Pick N Save
Legal

Privacy policy.

How Picknsave Ltd, parent company of The Food Supply, collects, uses, stores and protects your personal data — and the rights you have under UK data protection law.

Last updated: May 2026 UK GDPR & Data Protection Act 2018 Encrypted transport

01 Who we are

Picknsave Ltd ("we", "us", "our") is the data controller for the personal data we collect through our websites, ecommerce store, supplier portal and Pick N Save Inventory Management Platform (PIM). We trade as Pick N Save and operate The Food Supply wholesale catalogue and distribution business across the United Kingdom.

Our registered office address and company details can be obtained on request from [email protected].

Plain English summary: we collect the data we need to take your order, deliver your Goods and run our business. We do not sell your data. You can ask us at any time what we hold, ask us to correct it, or ask us to delete it.

02 Scope & consent

This policy applies when you:

  • browse our websites (including picknsave.co.uk and The Food Supply catalogue);
  • create an account as a customer, wholesale buyer, sales agent, staff member or supplier;
  • place an order or receive a delivery from us;
  • contact our support, sales or supplier team;
  • subscribe to our newsletter or receive other marketing communications;
  • apply for a role with us.

By using our services you confirm that you have read this policy. Where we rely on consent (e.g. for marketing or non-essential cookies), you can withdraw that consent at any time without affecting the lawfulness of processing before the withdrawal.

03 Data we collect

You give us

  • Identity data: name, business name, company number (for wholesale and supplier accounts), date of birth where required.
  • Contact data: email, phone number, billing and delivery addresses.
  • Account data: username, hashed password, two-factor authentication secret, security questions.
  • Transaction data: orders placed, products purchased, prices paid, payment method, invoices, delivery acknowledgements, returns.
  • Supplier data: bank details (for remittance), catalogue uploads, product specifications, food safety certifications, delivery schedules.
  • Communications: emails, messages, support tickets, call recordings (where notified).
  • Marketing preferences: the channels you've opted in to and any topic preferences.

We collect automatically

  • Device & usage data: IP address, browser type and version, operating system, referring URL, pages viewed, time spent, search terms used on the catalogue.
  • Cookies & similar: see section 5.
  • Diagnostics: error logs, performance metrics, security event logs (e.g. failed login attempts, audit trail for privileged actions).

From third parties

  • Payment processors confirm transaction status but we never store full card numbers — payment is tokenised.
  • Couriers share delivery tracking events.
  • Credit reference agencies when you apply for a wholesale credit account.
  • Companies House for verifying supplier and wholesale company details.

04 Why we use it (lawful basis)

We process personal data only where we have a lawful basis under UK GDPR. The table below summarises the main purposes.

Take & fulfil orders
Contract — to perform the Contract with you (or take steps before entering one).
Manage your account
Contract — for account creation, login, password resets and 2FA enrolment.
Process payments
Contract — to receive payment for Goods supplied to you.
Customer support
Contract / Legitimate interests — to respond to your queries and resolve issues.
Fraud prevention & security
Legitimate interests — to detect and prevent fraud, abuse and security incidents; to maintain audit logs of privileged actions.
Operational analytics
Legitimate interests — to understand how our services are used and improve them.
Marketing (with your consent)
Consent — to send newsletters and promotional offers. You can opt out at any time.
Legal & tax compliance
Legal obligation — to keep accounting records, comply with HMRC and respond to lawful requests.
Credit checks (wholesale)
Legitimate interests / Contract — to assess credit risk before extending credit terms.

05 Cookies & tracking

A cookie is a small text file stored on your device. We use cookies in three broad categories.

Essential cookies

Needed for the site to work — for example to keep you logged in, remember the contents of your cart, protect against cross-site request forgery, and rate-limit login attempts. These are always set; you cannot opt out without losing core functionality.

Preference cookies

Remember your settings (e.g. selected customer for wholesale accounts, list-vs-grid catalogue view, show-out-of-stock toggle, language preference).

Analytics cookies

Help us understand how visitors use our site so we can improve it. These are set only with your consent and you can withdraw consent at any time through your browser settings.

Managing cookies

You can configure or disable cookies via your browser settings. Note that disabling essential cookies will break the checkout and login flow.

06 Who we share with

We do not sell your personal data. We share it only with the following categories of recipients, and only as needed to run our services.

  • Suppliers & carriers involved in fulfilling your order (e.g. delivery name and address shared with the courier).
  • Payment processors (e.g. Stripe, GoCardless) for taking payments securely. We do not store full card numbers.
  • Hosting and infrastructure providers who host our servers, databases and backups — bound by data processing agreements.
  • Email and SMS providers for transactional and (where opted in) marketing communications.
  • Analytics providers (only with consent) to understand site usage.
  • Professional advisers (accountants, lawyers, auditors) where reasonably required.
  • Public authorities (e.g. HMRC, regulators, courts) where we are legally obliged to do so.
  • Successors in business in the event of a sale, merger, restructure or insolvency — your data may be transferred subject to equivalent protection.

All third parties acting as processors on our behalf are bound by contracts requiring them to keep your data secure, use it only for the agreed purpose, and respect your rights under UK GDPR.

07 International transfers

Some of our service providers may process data outside the UK. Where we transfer personal data internationally, we use one of the following safeguards approved under UK GDPR:

  • transfer to countries with an adequacy decision from the UK government (e.g. the EU/EEA);
  • International Data Transfer Agreement (IDTA) or the UK addendum to the EU Standard Contractual Clauses;
  • your explicit consent where appropriate.

08 How long we keep it

We keep personal data only for as long as we need it for the purpose we collected it, then we either delete or anonymise it. As guidance:

Order & transaction records
6 years from the end of the financial year in which the transaction occurred (HMRC requirement).
Active account data
For as long as your account remains open, plus 12 months.
Closed account data
Limited records retained for legal/financial obligations; otherwise deleted within 90 days.
Marketing preferences
Until you opt out; opt-out record retained indefinitely so we honour your choice.
Support tickets
3 years from the last activity.
Security & audit logs
12–24 months depending on log category.
Job applications
12 months unless we hire you; longer with your consent for future roles.

09 Security

We take security seriously and apply organisational and technical measures including:

  • encryption of data in transit (TLS) and at rest for sensitive fields;
  • strong hashing of passwords (we never store passwords in plain text);
  • two-factor authentication required for staff and admin accounts;
  • rate-limiting and honeypot protection on login forms;
  • audit logging of privileged actions and admin sessions;
  • least-privilege access controls and regular access reviews;
  • tested backups and incident response procedures.

In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and, where required, notify you directly without undue delay.

10 Your rights

Under UK GDPR you have the following rights, which you can exercise free of charge in most cases by emailing us:

  • Right of access — to a copy of the personal data we hold about you.
  • Right to rectification — to ask us to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — to ask us to delete your data where we no longer need it.
  • Right to restrict processing — to ask us to limit how we use your data while a query is resolved.
  • Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
  • Right to object — to processing based on legitimate interests or direct marketing.
  • Rights related to automated decision-making — we do not make decisions about you based solely on automated processing that produces legal or similarly significant effects.

We will respond to valid requests within one calendar month. We may need to verify your identity before acting on a request. Some rights are not absolute — we will explain if we cannot fully comply (e.g. where we must retain records for tax purposes).

11 Marketing & opt-out

  • We send marketing emails only where you have opted in, or where you are an existing customer and the message is about similar products and you have not opted out (the "soft opt-in").
  • Every marketing email includes a one-click unsubscribe link.
  • You can manage your preferences at any time in your account settings or by emailing us.
  • Transactional emails (order confirmations, dispatch notifications, account security alerts, invoices) are sent as part of the service and cannot be opted out of while you have an active account.

12 Children's data

Our services are not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

13 Changes to this policy

We may update this Privacy Policy from time to time. The current version is always available here with the "Last updated" date at the top. Material changes will be notified to active account holders by email.

14 Contact & complaints

For privacy questions, requests to exercise your rights, or any data protection concern:

  • Email: [email protected] (subject: "Privacy")
  • Company: Picknsave Ltd (trading as Pick N Save and The Food Supply)
  • Registered in: England and Wales

Right to complain to the regulator

If you are not satisfied with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We would appreciate the chance to address your concerns first, so please contact us before approaching the ICO.