Privacy policy.

Last updated 2026-04-22

This policy explains what personal information Takeout Roulette collects, why, who it’s shared with, and what rights you have. It’s written to meet UK GDPR and the UK Privacy and Electronic Communications Regulations (PECR).

We are the data controller for the information described here. “We”, “us”, and “our” refer to Takeout Roulette, operated from the United Kingdom. You can reach our privacy contact at hello@takeoutroulette.com.

1. What we collect and why

Email address (landing-page signup form)

If you submit your email on the coming-soon signup form, we receive that email and a timestamp. We use it only to notify you when the product launches. The email is forwarded to our operations inbox via Amazon Simple Email Service and is not sold, shared, or used for advertising. Legal basis: your consent (UK GDPR Article 6(1)(a)), which you can withdraw at any time by emailing us.

Postcode and cuisine selection (wheel)

When you use the spin-the-wheel product, we send your postcode (and any cuisine filter you pick) to our Just Eat proxy service so we can return the list of restaurants that can deliver to you. This is transient — we don’t store the postcode or link it to you. Legal basis: legitimate interests (UK GDPR Article 6(1)(f)) in providing the service you requested.

Technical logs

Our hosting provider (Amazon Web Services) and our CDN (Amazon CloudFront) record standard web-server access logs for every request: IP address, user agent, timestamp, path, HTTP status, and response size. We use these logs for security, abuse prevention, and debugging. Logs are automatically deleted after 14 days. Legal basis: legitimate interests in site security and reliability.

Analytics (Google Analytics 4)

We use Google Analytics 4 on the dashboard (the spin-the-wheel surface) to understand in aggregate how visitors use the product — page views, device type, rough geographic region, referrer, and event counts such as how often users spin. GA sets first-party cookies to distinguish anonymous sessions. We do not send any personal identifiers (no email, no postcode, no IP) to GA. Legal basis: legitimate interests in understanding product usage so we can improve it. You can opt out at the browser level (extensions, “Do Not Track”, or the official Google Analytics opt-out), or block Google’s domains at network level.

Other cookies

Third parties we rely on for other features (Google Maps for the location input) may set their own cookies — see the dedicated cookie policy for the full list.

2. Who we share data with

We share personal data only with processors that help us deliver the service. Each receives only what they need to do their job.

  • Amazon Web Services, Inc. — cloud hosting, email delivery (SES), logs, and CDN (CloudFront). Processing takes place in the AWS Europe (Ireland) region and CloudFront’s global edge network.
  • Google LLC / Google Ireland Ltd. — Google Maps JavaScript API and Places (for the location input), and Google Analytics 4 (for aggregate product analytics on the dashboard). Google may set its own cookies and record your IP address under its own privacy policy.
  • Just Eat Takeaway.com N.V. — we query their consumer postcode endpoint to get restaurant listings. We send only the postcode; they do not receive anything that identifies you.

We do not sell personal data, and we do not share it for cross-context behavioural advertising. If you click through to a delivery partner (Deliveroo, Just Eat, Uber Eats), that partner becomes the data controller for anything that happens on their site. If, in the future, we add an affiliate-link rewriter or any other third-party tracker, we will update this policy and the cookie policy before enabling it.

3. International transfers

Some of our processors are headquartered outside the UK/EEA (Google in particular). When data leaves the UK/EEA, it is transferred under appropriate safeguards — the UK Addendum to the EU Standard Contractual Clauses or, where applicable, the UK Extension to the EU–US Data Privacy Framework.

4. How long we keep things

  • Signup emails: until you ask us to remove them, or until the product launches and we close the list (whichever comes first).
  • Server / CDN access logs: 14 days, then deleted.
  • Wheel queries (postcode, cuisine): not retained. Processed in memory by our proxy service and dropped.

5. Your rights

Under UK GDPR you have the right to:

  • Access a copy of the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data where there’s no ongoing legal basis.
  • Restrict or object to processing.
  • Receive your data in a portable format.
  • Withdraw consent for anything you previously consented to.
  • Complain to the UK Information Commissioner’s Office (ico.org.uk) if you believe we’ve mishandled your data. We would appreciate the chance to put things right first.

To exercise any of these, email hello@takeoutroulette.com. We aim to respond within one month.

6. Security

All traffic between your browser and our systems is encrypted with HTTPS. Access to our cloud accounts is protected by multi-factor authentication and role-scoped IAM policies. We deliberately keep the data surface small: we don’t run user accounts, we don’t store spin history, and we don’t hold payment information.

7. Children

The service is not directed at children under 16. We don’t knowingly collect personal data from anyone under that age. If you believe we have, please contact us and we’ll delete it.

8. Changes to this policy

We may update this policy as the product evolves (for example, when we add a delivery partner or change hosting). When we do, we’ll update the “last updated” date at the top. Material changes will also be announced on the homepage.