Privacy Policy
Last updated: May 2026
BiMarket UK ("BiMarket", "we", "us" or "our") is committed to protecting your privacy. This Privacy Policy explains what personal information we collect when you visit bimarket.co.uk, place an order, register an account, or interact with our customer service, and how we use, share, store and protect that information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
BiMarket UK operates the online grocery service available at bimarket.co.uk, specialising in Turkish and international groceries delivered across Great Britain.
- Data controller: BiMarket UK
- Contact for privacy matters: [email protected]
- Postal correspondence: available on request via the email above
2. Information we collect
We collect personal information in the following categories:
- Account data: name, email address, password (hashed), phone number, preferred language.
- Order data: delivery and billing address, products purchased, order value, time of purchase, order history, special delivery instructions, gift messages.
- Payment data: we do not store full card details on our servers. Payments are processed by Stripe, our PCI-DSS certified payment provider. We retain only a payment confirmation token, the last four digits of your card, card brand and expiry month/year.
- Communications: messages you send us by email, contact form, live chat, social media or telephone (calls may be recorded for training and quality purposes).
- Device and usage data: IP address, device type, operating system, browser type and version, referring URL, pages viewed, time spent, products clicked, search terms used and approximate location derived from your IP address.
- Cookies and similar technologies: session cookies, preference cookies, analytics and (with your consent) marketing cookies. See section 9.
- Marketing preferences: your opt-in/opt-out choices for email, SMS and push notifications.
- Loyalty and promotional data: vouchers redeemed, referral activity, loyalty programme balance (if applicable).
We do not knowingly collect special category data (such as health, racial or religious information). Please do not submit such data to us. Where dietary preferences (e.g. halal, vegetarian) are stored, they are collected with your consent purely to assist product recommendations.
3. Lawful bases under UK GDPR
We rely on the following lawful bases (UK GDPR Article 6):
- Contract (Article 6(1)(b)): to create your account, process your orders, take payment, arrange delivery and handle refunds, exchanges and customer queries.
- Legitimate interests (Article 6(1)(f)): to operate, secure and improve our website and service, prevent and detect fraud, conduct service-improvement analytics, defend legal claims and send transactional service messages.
- Consent (Article 6(1)(a)): for non-essential cookies, direct marketing emails or SMS, and any optional features (such as personalised recommendations). You can withdraw consent at any time.
- Legal obligation (Article 6(1)(c)): to retain accounting records under HMRC requirements (typically 6 years), to respond to lawful requests from regulators or law enforcement, and to comply with the Licensing Act 2003 in relation to age-restricted products.
- Vital interests (Article 6(1)(d)): in rare cases (e.g. urgent food safety recall notifications).
4. How we use your information
- To create and manage your account and verify your identity.
- To accept, process, fulfil and deliver your orders.
- To take payment and issue refunds.
- To provide customer service and handle complaints.
- To send transactional messages (order confirmations, dispatch notices, delivery updates, refund confirmations, password resets, security alerts) — these are not marketing and you cannot opt out while you maintain an active account.
- To send marketing emails, SMS or push notifications where you have opted in.
- To personalise your experience, including product recommendations, recently viewed items and saved baskets.
- To detect, prevent and investigate fraud, payment disputes, abuse, security incidents and breaches of our Terms & Conditions.
- To operate age-verification for restricted products (Challenge 25) and check delivery age compliance.
- To analyse aggregate site performance and improve our products, pricing, content, search results and user interface.
- To comply with our legal, regulatory, tax and accounting obligations.
- To enforce our legal rights, including debt recovery and pursuing or defending legal claims.
5. Who we share your data with
We share the minimum personal data necessary with carefully selected partners acting either as our processors (on our instructions) or as independent controllers where required by law:
- Payment providers: Stripe Payments UK Ltd, for card processing, fraud screening and 3-D Secure authentication.
- Delivery partners: DHL Parcel UK and other authorised couriers — we share recipient name, address, telephone number, email and order weight/dimensions for delivery and tracking.
- IT and cloud providers: hosting, backup, email, SMS gateway, analytics and customer-support platforms, all under written data-processing agreements.
- Marketing partners: only where you have consented (e.g. Brevo for transactional and marketing email/SMS, Meta/Google for advertising with hashed identifiers).
- Professional advisers: auditors, accountants, insurers and legal counsel, where reasonably necessary.
- Authorities: HMRC, the Information Commissioner's Office, the police, trading standards or the courts, where we are legally required, or where disclosure is necessary to protect rights, property or safety.
- Corporate transactions: in the event of a merger, sale, restructuring or insolvency, your data may transfer to a successor entity under equivalent safeguards.
We do not sell your personal data.
6. International transfers
We aim to host your data within the UK or European Economic Area. Where data is processed outside the UK/EEA (for example by sub-processors of our IT providers in the United States), we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision.
7. How long we keep your data
- Account information: while your account is active, and for up to 24 months after your last activity to allow easy reactivation, after which we may delete or anonymise it.
- Order, invoice and tax records: 6 years from the end of the relevant tax year (HMRC requirement).
- Customer service correspondence: up to 3 years.
- CCTV / call recordings: typically up to 90 days unless required for an investigation.
- Marketing preferences and unsubscribe records: kept indefinitely to honour your choices.
- Cookies: per individual cookie expiry (see Cookie Notice).
8. Your rights under UK GDPR
You have the following rights, exercisable free of charge in most cases:
- Right to access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — ask us to delete data where we have no continuing lawful reason to keep it.
- Right to restrict processing — in certain circumstances.
- Right to data portability — receive certain data in a structured, machine-readable format.
- Right to object — to processing based on legitimate interests or to direct marketing.
- Right not to be subject to solely automated decisions producing legal or similarly significant effects. We do not currently use such automated decision-making.
- Right to withdraw consent at any time, where consent is the lawful basis.
To exercise any of these rights, email [email protected]. We will respond within one calendar month. For your security, we may ask you to verify your identity before disclosing data.
If you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) — ico.org.uk — although we would appreciate the chance to address your concerns first.
9. Cookies and similar technologies
We use cookies and similar technologies to operate our site, remember your preferences, secure your session, analyse traffic and (with your consent) personalise advertising. You can manage your cookie preferences via the cookie banner or your browser settings. Strictly necessary cookies cannot be disabled because the site cannot function without them.
10. Marketing
We send marketing communications only with your consent. You can unsubscribe at any time by using the link in any marketing email, by replying "STOP" to an SMS, or by updating your preferences in your account. Unsubscribing from marketing does not stop transactional service messages.
11. Children
Our service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us so we can delete it.
12. Security
We employ appropriate technical and organisational measures to protect your personal data, including TLS encryption in transit, encrypted backups, hashed passwords (bcrypt/argon2), restricted internal access on a need-to-know basis, regular security reviews and PCI-DSS compliance via Stripe for card data. No internet transmission is ever 100% secure; we encourage you to use a strong, unique password and to never share your login credentials.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our service or applicable law. Material changes will be notified to active customers by email or a prominent notice on the site. The "Last updated" date at the top shows when this policy was last revised.
14. Contact
For any privacy enquiry, complaint or to exercise your rights, please contact:
- Email: [email protected]
- Website: bimarket.co.uk
