Privacy Policy

AFROBASKET EXPRESS TECHNOLOGY LIMITED

Effective Date: November 10, 2025

Last Updated: November 10, 2025

Policy Version: 1.0

1. YOUR PRIVACY MATTERS

Afrobasket Express Technology Limited ("ABX", "we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platforms (Customer Website, Vendor Website, Vendor App, Customer App, and Admin Portal - collectively, the "Services"). This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

DATA CONTROLLER INFORMATION

Data Controller: Afrobasket Express Technology Limited

Registered Office: 16 Newcroft Drive, Glasgow

Company Registration Number: g445rs

Privacy Inquiries: info@abxtechnologies.co.uk

As the data controller, we are responsible for determining how and why your personal data is processed. We take this responsibility seriously and are committed to transparency in our data practices.

2. SCOPE AND APPLICATION

2.1 Who This Policy Applies To

This Privacy Policy applies to:

  • Customers: Individuals using our customer-facing platforms to browse and purchase products;
  • Vendors: Business users selling products through our marketplace;
  • Delivery Agents: Independent contractors providing delivery services;
  • Website Visitors: Anyone browsing our websites without an account;
  • App Users: Users of our mobile applications;
  • Support Users: Anyone contacting our customer support.

2.2 Services Covered

This policy covers all ABX platforms and services:

  • ABX Customer Website and Mobile App
  • ABX Vendor Website and Mobile App
  • ABX Admin Portal
  • Customer Support Systems (chat, email, phone)
  • Marketing communications and newsletters

3. PERSONAL DATA WE COLLECT

3.1 Information You Provide Directly

For Customers:

  • Account Information: Name, email address, phone number, password (encrypted)
  • Delivery Information: Delivery addresses, postcode, location preferences
  • Payment Information: Payment card details (tokenized and processed by third-party payment processors)
  • Order Information: Purchase history, order details, product preferences
  • Profile Information: Favorite shops, saved products, dietary preferences, spending limits
  • Communication: Support messages, chat transcripts, feedback, reviews

For Vendors:

  • Business Information: Business name, trading name, registration number, VAT number
  • Contact Information: Name, email, phone number, business address
  • Financial Information: Bank account details, tax information, transaction history
  • Verification Documents: ID documents, business licenses, food hygiene certificates, insurance documents
  • Product Information: Product listings, descriptions, images, inventory data
  • Performance Data: Sales metrics, customer ratings, order fulfillment statistics

For Delivery Agents:

  • Personal Information: Name, contact details, emergency contact
  • Verification Documents: ID documents, driver's license, vehicle registration, insurance
  • Performance Data: Delivery completion rates, location tracking during deliveries, customer ratings

3.2 Information Collected Automatically

  • Device Information: IP address, browser type, device type, operating system, unique device identifiers
  • Usage Data: Pages visited, features used, time spent, click patterns, search queries
  • Location Data: GPS coordinates (with permission), postcode-based location, delivery addresses
  • Cookies and Tracking: Session cookies, preference cookies, analytics cookies, advertising cookies
  • Log Data: Access times, error logs, system interactions

3.3 Information from Third Parties

  • Payment Processors: Payment verification, transaction status, fraud prevention data
  • Identity Verification Services: Age verification, identity confirmation, business validation
  • Social Media: If you use social login features (with your consent)
  • Public Sources: Companies House data for vendor verification

4. HOW WE USE YOUR PERSONAL DATA

4.1 Legal Basis for Processing

Under UK GDPR, we must have a lawful basis to process your personal data. We rely on the following legal bases:

Purpose | Legal Basis
Processing orders and payments | Contractual necessity
Creating and managing accounts | Contractual necessity
Vendor verification and onboarding | Contractual necessity & Legal obligation
Customer support | Contractual necessity & Legitimate interests
Fraud prevention and security | Legitimate interests & Legal obligation
Platform improvements and analytics | Legitimate interests
Marketing communications | Consent (which you can withdraw anytime)
Tax and accounting compliance | Legal obligation
Delivery tracking (GPS) | Consent

4.2 Specific Uses by User Type

Customer Data Used For:

  • Processing and fulfilling your orders
  • Communicating order status and delivery updates
  • Providing customer support
  • Personalizing your shopping experience and recommendations
  • Managing your account and preferences
  • Processing payments and refunds
  • Showing nearby shops based on your postcode
  • Preventing fraud and ensuring platform security
  • Sending service updates and important notifications
  • Marketing communications (with consent)
  • Analyzing usage to improve our services

Vendor Data Used For:

  • Verifying your business credentials and identity
  • Managing your vendor account and shop profile
  • Processing sales transactions and payments
  • Facilitating order fulfillment and delivery
  • Providing business analytics and performance metrics
  • Communicating with you about orders and platform updates
  • Ensuring compliance with food safety and business regulations
  • Managing disputes and customer complaints
  • Detecting and preventing fraudulent activity
  • Tax reporting to HMRC (as required by law)

Delivery Agent Data Used For:

  • Verifying identity and eligibility to provide delivery services
  • Assigning deliveries based on location and availability
  • Tracking delivery progress (GPS with consent)
  • Managing performance and ratings
  • Processing payments for delivery services
  • Ensuring safety and security
  • Resolving delivery-related issues

5. HOW WE SHARE YOUR PERSONAL DATA

5.1 When We Share Data

We do not sell your personal data to third parties. We only share your data in the following circumstances:

With Vendors (For Customers):

  • Your name, delivery address, and contact information to fulfill orders
  • Order details to prepare your purchase
  • Vendors are independent data controllers for this information

With Customers (For Vendors):

  • Shop name, location, and contact information
  • Product information and availability
  • Business ratings and reviews

With Delivery Partners:

  • Customer name, delivery address, and contact information
  • Order details necessary for delivery
  • Delivery instructions and preferences

With Service Providers:

  • Payment Processors: To process transactions securely (Stripe, PayPal, Revolut)
  • Cloud Hosting: To store data securely (AWS, Google Cloud, Firebase)
  • Communication Services: To send emails and notifications (SendGrid, Twilio)
  • Analytics Providers: To understand usage patterns (Google Analytics)
  • Customer Support Tools: To manage support tickets and chat
  • Identity Verification: To verify vendor credentials

All service providers are carefully selected and required to protect your data in accordance with UK GDPR.

5.2 Legal and Regulatory Disclosure

We may disclose your personal data when required by law or to:

  • Comply with legal obligations, court orders, or regulatory requests
  • Report to HMRC for tax purposes (vendor financial data)
  • Enforce our Terms and Conditions
  • Protect our rights, property, or safety, or that of our users
  • Detect, prevent, or address fraud, security, or technical issues
  • Respond to emergency situations involving danger of death or serious physical injury

5.3 Business Transfers

If ABX is involved in a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and ensure continued protection of your data.

5.4 International Transfers

Your personal data is primarily stored and processed in the United Kingdom. If we transfer data outside the UK/EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the ICO
  • Adequacy decisions recognizing equivalent data protection
  • Binding Corporate Rules for multinational service providers

6. YOUR DATA PROTECTION RIGHTS

6.1 Rights Under UK GDPR

You have the following rights regarding your personal data:

  1. Right of Access (Subject Access Request): Request a copy of the personal data we hold about you. We will provide this free of charge within one month. You can make a request by emailing dpo@abx.com.
  2. Right to Rectification: Correct inaccurate or incomplete personal data. Update your name and email directly in your profile settings or contact support for other corrections.
  3. Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data. Use the account deletion feature or email dpo@abx.com. Note: We may retain certain data for legal obligations (e.g., transaction records for 7 years for tax purposes).
  4. Right to Restrict Processing: Request that we limit how we use your data. Applies when you contest accuracy or object to processing.
  5. Right to Data Portability: Receive your personal data in a structured, machine-readable format or transfer your data to another service provider. Request via dpo@abx.com.
  6. Right to Object: Object to processing based on legitimate interests, direct marketing, or automated decision-making and profiling.
  7. Right to Withdraw Consent: Withdraw consent at any time for processing based on consent. Does not affect lawfulness of processing before withdrawal. Manage preferences in your account settings.

6.2 How to Exercise Your Rights

To exercise any of these rights:

  • Email our Data Protection Officer: legal@abxtechnologies.co.uk
  • Use the account management features in your profile
  • Contact customer support through the platform
  • Write to us at our registered address

We will respond to all requests within one month. If your request is complex, we may extend this by two additional months and will notify you.

6.3 Right to Lodge a Complaint

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: www.ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

7. DATA RETENTION

7.1 How Long We Keep Your Data

We retain your personal data only as long as necessary for the purposes for which it was collected:

Data Type | Retention Period | Reason
Account Information | Duration of account + 90 days after deletion | Service provision, account recovery period
Transaction Records | 7 years from transaction date | HMRC tax requirements, legal obligations
Vendor Financial Data | 7 years from last transaction | Tax compliance, audit requirements
Marketing Consent | Until consent withdrawn + 30 days | Compliance verification
Support Communications | 3 years from last interaction | Quality assurance, dispute resolution
Website Analytics | 26 months | Service improvement
CCTV/Security Logs | 30 days | Security purposes

7.2 Deletion and Anonymization

When retention periods expire, we either:

  • Delete: Permanently remove personal data from our systems
  • Anonymize: Remove identifying information so data cannot be linked to you

Some anonymized data may be retained indefinitely for statistical and research purposes.

8. DATA SECURITY

8.1 Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

Technical Measures:

  • Encryption of data in transit (TLS/SSL) and at rest (AES-256)
  • Secure password storage using industry-standard hashing (bcrypt)
  • Firewalls and intrusion detection systems
  • Regular security testing and vulnerability assessments
  • Secure API communications with authentication tokens
  • Payment card data tokenization (PCI-DSS compliant processors)
  • Regular backups stored securely
  • Multi-factor authentication for admin access

Organizational Measures:

  • Access controls limiting who can access personal data
  • Staff training on data protection and security
  • Confidentiality agreements with employees and contractors
  • Data protection impact assessments for high-risk processing
  • Incident response procedures
  • Regular security audits and compliance reviews
  • Vendor security assessments for third-party processors

8.2 Your Responsibilities

You can help keep your data secure by:

  • Using a strong, unique password for your account
  • Not sharing your login credentials with anyone
  • Logging out after using shared devices
  • Keeping your contact information up-to-date
  • Reporting suspicious activity immediately
  • Being cautious of phishing emails pretending to be from ABX

8.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours of becoming aware
  • Notify affected individuals without undue delay
  • Provide information about the nature of the breach
  • Advise on steps you can take to protect yourself
  • Describe measures we are taking to address the breach

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 What Are Cookies

Cookies are small text files stored on your device when you visit our websites or use our apps. They help us provide a better user experience and understand how our services are used.

9.2 Types of Cookies We Use

Cookie Type | Purpose | Duration
Strictly Necessary | Essential for website functionality, authentication, security | Session or up to 1 year
Functional | Remember preferences, language settings, location | Up to 2 years
Analytics | Understand how visitors use our services (Google Analytics) | Up to 26 months
Marketing | Deliver relevant ads, track campaign performance | Up to 13 months

9.3 Managing Cookies

You can control cookies through:

  • Cookie Consent Banner: Manage preferences when you first visit
  • Cookie Settings: Update preferences in your account settings
  • Browser Settings: Most browsers allow you to refuse or delete cookies

Note: Disabling strictly necessary cookies may affect website functionality.

9.4 Third-Party Cookies

We use third-party services that may set their own cookies:

  • Google Analytics: Website traffic analysis and user behavior
  • Payment Processors: Secure transaction processing
  • Social Media Plugins: Sharing and social login features
  • Advertising Networks: Targeted advertising (with consent)

These third parties have their own privacy policies governing cookie use.

10. CHILDREN'S PRIVACY

10.1 Age Restrictions

Our services are not intended for children under the age of 18. We do not knowingly collect personal data from children. If you are under 18, please do not use our services or provide any personal information.

10.2 Parental Notice

If we become aware that we have collected personal data from a child under 18 without verification of parental consent, we will take steps to delete that information as quickly as possible. If you believe we have collected information from a child, please contact us immediately at dpo@abx.com.

10.3 Age Verification

For certain products (such as alcohol or age-restricted items), we implement age verification measures at the point of delivery to ensure compliance with UK law.

11. AUTOMATED DECISION-MAKING AND PROFILING

11.1 How We Use Automated Processing

We use automated decision-making and profiling in limited circumstances to improve your experience:

Product Recommendations:

  • We analyze your browsing and purchase history to suggest products you might like
  • This is based on legitimate interests to enhance user experience
  • You can opt out by adjusting your privacy settings

Fraud Detection:

  • Automated systems analyze transaction patterns to detect fraudulent activity
  • This protects both you and our vendors from fraud
  • Based on legitimate interests and legal obligations

Vendor Performance Monitoring:

  • Automated systems track vendor metrics (delivery times, customer ratings)
  • Used to maintain service quality standards
  • Vendors can request manual review of automated decisions

11.2 Your Rights Regarding Automated Decisions

You have the right to:

  • Request human intervention in automated decisions
  • Express your point of view regarding the decision
  • Contest decisions that significantly affect you
  • Request an explanation of how the decision was made

To exercise these rights, contact info@abxtechnologies.co.uk with details of the decision in question.

12. MARKETING COMMUNICATIONS

12.1 Types of Marketing

With your consent, we may send you marketing communications about:

  • New products and special offers from vendors
  • Platform updates and new features
  • Personalized promotions based on your preferences
  • Seasonal campaigns and limited-time deals
  • Vendor promotions and local shop highlights

12.2 How We Send Marketing

  • Email: Newsletters, promotional offers, product updates
  • Push Notifications: App notifications about deals and orders
  • SMS: Text messages for time-sensitive offers (with explicit consent)
  • In-App Messages: Banners and notifications within the platform

12.3 Managing Your Preferences

You can control marketing communications at any time:

  • Click "Unsubscribe" links in marketing emails
  • Adjust notification settings in your account preferences
  • Reply "STOP" to marketing SMS messages
  • Turn off push notifications in your device settings
  • Contact info@abxtechnologies.co.uk to update all preferences

Note: You will continue to receive essential service communications (order confirmations, delivery updates, account notifications) regardless of marketing preferences.

13. LINKS TO THIRD-PARTY WEBSITES

13.1 External Links

Our platforms may contain links to third-party websites, including vendor websites, social media platforms, and partner services. This Privacy Policy does not apply to those external sites.

13.2 Third-Party Responsibility

We are not responsible for the privacy practices or content of third-party websites. We encourage you to read the privacy policies of any external sites you visit through our platform.

13.3 Social Media Integration

If you use social media features (such as sharing products or social login), information may be shared with those platforms according to their own privacy policies.

14. CHANGES TO THIS PRIVACY POLICY

14.1 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify you via email if the changes are significant
  • Display a prominent notice on our platforms
  • Request renewed consent where required by law

14.2 Your Acceptance

By continuing to use our services after changes become effective, you accept the updated Privacy Policy. If you do not agree with any changes, you should stop using our services and may request account deletion.

14.3 Review History

Previous versions of this Privacy Policy are available upon request by contacting dpo@abx.com.

15. CONTACT INFORMATION

15.1 How to Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer:

Email: legal@abxtechnologies.co.uk

Response time: Within 5 business days

Privacy Inquiries:

Email: info@abxtechnologies.co.uk

Phone: 07478687182

Hours: Monday-Friday, 9:00 AM - 6:00 PM GMT

Postal Address:

Afrobasket Express Technology Limited

16 Newcroft Drive, Glasgow

United Kingdom

15.2 Response Times

We aim to respond to all privacy inquiries within:

  • General questions: 5 business days
  • Subject Access Requests: 30 calendar days
  • Data deletion requests: 30 calendar days
  • Urgent matters: 48 hours

16. ADDITIONAL INFORMATION FOR SPECIFIC USERS

16.1 For Customers

Your Order Data: When you place an order, your information is shared with the vendor and delivery agent to fulfill your purchase. Both parties act as independent data controllers for the information they receive.

Reviews and Ratings: When you leave a review, your first name and review content will be publicly visible. You can request removal of reviews by contacting support.

16.2 For Vendors

Dual Role: As a vendor, you are both a data subject (for your personal business data) and a data controller (for customer information you receive through orders).

Compliance Obligations: You must comply with UK GDPR when handling customer data received through our platform. ABX provides guidance but you are responsible for your own compliance.

Data Sharing: Your business name, location, ratings, and product information will be publicly visible on our platform.

16.3 For Delivery Agents

Location Tracking: GPS tracking during active deliveries helps ensure customer satisfaction and your safety. You can disable tracking when not making deliveries.

Performance Metrics: Your delivery ratings and completion statistics are used to maintain service quality and may affect your eligibility for future deliveries.

17. GLOSSARY OF TERMS

For clarity, here are definitions of key terms used in this Privacy Policy:

  • Personal Data: Any information relating to an identified or identifiable person.
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion.
  • Data Controller: The entity that determines the purposes and means of processing personal data.
  • Data Processor: An entity that processes data on behalf of the data controller.
  • Data Subject: The individual whose personal data is being processed.
  • Consent: Freely given, specific, informed, and unambiguous agreement to data processing.
  • UK GDPR: The UK General Data Protection Regulation, the primary data protection law in the UK.
  • ICO: Information Commissioner's Office, the UK's independent data protection authority.
  • Legitimate Interests: A legal basis for processing when it's necessary for purposes that are in our or a third party's legitimate interests.
  • Pseudonymization: Processing data so it can no longer be attributed to a specific person without additional information.

18. LEGAL COMPLIANCE

18.1 Applicable Laws

This Privacy Policy and our data processing practices comply with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR) 2003
  • Electronic Commerce (EC Directive) Regulations 2002
  • Consumer Rights Act 2015

18.2 Data Protection Registration

Afrobasket Express Technology Limited is registered with the Information Commissioner's Office (ICO) as required under the Data Protection Act 2018.

18.3 Compliance Monitoring

We regularly review and update our data protection practices to ensure ongoing compliance with applicable laws and regulations. This includes:

  • Annual data protection audits
  • Regular staff training on data protection
  • Data Protection Impact Assessments for new processing activities
  • Monitoring changes in data protection legislation

© 2025 Afrobasket Express Technology Limited. All rights reserved.

This document is confidential and proprietary. Unauthorized distribution is prohibited.

Questions? Contact our Data Protection Officer at legal@abxtechnologies.co.uk