Effective date: 2 December 2025
1. Who we are and how to reach us
This Privacy Policy explains how Phothuytay collects, uses and protects your personal data when you visit and use the website https://www.phothuytay.co.uk.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Phothuytay is the data controller for personal data processed via this website and any related online services described below.
Contact for privacy matters: privacy@phothuytay.co.uk
Data Protection Officer (DPO): dpo@phothuytay.co.uk
This policy also takes into account the Privacy and Electronic Communications Regulations (PECR) for cookies and electronic marketing.
2. Scope of this policy
This policy applies to personal data collected through our website, contact forms, newsletter sign‑ups, online ordering or reservation tools accessed from our website, customer support communications, and our official social media channels when we direct you to this policy. It does not cover third‑party websites or services that we do not control.
3. What data we collect
We collect personal data that you provide to us and data that is collected automatically when you use our website:
- Identification and contact details: name, email address, phone number.
- Account information: username, password, preferences (if you create an account).
- Order and reservation information: items ordered, delivery/collection details, reservation date/time, party size, special requests or dietary preferences you choose to share.
- Payment-related information: transaction details, payment method, partial card details or tokens. We do not store full card numbers or security codes; these are handled by our payment service providers.
- Marketing preferences: your opt-in status and communication preferences.
- Communications: messages sent via forms, email, or social media, and any feedback or reviews you provide.
- Technical and usage data: IP address, device and browser type, operating system, pages viewed, time spent, referral URLs, and cookie identifiers collected through cookies and similar technologies.
- Location data: approximate location inferred from your IP address.
- Job application data: CV/resume and related information if you apply for a role via our website.
4. Purposes and legal bases for processing
We process your personal data for the following purposes and under the following legal bases:
- To provide our website and online services, including enabling browsing, account creation, orders and reservations.
Legal basis: performance of a contract or steps taken at your request before entering into a contract; legitimate interests (to operate an effective online service).
- To process payments and prevent fraud.
Legal basis: performance of a contract; legitimate interests (fraud prevention); legal obligations (financial and accounting rules).
- To communicate with you about your orders, reservations, inquiries, or service updates.
Legal basis: performance of a contract; legitimate interests (customer service).
- To send you marketing communications where permitted and to manage your preferences.
Legal basis: consent (where required under PECR/UK GDPR); legitimate interests for service-related messages and direct marketing to existing customers about similar products/services, subject to your right to opt out.
- To improve our website, products and services, including analytics, troubleshooting, testing, and measuring the effectiveness of content and campaigns.
Legal basis: legitimate interests (to develop and improve our services); consent for non-essential cookies and similar technologies.
- To comply with legal, tax and regulatory obligations and to establish, exercise or defend legal claims.
Legal basis: legal obligation; legitimate interests (protecting our rights).
- To consider job applications and manage recruitment.
Legal basis: consent (where applicable); legitimate interests (to recruit staff); performance of a contract or steps prior to entering into a contract.
Where we rely on consent, you can withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
5. Cookies and similar technologies
We use cookies and similar technologies to operate our site, remember your preferences and analyze traffic. Some cookies are essential for the site to function; others are non-essential and are used only with your consent.
Types of cookies we may use:
- Strictly necessary cookies: required for core functionality such as security, network management, and accessibility.
- Performance and analytics cookies: help us understand how visitors use our site so we can improve it.
- Functionality cookies: remember choices you make to provide enhanced features.
- Advertising and social media cookies: may be set by us or our partners to build a profile of your interests and show relevant ads or enable social sharing.
How to manage cookies:
- On your first visit, you may be asked to set your preferences for non-essential cookies. You can change your choices at any time by adjusting your browser settings to block or delete cookies. Blocking certain cookies may affect site functionality.
- Most browsers allow you to refuse cookies or to delete them. Refer to your browser’s help section for instructions. You can also enable tools that limit online tracking.
We may use third-party analytics or advertising partners who set cookies and act as independent controllers for their subsequent use of data. Refer to their privacy information for details about their processing.
6. Sharing your data
We share personal data only as necessary for the purposes described above and subject to appropriate safeguards:
- Service providers (processors) who supply hosting, website maintenance, analytics, customer support tools, email delivery, payment processing, reservation and ordering platforms, SMS or push notification services, security and anti‑fraud systems, and IT support.
- Professional advisers, insurers and auditors for compliance, risk and governance purposes.
- Law enforcement, regulators, courts and government bodies where required by law or to protect our rights or the rights of others.
- Business transferees in connection with a merger, acquisition, reorganisation or sale of assets, in which case your data will remain protected in line with this policy.
We do not sell your personal data.
7. International transfers
Your personal data may be transferred to and processed in countries outside the United Kingdom where our service providers operate. When we transfer personal data internationally, we ensure an adequate level of protection by using one or more of the following safeguards:
- Adequacy regulations or decisions confirming an adequate level of protection for the destination country.
- Standard contractual clauses approved by relevant authorities together with the UK Addendum or the UK International Data Transfer Agreement, as applicable.
- Additional technical and organisational measures such as encryption in transit and at rest, access controls, and minimisation.
8. Data retention
We keep personal data only for as long as necessary for the purposes described in this policy, and to meet legal, accounting or reporting requirements. Typical retention periods include:
- Account information: for as long as your account remains active, then deleted or anonymised within 24 months of inactivity unless we must retain it to resolve disputes or meet legal obligations.
- Order, reservation and transaction records: up to 6 years from the end of the relevant financial year to comply with tax and accounting requirements.
- Customer service communications: up to 24 months after resolution.
- Marketing preferences and consents: until you withdraw consent or object, with periodic suppression of inactive contacts.
- Analytics data: typically up to 13 months in a form that can identify you, after which it is deleted or aggregated.
- Job applications: usually up to 12 months after the recruitment process ends, unless you become an employee or you consent to a longer period.
When retention periods end, we will delete or irreversibly anonymise the data unless we need to keep it for the establishment, exercise or defence of legal claims.
9. Your rights
Under the UK GDPR, you have the following rights, subject to conditions and exemptions:
- Right of access to your personal data.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure (right to be forgotten).
- Right to restriction of processing.
- Right to data portability.
- Right to object to processing based on legitimate interests, and to object at any time to direct marketing (including profiling for direct marketing).
- Right to withdraw consent where we rely on consent.
To exercise your rights, contact us at privacy@phothuytay.co.uk. We may need to verify your identity. We aim to respond within one month, or within the period permitted by law for complex requests.
10. Data security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, role‑based permissions, secure configuration and patching, staff awareness, and regular monitoring. While we work hard to protect your information, no online service can be completely secure and we cannot guarantee absolute security.
11. Children’s privacy
Our website is not intended for children under 13 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate steps.
12. Automated decision-making
We do not use personal data to make decisions that produce legal or similarly significant effects about you based solely on automated processing. If this changes in the future, we will provide meaningful information about the logic involved and your rights related to such processing.
13. Complaints
If you have concerns about how we handle your personal data, please contact us first at privacy@phothuytay.co.uk so we can try to resolve the issue. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
14. Contact and DPO
General privacy inquiries: privacy@phothuytay.co.uk
Data Protection Officer: dpo@phothuytay.co.uk
15. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements or for other operational reasons. The date at the top of this page indicates when it was last updated. Significant changes will be communicated by reasonable means.