GDPR Compliance Policy – dishesofjoy

1. Introduction

dishesofjoy (https://dishesofjoy.com) is committed to protecting the privacy and personal data of its users in accordance with the European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This policy explains what personal data we collect, why we process it, how we protect it, and the rights you enjoy under the GDPR. If you have any questions, please contact us at gdpr@dishesofjoy.com.

2. Data We Collect

We only collect data that is necessary for the provision of our services. The categories of personal data we process are:

• Email address – used for newsletter subscriptions, order confirmations, and customer support.
• Cookies and similar technologies – essential, functional, and analytical cookies that help us improve site performance and understand user behaviour.
• Analytics data – aggregated information such as page views, device type, and referral source collected via Google Analytics (IP anonymisation enabled).

We do not collect any special categories of data (e.g., health, political opinions) and we never sell or rent personal data to third parties.

3. Legal Basis for Processing

Under the GDPR, we must have a lawful basis for each type of processing. Our bases are:

• Consent – when you voluntarily subscribe to our newsletter or accept optional cookies.
• Legitimate interest – for activities such as fraud prevention, website security, and improving user experience through analytics.

Where consent is the basis, you can withdraw it at any time without affecting the lawfulness of processing based on consent before withdrawal.

4. How We Protect Your Data

Security is a core priority. We employ a layered approach:

• Transport Layer Security (TLS/SSL) – all data transmitted between your browser and our servers is encrypted using HTTPS.
• Secure servers – hosted in data centres that comply with ISO 27001 and SOC 2 standards.
• Access controls – only authorised personnel with a legitimate business need can access personal data, protected by strong passwords and two‑factor authentication.
• Limited retention – email addresses are retained for the duration of the subscription or as required by law; analytics data is anonymised after 24 months.
• Regular audits – we conduct periodic security assessments and vulnerability scans.

5. Your GDPR Rights

The GDPR grants you several rights regarding your personal data. Below is a concise description of each right, accompanied by an icon for quick reference.

• Right to Access

  You may request a copy of the personal data we hold about you, together with information about how we process it, the purposes of processing, and the recipients of your data.

• Right to Rectification

  If any of your personal data is inaccurate or incomplete, you have the right to have it corrected or completed without undue delay.

• Right to Erasure (Right to be Forgotten)

  You may ask us to delete your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent and no other legal basis applies.

• Right to Restrict Processing

  You can request that we limit the processing of your data while we verify the accuracy of the data or while we assess the legality of the processing.

• Right to Data Portability

  Upon request, we will provide your personal data in a structured, commonly used, and machine‑readable format, or transmit it directly to another controller where technically feasible.

• Right to Object

  You may object to the processing of your personal data for direct marketing, scientific/historical research, or statistical purposes. We will cease processing unless we demonstrate compelling legitimate grounds.

• Right to Withdraw Consent

  Where processing is based on your consent (e.g., marketing emails or optional cookies), you can withdraw that consent at any time, free of charge, using the unsubscribe link or cookie management tools.

6. How to Exercise Your Rights

To exercise any of the rights listed above, please follow these steps:

1. Send a written request to gdpr@dishesofjoy.com. Include your full name, the email address you use with us, and a clear description of the right you wish to invoke.
2. Provide proof of identity (e.g., a scanned government ID) to help us verify that the request is legitimate. This step protects your data from unauthorized access.
3. If you are requesting erasure or restriction, specify the data you want removed or limited.
4. We will acknowledge receipt of your request within 5 business days and will act on it without undue delay, and in any case within the statutory period of 30 days.

If we need more time (e.g., because of the complexity of the request or the need to consult other parties), we will inform you of the extension and the reasons within the original 30‑day period. The maximum extension allowed by law is an additional 2 months.

7. Response Time

All requests relating to your GDPR rights will be responded to within 30 calendar days from the date we receive your request. This timeframe includes verification of identity and the execution of the requested action. If a request is particularly complex or numerous, we may extend the period by up to two further months, but we will notify you of the extension and its justification before the original deadline expires.

8. International Transfers

dishesofjoy may transfer personal data to service providers located outside the European Economic Area (EEA) that provide hosting, analytics, or email delivery services. All such transfers are safeguarded by standard contractual clauses approved by the European Commission, ensuring an adequate level of protection.

9. Changes to This Policy

We review this GDPR Compliance Policy regularly. Any material changes will be posted on this page with a new “Last Updated” date. Continued use of the site after a change constitutes acceptance of the updated policy.

10. Contact Information

For any privacy‑related inquiries, complaints, or to exercise your rights, please contact our Data Protection Officer at:

You also have the right to lodge a complaint with a supervisory authority in the EU member state where you reside, work, or where the alleged infringement occurred.