Gander Privacy Policy
Last updated: 2025-10-08
1. Who we are
Welcome to the Gander privacy policy. Gander is provided by Gander Limited (“we”, “us”, “our”).
To use Gander, you must accept our Terms and Conditions: https://www.gander.co/terms-and-conditions
For more information, visit our website: https://www.gander.co/
Contact us about privacy:
- Email: privacy@gander.co
- Post: Gander Limited, Euromanx House, Freeport, Ballasalla, Isle of Man, IM9 2AP
For the purposes of UK data protection law, we are the controller of your personal data.
2. What Gander is (definitions)
- App: our native mobile applications for iOS and Android, available via the Apple App Store and Google Play.
- Web App: the browser-based version of Gander accessible via our Website that provides substantially the same functionality as the App.
- Website: our site at https://www.gander.co/ which also links to the Web App and information about our services.
- Services: the App, the Web App and the Website, collectively.
- Retailers: food and grocery sector retailers whose price reductions, promotions and loyalty offers are shown in the Services.
- You / your: users of our Services.
3. How Gander works
We provide aggregated information about price reductions, product promotions and loyalty offers from Retailers. The Services include features like:
- Creating an optional profile (e.g., dietary preferences and allergy filters) to tailor content.
- Browsing reductions and offers near a selected location (including your device’s precise location if permitted).
More detail on features is set out in our Terms and Conditions: https://www.gander.co/terms-and-conditions/
We are committed to protecting your privacy. This policy explains what personal data we collect, how we use it, and your rights.
4. Data we collect
Depending on how you use the Services, we may collect and process:
- Identity & Contact
- Your name, email address and mobile telephone number.
- User ID
- A randomly generated identifier used to recognise your account.
- Location
- Your precise current location or another location you choose.
- Social Media
- Login details for any social media accounts you choose to connect (e.g., Facebook, Instagram). Connecting social accounts is optional.
- Profile (optional)
- Information you choose to provide to tailor your experience, including dietary preferences and allergy information. This may include “special category” health data and will only be collected and used with your explicit consent.
- Feedback & Enquiries
- Information you provide when you contact us (emails, letters, conversations, complaints, feedback).
- Usage & Research
- Statistical information about how you and other users interact with the Services and with Retailers (e.g., product categories viewed, times and general patterns of interaction).
- When we combine your data with that of other users, we aggregate and anonymise it so individuals cannot be identified. Aggregated data is not personal data.
The law treats certain personal data as special category (e.g., health data such as allergy information). We only collect or use this with your explicit consent or where the law otherwise permits.
5. How we collect data
- Directly from you via the Services
- When you register or use features requiring an account. You may sign up using email, mobile number, or a social login.
- You may optionally provide profile data for personalisation.
- Automated technologies
- When you use the Services, we collect technical and usage data through cookies, SDKs and similar technologies.
- See our Cookie Policy for details: https://www.gander.co/cookies/
- Third parties and public sources
- We may receive technical or analytics information from service providers that help us operate and improve the Services.
6. How and why we use your personal data (lawful bases)
We only use your data where we have a lawful basis. Below are typical uses:
- Provide the Services (App/Web App/Website)
- Data used: Identity & Contact; Location; User ID; social login (if used).
- Basis: Performance of our contract with you.
- Personalise your experience (profiles, filters, preferences)
- Data used: Profile (including special category/health data if provided).
- Basis: Your consent (explicit for special category data).
You can withdraw consent at any time by emailing privacy@gander.co.
- Improve and research
- Data used: Usage & Research (aggregated/anonymised before sharing with Retailers).
- Basis: Our legitimate interests and Retailers’ legitimate interests in understanding users to improve services, without unfairly affecting your rights.
- Send marketing (if you opt in)
- Data used: Email address (and preferences).
- Basis: Consent.
Unsubscribe at any time via the link in each email or email privacy@gander.co. Service emails may still be sent.
- Manage our relationship with you
- Data used: Identity & Contact; information you provide in queries/complaints/feedback.
- Basis: Contract; legal obligations; and/or our legitimate interests in providing and improving support.
- Legal and regulatory compliance; security and fraud prevention
- Data used: Identity & Contact and any other data as necessary.
- Basis: Legal obligations; and our legitimate interests in keeping the Services secure and preventing misuse.
We will tell you if we need to use your data for a new purpose, unless the law permits otherwise.
7. Sharing your personal data
We share data only as needed for the purposes above:
- Retailers (aggregated/anonymised only)
We may share aggregated, anonymised insights so Retailers can understand general trends and improve customer experience. Retailers cannot identify you from this data.
- Service providers (processors)
Companies that provide hosting, IT, analytics, customer support, communications and email marketing services, under contracts requiring appropriate security and confidentiality.
- Legal, compliance and safety
Where required by law or necessary to enforce our terms or protect rights, property or safety of us, users or others.
You can ask us for more information about recipients using the contact details in section 1.
8. International transfers
We and some of our service providers may process your personal data in countries outside the UK and the European Economic Area (EEA).
When we do, we ensure appropriate safeguards, such as:
- An adequacy decision by the UK Government and/or European Commission;
- Standard Contractual Clauses (and, where applicable, the UK International Data Transfer Addendum);
- Participation in an approved transfer framework such as the EU–US Data Privacy Framework and/or the UK Extension, where applicable.
You can contact us for more information about specific transfer mechanisms.
9. Keeping your data secure
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse or alteration. However, no system is completely secure, and transmission of information over the internet or mobile networks carries some risk.
The Services may link to third-party sites or services. Their privacy practices are outside our control. Please review their privacy policies.
10. Cookies and similar technologies
We use cookies, SDKs and similar technologies to operate the Services, remember your preferences and analyse usage.
Details (including how to manage your choices) are in our Cookie Policy: https://www.gander.co/cookies/
11. How long we keep your data
We keep personal data only as long as necessary for the purposes described in this policy.
- Generally, we retain your data while you have an active account.
- After account closure, we may retain limited information for up to six (6) years (or longer if required by law) to deal with queries/complaints and for legal, accounting and regulatory purposes.
For more detail on retention applicable to specific categories, contact us (section 1).
12. Your rights
Depending on where you live (e.g., UK/EEA), you may have rights to:
- Access your personal data and request a copy;
- Rectify inaccurate or incomplete data;
- Erase your data where we have no compelling reason to keep processing it;
- Restrict certain processing in specific circumstances;
- Object to processing based on legitimate interests, and to object to direct marketing at any time;
- Data portability (receive your data in a commonly used format and/or request we transfer it to another controller), where applicable;
- Withdraw consent where processing is based on consent (this won’t affect processing already carried out).
To exercise these rights, contact us using the details in section 1. We may need to verify your identity.
You also have the right to lodge a complaint with a supervisory authority (see section 13).
13. Complaints
- Contact us first at privacy@gander.co or by post (section 1). We’ll do our best to resolve your concerns.
- Supervisory authority: In the UK, you can contact the Information Commissioner’s Office (ICO): https://ico.org.uk/make-a-complaint/
- Courts: You may also seek a remedy through the courts if you believe your rights have been infringed.
14. Changes to this policy
We may update this policy from time to time as we add features or as laws change. If changes are material, we will notify you via the Services or by email. The latest version will always be available in the App and Web App and on the Website.
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Use, Service Agreement, or any other written or electronic agreement (the “Agreement”) between the Customer (“Controller”) and Gander Limited, a company incorporated in the Isle of Man with registered office at Gander Limited, 2nd Floor, Euromanx House, Freeport, Ballasalla, Isle of Man, IM9 2AP (“Processor”), under which Gander provides the Controller with access to its software and services (the “Services”). The Controller and Processor are individually referred to as a “Party” and collectively as the “Parties.”
The Parties enter into this DPA to ensure compliance with the UK GDPR, EU GDPR, and other applicable data protection laws with respect to Processor’s processing of Personal Data on behalf of the Controller.
Except as modified below, the terms of the Agreement shall remain in full force and effect.
1. Definitions
Unless otherwise defined herein, all capitalised terms shall have the meaning given to them in the GDPR or the Agreement.
- “Controller” means the entity which determines the purposes and means of the processing of Personal Data.
- “Processor” means the entity which processes Personal Data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data, such as collection, storage, use, disclosure, or erasure.
- “Sub-processor” means a third-party processor engaged by Gander to process Personal Data on behalf of the Controller.
- “Data Transfer” means the transfer of Personal Data from the Controller to the Processor, or between the Processor and its Sub-processors.
- “Standard Contractual Clauses (SCCs)” means the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021, as applicable.
- “UK GDPR” means the UK General Data Protection Regulation as incorporated under the UK Data Protection Act 2018.
2. Purpose and Scope
This DPA sets out the obligations of Gander as Processor in relation to the Processing of Personal Data on behalf of the Controller. In the event of a conflict between this DPA and the Agreement, the provisions of this DPA shall prevail.
3. Categories of Personal Data and Data Subjects
The Controller authorises Gander to process Personal Data as determined and instructed by the Controller in connection with the Services. The types of Personal Data and categories of Data Subjects are detailed in Annex I (Schedule 1).
4. Purpose and Duration of Processing
- Purpose: Gander shall process Personal Data solely for the provision of the Services as described in the Agreement.
- Duration: Processing shall continue for the duration of the Agreement unless otherwise required by law or agreed in writing by the Parties.
5. Controller Obligations
The Controller warrants that:
- It has all necessary rights and lawful bases to provide Personal Data to Gander for Processing.
- Where required, valid consents from Data Subjects have been obtained and recorded.
- It will promptly notify Gander of any withdrawal of consent, request for access, deletion, or rectification.
- It will provide all required privacy notices to Data Subjects.
- It will notify Gander of any complaints, regulatory notices, or requests relating to Personal Data processed under this DPA.
6. Processor Obligations
Gander agrees to:
- Process Personal Data only on documented instructions from the Controller.
- Implement appropriate technical and organisational measures to protect Personal Data.
- Ensure personnel who process Personal Data are bound by confidentiality.
- Provide reasonable assistance to the Controller in responding to Data Subject or regulatory requests.
- Not transfer Personal Data outside the UK/EEA unless adequate safeguards are in place, such as SCCs.
- Maintain a record of processing activities as required by law.
7. Sub-processors
- Gander may engage Sub-processors for the provision of its Services.
- Sub-processors will be bound by written agreements ensuring data protection standards equivalent to this DPA.
- A list of approved Sub-processors is maintained in Annex III (Schedule 1) and may be updated by Gander from time to time.
- Gander remains fully liable for the performance of its Sub-processors.
- The Controller may object to a new Sub-processor on reasonable grounds, and both Parties shall work in good faith to resolve such concerns.
8. Data Security
Gander shall implement and maintain appropriate technical and organisational measures to ensure the confidentiality, integrity, availability, and resilience of Personal Data. These measures are described in Annex II (Schedule 1).
9. Data Breach Notification
- Gander shall notify the Controller without undue delay (and within 48 hours where feasible) upon becoming aware of a Personal Data Breach.
- Gander shall provide sufficient information to allow the Controller to meet its obligations under data protection laws.
- Gander will take reasonable steps to mitigate and remedy the impact of any breach.
- Notification does not imply admission of fault or liability by Gander.
10. Audit Rights
Upon reasonable notice, the Controller may request information or conduct (or appoint a third party to conduct) an audit of Gander’s compliance with this DPA. Audits shall:
- Occur no more than once per 12-month period unless required by law or due to a known incident;
- Be conducted during normal business hours with at least 15 business days’ prior written notice;
- Be at the Controller’s expense.
Gander may provide independent audit reports (e.g., ISO 27001 certification or equivalent) in lieu of onsite inspection.
11. Return and Deletion of Personal Data
Upon termination or expiry of the Agreement, Gander shall:
- Return or delete all Personal Data as instructed by the Controller, unless retention is required by law;
- Delete any remaining copies within a commercially reasonable timeframe (typically 30 days).
12. International Data Transfers
Any transfers of Personal Data outside the UK/EEA shall be conducted in compliance with applicable data protection laws using one or more of the following:
- Standard Contractual Clauses (SCCs)
- UK International Data Transfer Addendum
- Adequacy decision by the European Commission or UK Government
Details of such transfers are included in Schedule 1 – Annex I.
13. Liability
Each Party’s liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except where prohibited by applicable data protection law.
14. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of England and Wales, unless otherwise required by the applicable Agreement. Any dispute shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Schedule 1: Annexes
Annex I – Details of Processing
- Nature and Purpose of Processing: Provision of Gander’s digital platform and related analytics to surface real-time reduced-to-clear food data.
- Categories of Data Subjects: Retail staff, store administrators, and consumers (app/web users).
- Types of Personal Data:
- Name, email address, username, and login credentials
- Store or retailer details
- Usage data and analytics
- Device identifiers and IP addresses
- Limited transactional data (where applicable)
- Duration: For the term of the Agreement or as required by law.
- Data Transfers: May include transfers to the UK, EEA, and approved third-country Sub-processors.
Annex II – Technical and Organisational Measures
- Encryption of data at rest and in transit (TLS/SSL, AES-256).
- Access controls with least-privilege principles.
- Regular vulnerability scans and penetration testing.
- Role-based user permissions.
- Multi-factor authentication for internal systems.
- Secure data backup and disaster recovery procedures.
- Logging, monitoring, and breach detection systems.
- Annual data protection and security training for employees.
- ISO 27001-aligned information security management.
Annex III – Approved Sub-processors
| Sub-processor | Purpose | Location | Safeguard Mechanism |
|---|---|---|---|
| Google Cloud Platform | Cloud hosting | EU | EEA data centre / SCCs |
| Google Workspace | Email, file storage | EU/UK | SCCs / Adequacy Decision |
| HubSpot | CRM and communications | EU/US | SCCs |
| Stripe | Payment processing | EU/US | SCCs |