Privacy Policy

Section 01

Who We Are

ElsaCookz Limited is the data controller responsible for your personal data. We are a company incorporated in England and Wales, operating the website at elsacookz.com and developing the ElsaCookz smart kitchen application (the "App").

As data controller, we determine the purposes and means of processing your personal data and are accountable for doing so lawfully, fairly, and transparently in accordance with applicable data protection law.

Section 02

Scope of This Policy

This policy applies to personal data collected through:

• our website at elsacookz.com and any associated subdomains;
• our pre-launch waitlist and email subscription forms;
• direct communications you send to us by email;
• the ElsaCookz App, including account registration, household setup, meal planning activity, rewards and gamification features (EcoPoints, Spin & Win, shopping vouchers, and related incentive programmes), and any other in-app interactions.

This policy covers both personal data (information relating to an identified or identifiable individual) and household data (aggregated or anonymised data about the consumption, food waste, and meal planning habits of a user's household unit). Where household data can reasonably be used to identify an individual, it is treated as personal data for the purposes of this policy.

When the ElsaCookz App launches, this policy will be updated to cover additional data processing activities associated with app use. You will be notified of material changes before they take effect.

This policy does not apply to third-party websites linked from our site. We are not responsible for the privacy practices of third parties and encourage you to review their policies separately.

Section 03

Data We Collect

At this pre-launch stage, the personal data we collect is limited to the following categories. When the App launches, the following additional categories will also apply.

Data you provide directly

• Email address — collected when you voluntarily sign up to our pre-launch waitlist or otherwise provide it to us.
• Account information — when you register for the App, we collect your name, email address, and any profile preferences you choose to provide.
• Household data — including household size, dietary preferences, ingredient inventories, expiry dates you log, meal plans you create, shopping lists, and cooking habits you input or that the App infers from your activity. This data is used to power personalised features and is associated with your account.
• Rewards and gamification data — including EcoPoints earned and redeemed, Spin & Win entries and outcomes, shopping vouchers issued or claimed, badges, streaks, missions completed, and other incentive programme activity. This data is linked to your account and used to administer the rewards programme and prevent fraudulent or duplicate claims.

Data collected automatically

• Technical data — including IP address, browser type and version, operating system, device type, time zone, and pages visited. This is collected by our hosting infrastructure and may be retained in server logs.
• Usage data — pages viewed and time spent, currently collected only via server-side logging and not linked to your identity. Within the App, usage data may include feature interactions, session frequency, and in-app navigation patterns used to improve the product.
• App performance and error data — where technical or human errors occur within the App (including system glitches, data processing failures, or incorrect feature outputs), we may collect diagnostic information to investigate, remediate, and prevent recurrence. This data is used for operational and security purposes only.

Data we do not collect at this stage

• Payment or financial information.
• Special category data (such as health, dietary, biometric, or ethnicity data), unless you voluntarily provide dietary preferences within the App, in which case this will be treated with the highest level of care.
• Personal data from children under 13 years of age.

Section 04

Lawful Basis for Processing

Under UK GDPR Article 6 and EU GDPR Article 6, we must have a valid lawful basis for each processing activity. The bases we rely on are:

• Consent (Art. 6(1)(a)) — where you have freely given specific, informed, and unambiguous consent to receive pre-launch communications from us. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legitimate interests (Art. 6(1)(f)) — where processing is necessary for our legitimate business interests, such as protecting website security, fraud prevention, and understanding how our site is used, provided those interests are not overridden by your rights and freedoms. We have conducted Legitimate Interests Assessments where we rely on this basis.
• Legal obligation (Art. 6(1)(c)) — where processing is necessary to comply with a legal obligation to which we are subject.

We do not currently rely on contractual necessity as a basis for processing, as we do not have a contractual relationship with waitlist subscribers at this stage.

Section 05

How We Use Your Data

We use your personal data only for the following purposes:

• to send pre-launch updates, early access news, and communications about the development and launch of the ElsaCookz App;
• to inform you of exclusive early access opportunities, product announcements, and relevant company news;
• to respond to enquiries or communications you send us;
• to monitor and maintain the security and performance of our website and App;
• to personalise your in-app experience, including meal recommendations, recipe suggestions, and ingredient management, based on your household data and usage patterns;
• to administer rewards, incentive programmes, and gamification features, including calculating and crediting EcoPoints, processing Spin & Win entries and results, and issuing shopping vouchers or other discounts — and to verify eligibility, prevent abuse, and maintain accurate records of rewards activity;
• to investigate, diagnose, and remediate technical errors, system glitches, or human errors that may affect the accuracy of rewards balances, voucher values, or other App features, in accordance with our error correction procedures;
• to comply with our legal and regulatory obligations.

We will not use your email address for any purpose incompatible with those stated above, unless we obtain your separate consent or are otherwise permitted or required by law.

We do not sell, rent, trade, or otherwise share your email address or household data with third parties for their own marketing or commercial purposes.

Section 06

Marketing Communications

We only send marketing communications where you have given express consent by signing up to our waitlist or actively opting in to receive them.

Our marketing emails comply with the Privacy and Electronic Communications Regulations 2003 (PECR) and applicable UK and EU electronic marketing rules. Each email will include a clear identification of ElsaCookz Limited as the sender and a straightforward mechanism to unsubscribe at any time.

If you unsubscribe, we will stop sending marketing communications promptly and may retain a record of your opt-out to honour your preferences going forward.

You can also withdraw consent or request removal of your email address at any time by contacting privacy@elsacookz.com.

Section 07

Cookies and Tracking Technologies

Our website uses a limited number of cookies and similar technologies. Under the UK Privacy and Electronic Communications Regulations (PECR) and the EU ePrivacy Directive, we are required to inform you about cookies and to obtain consent for non-essential cookies.

Strictly necessary

Essential for the website to function. They do not store personally identifiable information and do not require your consent under applicable law.

Functional (localStorage)

We use browser local storage to remember your cookie consent preference. This stores only a simple preference indicator and is not used for tracking or profiling.

Third-party (Mailchimp)

When you sign up to our waitlist, your data is processed by Mailchimp (The Rocket Science Group LLC). Mailchimp may set its own cookies in connection with this process. Please refer to Mailchimp's Privacy Policy for details.

You can manage your cookie preferences through our consent banner or through your browser settings. Disabling strictly necessary cookies may affect site functionality.

Section 08

Third-Party Processors

We share your personal data only with third-party service providers who process it on our behalf and under our written instructions. We have data processing agreements in place with each processor as required by UK GDPR Article 28. Our current processors are:

• Mailchimp (The Rocket Science Group LLC) — manages our email subscription list and sends pre-launch communications. Mailchimp processes your email address solely on our behalf and is not permitted to use it for their own marketing purposes.
• Netlify Inc. — our website hosting provider, which processes technical data (including IP addresses) as part of hosting and content delivery services.

We do not share your personal data with any other third parties except where required by law, to protect our legal rights, or to prevent fraud or harm.

Section 09

International Data Transfers

Some of our third-party processors are based outside the United Kingdom and the European Economic Area (EEA). Where we transfer personal data internationally, we ensure appropriate safeguards are in place:

• Mailchimp is based in the United States. EU transfers are covered by the EU–US Data Privacy Framework; UK transfers are covered by the UK–US Data Bridge or Standard Contractual Clauses (SCCs) where applicable.
• Netlify is based in the United States with global infrastructure. Data transfers are subject to SCCs or equivalent approved transfer mechanisms.

You may request further information about the specific safeguards in place by contacting privacy@elsacookz.com.

Section 10

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required or permitted by law:

• Waitlist email addresses are retained until you unsubscribe, request deletion, or the App has launched and waitlist communications are no longer required, at which point data will be deleted or anonymised.
• Account and household data created within the App will be retained for the duration of your active account and for a period of up to 12 months following account closure, after which it will be deleted or irreversibly anonymised, unless legal obligations require longer retention.
• Rewards and gamification records (including EcoPoints transactions, Spin & Win outcomes, vouchers issued, and redemption history) are retained for a minimum of 24 months from the date of the relevant activity to support dispute resolution, fraud prevention, and compliance with consumer promotions regulations.
• Server and access logs containing technical data are retained for a maximum of 90 days for security and infrastructure monitoring purposes.
• Records of consent and opt-outs may be retained for up to three years as evidence of compliance with applicable marketing and data protection law.

On receipt of a valid deletion request, we will act within 30 days. In limited circumstances we may be required to retain certain records for legal or regulatory purposes, and will notify you where this applies.

Section 10A

Rewards, Incentives, and Gamification Data

When you use rewards and gamification features within the ElsaCookz App — including earning EcoPoints, participating in Spin & Win, redeeming shopping vouchers, completing missions, or earning badges — we collect and process data relating to your participation in those programmes. This section explains how that data is handled.

What we collect

• EcoPoints earned, adjusted, and redeemed, including the triggering activity and timestamp for each transaction;
• Spin & Win entries, outcomes, and any rewards or vouchers generated as a result;
• shopping vouchers or discount codes issued to your account, including value, expiry date, redemption status, and associated partner or retailer where applicable;
• badges, streaks, mission completions, and other gamification milestones associated with your account.

Why we collect it

Rewards data is processed to administer the programme accurately and fairly, to prevent fraudulent, duplicate, or erroneous claims, to maintain an auditable record of incentive activity, and to resolve any disputes or discrepancies that arise.

Error correction and technical limitations

We take all reasonable steps to ensure that rewards balances, Spin & Win outcomes, and voucher values are calculated and recorded correctly. However, technical errors, software glitches, network failures, or human error may on occasion result in incorrect rewards being displayed, credited, or communicated. In such circumstances:

• We reserve the right to correct any error in a rewards balance or incentive value, whether the error resulted in an understatement or overstatement, once identified;
• Rewards, vouchers, or discounts that are issued or displayed as a result of a technical or human error — and that do not reflect your genuine earned entitlement — are not legally binding and may be withdrawn or corrected without notice;
• We will use reasonable endeavours to notify you of any material correction to your rewards balance;
• We will not be liable for any indirect loss, inconvenience, or disappointment arising from an error in rewards calculation or display, or from the correction of such an error.

Voucher and discount data

Where shopping vouchers or discount codes are issued through the App, we retain records of the voucher value, issue date, expiry, and redemption status. Voucher data may be shared with the relevant retail or commercial partner solely to the extent necessary to validate and process your redemption. Partner use of that data is governed by their own privacy policy.

Section 10B

Household Data

A core feature of the ElsaCookz App is the ability to manage food and meal planning at a household level. In doing so, the App collects and processes data that relates to your household's food habits, ingredient inventory, and consumption patterns. This section explains how that data is treated.

What constitutes household data

• Household size and composition (e.g., number of adults and children), where you choose to provide this;
• ingredient and food inventory you log, including product names, quantities, and expiry dates;
• meal plans, recipe selections, and cooking decisions made within the App;
• shopping lists generated by or within the App;
• food waste patterns and waste reduction scores calculated from your activity;
• dietary preferences and restrictions you voluntarily enter (e.g., vegetarian, nut-free);
• kitchen score and sustainability metrics generated by the App based on your usage.

How household data is used

Household data is used exclusively to deliver, personalise, and improve the core features of the App for you. Specifically:

• to generate personalised recipe and meal suggestions;
• to calculate expiry-aware alerts and food waste reduction insights;
• to power EcoPoints calculations and other sustainability-linked rewards;
• in aggregate and anonymised form, to improve the App's recommendation engine and product features.

How household data is protected

Household data is associated with your individual account and is not shared with other users or third parties, except where necessary to provide the Services (for example, with cloud infrastructure providers operating under data processing agreements). We do not sell household data or use it for advertising profiling.

Where household data includes voluntary information about dietary needs or health-related preferences, it is treated with the same care as special category data under UK GDPR and EU GDPR, and processed only on the basis of your explicit consent.

Anonymised and aggregated household data

We may use anonymised and aggregated household data — from which no individual or household can be identified — for product analytics, research, and to develop improvements to the App. This data does not constitute personal data and is not subject to the same restrictions under applicable data protection law.

Section 11

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction, including:

• HTTPS encryption for all data transmitted between your browser and our website;
• access controls limiting internal access to personal data to those with an operational need;
• use of reputable, security-certified third-party processors with contractual obligations to protect your data;
• regular review of security practices as the business develops.

No method of electronic transmission or storage is completely secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office (ICO) within 72 hours as required by UK GDPR Article 33, and will notify affected individuals where required under Article 34.

Section 12

Your Rights

Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data:

• Right of access (Art. 15) — request a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
• Right to erasure (Art. 17) — request deletion of your personal data where there is no longer a lawful basis for retention.
• Right to restriction (Art. 18) — ask us to restrict processing in certain circumstances.
• Right to data portability (Art. 20) — where processing is based on consent or contract and carried out by automated means, request your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21) — object to processing based on legitimate interests or direct marketing. Where you object to direct marketing, we will cease processing immediately.
• Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Rights related to automated decision-making (Art. 22) — we do not make automated decisions (including profiling) that have a legal or similarly significant effect on you.

To exercise any of these rights, contact us at privacy@elsacookz.com. We will respond within one calendar month of receipt, as required by law.

If you are dissatisfied with our response, you have the right to lodge a complaint with the supervisory authority:

EEA-based users also have the right to lodge a complaint with their local supervisory authority.

Section 13

Children's Privacy

Our website and waitlist are directed at adults. We do not knowingly collect personal data from children under 13 years of age, or under 16 for information society services where parental consent is required under UK GDPR Article 8 and EU GDPR Article 8.

If you are a parent or guardian and believe a child has submitted personal data to us without appropriate consent, please contact privacy@elsacookz.com and we will review and, where appropriate, delete that information promptly.

Section 14

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will:

• update the "Last updated" date at the top of this page;
• notify waitlist subscribers by email where the changes are significant;
• seek fresh consent before processing your data under revised terms where required by law.

We encourage you to review this policy periodically. The current version will always be available at elsacookz.com/privacy.

Section 15

Contact Us

For questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our data privacy team: