Privacy Policy

This policy explains how The Greedy Sheep(“we”, “our”, “us”) collects, uses, and protects your personal data when you use greedysheep.co.uk. It is written to meet our obligations under the UK Data Protection Act 2018, the UK GDPR, and the EU GDPR.

1. Who we are (Data Controller)

The data controller for this website is The Greedy Sheep, 8 Little Newport Street, Chinatown, Soho, London WC2H 7JJ, United Kingdom. You can reach us at info@greedysheep.co.uk or 020 8037 8128.

2. What data we collect, why, and on what basis

The personal data we hold falls into two categories:

• Contact form submissions - name, email, phone (optional), message. Lawful basis: legitimate interests (responding to enquiries about our restaurant). Retention: 24 months from your last contact, then deleted.
• Newsletter subscribers - email address only. Lawful basis: your consent, given when you submit the signup form. Retention: until you unsubscribe (every marketing email contains an unsubscribe link).

We do not collect special-category data, payment details, or location data. We do not knowingly collect data from anyone under 16.

3. Cookies and analytics

We use Vercel Analytics and Vercel Speed Insights to understand how visitors use our site. These services collect aggregate, anonymised usage data and do not set advertising cookies or identify individuals. We do not use any third-party advertising cookies.

The Vimeo background video on our homepage and the Google Maps embed on our contact page may set their own cookies when you interact with them. These are set by Vimeo and Google and are governed by their own privacy policies.

4. Who we share data with (Recipients)

We use trusted third parties to operate the website. They process data on our behalf under written agreements:

• Vercel Inc. - hosting and analytics (USA, UK data residency where available)
• Supabase Inc. - database storage for form submissions (EU - London region)
• Resend, Inc. - sends notification emails to our team

We never sell or rent your personal data, and we do not share it with anyone else for marketing purposes.

5. International transfers

Some of our processors are based in the USA. Where data leaves the UK or EEA, transfers are protected by Standard Contractual Clauses or by the UK/EU - US Data Privacy Framework where the processor is certified.

6. Your rights

Under UK and EU GDPR you have the right to:

• Access the personal data we hold about you
• Have inaccurate data corrected
• Have your data erased (the “right to be forgotten”)
• Restrict or object to our processing
• Data portability (we will provide it in JSON or CSV)
• Withdraw consent at any time (for newsletter subscriptions)
• Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk)

To exercise any of these rights, email us at info@greedysheep.co.uk. We will respond within one calendar month.

7. Security

We protect your data with TLS encryption in transit, encryption at rest, role-based access on our database, and strict secret management. We will notify you and the ICO within 72 hours if a breach occurs that puts your rights at risk.

8. Changes to this policy

If we make material changes we will post a notice on this page and update the “last updated” date above.

9. Contact and complaints

For any privacy question, email info@greedysheep.co.uk. If you are unhappy with our response, you can complain to the UK Information Commissioner's Office at ico.org.uk or call 0303 123 1113.