Make Me A List

Legal

Privacy Policy

no clever data tricks, promise

Last updated 23rd May 2026. We are the data controller, based in the UK, under UK GDPR.

  • No ads, ever
  • No selling of data
  • Cookies only for sign-in
  • Delete your data any time

This Privacy Policy explains how Make Me A Shopping List ("we", "us") collects, uses and protects your personal data. We are the data controller for the personal data described below, in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Who we are and how to contact us

For privacy enquiries or to exercise your rights, email hello@makemeashoppinglist.co.uk. We are based in the United Kingdom.

What personal data we collect

We collect the following categories of personal data:

  • Account data: name, email address, hashed password, email verification status.
  • Household preferences: number of adults and children, children's ages, preferred supermarket, weekly budget, dietary requirements, allergies, oven type, cooking skill level, preferred recipe detail.
  • Meal plan data: weekly meal plans, shopping lists, pantry items, favourites, prices you record at the till.
  • Billing data: handled by Stripe; we store only your Stripe customer ID and the last four digits + type of your payment card.
  • Technical data: IP address, browser user-agent, basic analytics events (sign-ups, meal-plan generations, feature use).
  • Support data: messages you send via the in-app feedback form or email.

Why we use it (lawful basis)

PurposeLawful basis
Run your account, generate plans, deliver the ServicePerformance of contract
Process payments for Pro subscriptionsPerformance of contract
Send service emails (verification, password reset, shopping reminders)Performance of contract
Improve the Service (anonymous analytics, troubleshooting)Legitimate interests
Meet legal and accounting obligationsLegal obligation

Who we share data with

We share the minimum necessary data with the following third-party processors, each acting under contract:

  • Stripe (payments): processes your card details; we never see them. Stripe privacy policy.
  • Resend (transactional email): sends emails like account verification and shopping reminders. Resend privacy policy.
  • OpenAI (AI meal generation): receives the meal-plan prompt (household size, budget, dietary requirements) to generate suggestions. We do not send your name, email, payment details or contact information to OpenAI. OpenAI privacy policy.
  • Laravel Forge / our hosting provider: hosts the application and database in the United Kingdom or European Union.

Some of these providers (notably OpenAI and Stripe) may transfer data outside the UK. Where this happens, we rely on UK-approved transfer safeguards such as the International Data Transfer Agreement or Standard Contractual Clauses.

How long we keep it

  • Account data + household preferences: until you delete your account, or 24 months after your last log-in, whichever is sooner.
  • Meal plans + shopping lists: kept while your account is active so you can revisit past weeks. Deleted when you delete your account.
  • Billing records: 6 years from the end of the financial year, as required by UK accounting law.
  • Analytics events: 12 months, then deleted or aggregated.
  • Feedback messages: 24 months.

Cookies and similar technologies

We only set cookies strictly necessary for the Service to work: session cookies, CSRF protection, "remember me" tokens. We do not use marketing or third-party analytics cookies, so we do not need to show a cookie consent banner. If we add non-essential cookies in future we will update this policy and ask for your consent first. The full list is in our Cookie Policy.

Your rights under UK GDPR

You have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data (you can update most of it from your settings page).
  • Delete your account and the data tied to it ("right to erasure").
  • Export your data in a portable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent where we rely on it (e.g. shopping reminder emails).
  • Lodge a complaint with the Information Commissioner's Office (ico.org.uk): though we would appreciate the chance to put things right first.

To exercise any of these rights, email hello@makemeashoppinglist.co.uk. We will respond within one calendar month.

Security

Passwords are hashed using bcrypt; we never see your plain-text password. All data is transmitted over HTTPS. We restrict admin-panel access to a small set of named operators. If a personal data breach occurs and is likely to put you at risk, we will notify you and the ICO within 72 hours where required.

Children

The Service is intended for adults aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top tells you when it changed. Material changes will be emailed to registered users.

your data, your call

Want to see or delete what we hold?

Email us from the address on your account and we'll come back within a working month, usually quicker.

Email us

Also worth a look: Terms, Cookies, Refunds.