Privacy notice

How Palatable handles personal data. Last updated 27 May 2026.

Who we are

Palatable is a back-office product for hospitality venues — restaurants, bars, pubs and cafés — operated by Palate & Pen. We are the data controller for the personal data we collect about you. Contact us at hello@palateandpen.co.uk.

What we collect

When you create an account or use Palatable, we process:

  • Your name, email, phone (optional), job title, and business name — collected at signup.
  • Authentication tokens and session cookies — used to keep you signed in.
  • The content you put into the product — recipes, invoices, suppliers, menus, safety logs, staff training records.
  • Usage diagnostics — page views, button clicks, errors — used to fix bugs and improve the product. No third-party advertising trackers.
  • Payment metadata from Stripe — last 4 digits, card brand, billing country. We never see full card numbers.

Lawful basis

We process this data on the basis of contract (necessary to deliver the service you signed up for) and legitimate interests (to keep the product secure and improving). Where we rely on consent — for example, optional marketing emails — you can withdraw at any time.

Sub-processors

We use a small number of third parties to deliver the service:

  • Supabase (Frankfurt, EU) — database + authentication.
  • Vercel (US-based, EU edge) — hosting + content delivery.
  • Stripe (UK + Ireland) — subscription billing.
  • Resend (US) — transactional email.
  • Anthropic (US) — invoice scanning + recipe extraction. We send only the relevant document content, no account-identifying metadata.
  • Cloudflare (UK + global) — DNS + DDoS protection.

All sub-processors are covered by a Data Processing Agreement and either operate from the UK/EU or rely on Standard Contractual Clauses for international transfers.

Retention

We keep account data for the duration of your subscription and for up to 12 months after cancellation, so we can restore the account if you return. After that, account data is deleted permanently. Audit log entries for compliance-relevant events (HACCP, EHO, payments) are retained for 7 years per UK food-safety and tax-law requirements.

Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct anything that’s wrong.
  • Ask us to delete your data.
  • Object to processing or restrict how we use your data.
  • Receive your data in a portable format.
  • Complain to the Information Commissioner’s Office (ico.org.uk).

Email hello@palateandpen.co.uk to exercise any of these. We respond within 30 days.

Cookies

We use only essential cookies — session cookies that keep you signed in. We don’t use third-party advertising trackers. The product does not require a cookie banner under PECR because we use only strictly necessary cookies.

Security

All data is encrypted in transit (TLS 1.2+) and at rest. Access to production data is restricted to authorised staff and logged. To report a security vulnerability, see /.well-known/security.txt.

Changes

If we change how we handle data we’ll update this notice and, where the change is material, email account-holders before it takes effect.
