Privacy & GDPR Policy

Privacy & GDPR Policy – Ranna

Effective Date: 1 October 2025

Version: 2.0

Controller: Kaptan Group Ltd (trading as Ranna)

1. Who We Are

Ranna is part of the Kaptan Group Ltd, which operates the following restaurants:

  • Ranna (Bow) – Bow Indian Ltd
  • Ranna (Dalston) – Dalston Indian Ltd
  • Ranna (Old Kent) – Old Kent Indian Ltd
  • Ranna (Walthamstow) – Walthamstow Indian Ltd
  • Ranna (South Woodford) – Derby Food Ltd

All are registered in England & Wales. For the purposes of this policy, they are collectively referred to as "Ranna", "we", "us", or "our".

We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What Data We Collect

Depending on how you interact with us, we may collect:

  • Identity & Contact Data (name, address, email, phone number)
  • Account Data (login details, loyalty membership, preferences)
  • Transaction Data (order details, payment confirmation references – we do not store full card details)
  • Technical Data (IP address, browser, device type, cookies)
  • Order Channel Data (information shared with us via Uber Eats, Just Eat, Deliveroo, or phone orders)
  • Marketing Preferences (your communication choices)

We do not intentionally collect sensitive personal data unless required by law and with your explicit consent.

3. How We Collect Data

  • Directly: via our website, phone orders, in-store, or loyalty programme.
  • Indirectly: via third-party platforms (Uber Eats, Just Eat, Deliveroo). These companies act as independent data controllers and share only the data necessary for us to complete your order.
  • Automatically: through website cookies and analytics.

4. How We Use Your Data

We process your data to:

  • Fulfil your orders and deliver services
  • Manage your account and loyalty scheme
  • Contact you regarding your order or account
  • Send marketing (only if you have opted in)
  • Improve our website, menus, and services
  • Comply with legal and tax obligations
  • Prevent fraud and protect security

Legal bases for processing: contract, legal obligation, legitimate interest, or consent.

5. Marketing

  • We only send marketing if you have opted in.
  • You can unsubscribe at any time.
  • We never sell your data to third parties.

6. Cookies & Tracking

We use cookies and similar technologies to improve your experience. These include essential cookies (for ordering and accounts), analytics cookies (such as Google Analytics), security cookies (firewall and login protection), and preference cookies (to remember your settings).

For full details of how we use cookies, please see our Cookies Policy, available on our website.

7. Data Sharing

We may share your data with:

  • Third-party delivery platforms: Uber Eats, Just Eat, Deliveroo
  • Payment processors: Stripe, Worldpay, PayPal
  • IT & hosting providers: secure servers and website providers
  • Professional advisers: lawyers, accountants, auditors
  • Regulators or legal authorities: if required by law

We do not share data with third parties for marketing purposes.

8. Data Retention

We retain data as follows:

  • Orders & financial records: 7 years (legal requirement)
  • Accounts & loyalty data: kept while active, then deleted after 24 months of inactivity
  • Marketing preferences: kept until you withdraw consent

After retention periods, data is securely deleted or anonymised.

9. Security

We use:

  • SSL encryption for all websites and transactions
  • Firewalls and intrusion protection
  • UK-based secure servers (with approved sub-processors)
  • Staff access restrictions and training

10. Third-Party Websites & Content

If our website links to or embeds other sites (e.g., videos, payment links), those third parties may collect data. We are not responsible for their policies. Please check their privacy notices.

11. Your Rights

You have the right to:

  • Access the data we hold about you
  • Request correction or erasure
  • Restrict or object to processing
  • Data portability (receive your data)
  • Withdraw consent at any time (for marketing or consent-based processing)

Contact us to exercise these rights.

12. Contact Us

Data Controller: Afzal Mahmood, Ranna

Email: customerservice@ranna.co.uk

Website: www.ranna.co.uk

Address: 14/2g Tiller Road, E14 8PX

You also have the right to complain to the Information Commissioner's Office (ICO):
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
www.ico.org.uk

GDPR Compliance Statement

This section sets out how Ranna complies with UK GDPR (post-Brexit) and the Data Protection Act 2018.

Purposes & Lawful Basis for Processing

Purpose/ActivityData TypeLawful Basis
Registering you as a new customerIdentity, ContactContract
Processing and delivering orders (incl. payment & delivery)Identity, Contact, Transaction, FinancialContract, Legal Obligation, Legitimate Interest (debt recovery)
Managing customer relationships (e.g., updates, service notices)Identity, Contact, ProfileContract, Legal Obligation, Legitimate Interest
Administering our website and IT (security, troubleshooting, hosting)Identity, Contact, TechnicalLegitimate Interest, Legal Obligation
Marketing communicationsIdentity, Contact, PreferencesConsent
Analytics & service improvementsTechnical, UsageLegitimate Interest

Data Sources

  • Direct from you (orders via website, phone, in-store)
  • From third-party platforms (Uber Eats, Just Eat, Deliveroo)
  • Automatically via cookies and analytics

Data Breach Procedure

  • Any personal data breach will be assessed immediately
  • If required, the ICO will be notified within 72 hours
  • Where there is a high risk to individuals, affected customers will be informed without undue delay

Automated Decision-Making / Profiling

We do not use your data for automated decision-making. Analytics may categorise user behaviour (e.g., frequent ordering patterns) but this does not affect your rights or services.