1. Strategic Overview

At SHEFA FOODS LTD, data sovereignty and the protection of client information are fundamental to our operational integrity. This policy outlines how we, as a Data Controller, process personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We operate under a "Privacy by Design" framework, ensuring that all culinary and logistical systems are architected with security as a primary requirement.

2. Taxonomies of Data Collection

We classify personal data into several functional categories to ensure granular control and transparency:

• Identity Data: Full legal names, professional titles, and biometric identifiers where authorized (e.g., for secure facility access).
• Logistical Data: Delivery coordinates, access codes, and site-specific safety protocols.
• Sensitive Nutritional Data: Information regarding medically verified allergens, religious dietary restrictions, and caloric requirements. This is processed under Article 9 of the UK GDPR (Special Category Data) with explicit consent.
• Technical Footprint: Internet Protocol (IP) addresses, cryptographic session identifiers, and hardware specifications utilized to access our enterprise portal.

3. Lawful Basis for Processing

We do not process data without a specific, documented lawful basis. Under Article 6 of the UK GDPR, we rely on the following:

3.1 Contractual Necessity

The majority of our processing is required to execute the terms of your Master Service Agreement. We cannot deliver gourmet nutrition without knowing where you are and what you are allergic to.

3.2 Legal Obligation

SHEFA FOODS LTD is subject to stringent UK food safety regulations and financial reporting requirements. We maintain records for the period mandated by HMRC and the Food Standards Agency.

3.3 Legitimate Interests

We process data to optimize our logistical algorithms, prevent fraudulent procurement, and ensure the physical security of our staff during deliveries. We conduct rigorous Balancing Tests to ensure our interests do not override your fundamental rights.

4. Data Retention & Lifecycle Management

Personal data is not stored indefinitely. Our retention schedule is as follows:

• Transaction Records: 7 fiscal years to comply with UK tax law.
• Logistical Metadata: 2 years post-contract termination to optimize future routing.
• Nutritional Profiles: Deleted within 30 days of contract termination or upon withdrawal of consent.

5. International Transfers

SHEFA FOODS LTD prioritizes UK-based data residency. However, where we utilize global SaaS providers (e.g., for cloud-based logistics), we ensure that Standard Contractual Clauses (SCCs) and the UK Addendum are in place, providing an equivalent level of protection to that found within the United Kingdom.

6. The Rights of the Data Subject

As a user of SHEFA FOODS services, you hold absolute rights under the law:

• Right of Access: You may request a Machine-Readable Copy of all data we hold regarding your identity.
• Right to Erasure: Also known as the "Right to be Forgotten," this allows you to demand the deletion of your profile where no legal override exists.
• Right to Restriction: You may freeze our processing of your data during a dispute regarding its accuracy.

To exercise these rights, please contact our Data Protection Officer at dpo@tasmanedge.sbs. We respond to all verified requests within 30 days.