Privacy Policy

1. Introduction

This Privacy Policy is issued by Tilamora Ltd (referred to throughout this document as "Tilamora," "we," "us," or "our"), a company registered in Ireland with its principal office located at Unit 12, Smithfield Market, Smithfield, Dublin 7, D07 N5RH. Tilamora is the data controller responsible for your personal data as described in this policy.

We operate an online farm-to-table delivery service that connects Irish families with fresh, organic produce sourced directly from over 150 partner farms across Ireland. When you visit our website at www.tilamora.ie, place an order, subscribe to a delivery plan, sign up for our newsletter, or contact our team, we may collect and process certain personal data about you.

This Privacy Policy explains what personal data we gather, the reasons we process it, how long we keep it, who we may share it with, and the rights you have regarding your data under the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018. We encourage you to read this document carefully. If you have any questions after reading it, please reach out to us using the contact details provided at the end of this page.

By using our website or services, you acknowledge that you have read and understood this Privacy Policy. We do not require you to provide personal data to browse our website, but certain features such as placing orders, subscribing to plans, or contacting us will require you to share some information with us.

2. Data We Collect

We collect different categories of personal data depending on how you interact with our website and services. Below is a comprehensive list of the types of data we may collect:

2.1 Information You Provide Directly

• Identity data: Your first name, last name, and title
• Contact data: Your email address, telephone number, and delivery address (including Eircode)
• Account data: Your username, password, and account preferences including dietary requirements and delivery schedule preferences
• Order data: Details of the products you have ordered, subscription plan details, delivery dates, and order history
• Payment data: Your billing address and payment card details (note that full card numbers are processed securely by our payment processor and are never stored on our servers)
• Communication data: Any messages, feedback, complaints, or enquiries you send us via our contact form, email, phone, or social media channels
• Marketing preferences: Your preferences for receiving marketing communications from us and your communication channel preferences

2.2 Information Collected Automatically

• Device data: Information about the device you use to access our website, including device type, operating system, browser type and version, and screen resolution
• Technical data: Your Internet Protocol (IP) address, browser plug-in types and versions, time zone setting, and general geographic location derived from your IP address
• Usage data: Information about how you use our website, including pages visited, time spent on each page, links clicked, products viewed, and your navigation path through the site
• Cookie data: Information collected through cookies and similar tracking technologies, which we describe in detail in Section 10 of this policy

3. How We Collect Data

We collect your personal data through several methods:

• Website forms: When you fill in our contact form, newsletter subscription form, account registration form, or checkout form, we collect the information you enter directly
• Cookies and analytics tools: Our website uses cookies and similar technologies to collect technical and usage data. We use Google Analytics to understand how visitors interact with our website. If you have accepted marketing cookies, we may also use the Meta Pixel (formerly Facebook Pixel) to measure the effectiveness of our advertising campaigns on Facebook and Instagram
• Server logs: Our web hosting servers automatically record certain information each time you visit our website, including your IP address, the date and time of your visit, and the pages you accessed
• Email and phone communications: When you contact us by email at [email protected] or by phone at +353 1 485 3200, we keep a record of that communication to help resolve your enquiry and for quality assurance purposes
• Third-party sources: We may receive personal data about you from our payment processor (Stripe) when you complete a transaction, including confirmation that payment has been received. We do not receive your full card details from Stripe

4. Why We Collect Data (Legal Basis)

Under GDPR Article 6, we must have a valid legal basis for processing your personal data. We rely on the following legal bases depending on the purpose of processing:

• Contract performance (Article 6(1)(b)): We process your identity, contact, order, and payment data because it is necessary to fulfil the delivery contract we have with you. Without this data, we cannot process your orders, manage your subscription, or deliver produce to your address
• Consent (Article 6(1)(a)): We process your data for marketing purposes only when you have given us your explicit consent. This includes sending you our weekly newsletter, promotional offers, and recipe content. You can withdraw your consent at any time by clicking the unsubscribe link in any marketing email or by contacting us directly
• Legitimate interest (Article 6(1)(f)): We process certain data based on our legitimate business interests, provided those interests are not overridden by your rights. This includes using analytics data to improve our website functionality, using your purchase history to recommend products you may enjoy, and processing data for fraud prevention. We conduct a legitimate interest assessment for each such processing activity to ensure balance between our interests and your privacy rights
• Legal obligation (Article 6(1)(c)): We may process your data where necessary to comply with a legal obligation, such as keeping financial records for tax purposes as required by Irish Revenue or responding to lawful requests from regulatory authorities

5. How We Use Data

We use your personal data for the following specific purposes:

• Service delivery: Processing and fulfilling your produce box orders, managing your subscription plan, scheduling deliveries, handling item swaps and customisations, and providing customer support related to your orders
• Account management: Creating and maintaining your Tilamora account, storing your delivery preferences and dietary requirements, and keeping your order history accessible to you
• Payment processing: Collecting payments for orders and subscriptions through our secure payment processor, issuing refunds when applicable, and maintaining billing records
• Communication: Sending you order confirmations, delivery notifications, subscription renewal reminders, and responding to your enquiries and feedback
• Marketing (with consent): Sending our weekly newsletter with seasonal recipes, farm updates, and special offers. We only send marketing communications to those who have explicitly opted in. Every marketing email includes a clear unsubscribe option
• Website improvement: Analysing how visitors use our website to identify areas for improvement, optimise page layouts, improve navigation, and enhance the overall shopping experience
• Legal compliance: Meeting our obligations under Irish tax law, consumer protection regulations, and food safety requirements

6. Data Retention

We keep your personal data only for as long as necessary to fulfil the purposes for which we collected it. The specific retention periods depend on the type of data and the reason for processing:

• Account and profile data: Retained for the duration of your active account plus 12 months after you close your account or after your last interaction with us, whichever is later. This allows us to reactivate your account and preferences if you decide to return
• Order and transaction data: Retained for 6 years after the date of the transaction to comply with Irish tax and accounting regulations under the Companies Act 2014 and Revenue requirements
• Contact form enquiries: Retained for 2 years from the date of your enquiry, after which they are securely deleted unless the enquiry led to an ongoing business relationship
• Newsletter subscription data: Retained until you unsubscribe, at which point your email address is removed from our active mailing list. A hashed record may be kept on our suppression list to ensure we do not inadvertently re-subscribe you
• Analytics and cookie data: Google Analytics data is retained for 14 months. Cookies have individual expiration periods as detailed in Section 10 of this policy
• Server log data: Retained for 90 days for security monitoring and troubleshooting purposes, then automatically deleted

When retention periods expire, we securely delete or anonymise your data so that it can no longer be associated with you. Anonymised data may be retained indefinitely for statistical and analytical purposes.

7. Data Sharing

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes. We share your data only with the following categories of recipients, and only to the extent necessary for the purposes described:

• Payment processors: We use Stripe to process card payments securely. Stripe receives your payment card details and billing address solely to process your transaction. Stripe is PCI DSS Level 1 certified, the highest level of certification in the payment card industry. You can review Stripe's privacy policy at stripe.com/privacy
• Hosting provider: Our website is hosted on servers located within the European Economic Area (EEA). Our hosting provider has access to server log data, which may include your IP address and usage data
• Analytics provider: We use Google Analytics to collect and analyse website usage data. Google processes this data on our behalf and is prohibited from using it for its own purposes. We have enabled IP anonymisation in our Google Analytics configuration to limit the personal data shared with Google
• Advertising platform (with consent): If you have accepted marketing cookies, we may share limited data with Meta (Facebook/Instagram) through the Meta Pixel to measure advertising performance and to create custom audiences for our advertising campaigns. This data sharing occurs only with your explicit cookie consent
• Email marketing platform: We use a third-party email service provider to send our newsletter and transactional emails. This provider stores your email address and name solely for the purpose of delivering our emails on our behalf
• Delivery partners: Our delivery drivers receive your name, delivery address, and delivery time slot to fulfil your order. They do not receive your email address, phone number, or payment details
• Professional advisors: We may share data with our accountants, legal advisors, or auditors where necessary for professional advice, tax compliance, or legal proceedings
• Law enforcement: We may disclose your data to law enforcement agencies, regulatory bodies, or other authorities if required to do so by law, court order, or regulatory requirement

All third-party service providers with whom we share data are bound by data processing agreements that require them to protect your data to a standard consistent with GDPR. We conduct due diligence on all third-party providers before engaging them.

8. International Transfers

We make every effort to keep your personal data within the European Economic Area (EEA). Our web servers are located within the EEA, and the majority of our service providers operate within the EEA.

However, some of our third-party service providers, including Google (for analytics) and Stripe (for payment processing), may transfer and process your data outside the EEA, including in the United States. Where such transfers occur, we ensure that appropriate safeguards are in place to protect your data:

• Adequacy decisions: Where the European Commission has determined that a third country offers an adequate level of data protection, transfers may be made on the basis of that adequacy decision. The EU-US Data Privacy Framework, where applicable, provides a recognised mechanism for such transfers
• Standard Contractual Clauses (SCCs): Where no adequacy decision exists, we rely on Standard Contractual Clauses approved by the European Commission as the legal mechanism for transferring data to third countries. These clauses impose contractual obligations on the data recipient to protect your data to EEA standards

You may request a copy of the safeguards we have in place for international data transfers by contacting our privacy team at the details provided in Section 13.

9. Your Rights Under GDPR

As a data subject under the GDPR (Articles 15 through 22), you have the following rights regarding your personal data. These rights are not absolute and may be subject to certain conditions or exceptions as set out in the GDPR:

• Right of access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how we process it. We will provide this information free of charge within 30 days of receiving your verified request
• Right to rectification (Article 16): If any of the personal data we hold about you is inaccurate or incomplete, you have the right to ask us to correct or complete it. You can update most of your account information directly through your Tilamora account settings
• Right to erasure (Article 17): Also known as the "right to be forgotten," you can ask us to delete your personal data in certain circumstances, for example when the data is no longer necessary for the purpose for which it was collected, or when you withdraw consent for consent-based processing. Please note that we may need to retain certain data to comply with legal obligations such as tax record requirements
• Right to restriction of processing (Article 18): You can ask us to temporarily stop processing your data in certain situations, for instance while we verify the accuracy of your data following a rectification request, or while we assess whether our legitimate interests override your rights following an objection
• Right to data portability (Article 20): Where processing is based on consent or contract performance and is carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format. You may also request that we transmit this data directly to another controller where technically feasible
• Right to object (Article 21): You have the right to object to processing based on legitimate interests. If you object, we will stop processing your data for that purpose unless we can demonstrate compelling legitimate grounds that override your rights. You have an absolute right to object to processing for direct marketing purposes at any time
• Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal
• Right to lodge a complaint: If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Data Protection Commission (DPC), the Irish supervisory authority for data protection. The DPC can be contacted at 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland, or through their website at dataprotection.ie

To exercise any of these rights, please contact us using the details in Section 13 below. We may need to verify your identity before processing your request to protect your data from unauthorised access. We aim to respond to all valid requests within 30 calendar days.

10. Cookies

Cookies are small text files that are placed on your device when you visit our website. They serve various functions that help us provide you with a better browsing experience. Below we explain the types of cookies we use, their purpose, and their duration:

10.1 Essential Cookies

These cookies are strictly necessary for the operation of our website and cannot be disabled. They enable core functions such as maintaining your session while you browse, keeping items in your shopping cart, and remembering your cookie consent preferences.

• Session cookie: Maintains your browsing session. Expires when you close your browser
• Cart cookie: Remembers items you have added to your shopping cart. Duration: 7 days
• Cookie consent cookie: Stores your cookie preference choice so we do not show the banner repeatedly. Duration: 12 months

10.2 Analytics Cookies

These cookies help us understand how visitors interact with our website by collecting information about pages visited, time spent on the site, and navigation patterns. This data is aggregated and anonymised. We use Google Analytics for this purpose.

• _ga: Distinguishes unique visitors. Duration: 13 months
• _ga_[ID]: Maintains session state. Duration: 13 months

These cookies are only placed on your device if you accept analytics cookies through our cookie consent banner.

10.3 Marketing Cookies

These cookies are used to track visitors across websites to enable us to display relevant advertising. If you accept marketing cookies, we may use the Meta Pixel to track conversions from our Facebook and Instagram advertising campaigns.

• _fbp: Used by Meta to deliver advertising. Duration: 3 months

Marketing cookies are only placed on your device if you explicitly accept them through our cookie consent banner.

10.4 Managing Your Cookie Preferences

When you first visit our website, you will see a cookie consent banner that allows you to accept or reject non-essential cookies. You can change your preferences at any time by clearing your browser cookies and revisiting our site, which will trigger the consent banner again. You can also manage cookies through your browser settings. Most browsers allow you to block or delete cookies through their privacy settings. Please note that blocking essential cookies may prevent certain features of our website from functioning correctly.

11. Children's Privacy

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16 years of age. If you are a parent or guardian and you become aware that your child has provided us with personal data without your consent, please contact us at [email protected]. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take immediate steps to delete that information from our systems.

Our subscription services and ordering system require the user to be at least 18 years of age or to have the consent and supervision of a parent or legal guardian. Account registration requires confirmation that the user meets this age requirement.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this page.

For significant changes that materially affect how we process your personal data, we will take reasonable steps to notify you in advance. This notification may take the form of a prominent notice on our website homepage, a notification within your Tilamora account dashboard, or an email to the address associated with your account. We will provide at least 14 days notice before significant changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of our website and services after any changes to this policy constitutes your acknowledgement of those changes.

13. Contact Details

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, you can contact us through any of the following channels:

If you are not satisfied with our response to your privacy concern, you have the right to escalate your complaint to the Irish Data Protection Commission: