Identity data: Your full name.
  • Contact data: Your email address, telephone number, and delivery address.
  • Order data: Details of every order you place with us, including items ordered, special instructions, allergen declarations, order value, and order status.
  • Account data: Your account credentials (stored as a secure hash — we never store your plain-text password), account creation date, and account preferences.
  • Payment data: We do not store full card details. Payment is processed by our third-party payment processor (see Section 7). We retain only a record of the transaction amount, date, and a masked payment reference.
  • Technical data: Your IP address, browser type and version, and pages visited, collected automatically when you access our website. This data is used only to maintain the security and performance of our service and is not used for profiling or marketing purposes.
  • Communications data: Any correspondence you send us, including support requests, complaints, and feedback.

We do not collect any special category data (such as health data, racial or ethnic origin, religious beliefs, or biometric data) unless you voluntarily provide allergen information as part of placing an order, which is processed solely to fulfil that order safely.

3. How We Collect Your Data

We collect personal data in the following ways:

  • Directly from you: When you create an account, place an order, contact our customer support, or subscribe to marketing communications.
  • Automatically: Technical data is collected automatically as you interact with our website through cookies and server logs.

4. Why We Use Your Data (Purposes and Legal Bases)

We only process your personal data where we have a valid legal basis to do so under UK GDPR. The table below sets out our purposes and the corresponding legal bases:

  • Order fulfilment: Processing and delivering your order, confirming payment, notifying you of order status changes. Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR).
  • Account management: Creating and maintaining your account, enabling you to view order history, and managing your preferences. Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR).
  • Customer communications: Sending transactional emails such as order confirmations, receipts, and updates. Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR).
  • Marketing communications: Sending promotional emails or offers where you have opted in. Legal basis: Consent (Article 6(1)(a) UK GDPR). You may withdraw consent at any time by clicking "unsubscribe" in any marketing email or by contacting us directly.
  • Fraud prevention and security: Monitoring for suspicious activity to protect our customers and our business. Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR).
  • Legal compliance: Retaining financial records as required by HMRC and applicable tax legislation. Legal basis: Compliance with a legal obligation (Article 6(1)(c) UK GDPR).
  • Service improvement: Analysing aggregated, anonymised order data to improve our menu, pricing, and service. Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR).

5. How Long We Keep Your Data

We do not keep your personal data for longer than is necessary for the purposes for which it was collected. Our standard retention periods are as follows:

  • Order records (including financial data): 7 years from the date of the order, in line with HMRC requirements for financial record-keeping.
  • Account data: For as long as your account remains active. If you request deletion of your account, we will erase your personal data within 30 days, except where we are required to retain it for legal compliance purposes (e.g. financial records).
  • Marketing consent records: Until you withdraw consent, and for a period of 12 months thereafter as evidence of consent.
  • Customer support correspondence: 3 years from the date of resolution.
  • Technical / server log data: 90 days, used only for security monitoring and then deleted.

6. Cookies

We use a small number of strictly necessary cookies to operate our website. We do not use third-party tracking or advertising cookies. Please see our separate Cookies Policy for full details.

7. Who We Share Your Data With

We do not sell, rent, or trade your personal data to any third party. We share your data only in the following limited circumstances:

  • Payment processors: When you place an order, your payment details are processed by our third-party payment provider. They are an independent data controller in respect of payment data and are subject to their own privacy policies and PCI-DSS obligations. We share only the minimum data necessary to process your transaction (order total, a transaction reference).
  • Service providers: We may use third-party software providers (e.g. email delivery services) who process data strictly on our behalf and under our instruction, pursuant to data processing agreements that comply with UK GDPR Article 28.
  • Legal requirements: We may disclose your data to law enforcement or regulatory bodies if required to do so by law, court order, or to protect the rights, property, or safety of Selby Kebab, our customers, or others.

All third-party processors are based in the UK or European Economic Area, or are subject to adequacy decisions or standard contractual clauses ensuring equivalent data protection.

8. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation, you have the following rights in respect of your personal data:

  • Right of access: You have the right to request a copy of the personal data we hold about you (a "Subject Access Request").
  • Right to rectification: You have the right to ask us to correct personal data that is inaccurate or incomplete.
  • Right to erasure ("right to be forgotten"): You have the right to ask us to delete your personal data where there is no compelling reason for us to continue processing it, subject to our legal retention obligations.
  • Right to restriction of processing: You have the right to ask us to restrict the processing of your personal data in certain circumstances, for example while a dispute about accuracy is resolved.
  • Right to data portability: Where processing is based on your consent or the performance of a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to have it transmitted to another data controller.
  • Right to object: You have the right to object to processing based on legitimate interests and to direct marketing at any time.
  • Rights related to automated decision-making: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. We do not currently make any such automated decisions.

9. How to Exercise Your Rights

To exercise any of your rights, please contact us at:

  • Email: hello@selbykebab.co.uk
  • Post: 27 High St, Neston CH64 9TZ, UK
  • Phone: 020 7946 0958

We will respond to all legitimate requests within one calendar month of receipt. In some cases (e.g. complex or multiple requests), we may extend this period by a further two months and will notify you accordingly. We may need to verify your identity before processing your request. There is no charge for exercising your rights, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to respond.

10. The Right to Lodge a Complaint

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK's supervisory authority:

  • Information Commissioner's Office (ICO)
  • Website: www.ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, appreciate the opportunity to address your concerns before you contact the ICO, so please do reach out to us in the first instance.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. We encourage you to review this policy periodically.

This policy was last reviewed on 17 May 2026.

Back to menu