Privacy Policy

At Apache Pizza, we are deeply committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains in detail how we collect, use, store, share, and protect your personal information when you visit our website at apache-pizzav.com, place an order, use our services, or otherwise interact with us. We encourage you to read this policy carefully so that you fully understand how we handle your personal data and what rights you have in relation to it.

This Privacy Policy is issued by Apache Pizza (hereinafter referred to as "we", "us", "our", or "Apache Pizza"). We operate in Ireland and are fully subject to the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Acts 1988–2018, and all applicable Irish and European Union data protection legislation. The supervisory authority responsible for overseeing data protection compliance in Ireland is the Data Protection Commission (DPC).

By using our website, placing an order, or otherwise providing us with your personal information, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please refrain from using our website or services.

1. Who We Are – Data Controller

For the purposes of applicable data protection law, Apache Pizza is the Data Controller responsible for your personal data. This means we determine the purposes and means by which your personal data is processed.

If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, you may contact us at any time using the details provided above. We aim to respond to all privacy-related inquiries within 30 calendar days, in accordance with our obligations under GDPR Article 12.

2. What Personal Data We Collect

We collect various categories of personal data depending on how you interact with us. We only collect the minimum amount of data necessary to fulfil the stated purpose (the principle of data minimisation under GDPR Article 5). The categories of personal data we may collect include:

2.1 Personal Identification Information

• Full name
• Delivery address (including street, city, county, and Eircode)
• Billing address (if different from delivery address)
• Email address
• Phone number
• Date of birth (where age verification is required)
• Username and password (for registered accounts)

2.2 Order and Transaction Data

• Details of food and beverage items ordered
• Order history and preferences
• Payment method type (e.g., credit card, debit card, cash on delivery) — note: we do not store full card numbers
• Transaction reference numbers
• Special dietary requirements or customisation requests you provide
• Promotional codes or vouchers applied

2.3 Usage and Technical Data

• IP address
• Browser type and version
• Device type, operating system, and screen resolution
• Referring website or URL
• Pages visited on our website and time spent on each page
• Clickstream data and navigation paths
• Time and date of visits
• Search terms used on our website

2.4 Cookie and Tracking Data

We use cookies, pixel tags, web beacons, and similar tracking technologies to collect data about your browsing behaviour on our website. This includes session identifiers, preference settings, and analytics identifiers. Please refer to Section 9 of this policy and our separate Cookie Policy for full details.

2.5 Communications Data

• Messages or enquiries sent to us via email, contact forms, or live chat
• Feedback, reviews, and ratings you provide
• Records of telephone calls (for quality assurance and order confirmation purposes)
• Social media interactions when you contact or tag us on social platforms

2.6 Marketing Preferences

• Your opt-in or opt-out status for email, SMS, or push notification marketing
• Communication preferences and interests
• Responses to surveys or promotional campaigns

2.7 Data We Receive From Third Parties

We may also receive personal data about you from third-party sources, including:

• Payment processors and financial institutions (transaction confirmations)
• Delivery platform partners (if you order through a third-party platform)
• Social media platforms (if you log in using a social media account or engage with our social content)
• Analytics providers who help us understand how users interact with our website

3. How We Use Your Personal Data

We process your personal data only where we have a valid legal basis to do so under GDPR Article 6. The legal bases we rely upon are: (a) the performance of a contract; (b) compliance with a legal obligation; (c) our legitimate interests; and (d) your consent. Below we explain each purpose and the corresponding legal basis:

3.1 Order Processing and Fulfilment (Contract Performance – Article 6(1)(b))

• To receive, process, and confirm your food orders
• To arrange delivery of your order to the address you provide
• To process your payment securely
• To send you order confirmations, receipts, and delivery status updates
• To handle returns, refunds, cancellations, or disputes

3.2 Account Management (Contract Performance – Article 6(1)(b))

• To create and manage your customer account
• To allow you to save delivery addresses and payment preferences
• To maintain your order history for your convenience
• To authenticate your identity when you log in

3.3 Customer Service (Legitimate Interests – Article 6(1)(f))

• To respond to your enquiries, complaints, and feedback
• To investigate and resolve order issues or disputes
• To provide technical support relating to our website or app

3.4 Legal Compliance (Legal Obligation – Article 6(1)(c))

• To comply with our obligations under Irish tax law, including the Taxes Consolidation Act 1997 and VAT legislation
• To meet food safety and traceability requirements under Irish and EU food law
• To respond to lawful requests from An Garda Síochána, Revenue Commissioners, or other public authorities
• To maintain legally required business records

3.5 Marketing and Promotions (Consent – Article 6(1)(a))

• To send you promotional emails, SMS messages, or push notifications about our offers, new menu items, and special deals — but only where you have given your explicit consent
• To display personalised advertisements on third-party platforms based on your interests
• To invite you to participate in surveys, competitions, or loyalty programmes
• You may withdraw your consent to marketing at any time by clicking "unsubscribe" in any marketing email, by adjusting your account settings, or by contacting us directly at [email protected]

3.6 Website Analytics and Improvement (Legitimate Interests – Article 6(1)(f))

• To analyse how visitors use our website in order to improve navigation, content, and the overall user experience
• To monitor website performance, identify technical errors, and ensure security
• To conduct internal research and develop new products or services
• To carry out A/B testing and measure the effectiveness of our marketing campaigns

3.7 Fraud Prevention and Security (Legitimate Interests – Article 6(1)(f))

• To detect, prevent, and investigate fraudulent transactions or abuse of our services
• To verify the identity of customers placing high-value or suspicious orders
• To protect our business, our customers, and third parties from harm

4. Sharing Your Personal Data With Third Parties

We treat your personal data with the utmost care and do not sell, rent, or trade your personal data to any third party for their own commercial purposes. However, we do share your data with carefully selected third parties in the following circumstances:

4.1 Service Providers and Data Processors

We engage third-party companies and individuals to perform functions on our behalf. These parties act as Data Processors under GDPR and are contractually bound to process your data only on our documented instructions and in compliance with applicable data protection law. They include:

• Payment processors (e.g., Stripe, PayPal, or card payment gateway providers) to securely process your payment transactions
• Delivery and logistics partners to fulfil your food delivery orders
• Cloud hosting and IT infrastructure providers who host our website and database
• Email and SMS service providers who facilitate transactional and marketing communications
• Analytics providers (e.g., Google Analytics) who help us understand website usage
• Customer relationship management (CRM) platform providers
• Accounting and financial software providers for invoicing and record-keeping

4.2 Legal and Regulatory Authorities

We may disclose your personal data to law enforcement agencies, courts, regulatory bodies, or government authorities in Ireland and the EU where we are legally required to do so, or where such disclosure is necessary to:

• Comply with a legal obligation, court order, or judicial process
• Protect the rights, property, or safety of Apache Pizza, our customers, or the public
• Investigate, detect, or prevent fraud, security incidents, or criminal activity

4.3 Business Transfers

In the event of a merger, acquisition, restructuring, sale of assets, or similar corporate transaction involving Apache Pizza, your personal data may be transferred to the relevant third party as part of that transaction. We will notify you via email or a prominent notice on our website prior to any such transfer, and you will retain your rights under GDPR throughout that process.

4.4 Social Media and Advertising Platforms

Where you have consented to marketing, we may share limited pseudonymised data (such as hashed email addresses) with social media platforms including Meta (Facebook/Instagram) and Google to enable targeted advertising campaigns. You can opt out of this type of data sharing at any time by withdrawing your marketing consent.

5. Data Security

We take the security of your personal data extremely seriously. We have implemented a comprehensive range of technical and organisational security measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction, in accordance with GDPR Article 32.

5.1 Technical Measures

• SSL/TLS encryption on all pages of our website to protect data transmitted between your browser and our servers
• Encrypted storage of sensitive personal data, including hashed and salted password storage
• Firewalls and intrusion detection systems to protect our servers from unauthorised access
• Regular security patches and software updates
• Tokenisation of payment data — we never store full credit or debit card numbers on our systems
• Access controls and role-based permissions ensuring only authorised personnel can access personal data
• Regular data backups to prevent data loss

5.2 Organisational Measures

• Staff training on data protection and GDPR compliance
• Binding confidentiality obligations for all employees and contractors who handle personal data
• Data protection impact assessments (DPIAs) carried out for high-risk processing activities
• Documented data breach response procedures in line with GDPR Article 33 notification requirements
• Regular internal audits of our data processing activities

6. Your Rights Under GDPR

As a data subject under the GDPR and the Data Protection Acts 1988–2018, you have significant rights in relation to your personal data. These rights are set out below. To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one calendar month of receipt, as required by GDPR Article 12. In complex cases, we may extend this period by a further two months, but we will inform you if this is necessary.

6.1 Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you, along with information about how we process it. This is known as a Subject Access Request (SAR). We will provide this information free of charge in a commonly used electronic format.

6.2 Right to Rectification (Article 16)

If the personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it without undue delay. You can also update certain information directly by logging into your account on our website.

6.3 Right to Erasure / "Right to Be Forgotten" (Article 17)

In certain circumstances, you have the right to request the deletion of your personal data. This right applies where:

• The data is no longer necessary for the purpose it was collected
• You withdraw your consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Please note that this right is not absolute and may be limited where we have legal obligations to retain data (e.g., financial records required by Revenue).

6.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, for example, while the accuracy of data is being contested, or where processing is unlawful but you prefer restriction over erasure.

6.5 Right to Data Portability (Article 20)

Where processing is based on your consent or the performance of a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as CSV or JSON), and to transmit that data to another data controller.

6.6 Right to Object (Article 21)

You have the right to object at any time to the processing of your personal data where that processing is based on our legitimate interests or carried out for direct marketing purposes. If you object to direct marketing, we will stop processing your data for that purpose immediately and without needing to justify our decision.

6.7 Rights in Relation to Automated Decision-Making (Article 22)

We do not currently make decisions about you based solely on automated processing (including profiling) that have a legal or similarly significant effect on you. If this changes in the future, we will update this policy and seek your consent where required.

6.8 Right to Withdraw Consent (Article 7(3))

Where we process your data based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, please contact us or use the opt-out mechanisms provided in marketing communications.

7. Data Retention Periods

We retain your personal data only for as long as is necessary to fulfil the purpose for which it was collected, or as required by applicable law. In determining appropriate retention periods, we consider the nature of the data, the purpose of processing, and our legal obligations. Our general retention periods are as follows:

Once data is no longer required for its stated purpose and any applicable retention period has expired, we will securely delete, destroy, or anonymise it in line with our data retention and disposal procedures.

8. International Data Transfers

Apache Pizza is based in Ireland, which is a member state of the European Union. The EU provides a high level of data protection under the GDPR. However, some of our third-party service providers (such as cloud hosting providers, analytics tools, or email marketing platforms) may process your personal data outside of the European Economic Area (EEA).

Whenever we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place to protect your data in accordance with GDPR Chapter V. These safeguards may include:

• Adequacy decisions issued by the European Commission recognising that the destination country provides an adequate level of data protection (e.g., the EU-US Data Privacy Framework for transfers to the United States)
• Standard Contractual Clauses (SCCs) approved by the European Commission and incorporated into our contracts with third-party processors
• Binding Corporate Rules (BCRs) where applicable for multinational corporate groups

You may request further information about the safeguards we have in place for international transfers, or obtain a copy of the relevant Standard Contractual Clauses, by contacting us at [email protected].

9. Cookies and Tracking Technologies

Our website at apache-pizzav.com uses cookies and similar tracking technologies to enhance your browsing experience, analyse website traffic, and support our marketing activities. A cookie is a small text file that is stored on your device when you visit a website.

We use the following categories of cookies:

• Strictly Necessary Cookies: Essential for the functioning of our website (e.g., maintaining your shopping basket, login sessions). These do not require your consent.
• Performance and Analytics Cookies: Help us understand how visitors use our site by collecting anonymous statistical data (e.g., Google Analytics).
• Functional Cookies: Remember your preferences such as saved delivery address or language settings.
• Targeting and Advertising Cookies: Used to deliver relevant advertisements and track the effectiveness of our marketing campaigns.

When you first visit our website, you will be presented with a cookie consent banner allowing you to accept or decline non-essential cookies. You can change your cookie preferences at any time through our Cookie Settings tool or by adjusting your browser settings to refuse cookies.

Please note that our use of cookies is governed by the ePrivacy Regulations (S.I. No. 336 of 2011), as well as the GDPR, which together implement the EU Cookie Directive and Privacy and Electronic Communications Directive in Ireland.

10. Children's Privacy

Our website, services, and food ordering platform are intended for use by individuals who are 18 years of age or older. We do not knowingly collect, process, or store personal data from children under the age of 18.

If you are under 18 years of age, please do not use our website or provide us with any personal data. If you wish to place a food order, please ask a parent or legal guardian to do so on your behalf.

If we become aware that we have inadvertently collected personal data from a child under the age of 18 without verifiable parental consent, we will take immediate steps to delete that data from our records. If you believe that a child under 18 has provided us with their personal data, please contact us immediately at [email protected] so that we can investigate and take appropriate action.

This approach is consistent with our obligations under GDPR Article 8 and the Irish Data Protection Act 2018, which provide additional protections for children's personal data.

11. Links to Third-Party Websites

Our website may contain links to third-party websites, social media platforms, or other online services that are not operated or controlled by Apache Pizza. This Privacy Policy applies only to our own website and services. We have no control over, and accept no responsibility for, the privacy practices of any third-party websites.

We recommend that you review the privacy policy of any third-party website you visit before providing them with any personal data. The inclusion of a link on our website does not constitute an endorsement of that website or its privacy practices.

12. How to Make a Complaint to the Data Protection Commission

If you are unhappy with how we have handled your personal data or responded to a rights request, you have the right to lodge a complaint with the Data Protection Commission (DPC), which is the supervisory authority for data protection in Ireland.

We would, however, appreciate the opportunity to address your concerns directly before you contact the DPC. Please contact us in the first instance at [email protected] and we will do our best to resolve your complaint promptly and fairly.

If you remain dissatisfied after contacting us, you may contact the DPC using the following details:

You also have the right to seek judicial remedy before the courts of Ireland if you believe your rights under GDPR have been infringed. These rights are in addition to, and do not affect, your statutory rights under Irish consumer protection law, including the Consumer Rights Act 2022.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our business practices, legal obligations, or the services we offer. Any material changes will be communicated to you by:

• Posting the updated Privacy Policy on our website at apache-pizzav.com with a revised "Last Updated" date
• Sending you an email notification where we hold your email address and the changes are significant
• Displaying a prominent notice on our website homepage or order page

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of our website or services following the posting of changes constitutes your acknowledgement of the updated policy.

Where changes require a new or different legal basis for processing (e.g., a new purpose requiring consent), we will seek your consent before implementing those changes.

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have any concerns about how we handle your personal data, please do not hesitate to contact us using the following details:

We are committed to working with you to achieve a fair and prompt resolution to any privacy concerns you may raise. All privacy-related correspondence will be treated with strict confidentiality and handled in accordance with our obligations under the GDPR and the Data Protection Acts 1988–2018.