Privacy Policy
Last updated: 14 June 2026 · Trades Office Limited (No. 17181500), trading as PlateProof · ICO: ZC133896
This Privacy Policy explains how PlateProof collects, uses, stores and protects personal data when you use the PlateProof platform, website, applications and related services (the “Service”). PlateProof is a trading name of Trades Office Limited, registered in England and Wales under company number 17181500, and processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and, where it applies to a customer, the EU GDPR.
1. About PlateProof
PlateProof is an evidence-backed allergen-compliance platform for food businesses. It assists with allergen identification and record-keeping and evidences a human sign-off. It is not a food-safety authority, an allergen-testing or certification service, or a guarantor of accuracy or safety.
2. Data Controller & Processor Roles
For the business and allergen records you create through the Service:
- the customer (your food business) is the data controller
- and PlateProof acts as the data processor
PlateProof acts as a data controller for:
- account registration data
- billing information
- support communications
- and platform security and operational data
This relationship is further governed by the Data Processing Agreement, which forms part of the contract between PlateProof and its customers.
3. Information We Collect
Account information — name, business/organisation name, email address, and password credentials (stored as a secure hash by Supabase Auth; we never see your plain-text password).
Allergen & operational records — events, dishes, allergen findings and their provenance, dietary flags, and sign-off records that name the individual who reviewed and signed a declaration, with a timestamp.
Uploaded images — photographs of ingredient packaging and dishes. These are retained as your compliance evidence (see Retention).
Technical & usage data — IP address (for security and abuse-prevention), session information, and audit logs of key actions.
4. Allergen Data Is About Dishes, Not Diners
PlateProof records the allergens present in food. It is not designed to collect and does not require health data about individual diners or guests. You should not enter an identifiable individual’s health or dietary-requirement data into the Service. Allergen information about a dish is not special-category personal data.
5. How We Use Personal Data
- to provide and operate the Service
- to provide AI-assisted allergen identification
- to record and evidence human sign-offs
- to authenticate users and manage accounts
- to manage subscriptions and billing
- to provide support
- to monitor platform stability and security
- to comply with legal obligations
- and to prevent fraud or misuse
6. AI Processing & Human Review
The Service uses Anthropic to help identify allergen information from uploaded images and dish names. Data submitted through the Service is not used to train general-purpose AI models. All AI outputs are suggestions and must be reviewed and signed off by a named human before reliance.
7. Lawful Bases for Processing
| Purpose | Lawful basis |
|---|---|
| Providing the Service | Contract |
| Account management | Contract |
| Subscription billing | Contract |
| Support communications | Contract |
| Security monitoring | Legitimate interests |
| Audit logging | Legitimate interests |
| Fraud prevention | Legitimate interests |
| Product improvement | Legitimate interests |
| Legal compliance | Legal obligation |
8. Data Retention
Unlike most platforms, the evidence is the purpose of the Service. Sign-off records, the supporting photographs, and the frozen declaration snapshot are retained as your compliance record for the term of your account and are not automatically deleted, because their value is being available when an inspector, auditor or customer asks for proof.
Following cancellation or termination, your data remains available for export for a defined period (see the Data Processing Agreement), after which it may be deleted unless retention is required by law or you have asked us to retain it for your own compliance needs. Audit logs are retained for up to 12 months. IP addresses processed for security are retained only briefly.
9. Security
PlateProof uses technical and organisational measures designed to protect personal data, including:
- encryption in transit (TLS) and at rest
- database row-level security that isolates each organisation's records
- authentication via Supabase Auth, with platform-level rate limiting and MFA (TOTP) supported at the auth layer
- audit logging of key actions, with signed evidence held append-only
- restricted, server-side-only privileged access
- and EU-hosted managed cloud infrastructure
At present PlateProof operates as a sole-founder business with restricted administrative access. In the event of a personal data breach involving a risk to individuals, PlateProof will comply with applicable breach-notification obligations, including notifying the ICO where legally required within 72 hours of becoming aware.
10. Sub-Processors & International Transfers
PlateProof uses a small number of sub-processors to operate the Service. Database, authentication and file storage are hosted in the EU. Some processing (AI allergen identification) occurs in the United States under appropriate safeguards (UK International Data Transfer Agreement and, where the EU GDPR applies, Standard Contractual Clauses). The current list is in the Sub-Processors Policy.
11. Your Rights
Depending on applicable law, you may have rights to:
- access your personal data
- correct inaccurate data
- delete personal data
- restrict or object to processing
- data portability
- and lodge a complaint with the Information Commissioner's Office (ICO)
Requests may be sent to privacy@plateproof.io; we respond within the period required under UK GDPR (typically one month). You may also complain to the ICO (ico.org.uk · 0303 123 1113).
12. Cookies
PlateProof sets only a strictly necessary authentication cookie required to keep you logged in. It does not use advertising, tracking or analytics cookies. See the Cookie Policy.
13. Children
The Service is for business users only and is not directed at children. PlateProof does not knowingly collect personal data from children.
14. Changes & Contact
We may update this Privacy Policy from time to time; where changes materially affect privacy rights we will give reasonable notice. Questions: privacy@plateproof.io. Trades Office Limited, trading as PlateProof, Company No. 17181500, Hexham, Northumberland, United Kingdom. ICO Registration: ZC133896.
PlateProof deliberately holds a small amount of personal data: account users and the named staff who sign off declarations. It is not designed to process diner health data. This keeps the privacy footprint low by design.