This Privacy Notice explains how GNV ("we", "us", "our") collects, processes, and protects information in connection with the GNV Catering Platform ("Service"). We are committed to responsible data stewardship and transparent governance of all information processed through the platform.
Data We Collect
When you use the Service, we collect and process the following categories of information:
Account information — name, email address, organisational role, and authentication credentials
Usage data — pages visited, features used, interaction timestamps, and session metadata
Device information — browser type, operating system, and device identifiers for compatibility and security
Operational content — menus, recipes, meal plans, product data, and other content you create or import
Reference data — factual information relating to products, ingredients, suppliers, certifications, and supply-chain participants
Verification data — evidence, attestations, certificates, chain-of-custody events, and other data used to validate operational claims
Lawful Basis for Processing
We process personal data under the following lawful bases as defined by applicable data protection legislation including the UK GDPR and EU GDPR:
Contract performance — processing necessary to provide the Service, authenticate access, and fulfil our obligations under the Platform Terms
Legitimate interests — processing necessary for platform security, fraud prevention, service improvement, network integrity, and the generation of anonymised operational intelligence
Legal obligations — processing required to comply with food safety regulations, allergen disclosure requirements, and other applicable law
Consent — where required for specific processing activities, such as optional communications or analytics beyond core service delivery
Purpose of Processing
We process data to:
— Provide, maintain, and secure the platform services
— Authenticate identity and manage role-based access
— Normalise, verify, and enrich reference data across the network to maintain data integrity
— Generate derived outputs including verification scores, analytics, and operational intelligence
— Improve platform performance, reliability, and the accuracy of nutrition, allergen, and traceability information
— Detect and prevent fraud, misuse, and food safety risks
— Communicate service updates, incident notifications, and support responses
Data Categories and Retention
Personal data (account information and directly identifying usage data) is retained for the duration of your active use of the Service. Upon account closure, personal data is securely deleted within 90 days, unless a longer retention period is required by law or necessary to resolve outstanding disputes.
Reference Data, Verification Data, Derived Data, Aggregated Data, and Network Intelligence are retained as part of the platform's canonical reference and verification layer. These data categories are pseudonymised or anonymised such that individuals and customer-specific operations are not reasonably identifiable. Retention of these categories is necessary for the ongoing integrity of the verification network and is governed by the Platform Terms.
Anonymisation and Aggregation
Where we process data for network intelligence, operational scoring, or ecosystem-level analytics, we apply appropriate anonymisation and aggregation techniques. Data is considered anonymised where it has been processed such that neither individuals nor customer-specific operations are reasonably identifiable, taking into account all means reasonably likely to be used for identification.
Pseudonymised data (where direct identifiers have been replaced but re-identification remains technically possible with additional information) continues to be treated as personal data and is subject to appropriate safeguards.
Third-Party Sharing
We do not sell personal data. Personal data is shared only with:
Infrastructure providers — AWS (Amazon Web Services) for hosting, storage, and compute, under strict data processing agreements with appropriate safeguards
Authentication services — AWS Cognito for identity management and secure session handling
Service providers — limited third-party processors engaged under written data processing agreements, bound by confidentiality and security obligations
Anonymised, aggregated, and derived data may be used and shared as described in the Platform Terms. This includes data that has been processed such that individuals and customer-specific operations are not reasonably identifiable.
International Transfers
The Service is primarily hosted on AWS infrastructure in the EU (Ireland, eu-west-1). Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the relevant supervisory authority, adequacy decisions where applicable, and supplementary technical and organisational measures as required.
Security and Governance
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest (AES-256), role-based access controls with least-privilege principles, logical tenant isolation at the data layer, audit logging of access and administrative operations, and regular security reviews.
Your Rights
Under applicable data protection law (including UK GDPR and EU GDPR), you have the following rights in relation to your personal data:
Access — request a copy of the personal data we hold about you
Rectification — request correction of inaccurate or incomplete personal data
Erasure — request deletion of your personal data where there is no compelling reason for continued processing
Restriction — request restriction of processing in certain circumstances
Portability — receive your personal data in a structured, commonly used, machine-readable format
Objection — object to processing based on legitimate interests
Withdraw consent — where processing is based on consent, withdraw that consent at any time
To exercise any of these rights, contact us at the address below. We will respond within one calendar month, or inform you if an extension is required. You also have the right to lodge a complaint with your relevant supervisory authority (in Ireland: the Data Protection Commission).
Contact
For privacy-related enquiries, data subject requests, or questions about this notice, contact us at privacy@globalnutritionvalue.com