Privacy Policy
At Cotta, we respect your privacy. This policy outlines how we collect, use, and protect your personal information when you visit our website, our app, or use our services.
VERSION 2.3, LAST UPDATED 11 MARCH 2026
1. Information and Scope
Cotta Digital Services Limited ("Cotta," "we," "us," or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our mobile application (the "App"), our website (cottavita.com), and our marketplace services (collectively, the "Services").
Cotta operates a marketplace connecting Customers with Partners (merchants). We primarily fulfil deliveries using our own employed drivers and vehicles, supported by Nash, a third-party logistics management platform used to assign drivers, plan routes, and track deliveries. On occasion, where our own delivery capacity is unavailable, we may use Stuart, a third-party delivery network, to complete a delivery. In all cases, your personal data is shared only to the extent necessary to fulfil your order
Company Information
Legal Entity: Cotta Digital Services Limited
Company Number: 16714780 (Registered in England & Wales)
Registered Office: 34-35 Clarges Street, London, United Kingdom, W1J 7EJ
Data Controller: Cotta Digital Services Limited acts as the Data Controller for all Customer and Partner data collected through the App.
Age Restriction: Our Services are not directed at individuals under the age of 18. By using the App or our Services, you confirm that you are aged 18 or over. If we become aware that personal data has been collected from a person under 18, we will delete that data promptly.
2. Information
We Collect We adhere to the principle of Data Minimisation, collecting only the data necessary to provide the core functionality of our marketplace and delivery services.
2.1 Information You Provide Directly
Identity Data: First name, last name, and username.
Contact Data: Delivery address, billing address, email address, and telephone number. Note: We require a valid mobile phone number to send you delivery updates and to facilitate coordination between our delivery team and you.
Financial Data: Partial payment card details (e.g., last 4 digits). Full payment credentials are processed directly by our PCI-DSS compliant payment processor, Stripe, and are not stored on Cotta’s servers.
Profile Data: Your username, password, order history, feedback, and survey responses.
Browse Filters: Dietary and allergen filters (e.g. "Gluten-Free," "Vegan," "Halal") are available as search filters to help you find relevant products. These selections are not stored against your account or profile and are not retained once your session ends.
2.2 Information We Collect Automatically
When you interact with our App, we utilise device permissions and third-party Software Development Kits (SDKs) to collect:
Location Data: With your explicit consent, we collect your precise geolocation only while you are using the App (Foreground Permission). This data is used to:
Verify that your delivery address is within our serviceable area.
Display relevant Partners available in your vicinity.
Enable efficient route optimisation for our drivers. (You may revoke location access at any time via your device settings. If you do so, you must manually enter your delivery address.)
Technical & Usage Data: Internet Protocol (IP) address, device model, operating system version, time zone, and app interaction logs (e.g., screen views, crash reports). We use Google Analytics for Firebase to collect this data to maintain App stability and performance.
Device Identifiers: We collect the iOS Identifier for Vendor (IDFV), an Apple-assigned identifier used for analytics purposes and to route push notifications via OneSignal. The IDFV is specific to our app on your device and cannot be used to track you across third-party applications.
App Tracking Transparency: We do not track you across third-party applications or websites for advertising purposes. We do not share your Advertising Identifier (IDFA) with any advertising networks, including Google. Accordingly, our App does not request App Tracking Transparency permission under iOS 14.5 and later.
Cookies and Website Tracking: When you visit our website at cottavita.com, we may use cookies and similar tracking technologies. This is governed separately by our Cookie Policy, which explains the categories of cookies used, their purposes, and how to manage your preferences. The App itself uses SDKs and local device storage rather than browser cookies; the relevant disclosures for app-specific tracking are set out in this Privacy Policy.
2.3 Information Generated Through Order Fulfilment
When an order is placed and fulfilled, we generate and process:
Logistics & Tracking Data: Timestamps of order acceptance, pickup, and delivery; driver route data managed via Nash's logistics platform; and proof of delivery (which may include a photograph of the package at your location if you are unavailable to receive it personally).
3. How We Use Your Personal Data
We process your personal data only where we have a lawful basis to do so under the UK GDPR.
Purpose / Activity | Type of Data | Lawful Basis for Processing |
|---|---|---|
Account Registration | Identity, Contact | Performance of a Contract: Necessary to create your user profile and grant access to the marketplace. |
Order Processing & Delivery | Identity, Contact, Financial, Location | Performance of a Contract: We require your location and contact details to fulfil your order and coordinate delivery. |
Service Notifications | Contact (Phone/Email) | Performance of a Contract: Sending order confirmations and delivery updates via Twilio or similar providers. |
Route Optimisation | Location, Address | Legitimate Interest: To enable efficient driver routing and minimise delivery times, processed via Nash's logistics platform. |
Driver Safety & Fraud Prevention | Identity, Transaction, Usage | Legitimate Interest: To protect our delivery and operations staff from abusive behaviour and to detect fraudulent payment activity. |
App Improvement & Analytics | Technical, Usage | Legitimate Interest: To analyse user behaviour (via Firebase) to improve App features and fix crashes. |
Marketing Communications | Identity, Contact | Consent: We will only send you promotional offers if you have opted in. You may withdraw consent at any time. |
Browse Filter Use | Filter selections (transient) | Legitimate Interest: We process dietary and allergen filter selections in real time solely to return relevant search results. These selections are not stored, retained, or linked to your profile. Because the data is not retained, no special category processing occurs under Article 9 UK GDPR. |
4. Data Sharing and Disclosures
We do not sell your personal data. Because Cotta primarily delivers using its own employed drivers, third-party data sharing is limited. However, we do work with the following categories of external recipients:
4.1 Internal Access
Certain Cotta employees and contractors, including operations and customer service staff, may access your personal data strictly for the purpose of managing your orders and resolving service queries. All staff are bound by confidentiality obligations.
4.2 External Service Providers (Data Processors)
We engage trusted third-party service providers to support our technical operations. These providers process data on our behalf and are subject to contractual data protection obligations:
Marketplace Partners (Merchants): We share your Order Details (items ordered) with the relevant Partner to prepare your goods. We do not share your full delivery address with Partners unless strictly necessary for specific fulfilment types.
Payment Processors: Stripe processes your payments and acts as an independent controller for the financial transaction data it collects.
Logistics Management: Nash provides the platform through which we assign drivers, plan routes, and track deliveries. Nash receives your delivery address and order reference to operate this service on our behalf.
Emergency Delivery Fulfilment: Stuart, a third-party delivery network, may occasionally be used where our own delivery capacity is unavailable. In these cases, Stuart receives your name, delivery address, and order reference solely to complete that delivery.
Authentication: Auth0 manages secure user login and session management. Auth0 processes your email address and authentication credentials on our behalf.
CRM and Marketing: HubSpot receives your name, email address, telephone number, marketing consent status and dates, and order data to power our customer relationship management system and, where you have opted in, to send you marketing communications. HubSpot acts as a data processor on our behalf.
Cloud Infrastructure: Google Firebase and Microsoft Azure host our databases and application backend.
Communication Services: Twilio sends SMS delivery updates. OneSignal sends push notifications.
Consent Management: OneTrust operates our cookie consent mechanism on cottavita.com, recording and storing user consent preferences on our behalf. OneTrust processes a unique consent identifier and timestamp when you interact with our cookie banner.
5. Account Deletion and Data Retention
5.1 Your Right to Delete
You have the right to delete your account at any time. We provide a mechanism to initiate account deletion directly within the App:
Go to Account.
Select Account Settings.
Tap Delete Account.
Effect of Deletion: Upon confirmation, your login credentials will be immediately deactivated. Your personal profile data (name, email, saved addresses) will be permanently erased or anonymised within 30 days of your request.
5.2 Retention of Transaction Records
Please note that even if you delete your account, Cotta is legally required to retain certain data:
Financial Records: We retain records of financial transactions (transaction ID, amount, date) for a period of 6 years to comply with HMRC tax and accounting regulations in the UK.
Fraud & Safety Data: We may retain hashed device identifiers associated with fraudulent activity or safety incidents to prevent banned users from re-registering, protecting our platform and internal staff.
6. International Transfers
Our primary operations are in the United Kingdom. However, our technical infrastructure (e.g., Stripe, Firebase, Twilio) utilises servers located in the United States.
The UK-US Data Bridge: When we transfer your personal data to our service providers in the United States, we rely on the UK Extension to the EU-US Data Privacy Framework (DPF). Our major vendors, including Stripe, Google, Twilio, Auth0, HubSpot, and OneTrust, are certified participants in the DPF, ensuring they provide a level of data protection adequate under UK law. For transfers to service providers not covered by the DPF, including Nash our logistics management platform, we rely on the International Data Transfer Agreement (IDTA) approved by the UK Information Commissioner's Office (ICO), which contractually requires equivalent data protection standards.
7. Your Legal Rights
Under the UK GDPR, you have the right to:
Request access to your personal data (Subject Access Request).
Request correction of inaccurate data.
Request erasure of your data (as detailed in Section 5).
Object to processing based on legitimate interests.
Request restriction of processing.
Data Portability (receive a copy of your data).
To exercise these rights, please contact us at hello@cottavita.com. We may request specific information to confirm your identity before processing your request.
8. Contact Us
Cotta Digital Services Limited
Email: hello@cottavita.com
Registered Office: 34-35 Clarges Street, London, United Kingdom, W1J 7EJ
Complaints: You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.
ICO Helpline: 0303 123 1113
Website: www.ico.org.uk
Do you have questions?
Reach out to our team and start a discussion.
