Privacy Policy
Welcome to Two and a Half Birds Ltd and our website, www.tahb.co.uk.
The protection of your personal data is our top priority. This policy explains how we ensure transparent and fair processing of your data and outlines our commitment to handling it carefully and responsibly.
To understand how we use data, please read this Privacy Policy and our Cookie Policy.
1. Introduction, Scope and Who We Are
1.1 This Privacy Policy (“Policy”) explains how Two and a Half Birds Ltd (“we”, “us”, “our”) collects, uses, shares, and protects personal data when you interact with us, whether through our website at www.tahb.co.uk, by placing an order, or by contacting us by email, telephone, or post.
1.2 We are committed to safeguarding your personal data and complying with all applicable laws in the United Kingdom, including:
the UK General Data Protection Regulation (UK GDPR);
the Data Protection Act 2018 (DPA 2018);
the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended; and
any successor legislation or regulatory guidance issued by the Information Commissioner’s Office (ICO).
1.3 This Policy applies to customers, prospective customers, website visitors, account holders, and individuals who contact us in relation to our Products and services. It does not apply to the personal data of our employees, which is subject to a separate privacy notice.
1.4 This Policy should be read together with our Terms & Conditions, Cookie Policy, and Delivery and Payment Policy, all of which set out additional rights and responsibilities relevant to your relationship with us.
1.5 By using our website or placing an order with us, you acknowledge that you have read and understood this Policy. If you do not agree with its terms, you should refrain from using our services.
2. How to Contact Us & ICO Details
2.1 Two and a Half Birds Ltd is the controller of your personal data for the purposes of the UK GDPR and the DPA 2018.
2.2 Our registered details are:
Two and a Half Birds Ltd
Company number: 12513829
Registered office: 128 City Road, London, EC1V 2NX
Email: info@tahb.co.uk
Telephone: +44 7777 252337
2.3 We are registered with the Information Commissioner’s Office (ICO). Our registration number can be provided on request.
2.4 If you have questions about this Policy, your personal data, or your rights, please contact us at the details above.
2.5 You also have the right to lodge a complaint with the ICO at any time:
Information Commissioner’s Office
Wycliffe House, Water Lane,
Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
3. Our Services and Audience (Adults Only)
3.1 We provide freshly prepared pet food products for delivery within our designated delivery area in Brentwood, United Kingdom. Our services are directed at adults purchasing for household use.
3.2 We do not knowingly offer, target, or provide services to children under the age of 18. Our website, ordering process, and communications are designed for adults, and we expect that any personal data provided relates to adults.
3.3 In compliance with the Age Appropriate Design Code (Children’s Code), we have assessed our services as not being likely to be accessed by children. If, however, we discover that we have inadvertently collected personal data from a child, we will delete it promptly unless we have a lawful basis to retain it.
3.4 If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately so that we can investigate and take appropriate action.
4. What Personal Data We Collect
4.1 We may collect and process the following categories of personal data about you:
Identity data: name, title, age confirmation tick, and account identifiers.
Contact data: billing address, delivery address, email address, and telephone number.
Order and transaction data: details of Products ordered, order history, payment references, refunds, and related correspondence.
Payment data: tokenised payment identifiers returned by Stripe and PayPal (we do not store full card numbers, CVVs, or bank details).
Account data: login credentials, password hashes, and security preferences.
Communications data: emails, phone calls, or other correspondence between you and us.
Device and usage data: IP address, browser type, operating system, cookies, analytics identifiers, browsing patterns, and website interactions.
Marketing preferences: your choices regarding newsletters, promotions, or cookie consent.
4.2 We do not intentionally collect special category data (such as health, political opinions, religious beliefs, or biometric data). Please do not provide this type of information in communications with us unless strictly necessary.
4.3 We do not require information about your pet that could indirectly identify you, such as veterinary records. If you choose to provide such details, they will be treated in accordance with this Policy.
5. How We Collect It
5.1 We collect personal data directly from you when you:
place an order on our website;
create or manage an account;
communicate with us by email, telephone, or post;
sign up to marketing communications (when offered);
provide feedback, reviews, or complaints.
5.2 We collect personal data automatically when you use our website, including through cookies, server logs, analytics tools, and similar technologies.
5.3 We may also receive personal data about you from third parties:
Payment providers (Stripe and PayPal) for payment confirmation and fraud checks;
Delivery partners for proof of delivery;
Analytics providers (Google Analytics, and in future, Meta Pixel) for website performance and usage insights;
Anti-fraud and security services that help verify transactions.
6. Purposes and Lawful Bases (Matrix)
6.1 We process your personal data for the following purposes and lawful bases under the UK GDPR:
To process and deliver your orders: including taking payment, arranging delivery, and providing order updates.
Lawful basis: performance of a contract (Art. 6(1)(b)).
To manage your account: maintaining login credentials, preferences, and purchase history.
Lawful basis: performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in securing accounts.
To communicate with you: responding to enquiries, complaints, or feedback.
Lawful basis: performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) to provide good customer service.
To comply with legal obligations: record-keeping for tax, regulatory, and consumer protection compliance.
Lawful basis: legal obligation (Art. 6(1)(c)).
To protect against fraud and misuse: verifying payments, monitoring transactions, preventing abuse of promotions.
Lawful basis: legitimate interests (Art. 6(1)(f)).
To analyse website use and improve services: through cookies and analytics tools.
Lawful basis: consent (Art. 6(1)(a)) for non-essential cookies; legitimate interests (Art. 6(1)(f)) for essential site performance cookies.
To send marketing communications (if activated): newsletters, promotions, or offers.
Lawful basis: consent (Art. 6(1)(a)) or, where applicable, soft opt-in under PECR for existing customers.
6.2 Where legitimate interests are relied upon, we have conducted balancing assessments to ensure your rights are not overridden. You may object to processing based on legitimate interests at any time.
7. Special-Category Data
7.1 We do not intentionally collect or process special category personal data (such as health, racial or ethnic origin, religious beliefs, political opinions, or biometric data).
7.2 If you choose to provide special category data in the course of communication with us (for example, disclosing a medical condition in relation to delivery preferences), we will treat it with particular care and confidentiality.
7.3 We will only process special category data where one of the lawful bases under Art. 6 UK GDPR applies and one of the conditions under Art. 9 UK GDPR is met, usually explicit consent.
7.4 Where such data is not necessary, we may securely delete or redact it to minimise risk.
8. Cookies & Similar Technologies (PECR)
8.1 Our website uses cookies and similar technologies to distinguish you from other users, to provide core functionality, and to improve your experience.
8.2 Cookies are small text files stored on your device when you visit our website. Some are strictly necessary for the operation of the site; others help us analyse usage, personalise content, or deliver marketing.
8.3 Under the Privacy and Electronic Communications Regulations 2003 (PECR), we are required to obtain your consent before placing or accessing cookies that are not strictly necessary for providing the service you requested. This includes analytics cookies and any advertising or social media tracking technologies.
8.4 When you first visit our website, you will be presented with a cookie banner. This allows you to accept or reject non-essential cookies and to manage your preferences. Your choices are recorded and respected. You can change your preferences at any time through our cookie settings page.
8.5 Strictly necessary cookies are deployed automatically as they are required for the operation of the site (for example, remembering your basket contents or ensuring security).
8.6 Full details of the cookies we use, their purposes, and retention periods are set out in our Cookie Policy, which forms part of this Privacy Policy.
9. Analytics and Online Tracking
9.1 We currently use Google Analytics 4 (GA4) to collect information about how visitors use our website. This helps us understand usage patterns, improve functionality, and optimise content.
9.2 Google Analytics collects information such as which pages you visit, how long you stay, how you arrived at the site, and what you click on. The information is aggregated and does not directly identify you.
9.3 GA4 uses cookies that are placed on your device only with your consent. You can withdraw consent at any time through our cookie settings.
9.4 Data generated by Google Analytics may be processed outside the UK, including in the United States. Where this occurs, we rely on appropriate transfer safeguards (see Section 16).
9.5 In future, we may implement other online tracking tools such as the Meta Pixel. These will only operate where you have given consent and will be clearly described in our Cookie Policy.
9.6 You may also opt out of analytics tracking at any time using browser settings or tools provided by Google, though functionality of the site may be affected.
10. Payments and Fraud Prevention
10.1 We accept payments via Stripe and PayPal. When you make a payment, your details are processed directly by these providers using secure encryption. We do not collect or store your full card number, CVV, or bank account details.
10.2 Stripe and PayPal act as independent controllers for the processing of payment information. Their own privacy notices apply to your payment transactions. We recommend you review these carefully:
10.3 We receive confirmation of payment status, tokenised identifiers, and fraud-prevention results. We use this information to process your order, prevent fraud, and manage refunds.
10.4 To protect against fraudulent transactions, we may undertake checks using fraud-prevention services. These may include evaluating payment attempts against blacklists or transaction risk scores. Such checks are carried out on the basis of our legitimate interests in preventing crime and protecting our business and customers.
11. Deliveries and Logistics
11.1 To deliver your order, we share necessary information with our delivery partners, including your name, delivery address, telephone number, and any safe-place instructions you provide.
11.2 Delivery partners may also capture a proof-of-delivery image if you authorise safe-place delivery. Such images are used only to confirm delivery and are subject to strict retention periods.
11.3 We require our delivery partners to process your data only in accordance with our instructions and applicable law, and to implement appropriate security measures.
11.4 We are not responsible for any additional personal data you provide directly to couriers. Such information is handled under the courier’s own privacy policy.
12. Account Management
12.1 If you choose to create an account with us, we will collect your login credentials and associated account preferences.
12.2 You are responsible for keeping your password confidential and for ensuring it is not shared with anyone else. We recommend using a strong and unique password.
12.3 We will use your account data to streamline checkout, manage your order history, and maintain your preferences.
12.4 You may request closure of your account at any time. Some information (such as order history and payment records) may be retained for statutory and accounting purposes, even after account closure (see Section 18).
12.5 If we detect suspicious activity on your account, we may temporarily suspend access as a security measure.
13. Customer Support and Communications
13.1 When you contact us by email, telephone, or post, we will collect the information you provide in order to respond to your enquiry.
13.2 We may retain copies of correspondence, including complaints, for training, monitoring, and legal compliance. Retention periods are set out in Section 18.
13.3 If you raise a complaint, we may share relevant details internally to resolve your issue. We may also share information with our professional advisers or regulatory authorities where required.
13.4 Communications are handled on the lawful bases of performance of a contract (when linked to your order) and legitimate interests (when you make a general enquiry).
14. Marketing and Direct Marketing Rules
14.1 At present, we do not operate a marketing newsletter. If we introduce one in the future, we will update this Policy and provide clear opportunities for you to consent.
14.2 Where we rely on your consent to send marketing communications, you will always have the right to withdraw that consent at any time.
14.3 If we use the soft opt-in exemption under PECR for existing customers, we will only send marketing about our own similar products, and you will always be able to opt out easily and free of charge.
14.4 Every marketing message we send will contain an unsubscribe link or instructions. We maintain suppression lists to ensure your preferences are respected.
14.5 We will never sell your personal data to third parties for marketing purposes.
15. Social Media Interactions
15.1 We maintain profiles on social media platforms including, but not limited to, Facebook and Instagram. If you choose to engage with us on these platforms, such as by liking, commenting, messaging, or sharing content, please be aware that your personal data is also processed by the platform provider, which acts as a separate controller.
15.2 We may view and respond to your interactions, but we do not download or otherwise incorporate your social media data into our internal systems unless you specifically authorise us to do so (for example, if you contact us about an order through a platform’s messaging function).
15.3 Each platform has its own privacy policy and terms of service. We encourage you to review those documents to understand how your data is collected and used by the platform provider.
15.4 We do not use social media listening tools or attempt to link your social media activity to your account with us unless you initiate direct contact.
16. International Data Transfers
16.1 We are based in the United Kingdom and primarily store and process data within the UK and European Economic Area (EEA).
16.2 Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with Chapter V of the UK GDPR. These may include:
the use of the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs);
reliance on an adequacy decision by the UK Government; or
reliance on the UK–US Data Bridge where the recipient is certified.
16.3 Providers such as Google, Stripe, and Meta may transfer data to the United States. Where this occurs, we require that they are either certified under the UK–US Data Bridge or that equivalent safeguards are in place.
16.4 We conduct Transfer Risk Assessments (TRAs) where required, to evaluate the risks associated with international transfers and to apply supplementary measures if necessary.
16.5 Copies of relevant transfer mechanisms (with sensitive details redacted) are available on request.
17. Sharing and Recipients
17.1 We may share your personal data with trusted third parties in order to provide our services. These include:
Delivery partners: to deliver your orders and provide proof of delivery.
Payment providers: Stripe and PayPal, to process payments and manage refunds.
Hosting and IT service providers: who support the operation of our website and systems.
Analytics providers: such as Google Analytics (with your consent) to help us understand usage.
Fraud prevention and security partners: to protect against fraudulent transactions and attacks.
Professional advisers and insurers: where necessary for business operations, compliance, or claims.
Regulators, authorities, or courts: where required by law or to protect our legal rights.
17.2 Each recipient is either bound by contract to act only on our instructions (processors) or acts as an independent controller with their own responsibilities under data protection law.
17.3 We never sell personal data to third parties for commercial gain.
18. Data Retention
18.1 We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy and to comply with legal, accounting, and reporting obligations.
18.2 Retention periods vary depending on the category of data:
Order and transaction data: retained for up to seven years to comply with tax and accounting laws.
Payment records: retained for up to seven years in line with financial regulations.
Customer communications: retained for up to two years unless required longer for legal reasons.
Account data: retained until you close your account, after which core transaction history is retained for statutory periods.
Analytics data: retained in accordance with settings on Google Analytics (currently 14 months by default).
Proof-of-delivery images: retained by delivery partners for a short operational period (typically 30–90 days).
Consent records: retained as long as necessary to demonstrate compliance with UK GDPR and PECR.
18.3 When data is no longer required, it is securely deleted or anonymised so it can no longer be linked to you.
19. Security Measures
19.1 We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include:
encryption of data in transit (TLS) and at rest where applicable;
role-based access controls and staff training;
firewalls, intrusion detection, and monitoring;
regular patching and updates to systems;
vendor due diligence and contractual security requirements.
19.2 We limit access to your personal data to employees, contractors,