Back to menu

Privacy Policy

Last updated: February 2026

1. Introduction

Smokeboxx Cafe ("we", "us", "our") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our website and online ordering platform at smokeboxx.co.uk (the "Site").

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is:

  • Business Name: Smokeboxx Cafe
  • Address: 3 Coalway Rd, Wolverhampton WV3 7LR
  • Email: [email protected]
  • Phone: 01902 535677

Please read this policy carefully. By using the Site, you acknowledge that you have read and understood how we process your personal data as described herein.

2. Information We Collect

We collect and process the following categories of personal data:

Personal Data You Provide

  • Identity Data: Your first name and last name.
  • Contact Data: Your email address, phone number, and delivery address.
  • Account Data: Your username and password (passwords are stored in encrypted form).
  • Payment Data: Payment card details are collected and processed securely by our payment provider, Stripe. We do not store your full card number on our servers.

Order Data

  • Details of orders you have placed, including items ordered, order total, delivery or collection preference, and order history.
  • Loyalty points balance and redemption history through the Smokeboxx Rewards programme.

Technical Data

  • IP address, browser type and version, operating system, device type, and screen resolution.
  • Pages visited, time spent on the Site, referring URLs, and other browsing behaviour on our Site.
  • Information collected through cookies and similar technologies (see Section 8).

3. How We Use Your Information

We use your personal data for the following purposes:

Order Processing & Fulfilment

  • To process, prepare, and deliver or make available for collection your food orders.
  • To process payments securely through Stripe.
  • To communicate with you about your order, including order confirmations, delivery updates, and any issues with your order.

Account Management

  • To create and manage your user account.
  • To maintain your order history and saved delivery addresses.
  • To provide customer support and respond to your enquiries.

Loyalty Programme

  • To administer the Smokeboxx Rewards programme, including tracking earned points, processing redemptions, and notifying you of your points balance or expiry.

Marketing Communications

  • With your explicit consent, we may send you promotional emails about new menu items, special offers, and events.
  • You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, or by contacting us at [email protected].
  • Opting out of marketing will not affect essential communications related to your orders or account.

Site Improvement & Analytics

  • To analyse how the Site is used so we can improve its functionality, performance, and user experience.
  • To detect and prevent fraud, abuse, and security issues.

4. Legal Basis for Processing

Under the UK GDPR, we rely on the following lawful bases for processing your personal data:

  • Performance of a Contract (Article 6(1)(b)): Processing your personal data is necessary to fulfil our contract with you when you place an order. This includes processing payments, arranging delivery or collection, managing your account, and administering the loyalty programme.
  • Legitimate Interests (Article 6(1)(f)): We process certain data where it is in our legitimate business interests to do so, provided these interests are not overridden by your rights. This includes improving our Site and services, preventing fraud, and maintaining the security of our platform.
  • Consent (Article 6(1)(a)): Where we send you marketing communications or use non-essential cookies, we do so only with your explicit consent. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legal Obligation (Article 6(1)(c)): We may process your data where necessary to comply with a legal obligation, such as maintaining financial records for tax and accounting purposes.

5. Data Sharing

We may share your personal data with the following categories of third parties, only to the extent necessary for the purposes described in this policy:

  • Stripe: Our payment processor, who handles all card payment transactions. Stripe processes your payment data in accordance with their own privacy policy and PCI DSS compliance standards.
  • Delivery Partners: Where we use third-party delivery drivers or services, we share the minimum information necessary to complete your delivery (typically your name, delivery address, and phone number).
  • Hosting & IT Providers: Third-party companies that provide website hosting, maintenance, and technical infrastructure for the Site.
  • Legal & Regulatory Bodies: We may disclose your data if required to do so by law, or in response to a valid legal request from law enforcement or other governmental authorities.

We do not sell, rent, or trade your personal data to any third party for their marketing purposes.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention periods are:

  • Account Data: Retained for the duration of your account. If your account is inactive for 24 months, we may contact you before deleting your account and associated data.
  • Order History: Retained for up to 6 years after your last order for accounting, tax, and legal compliance purposes (in line with HMRC requirements).
  • Loyalty Points Data: Retained for the lifetime of your account. Points data is deleted when your account is closed.
  • Marketing Consent Records: Retained for as long as you remain subscribed, plus a reasonable period after unsubscription to evidence your consent history.
  • Technical & Analytics Data: Typically retained for up to 26 months.

When personal data is no longer required, it will be securely deleted or anonymised.

7. Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data:

  • Right of Access: You have the right to request a copy of the personal data we hold about you (a "Subject Access Request").
  • Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data. You can also update most of your information directly through your account settings.
  • Right to Erasure: You have the right to request that we delete your personal data, subject to certain legal exceptions (for example, where we need to retain it for legal or tax obligations).
  • Right to Data Portability: You have the right to request that we provide your personal data in a structured, commonly used, machine-readable format, or transfer it to another controller where technically feasible.
  • Right to Object: You have the right to object to the processing of your personal data where we are relying on legitimate interests, or for direct marketing purposes.
  • Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of your data.
  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month, as required by law. In certain circumstances, we may extend this period by a further two months, in which case we will inform you of the delay and the reasons.

There is no fee for making a request, although we may charge a reasonable fee for manifestly unfounded or excessive requests.

8. Cookies

Our Site uses cookies and similar tracking technologies to enhance your browsing experience, remember your preferences, and analyse how the Site is used.

Cookies are small text files placed on your device by your web browser. We use the following types of cookies:

  • Strictly Necessary Cookies: Required for the Site to function properly, including session management, shopping basket functionality, and security features. These cannot be disabled.
  • Functional Cookies: Used to remember your preferences and settings, such as your login details and delivery address.
  • Analytics Cookies: Used to collect anonymised data about how visitors use the Site, helping us to improve its performance and content.
  • Marketing Cookies: Used to track visitors across websites to display relevant advertisements. These are only set with your explicit consent.

You can manage your cookie preferences at any time through our cookie consent settings. You can also configure your browser to refuse cookies, although this may affect the functionality of the Site.

9. Children's Privacy

Our Site and services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at [email protected] and we will take steps to delete that information promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we provide. The revised policy will be posted on this page with an updated "Last updated" date.

Where changes are significant, we will make reasonable efforts to notify you by email or through a prominent notice on the Site. We encourage you to review this page periodically.

Your continued use of the Site after any changes to this policy constitutes your acceptance of the updated terms.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

  • Business Name: Smokeboxx Cafe
  • Address: 3 Coalway Rd, Wolverhampton WV3 7LR
  • Phone: 01902 535677
  • Email: [email protected]
  • Opening Hours: Daily, 5:00 PM – 10:00 PM

If you are not satisfied with how we have handled your personal data or your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.