Saladology® — Privacy & Cookies Policy (UK)

Version: 18 August 2025

Applies to:

  • saladology.co.uk,
  • saladology.uk,
  • saladology.food and
  • saladology.farm (the “Site”)

    1) Who we are (controller) & how to contact us

    Until incorporation completes, the controller is the Saladology team (pre‑incorporation) (“we”, “us”, “our”).

    • Correspondence address: Solar House, 915 High Rd, London N12 8QJ, United Kingdom
    • Data protection contact: fresh@saladology.co.uk
    • Telephone: 020 797 11 020
    • Mobile / WhatsApp: 07 777 222 123

    If you need this policy in another format (large print, audio, Braille), contact us using the details above.

    2) What this policy covers

    This policy explains what personal data we collect on the Site, why we collect it, how long we keep it, who we share it with (processors), international transfers, your rights, and how we use cookies and similar technologies.

    3) The laws we follow

    We comply with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR), each as amended by the Data (Use and Access) Act 2025 (DUAA). Where we transfer data internationally, we rely on recognised transfer tools (see Section 9). We keep this policy under review as ICO/Government guidance is updated following DUAA.

    4) What we collect, why we collect it, and how long we keep it

    Meetings (via scheduling form)

    • Data collected: Name, email, phone, company, role, preferred time, notes
    • Lawful basis: Contract (to arrange the meeting) or Legitimate interests (B2B relationship management)
    • Retention: 12 months after last interaction (longer only if needed for follow‑ups or legal claims)

    Contacting us (email/phone/WhatsApp)

    • Data collected: Contact details, message content, call metadata
    • Lawful basis: Legitimate interests (responding to enquiries)
    • Retention: 12 months after closure

    Website analytics & performance

    • Data collected: IP address, device/browser data, pages viewed, events (e.g., clicks/scrolls), session IDs
    • Lawful basis: Consent (non‑essential cookies/tech); strictly necessary where applicable under PECR/DUAA
    • Retention: Up to 13 months for analytics events; shorter where feasible

    Media delivery & security (serving 3D/2D animations, musical walk‑through, rotating bowl visuals; CDN & DDoS)

    • Data collected: IP address, device, playback events, network/edge telemetry
    • Lawful basis: Legitimate interests (secure, reliable delivery) and strictly necessary storage/access
    • Retention: Up to 12 months (CDN logs), shorter if possible

    Marketing to corporate contacts (B2B)

    • Data collected: Business email, name, role, company, interaction history
    • Lawful basis: PECR corporate subscriber rules + Legitimate interests (always include opt‑out)
    • Retention: Until you opt‑out + 24‑month inactivity review

    Recruitment (if you apply)

    • Data collected: CV/cover letter, interview notes, right‑to‑work
    • Lawful basis: Steps prior to contract; legal obligation
    • Retention: 6 months post‑process (or longer if you consent to talent pool)

    Children

    Our Site is for adults. Where consent is the lawful basis for an online service, UK law sets the child’s consent age at 13; otherwise, parental consent is required. We do not knowingly collect data from under‑13s.

    5) Where your data comes from

    • You (forms, emails, calls, meetings).
    • Automated collection (necessary cookies, security logs, consented analytics).
    • Scheduling provider (when you book a meeting).
    • Media/CDN providers (when you play videos/animations or load 3D assets).

    6) Processors we use (categories)

    We use reputable processors under UK GDPR/DUAA‑compliant contracts. Typical stack:

    • Hosting & CDN: e.g., Cloudflare/AWS/Vercel/Netlify (content delivery, security logging).
    • Scheduling: e.g., Calendly or Cal.com (meeting booking).
    • Analytics: e.g., GA4/Plausible/Matomo (only after consent unless clearly exempt — see Section 10).
    • Video/animation streaming: e.g., Vimeo/YouTube/Cloudflare Stream (your 2D/3D assets and walk‑through).

    We maintain an up‑to‑date list of sub‑processors at saladology.co.uk/sub‑processors. Where a provider changes, we’ll update that page.

    7) Marketing (emails/SMS)

    • We do not send consumer electronic marketing without consent, unless the soft opt‑in applies (existing customers of similar products, with a clear opt‑out in every message).
    • For corporate subscribers (work email addresses), PECR allows B2B emails without prior consent, but we always identify ourselves and include an easy unsubscribe.
    • You can opt out at any time via the link in our messages or by emailing fresh@saladology.co.uk.

    8) Your rights

    You have the right to access, rectify, erase, restrict, port, object to certain processing (including direct marketing), and withdraw consent at any time (it won’t affect processing already carried out). To exercise rights, email fresh@saladology.co.uk. If we cannot resolve your concern, you can complain to the Information Commissioner’s Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; Tel: 0303 123 1113; ico.org.uk.

    9) International transfers

    Some providers may process data outside the UK. When they do, we use one or more of:

    • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs;
    • Adequacy mechanisms (e.g., the UK‑US Data Bridge for US organisations participating in the Data Privacy Framework – UK Extension); and
    • Transfer risk assessments, where required.

    10) Cookies & similar technologies

    Our approach

    • We never set non‑essential cookies or use similar tech until you give clear, affirmative consent via our banner.
    • We provide “Accept all” and “Reject all” with equal prominence on the first layer, plus granular toggles.
    • We honour your choices, don’t re‑prompt excessively, and offer a “Change cookie settings” link in the footer.
    • Until guidance stabilises post‑DUAA, we will continue to seek consent for analytics/advertising cookies as best practice, even if some low‑risk statistical uses may benefit from new exemptions.

    What we might set (illustrative)

    Strictly necessary

    • Examples: Load balancer/session ID; cookie to remember your cookie choices; security/anti‑abuse; media streaming tokens
    • Consent: No (required for the service)

    Analytics & performance

    • Examples: Page views, scrolls, play events for 2D/3D videos/animations; GA4/Plausible
    • Consent: Yes (we ask) — note: DUAA may exempt some low‑risk statistical uses once fully commenced; we will still ask unless clearly exempt

    Functional

    • Examples: Remembering form inputs; improved playback quality
    • Consent: Yes (if not strictly necessary)

    Advertising

    • Examples: We don’t run ads on the Site today
    • Consent: Yes (if introduced later)

    Important: PECR covers any tech that stores or accesses information on your device — not just cookies (e.g., local storage, SDKs). We block third‑party embeds that can set non‑essential identifiers until you consent; a placeholder invites you to “Enable”. Enabling may let that third party collect your IP/device details and playback events under its own privacy notice.

    Example cookie inventory

    • cookie_consent — Saladology — Stores your cookie preferences — 6 months — Strictly necessary
    • __cf_bm / similar — CDN (e.g., Cloudflare) — Bot management & rate‑limiting — 30 mins — Strictly necessary
    • _ga / _ga* (if used) — Google Analytics 4 — Website analytics — 13 months — Analytics (consent)
    • plausible_ignore (if used) — Plausible — Opt‑out signal — 12 months — Functional (consent)
    • vuid / yt* (if used) — Vimeo/YouTube embed — Playback analytics & quality — Varies — Functional/Analytics (consent)

    11) Security

    We implement technical and organisational measures appropriate to the risk, including encryption in transit, access controls, least‑privilege access, regular patching, and contracted processor safeguards. For media delivery and performance, CDNs may process limited telemetry to prevent abuse and ensure availability.

    12) Data retention

    We keep data only as long as needed for the purpose collected, then securely delete or anonymise it. Typical periods are listed above; legal or regulatory obligations may require longer retention (e.g., fraud prevention or litigation).

    13) Do you have to provide data?

    For meeting bookings and enquiries, basic contact details are necessary so we can respond or schedule. For cookies/analytics, you are in control — non‑essential tech is entirely optional.

    14) Automated decision‑making

    We do not make decisions solely by automated means that have legal or similarly significant effects on you. If our practices change, we’ll update this policy.

    15) International users

    Our Site is aimed at UK users. If we actively target the EEA in future, we’ll appoint an EU representative and update this policy.

    16) Changes to this policy

    We’ll update this page if our practices or the law change. Material changes will be highlighted for at least 30 days.

    17) Contact us

    • Email: fresh@saladology.co.uk
    • Telephone: 020 797 11 020
    • Mobile / WhatsApp: 07 777 222 123
    • Correspondence address: Solar House, 915 High Rd, London N12 8QJ, United Kingdom
