Your Privacy Matters

Privacy Policy

How Sordin Tech collects, uses and protects your personal data.

Last updated: March 2026

1. Who We Are

Sordin Tech ("we", "us", "our") is the data controller responsible for your personal data. We are a UK-based software company providing cloud EPOS, online ordering, marketing automation and loyalty tools for independent restaurants and food businesses.

If you have any questions about this policy or how we handle your data, you can contact us at [email protected].

2. What Data We Collect

Restaurant owner data

  • Name, email address and phone number
  • Business name, address and trading details
  • Account credentials (passwords are hashed and never stored in plain text)
  • Billing and payment information processed via Stripe

Customer order data

When customers place orders through a restaurant powered by Sordin Tech, we process:

  • Name, delivery address, email and phone number
  • Order history and preferences
  • Payment transaction references (we do not store full card numbers)
  • Guest tokens used for session identification

Analytics and technical data

  • IP address, browser type and device information
  • Pages visited, time on site and referral source
  • Cookies and similar tracking technologies (see Section 8)

3. How We Use Your Data

We use personal data for the following purposes:

Service delivery

  • Provisioning and operating your EPOS, ordering and marketing platform
  • Processing orders, payments and delivery coordination
  • Sending order confirmations, receipts and status updates
  • Providing customer support and resolving technical issues

Marketing and communications

  • Sending platform updates, feature announcements and onboarding emails
  • Operating marketing automation campaigns on behalf of restaurant owners
  • You can opt out of marketing emails at any time using the unsubscribe link

Analytics and improvement

  • Understanding how users interact with the platform to improve functionality
  • Aggregated, anonymised usage statistics for internal reporting
  • Monitoring platform performance, uptime and security

4. Legal Bases for Processing

Under UK GDPR, we rely on the following legal bases:

  • Contract — Processing necessary to deliver the services you have signed up for, including operating your EPOS system, processing orders and managing your account.
  • Legitimate interest — Platform analytics, fraud prevention, security monitoring and sending service-related communications. We balance our interests against your rights and only process data where it is reasonable to do so.
  • Consent — Marketing communications and non-essential cookies. You can withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation — Where we are required to retain data for tax, accounting or regulatory purposes.

5. Data Sharing

We do not sell, rent or trade your personal data to third parties. We share data only in these limited circumstances:

  • Stripe — Our payment processor handles card transactions securely. Stripe acts as an independent data controller for payment data. See Stripe's privacy policy.
  • Hosting providers — Our UK-based server infrastructure processes data on our behalf under strict data processing agreements.
  • Restaurant owners — Customer order data is shared with the restaurant that the customer placed the order with. The restaurant is a joint controller for that data.
  • Legal requirements — We may disclose data if required by law, court order or a regulatory authority.

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy:

  • Active accounts — Data is retained for the duration of your subscription and for 30 days after cancellation to allow for reactivation.
  • Order records — Retained for 6 years to comply with UK tax and accounting obligations (HMRC requirements).
  • Marketing data — Retained until you unsubscribe or withdraw consent. We periodically remove contacts who have not engaged for 12 months.
  • Analytics data — Aggregated and anonymised after 26 months.
  • Guest tokens — Expire after 12 months of inactivity.

When data is no longer needed, it is securely deleted or anonymised so that it can no longer be linked back to an individual.

7. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access — Request a copy of the personal data we hold about you.
  • Right to rectification — Ask us to correct inaccurate or incomplete data.
  • Right to erasure — Ask us to delete your data where there is no compelling reason to continue processing it.
  • Right to restrict processing — Ask us to limit how we use your data in certain circumstances.
  • Right to data portability — Receive your data in a structured, commonly used, machine-readable format.
  • Right to object — Object to processing based on legitimate interests, including direct marketing.
  • Rights related to automated decision-making — We do not make decisions based solely on automated processing that produce legal effects concerning you.

To exercise any of these rights, email us at [email protected]. We will respond within one month. There is no fee for making a request, unless the request is manifestly unfounded or excessive.

8. Cookies

We use cookies and similar technologies to keep you signed in, remember your preferences and understand how you use our platform.

Essential cookies

Required for the platform to function correctly. These include session cookies, CSRF tokens and guest identification tokens. You cannot opt out of essential cookies.

Analytics cookies

We use Google Analytics to understand traffic patterns and user behaviour. These cookies collect anonymised data and can be disabled through your browser settings or by using a Google Analytics opt-out browser add-on.

For more details about the specific cookies we use and how to manage them, please see our cookie policy or contact us.

9. International Transfers

Our servers are hosted in the United Kingdom. We aim to keep all personal data within the UK wherever possible.

Where data is transferred outside the UK (for example, through third-party services such as Stripe or Google Analytics), we ensure that appropriate safeguards are in place. These include:

  • UK adequacy regulations recognising the recipient country's data protection standards
  • International Data Transfer Agreements (IDTAs) or the UK addendum to EU Standard Contractual Clauses
  • The service provider's binding corporate rules or equivalent protections

10. Contact Us

If you have any questions, concerns or requests regarding this privacy policy or how we process your data, please get in touch:

11. Right to Complain

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

We would appreciate the chance to address your concerns before you approach the ICO, so please contact us first.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify active users by email and update the "Last updated" date at the top of this page.