Munch Prep

← Back to home

Data and compliance

Last updated: 2 April 2026

This page summarises how Munch Prep approaches UK and EU data protection requirements, including the UK GDPR and EU GDPR (together, "GDPR"). It supplements our Privacy policy and does not replace legal advice. For contractual data processing terms between your organisation and Munch Prep, a separate data processing agreement may apply where we act as a processor.

Controller and processor roles

Platform operations. Munch Prep typically acts as a controller for personal data we process to run the platform, secure accounts, bill our customers, improve the service, and meet legal obligations.

Brand and kitchen data. Where we process personal data on documented instructions from a brand or kitchen customer solely to provide the Services to them (for example hosting order and customer records they control), we act as a processor for that processing, and they are the controller for that data.

End customers. When a consumer orders from a brand using Munch Prep, the brand is usually the primary controller for that relationship; we process data as needed to deliver the platform and may also have our own controller responsibilities for certain operational data.

Categories of personal data

Examples include identifiers (name, email), account and role data, transaction and delivery details, technical and security logs, and support communications. Exact categories depend on which features you use.

Lawful bases (GDPR)

We rely on lawful bases such as:

  • Contract — to provide the Services you requested;
  • Legitimate interests — for example fraud prevention, service improvement, and internal reporting, where not overridden by your interests or rights;
  • Legal obligation — where we must retain or disclose information by law;
  • Consent — where required for specific processing (such as certain marketing cookies or communications), which you may withdraw.

Subprocessors

We use vetted infrastructure and service providers to host data, authenticate users, send email, process payments, and operate the product. They process personal data on our instructions and under contractual obligations. A current list may be provided on request or in customer-facing documentation; typical categories include cloud database and hosting (for example Google Cloud / Firebase) and payment services (for example Stripe).

International transfers

Where personal data is transferred outside the UK or EEA, we implement appropriate safeguards such as the UK IDTA / Addendum or EU standard contractual clauses, and supplementary measures where required by regulators.

Data subject rights

Under GDPR, individuals may have rights including:

  • Access to their personal data;
  • Rectification of inaccurate data;
  • Erasure in certain circumstances;
  • Restriction of processing;
  • Objection to processing based on legitimate interests or for direct marketing;
  • Data portability for data provided under contract or consent, where technically feasible;
  • Withdrawal of consent where processing is consent-based.

To make a request, contact info@munch-prep.com or use our contact form. We may need to verify your identity. If we are processing as a processor on behalf of a brand, we may direct you to that brand for some requests.

Supervisory authority

You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk).

Security

We apply administrative, technical, and organisational measures appropriate to the risk, including access controls and encryption in transit where supported. Details may be shared under confidentiality in a commercial or security review.

Record keeping

We maintain records of processing activities where required and conduct assessments for high-risk processing when appropriate.

Updates

We will update this page when our practices or regulatory expectations change materially. Check the "Last updated" date above.