Legal

Privacy Policy

This Privacy Policy describes how ElsaCookz Limited collects, uses, stores, and protects your personal data. It has been prepared in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and — for visitors in the European Economic Area — the EU GDPR.

Effective: 1 April 2025
Last updated: 5 April 2026
Controller: ElsaCookz Limited
Version: 1.2

Section 01

Who We Are

ElsaCookz Limited is the data controller responsible for your personal data. We are a company incorporated in England and Wales, operating the website at elsacookz.com and developing the ElsaCookz smart kitchen application (the "App").

As data controller, we determine the purposes and means of processing your personal data and are accountable for doing so lawfully, fairly, and transparently in accordance with applicable data protection law.

Data Controller: ElsaCookz Limited
Privacy enquiries: privacy@elsacookz.com
Website: www.elsacookz.com

Section 02

Scope of This Policy

This policy applies to personal data collected through:

  • our website at elsacookz.com and any associated subdomains;
  • our pre-launch waitlist and email subscription forms;
  • direct communications you send to us by email.

When the ElsaCookz App launches, this policy will be updated to cover additional data processing activities associated with app use. You will be notified of material changes before they take effect.

This policy does not apply to third-party websites linked from our site. We are not responsible for the privacy practices of third parties and encourage you to review their policies separately.

Section 03

Data We Collect

At this pre-launch stage, the personal data we collect is limited to the following categories:

Data you provide directly

  • Email address — collected when you voluntarily sign up to our pre-launch waitlist or otherwise provide it to us.

Data collected automatically

  • Technical data — including IP address, browser type and version, operating system, device type, time zone, and pages visited. This is collected by our hosting infrastructure and may be retained in server logs.
  • Usage data — pages viewed and time spent, currently collected only via server-side logging and not linked to your identity.
We do not currently use Google Analytics, Meta Pixel, or any third-party behavioural tracking or advertising technology. If we introduce such tools in future, this policy will be updated and your consent sought where required by law.

Data we do not collect at this stage

  • Payment or financial information.
  • Special category data (such as health, dietary, biometric, or ethnicity data).
  • Personal data from children under 13 years of age.

Section 04

Lawful Basis for Processing

Under UK GDPR Article 6 and EU GDPR Article 6, we must have a valid lawful basis for each processing activity. The bases we rely on are:

  • Consent (Art. 6(1)(a)) — where you have freely given specific, informed, and unambiguous consent to receive pre-launch communications from us. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legitimate interests (Art. 6(1)(f)) — where processing is necessary for our legitimate business interests, such as protecting website security, fraud prevention, and understanding how our site is used, provided those interests are not overridden by your rights and freedoms. We have conducted Legitimate Interests Assessments where we rely on this basis.
  • Legal obligation (Art. 6(1)(c)) — where processing is necessary to comply with a legal obligation to which we are subject.

We do not currently rely on contractual necessity as a basis for processing, as we do not have a contractual relationship with waitlist subscribers at this stage.

Section 05

How We Use Your Data

We use your personal data only for the following purposes:

  • to send pre-launch updates, early access news, and communications about the development and launch of the ElsaCookz App;
  • to inform you of exclusive early access opportunities, product announcements, and relevant company news;
  • to respond to enquiries or communications you send us;
  • to monitor and maintain the security and performance of our website;
  • to comply with our legal and regulatory obligations.

We will not use your email address for any purpose incompatible with those stated above, unless we obtain your separate consent or are otherwise permitted or required by law.

We do not sell, rent, trade, or otherwise share your email address with third parties for their own marketing or commercial purposes.

Section 06

Marketing Communications

We only send marketing communications where you have given express consent by signing up to our waitlist or actively opting in to receive them.

Our marketing emails comply with the Privacy and Electronic Communications Regulations 2003 (PECR) and applicable UK and EU electronic marketing rules. Each email will include a clear identification of ElsaCookz Limited as the sender and a straightforward mechanism to unsubscribe at any time.

If you unsubscribe, we will stop sending marketing communications promptly and may retain a record of your opt-out to honour your preferences going forward.

You can also withdraw consent or request removal of your email address at any time by contacting privacy@elsacookz.com.

Section 07

Cookies and Tracking Technologies

Our website uses a limited number of cookies and similar technologies. Under the UK Privacy and Electronic Communications Regulations (PECR) and the EU ePrivacy Directive, we are required to inform you about cookies and to obtain consent for non-essential cookies.

Strictly necessary

Essential for the website to function. They do not store personally identifiable information and do not require your consent under applicable law.

Functional (localStorage)

We use browser local storage to remember your cookie consent preference. This stores only a simple preference indicator and is not used for tracking or profiling.

Third-party (Mailchimp)

When you sign up to our waitlist, your data is processed by Mailchimp (The Rocket Science Group LLC). Mailchimp may set its own cookies in connection with this process. Please refer to Mailchimp's Privacy Policy for details.

We do not currently use advertising, analytics, or cross-site tracking cookies. If this changes, we will update this policy and present a refreshed consent notice before any new cookies are set.

You can manage your cookie preferences through our consent banner or through your browser settings. Disabling strictly necessary cookies may affect site functionality.

Section 08

Third-Party Processors

We share your personal data only with third-party service providers who process it on our behalf and under our written instructions. We have data processing agreements in place with each processor as required by UK GDPR Article 28. Our current processors are:

  • Mailchimp (The Rocket Science Group LLC) — manages our email subscription list and sends pre-launch communications. Mailchimp processes your email address solely on our behalf and is not permitted to use it for their own marketing purposes.
  • Netlify Inc. — our website hosting provider, which processes technical data (including IP addresses) as part of hosting and content delivery services.

We do not share your personal data with any other third parties except where required by law, to protect our legal rights, or to prevent fraud or harm.

Section 09

International Data Transfers

Some of our third-party processors are based outside the United Kingdom and the European Economic Area (EEA). Where we transfer personal data internationally, we ensure appropriate safeguards are in place:

  • Mailchimp is based in the United States. EU transfers are covered by the EU–US Data Privacy Framework; UK transfers are covered by the UK–US Data Bridge or Standard Contractual Clauses (SCCs) where applicable.
  • Netlify is based in the United States with global infrastructure. Data transfers are subject to SCCs or equivalent approved transfer mechanisms.

You may request further information about the specific safeguards in place by contacting privacy@elsacookz.com.

Section 10

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required or permitted by law:

  • Waitlist email addresses are retained until you unsubscribe, request deletion, or the App has launched and waitlist communications are no longer required, at which point data will be deleted or anonymised.
  • Server and access logs containing technical data are retained for a maximum of 90 days for security and infrastructure monitoring purposes.
  • Records of consent and opt-outs may be retained for up to three years as evidence of compliance with applicable marketing and data protection law.

On receipt of a valid deletion request, we will act within 30 days. In limited circumstances we may be required to retain certain records for legal or regulatory purposes, and will notify you where this applies.

Section 11

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction, including:

  • HTTPS encryption for all data transmitted between your browser and our website;
  • access controls limiting internal access to personal data to those with an operational need;
  • use of reputable, security-certified third-party processors with contractual obligations to protect your data;
  • regular review of security practices as the business develops.

No method of electronic transmission or storage is completely secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office (ICO) within 72 hours as required by UK GDPR Article 33, and will notify affected individuals where required under Article 34.

Section 12

Your Rights

Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your personal data where there is no longer a lawful basis for retention.
  • Right to restriction (Art. 18) — ask us to restrict processing in certain circumstances.
  • Right to data portability (Art. 20) — where processing is based on consent or contract and carried out by automated means, request your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests or direct marketing. Where you object to direct marketing, we will cease processing immediately.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Rights related to automated decision-making (Art. 22) — we do not make automated decisions (including profiling) that have a legal or similarly significant effect on you.

To exercise any of these rights, contact us at privacy@elsacookz.com. We will respond within one calendar month of receipt, as required by law.

If you are dissatisfied with our response, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

EEA-based users also have the right to lodge a complaint with their local supervisory authority.

Section 13

Children's Privacy

Our website and waitlist are directed at adults. We do not knowingly collect personal data from children under 13 years of age, or under 16 for information society services where parental consent is required under UK GDPR Article 8 and EU GDPR Article 8.

If you are a parent or guardian and believe a child has submitted personal data to us without appropriate consent, please contact privacy@elsacookz.com and we will review and, where appropriate, delete that information promptly.

Section 14

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will:

  • update the "Last updated" date at the top of this page;
  • notify waitlist subscribers by email where the changes are significant;
  • seek fresh consent before processing your data under revised terms where required by law.

We encourage you to review this policy periodically. The current version will always be available at elsacookz.com/privacy.

Section 15

Contact Us

For questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our data privacy team:

Data Controller: ElsaCookz Limited

Privacy enquiries: privacy@elsacookz.com

General enquiries: hello@elsacookz.com

Website: www.elsacookz.com

Regulatory body: Information Commissioner's Office — ico.org.uk

ElsaCookz Limited Privacy Policy v1.2 — Prepared in accordance with UK GDPR, the Data Protection Act 2018, and EU GDPR. Effective 1 April 2025.