top of page


Welcome to the CauliBox Privacy Policy. At CauliBox, we are committed to keeping your personal information safe and secure, and handling it in accordance with our legal obligations. This Privacy Policy sets out in detail the purposes for which we process your personal information, what rights you have in relation to that information, who we share it with and everything else we think is important for you to be aware of.

Please make sure you check it carefully and if you don’t agree with it, then you shouldn’t use our Platform or services. This is because by accessing our Platform or services, you confirm that you accept the way in which we process your personal information. This privacy policy forms part of our Terms, and capitalised words and phrases in it have the same meaning as those in our Terms.

If you have any concerns, please feel free to contact us at

About CauliBox

CauliBox is the data controller for the purposes of the personal information processed in accordance with this Privacy Policy.

You can contact us regarding this Privacy Policy by email to

Contents of this Privacy Policy:  
  1. About this Privacy Policy

  2. The personal information we collect, how we collect it, and why

  3. Our legal basis for processing personal information

  4. When do we share your personal information?

  5. Communications

  6. How long do we store your personal information?

  7. Security of your personal information

  8. Links

  9. Age restrictions

  10. Your rights and choices

  11. Contacting us

  12. Cookies

  13. General

In this Privacy Policy, unless the context requires a different interpretation:

  1. the singular includes the plural and vice versa;

  2. references to sub-clauses, clauses, schedules or appendices are to sub-clauses, clauses, schedules or appendices of this privacy policy;

  3. a reference to a person includes firms, companies, government entities, trusts and partnerships;

  4. "including" is understood to mean "including without limitation";

  5. reference to any statutory provision includes any modification or amendment of it;

  6. the headings and sub-headings do not form part of this privacy policy.

1. About this Privacy Policy

This Privacy Policy applies to the personal information we collect about you through our Platform, by telephone, by post, from third parties and when you otherwise communicate with us.

This Privacy Policy may change from time to time and, if it does, the up-to-date version will always be available on our Website. We will also tell you about any important changes to our Privacy Policy.

2. The personal information we collect, how we collect it, and why

Personal information means any information about an individual from which that individual can be identified. The following shows information we process about you, and the purpose for which we process that information. There may be more than one reason for which we collect such information and we have only listed the main reasons. If you would like further information, please contact us at


Information you provide to us

  • User Account information, such as your name and email address and other contact details.

    • Your account information enables us to personally and uniquely identify and communicate with you, both within the App, and externally in emails, SMS messages and other forms of communication. We also require this information for billing, account eligibility purposes and account maintenance purposes.

  • Your preferences for receiving communications and notifications

    • We store your preferences so we know exactly how to communicate with you (e.g. for marketing or sending service communications), and in some cases, how not to communicate with you.

Information we collect automatically

  • Account status

    • We store information about your User Account and interactions with our service, including where, you borrow and return (or do not return) a CauliBox.

  • Unique identifiers

    • When someone signs up with us, we generate unique identifiers (e.g. a number) as a mechanism to identify them across our technical systems, and to link that person with their product preferences, billing records, service interaction analytics and customer service history.

  • Your interactions with our service

    • When you interact with our Products, we record and track this information for our ongoing operations and to analyse how our Users enjoy our service so that we can continue to develop it.

  • Payment information (e.g. records of transactions, payment tokens)

    • We record payment and transaction data, for example in relation to Lost Box Payments, to keep financial and security records for our business and to comply with our legal obligations to retain financial and transaction information. We also keep a record of where payments have been successful or have failed against a User’s details in our systems.

  • IP address

    • This enables us to uniquely identify you and to distinguish you from other Users. In turn, it enables us to deliver you a more personalised service (e.g. correctly currency and pricing or more relevant CauliBox locations listed when searching).

  • Records of promotions

    • Whenever we hold promotions, for example through our Rewards programme, we keep an internal record of how they have been applied. We collect data around promotions, how Users interact with them, and we use that data to improve the way we run promotions in future.

  • Information we collect from other sources

    • Social media or third party sign in information

    • As part of the sign-up process, we import some of the information you may have disclosed to your social media pages, such as Facebook or Google (if you are able to and choose to connect to CauliBox via a social network).

  • Device Information​

    • Device IDs are collected by our payment partner stripe to assist in fraud prevention. 

All data collected above is transferred securely to Cauli servers at "" via industry standard encryption and directly to third parties where required, such as stripe for handling payment details and and payments.

In respect of all the above information, our overarching purpose is to enable us to generate a trusted, secure, engaged and community of people who want to eliminate the need for single-use packaging in the different branches of the takeaway food market. We want all of our visitors and Users’ information to be secure, but also visible to us so that we can provide them personalised customer service and a customised user experience.

3. Our legal basis for processing personal information

We only ever use your information in line with applicable data protection laws – in particular, the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. In short, this means we only use it where we have a legal basis to do so. Under GDPR, these are the general legal bases for which we process your personal information, as detailed in the table above:

  • Consent – you have given us consent to process your personal information for a specific purpose that we have told you about.

  • Performance of our contract – processing your personal information is necessary for a contract you have with us, or because we have asked you to take specific steps before entering into that contract.

  • Legitimate interests – processing your personal information is necessary for our legitimate interests or those of a third party, provided those interests are not outweighed by your rights and interests (including where processing is required to comply with or enforce a legal obligation, or to exercise or defend our legal rights).


4. When do we share your personal information?

We may disclose your information for certain purposes and to third parties, as described below:

  • CauliBox staff and our group of companies: we share your information with our staff (including employees, consultants, agents and advisors) and within the CauliBox group of companies as required for: providing you with access to our services according to our agreement, data storage and processing, providing customer support, making internal choices around business improvements, content development, and for the other purposes set out in this Privacy Policy. Where we hire staff outside of the EEA, we ensure that they are party to equivalency measures and contractual safeguards as mandated by the European Commission.

  • Third Party Providers: We use certain companies, agents or contractors (Third Party Providers) to perform services on our behalf or to help deliver our services to you. We contract with Third Party Providers, for example to provide payment processing services (Stripe), to analyse and action data (Google Analytics), email, messaging and newsletter communications, as well as for infrastructure and IT services, to personalise and enhance our services, to provide customer service, and to process and administer consumer surveys. In the course of providing such services, these Third Party Providers may have access to your personal information. We do not authorise them to use or disclose your personal information except in connection with providing their services to us.

  • Promotions with our partners: We may offer joint promotions, schemes or incentives with our selected partners that, in order for you to participate, will require us to share your information with the relevant partner, in particular when redeeming CauliCoins as part of our Rewards programme. In fulfilling these types of promotions, we may share your name and other information in connection with fulfilling the relevant incentive. Please note that our partners are responsible for their own privacy and data protection methods and if applicable you should refer to their relevant privacy policy.

  • To protect legitimate interests: There are certain circumstances where CauliBox and our Third Party Providers may disclose and/or make use of your information where a disclosure would be necessary to: (a) satisfy any applicable law, regulation, legal process, or other legal or governmental request or requirement, (b) enforce applicable terms of use, including investigation of any actual or alleged breaches, (c) detect, prevent, or otherwise address illegal or suspected illegal activities (including payment fraud), security or technical issues, or (d) protect against harm to the rights, property or safety of CauliBox, its Subscribers, visitors or the public, as required or permitted by law.

  • Transfers of our business: In connection with any corporate reorganisation, restructuring, investment, merger or sale, or other transfer of assets, we will transfer information, including personal information, provided that the receiving party agrees to comply with our requirements as set out in this Privacy Policy relating to your personal information.


5. Communications

This section is to explain how we will ensure that you only receive communications that you wish to receive.

Marketing communications:

We want to ensure that you are informed and aware of the best services and promotions that we can offer you. By consenting to receive additional communications (by mail, telephone, text/picture/video message or email) from us and any named third parties that feature at the point of obtaining consent in respect of such information, we will process your personal information in accordance with this Privacy Policy.

You can change your marketing preferences and unsubscribe at any time by accessing the settings within our App (if such functionality is available) or emailing us. If you choose not to receive this information we will be unable to keep you informed of new services and promotions of ours, or the CauliBox group of companies, that may interest you.

Whatever you choose, you’ll still receive other important information, for example service updates, as described below.

Service communications:

As detailed in the table at section 2, we may send you communications such as those which relate to any service updates (e.g. service availability, product releases, new locations) or provide customer satisfaction surveys. We consider that we can lawfully send these communications to you as we have a legitimate interest to do so, namely to effectively provide you with the best service we can and to grow our business.

6. How long do we store your personal information?

Unless a longer retention period is required or permitted by law, we will only hold your personal information on our systems for the period necessary to fulfil the purposes outlined in this Privacy Policy or until you request that the data be deleted. Even if we delete your personal information, it may persist on backup or archival media for legal, tax or regulatory purposes.

In accordance with this Privacy Policy, you have the right to request that we delete your personal information, except where we are legally permitted or required to maintain certain personal information. For example:

  • We are legally required to retain financial and transaction data for a minimum period of 7 years for tax, audit and accounting purposes. This includes keeping a record of the amount of each transaction, what it related to, and who we transacted with.

  • If there is an unresolved issue relating to your account, for example relating to a complaint surrounding a Lost Box Payment or your CauliCoins, then we will retain your personal information until the issue is resolved.

  • There may be other situations where we have legitimate business interests to retain personal information, such as to prevent fraud or protect security of our other Subscribers.

Any Third Party Providers that we engage will keep your personal information stored on their systems for as long as is necessary to provide the relevant services to you or us. If we end our relationship with any third party providers, we will take reasonable steps to ensure that they securely delete or return your personal information to us.

We may retain personal information about you for statistical purposes. Where information is retained for statistical purposes it will always be anonymised, meaning that you will not be identifiable from that information.


7. Security of your personal information

We are committed to securing and protecting your personal information, and we make sure to implement appropriate technical and organisational measures to help protect the security of your personal information. We may adopt various policies including anonymisation, pseudonymisation, encryption, password restricted access, and retention policies to guard against unauthorised access and unnecessary retention of personal information in our systems.

The information that we collect from you may be transferred to, and stored at, a destination outside of the European Economic Area (EEA). When we transfer and store your personal information outside of the EEA we will take steps to ensure that the information is transferred in accordance with this Privacy Policy and applicable data protection laws. In particular, we will ensure that appropriate contractual, technical, and organisational measures are in place with any parties outside the EEA such as the Standard Contractual Clauses approved by the EU Commission.

Unfortunately, the transmission of your personal information via the internet is not completely secure and although we do our best to protect your personal information, we cannot guarantee the security of your information transmitted to us over the internet and you acknowledge that any transmission is at your own risk.

8. Links

Our Platform may, from time to time, contain links to websites operated by third parties. This Privacy Policy only applies to the personal information that we collect from you and we cannot be responsible for personal information collected and stored by third parties. If you click on a link, please understand that the relevant third party websites have their own terms and conditions and privacy policies, and we do not accept any responsibility for the content of those third party websites or third party terms and conditions or policies. Please check these policies before you submit any personal information to these websites.


9. Restrictions

You must be 16 years of age or older to use our Products. We do not knowingly collect personal information from individuals under 16 years of age. If you are under that age limit, then please do not use CauliBox or provide any personal information to us. If you are under 18, you must have parental or guardian consent to use CauliBox.

If we learn that we have collected personal information of an individual under our age limits or otherwise without consent, then we will take all reasonable steps to delete that information from our systems which we are legally entitled to, and if required, delete the relevant User Account.


10. Your rights and choices

This section explains that you have a number of rights in relation to your personal information.

Under the GDPR and the UK Data Protection Act 2018, as a User of our Platform, you are entitled to certain rights. There are circumstances in which your rights may not apply. You have the right to request that we:

  • provide you with a copy of the information we hold about you;

  • update any of your personal information if it is inaccurate or out of date;

  • delete the personal information we hold about you - if we are providing services to you and you ask us to delete personal information we hold about you then we may be unable to continue providing those services to you;

  • restrict the way in which we process your personal information;

  • stop processing your data if you have valid objections to such processing; and

  • transfer your personal information to a third party.

For more information on your rights and how to use them, or if you would like to make any of the requests set out above, please contact us.

We may at certain times need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

As explained in section 4, even if you consented to the processing of your personal information for marketing purposes (by ticking the relevant box or by requesting information about services for example), you have the right to ask us to stop processing your personal information for such purposes. You can exercise this right at any time by contacting us or adjusting your privacy and notification settings within the App. Please note that we reserve the right to charge a fee for responding to requests where we reasonably determine that they are manifestly unfounded or onerous or being made in bad faith.


11. Contacting us

If you have any questions or concerns about how we handle your personal information, please contact by email to

If you are not satisfied with the way a complaint you make in relation to your Data is handled by us, you may be able to refer your complaint to the relevant data protection authority. For the UK, this is the Information Commissioner's Office (ICO). The ICO's contact details can be found on their website at


12. Cookies

We may use cookies on our Platform (e.g. for site analytics) which help us monitor use of the Digital Products, and in turn improve it based on how our Users interact with them. You can choose to accept or turn off cookies within your browser settings.

13. General

You may not transfer any of your rights under this Privacy Policy to any other person. We may transfer our rights under this privacy policy where we reasonably believe your rights will not be affected.

If any court or competent authority finds that any provision of this Privacy Policy (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this Privacy Policy will not be affected.

Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.

This Privacy Policy will be governed by and interpreted according to the law of England and Wales. All disputes arising under the Agreement will be subject to the exclusive jurisdiction of the English and Welsh courts.

bottom of page