Birthday SteakPremium Dining Gifts

Legal

Privacy Policy

Last updated: 14 May 2026

1. Who we are

Birthday Steak operates the website birthdaysteak.co.uk and sells dining experience vouchers. For the purposes of UK data protection law, we are the data controller for personal data processed as described in this policy. Contact: [email protected].

2. What data we collect

Depending on how you use our service, we may process:

  • Identity and contact details: name, email address (buyer and recipient), and any personal message you add to a voucher.
  • Order data: voucher value, venue, delivery method, scheduled send time, and voucher code.
  • Payment data: processed by Stripe — we do not receive or store your full card number.
  • Technical data: IP address, browser type, and similar information our host may log for security and reliability.
  • Partner portal data: if you use our partner login, account identifiers managed by our auth provider.

3. How we use your data and lawful basis

We use personal data to fulfil voucher orders (contract), send confirmations and voucher emails (contract), operate redemption and fraud prevention (legitimate interests), meet legal and accounting obligations (legal obligation), and improve our service where proportionate (legitimate interests). We do not sell your personal data and we do not use it for third-party marketing.

4. Recipients and processors

We share data only as needed with trusted processors:

  • Stripe — card payment processing.
  • Supabase — secure database storage and partner authentication.
  • Resend — transactional email delivery.
  • Cloudflare — hosting, edge network, and security.

Some processors may process data outside the UK / EEA. Where they do, we rely on appropriate safeguards such as standard contractual clauses or adequacy decisions, as required by applicable law.

5. Retention

We keep voucher and transaction records for up to six years where needed for tax, accounting, and legal claims. Marketing is minimal; we retain enquiry emails only as long as needed to respond. You may ask us to delete data sooner where the law allows — note we must retain certain financial records.

6. Security

We use industry-standard measures including HTTPS, access-controlled infrastructure, and reputable payment and auth providers. No online transmission is completely secure; please use strong passwords for partner accounts.

7. Your rights

Under UK GDPR you may have the right to access, rectify, erase, restrict, or object to certain processing, and in some cases to data portability. To exercise your rights, email [email protected]. You may complain to the ICO (ico.org.uk); we ask that you contact us first so we can try to resolve the issue.

8. Children

Our service is not directed at children under 16. Purchases are intended for adults aged 18+.

9. Cookies

We use essential cookies only. See our Cookie Policy.

10. Changes

We may update this policy; the latest version will always be on this page with an updated date.