Welcome to Two and a Half Birds Ltd and our website, www.tahb.co.uk.

The protection of your personal data is our top priority. This policy explains how we ensure transparent and fair processing of your data and outlines our commitment to handling it carefully and responsibly.

To understand how we use data, please read this Privacy Policy and our Cookie Policy

1. Introduction, Scope and Who We Are

1.1 This Privacy Policy (“Policy”) explains how Two and a Half Birds Ltd (“we”, “us”, “our”) collects, uses, shares, and protects personal data when you interact with us, whether through our website at www.tahb.co.uk, by placing an order, or by contacting us by email, telephone, or post.

1.2 We are committed to safeguarding your personal data and complying with all applicable laws in the United Kingdom, including:

• the UK General Data Protection Regulation (UK GDPR);
  
  

• the Data Protection Act 2018 (DPA 2018);
  
  

• the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended; and
  
  

• any successor legislation or regulatory guidance issued by the Information Commissioner’s Office (ICO).
  
  
  

1.3 This Policy applies to customers, prospective customers, website visitors, account holders, and individuals who contact us in relation to our Products and services. It does not apply to the personal data of our employees, which is subject to a separate privacy notice.

1.4 This Policy should be read together with our Terms and Conditions, Cookie Policy, and Delivery and Payment Policy, all of which set out additional rights and responsibilities relevant to your relationship with us.

1.5 By using our website or placing an order with us, you acknowledge that you have read and understood this Policy. If you do not agree with its terms, you should refrain from using our services.

2. How to Contact Us & ICO Details

2.1 Two and a Half Birds Ltd is the controller of your personal data for the purposes of the UK GDPR and the DPA 2018.

2.2 Our registered details are:
Two and a Half Birds Ltd
Company number: 12513829
Registered office: 128 City Road, London, EC1V 2NX
Email: info@tahb.co.uk
Telephone: +44 7777 252337

2.3 We are registered with the Information Commissioner’s Office (ICO). Our registration number can be provided on request.

2.4 If you have questions about this Policy, your personal data, or your rights, please contact us at the details above.

2.5 You also have the right to lodge a complaint with the ICO at any time:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk

3. Our Services and Audience (Adults Only)

3.1 We provide freshly prepared pet food products for delivery within our designated delivery area in Brentwood, United Kingdom. Our services are directed at adults purchasing for household use.

3.2 We do not knowingly offer, target, or provide services to children under the age of 18. Our website, ordering process, and communications are designed for adults, and we expect that any personal data provided relates to adults.

3.3 In compliance with the Age Appropriate Design Code (Children’s Code), we have assessed our services as not being likely to be accessed by children. If, however, we discover that we have inadvertently collected personal data from a child, we will delete it promptly unless we have a lawful basis to retain it.

3.4 If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately so that we can investigate and take appropriate action.

4. What Personal Data We Collect

4.1 We may collect and process the following categories of personal data about you:

• Identity data: name, title, age confirmation tick, and account identifiers.
  
  

• Contact data: billing address, delivery address, email address, and telephone number.
  
  

• Order and transaction data: details of Products ordered, order history, payment references, refunds, and related correspondence.
  
  

• Payment data: tokenised payment identifiers returned by Stripe and PayPal (we do not store full card numbers, CVVs, or bank details).
  
  

• Account data: login credentials, password hashes, and security preferences.
  
  

• Communications data: emails, phone calls, or other correspondence between you and us.
  
  

• Device and usage data: IP address, browser type, operating system, cookies, analytics identifiers, browsing patterns, and website interactions.
  
  

• Marketing preferences: your choices regarding newsletters, promotions, or cookie consent.
  
  
  

4.2 We do not intentionally collect special category data (such as health, political opinions, religious beliefs, or biometric data). Please do not provide this type of information in communications with us unless strictly necessary.

4.3 We do not require information about your pet that could indirectly identify you, such as veterinary records. If you choose to provide such details, they will be treated in accordance with this Policy.

5. How We Collect It

5.1 We collect personal data directly from you when you:

• place an order on our website;
  
  

• create or manage an account;
  
  

• communicate with us by email, telephone, or post;
  
  

• sign up to marketing communications (when offered);
  
  

• provide feedback, reviews, or complaints.
  
  
  

5.2 We collect personal data automatically when you use our website, including through cookies, server logs, analytics tools, and similar technologies.

5.3 We may also receive personal data about you from third parties:

• Payment providers (Stripe and PayPal) for payment confirmation and fraud checks;
  
  

• Delivery partners for proof of delivery;
  
  

• Analytics providers (Google Analytics, and in future, Meta Pixel) for website performance and usage insights;
  
  

• Anti-fraud and security services that help verify transactions.
  
  
  

6. Purposes and Lawful Bases (Matrix)

6.1 We process your personal data for the following purposes and lawful bases under the UK GDPR:

• To process and deliver your orders: including taking payment, arranging delivery, and providing order updates.
  Lawful basis: performance of a contract (Art. 6(1)(b)).
  
  

• To manage your account: maintaining login credentials, preferences, and purchase history.
  Lawful basis: performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in securing accounts.
  
  

• To communicate with you: responding to enquiries, complaints, or feedback.
  Lawful basis: performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) to provide good customer service.
  
  

• To comply with legal obligations: record-keeping for tax, regulatory, and consumer protection compliance.
  Lawful basis: legal obligation (Art. 6(1)(c)).
  
  

• To protect against fraud and misuse: verifying payments, monitoring transactions, preventing abuse of promotions.
  Lawful basis: legitimate interests (Art. 6(1)(f)).
  
  

• To analyse website use and improve services: through cookies and analytics tools.
  Lawful basis: consent (Art. 6(1)(a)) for non-essential cookies; legitimate interests (Art. 6(1)(f)) for essential site performance cookies.
  
  

• To send marketing communications (if activated): newsletters, promotions, or offers.
  Lawful basis: consent (Art. 6(1)(a)) or, where applicable, soft opt-in under PECR for existing customers.
  
  
  

6.2 Where legitimate interests are relied upon, we have conducted balancing assessments to ensure your rights are not overridden. You may object to processing based on legitimate interests at any time.

7. Special-Category Data

7.1 We do not intentionally collect or process special category personal data (such as health, racial or ethnic origin, religious beliefs, political opinions, or biometric data).

7.2 If you choose to provide special category data in the course of communication with us (for example, disclosing a medical condition in relation to delivery preferences), we will treat it with particular care and confidentiality.

7.3 We will only process special category data where one of the lawful bases under Art. 6 UK GDPR applies and one of the conditions under Art. 9 UK GDPR is met, usually explicit consent.

7.4 Where such data is not necessary, we may securely delete or redact it to minimise risk.

8. Cookies & Similar Technologies (PECR)

8.1 Our website uses cookies and similar technologies to distinguish you from other users, to provide core functionality, and to improve your experience.

8.2 Cookies are small text files stored on your device when you visit our website. Some are strictly necessary for the operation of the site; others help us analyse usage, personalise content, or deliver marketing.

8.3 Under the Privacy and Electronic Communications Regulations 2003 (PECR), we are required to obtain your consent before placing or accessing cookies that are not strictly necessary for providing the service you requested. This includes analytics cookies and any advertising or social media tracking technologies.

8.4 When you first visit our website, you will be presented with a cookie banner. This allows you to accept or reject non-essential cookies and to manage your preferences. Your choices are recorded and respected. You can change your preferences at any time through our cookie settings page.

8.5 Strictly necessary cookies are deployed automatically as they are required for the operation of the site (for example, remembering your basket contents or ensuring security).

8.6 Full details of the cookies we use, their purposes, and retention periods are set out in our Cookie Policy, which forms part of this Privacy Policy.

9. Analytics and Online Tracking

9.1 We currently use Google Analytics 4 (GA4) to collect information about how visitors use our website. This helps us understand usage patterns, improve functionality, and optimise content.

9.2 Google Analytics collects information such as which pages you visit, how long you stay, how you arrived at the site, and what you click on. The information is aggregated and does not directly identify you.

9.3 GA4 uses cookies that are placed on your device only with your consent. You can withdraw consent at any time through our cookie settings.

9.4 Data generated by Google Analytics may be processed outside the UK, including in the United States. Where this occurs, we rely on appropriate transfer safeguards (see Section 16).

9.5 In future, we may implement other online tracking tools such as the Meta Pixel. These will only operate where you have given consent and will be clearly described in our Cookie Policy.

9.6 You may also opt out of analytics tracking at any time using browser settings or tools provided by Google, though functionality of the site may be affected.

10. Payments and Fraud Prevention

10.1 We accept payments via Stripe and PayPal. When you make a payment, your details are processed directly by these providers using secure encryption. We do not collect or store your full card number, CVV, or bank account details.

10.2 Stripe and PayPal act as independent controllers for the processing of payment information. Their own privacy notices apply to your payment transactions. We recommend you review these carefully:

• Stripe: https://stripe.com/gb/privacy
  
  

• PayPal: https://www.paypal.com/uk/webapps/mpp/ua/privacy-full

10.3 We receive confirmation of payment status, tokenised identifiers, and fraud-prevention results. We use this information to process your order, prevent fraud, and manage refunds.

10.4 To protect against fraudulent transactions, we may undertake checks using fraud-prevention services. These may include evaluating payment attempts against blacklists or transaction risk scores. Such checks are carried out on the basis of our legitimate interests in preventing crime and protecting our business and customers.

11. Deliveries and Logistics

11.1 To deliver your order, we share necessary information with our delivery partners, including your name, delivery address, telephone number, and any safe-place instructions you provide.

11.2 Delivery partners may also capture a proof-of-delivery image if you authorise safe-place delivery. Such images are used only to confirm delivery and are subject to strict retention periods.

11.3 We require our delivery partners to process your data only in accordance with our instructions and applicable law, and to implement appropriate security measures.

11.4 We are not responsible for any additional personal data you provide directly to couriers. Such information is handled under the courier’s own privacy policy.

12. Account Management

12.1 If you choose to create an account with us, we will collect your login credentials and associated account preferences.

12.2 You are responsible for keeping your password confidential and for ensuring it is not shared with anyone else. We recommend using a strong and unique password.

12.3 We will use your account data to streamline checkout, manage your order history, and maintain your preferences.

12.4 You may request closure of your account at any time. Some information (such as order history and payment records) may be retained for statutory and accounting purposes, even after account closure (see Section 18).

12.5 If we detect suspicious activity on your account, we may temporarily suspend access as a security measure.

13. Customer Support and Communications

13.1 When you contact us by email, telephone, or post, we will collect the information you provide in order to respond to your enquiry.

13.2 We may retain copies of correspondence, including complaints, for training, monitoring, and legal compliance. Retention periods are set out in Section 18.

13.3 If you raise a complaint, we may share relevant details internally to resolve your issue. We may also share information with our professional advisers or regulatory authorities where required.

13.4 Communications are handled on the lawful bases of performance of a contract (when linked to your order) and legitimate interests (when you make a general enquiry).

14. Marketing and Direct Marketing Rules

14.1 At present, we do not operate a marketing newsletter. If we introduce one in the future, we will update this Policy and provide clear opportunities for you to consent.

14.2 Where we rely on your consent to send marketing communications, you will always have the right to withdraw that consent at any time.

14.3 If we use the soft opt-in exemption under PECR for existing customers, we will only send marketing about our own similar products, and you will always be able to opt out easily and free of charge.

14.4 Every marketing message we send will contain an unsubscribe link or instructions. We maintain suppression lists to ensure your preferences are respected.

14.5 We will never sell your personal data to third parties for marketing purposes.

15. Social Media Interactions

15.1 We maintain profiles on social media platforms including, but not limited to, Facebook and Instagram. If you choose to engage with us on these platforms, such as by liking, commenting, messaging, or sharing content, please be aware that your personal data is also processed by the platform provider, which acts as a separate controller.

15.2 We may view and respond to your interactions, but we do not download or otherwise incorporate your social media data into our internal systems unless you specifically authorise us to do so (for example, if you contact us about an order through a platform’s messaging function).

15.3 Each platform has its own privacy policy and terms of service. We encourage you to review those documents to understand how your data is collected and used by the platform provider.

15.4 We do not use social media listening tools or attempt to link your social media activity to your account with us unless you initiate direct contact.

16. International Data Transfers

16.1 We are based in the United Kingdom and primarily store and process data within the UK and European Economic Area (EEA).

16.2 Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with Chapter V of the UK GDPR. These may include:

• the use of the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs);
  
  

• reliance on an adequacy decision by the UK Government; or
  
  

• reliance on the UK–US Data Bridge where the recipient is certified.
  
  
  

16.3 Providers such as Google, Stripe, and Meta may transfer data to the United States. Where this occurs, we require that they are either certified under the UK–US Data Bridge or that equivalent safeguards are in place.

16.4 We conduct Transfer Risk Assessments (TRAs) where required, to evaluate the risks associated with international transfers and to apply supplementary measures if necessary.

16.5 Copies of relevant transfer mechanisms (with sensitive details redacted) are available on request.

17. Sharing and Recipients

17.1 We may share your personal data with trusted third parties in order to provide our services. These include:

• Delivery partners: to deliver your orders and provide proof of delivery.
  
  

• Payment providers: Stripe and PayPal, to process payments and manage refunds.
  
  

• Hosting and IT service providers: who support the operation of our website and systems.
  
  

• Analytics providers: such as Google Analytics (with your consent) to help us understand usage.
  
  

• Fraud prevention and security partners: to protect against fraudulent transactions and attacks.
  
  

• Professional advisers and insurers: where necessary for business operations, compliance, or claims.
  
  

• Regulators, authorities, or courts: where required by law or to protect our legal rights.
  
  
  

17.2 Each recipient is either bound by contract to act only on our instructions (processors) or acts as an independent controller with their own responsibilities under data protection law.

17.3 We never sell personal data to third parties for commercial gain.

18. Data Retention

18.1 We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy and to comply with legal, accounting, and reporting obligations.

18.2 Retention periods vary depending on the category of data:

• Order and transaction data: retained for up to seven years to comply with tax and accounting laws.
  
  

• Payment records: retained for up to seven years in line with financial regulations.
  
  

• Customer communications: retained for up to two years unless required longer for legal reasons.
  
  

• Account data: retained until you close your account, after which core transaction history is retained for statutory periods.
  
  

• Analytics data: retained in accordance with settings on Google Analytics (currently 14 months by default).
  
  

• Proof-of-delivery images: retained by delivery partners for a short operational period (typically 30–90 days).
  
  

• Consent records: retained as long as necessary to demonstrate compliance with UK GDPR and PECR.
  
  
  

18.3 When data is no longer required, it is securely deleted or anonymised so it can no longer be linked to you.

19. Security Measures

19.1 We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include:

• encryption of data in transit (TLS) and at rest where applicable;
  
  

• role-based access controls and staff training;
  
  

• firewalls, intrusion detection, and monitoring;
  
  

• regular patching and updates to systems;
  
  

• vendor due diligence and contractual security requirements.
  
  
  

19.2 We limit access to your personal data to employees, contractors, and service providers who need to know it for legitimate purposes. All are subject to confidentiality obligations.

19.3 While we take security seriously, no system is completely secure. In the event of a personal data breach, we will act promptly to contain the incident, assess risk, and notify the ICO and affected individuals where legally required.

20. Automated Decision-Making and Profiling

20.1 We do not use personal data to make decisions about you that produce legal or similarly significant effects solely by automated means.

20.2 We may carry out limited profiling for fraud detection and website analytics. Such profiling does not have legal or similarly significant effects on you.

20.3 Any future introduction of automated decision-making that falls within Articles 22 UK GDPR will be subject to a Data Protection Impact Assessment (DPIA), and you will be notified with an explanation of the logic involved and your rights.

21. Your Rights

21.1 You have a number of rights under the UK GDPR in relation to your personal data:

• Right of access: to obtain a copy of the personal data we hold about you.
  
  

• Right to rectification: to correct incomplete or inaccurate data.
  
  

• Right to erasure (“right to be forgotten”): to request deletion where there is no lawful basis for us to continue processing.
  
  

• Right to restriction: to request that processing be limited in certain circumstances.
  
  

• Right to data portability: to request transfer of your data to another controller in a machine-readable format.
  
  

• Right to object: to processing carried out on the basis of legitimate interests, including profiling, and to direct marketing.
  
  

• Rights relating to automated decision-making: to object to or seek human review of any automated decisions producing legal or significant effects.
  
  
  

21.2 These rights are not absolute and may be subject to conditions or exemptions under UK GDPR and DPA 2018.

21.3 We will respond to your request within one month of receipt, unless the request is complex or numerous, in which case we may extend by a further two months. We will notify you if an extension is required.

21.4 Exercising your rights is free of charge, although we may charge a reasonable fee or refuse to act if your request is manifestly unfounded or excessive.

22. Making a Request and Identity Verification

22.1 If you wish to exercise any of your rights under Section 21, you may submit a request to us by email at info@tahb.co.uk or in writing to our registered office.

22.2 To protect your privacy and the security of personal data, we may require you to verify your identity before acting on your request. Verification may involve providing information we already hold about you (for example, recent order details) or official identification documents.

22.3 Where a request is made on behalf of another person, we will require proof of authority, such as a signed mandate, power of attorney, or other lawful authorisation.

22.4 If your request is unclear or incomplete, we may ask you to clarify it before taking further action. This may extend the response time.

22.5 We will maintain a record of data subject requests and how they were resolved in order to demonstrate compliance with our legal obligations.

23. Complaints

23.1 We take privacy seriously and encourage you to raise any concerns directly with us so we can resolve them promptly. You can contact us at info@tahb.co.uk or by telephone at +44 7777 252337.

23.2 We will acknowledge receipt of your complaint within five working days and aim to provide a substantive response within one month. Complex matters may take longer, but we will keep you informed of progress.

23.3 If you remain dissatisfied after engaging with us, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection. You may contact the ICO at:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk

23.4 You also have the right to seek a remedy through the courts if you believe your data protection rights have been infringed.

24. Changes to this Policy

24.1 We may update this Privacy Policy from time to time to reflect changes in law, regulatory guidance, our data practices, or our services.

24.2 When material changes are made, we will notify you by posting a clear notice on our website and, where appropriate, by email.

24.3 The version in force at the time of your interaction with us will apply. You should check this page periodically to ensure you are aware of the latest version.

24.4 Previous versions of this Privacy Policy will be retained for reference and are available upon request.

25. Contact Details and Legal Information

25.1 The controller responsible for your personal data is:

Two and a Half Birds Ltd
Company number: 12513829
Registered office: 128 City Road, London, EC1V 2NX
Email: info@tahb.co.uk
Telephone: +44 7777 252337

25.2 If we appoint a Data Protection Officer or privacy lead in future, their details will be published here and updated in this Policy.

25.3 This Privacy Policy was last updated on 4 September 2025 and replaces any earlier versions.