Skip to main content

Data Processors

Last updated March 2026 — GDPR Article 28

Under Article 28 of the UK General Data Protection Regulation (UK GDPR), we are required to enter into a Data Processing Agreement (DPA) with every third party that processes personal data on our behalf. The table below lists all processors we currently use, what data each one handles, and confirms that a DPA is in place.

Where processors provide their DPA as part of standard terms of service (the most common approach for SaaS providers), acceptance of those terms constitutes the agreement. All processors listed below have complied with this requirement.

If you have questions about any of these arrangements, please contact us at [email protected].

Processor Register

1. Square

Role: Payment processor and customer management.
Data processed: Payment card data (handled and tokenised entirely by Square — we never store raw card details), billing information, and transaction records.
DPA: In place via Square's standard Data Processing Agreement, available at squareup.com/gb/en/legal/general/dpa and accepted upon account creation.
Privacy policy: squareup.com/gb/en/legal/general/privacy

2. Google LLC (Google Workspace / Gmail)

Role: Transactional and operational email delivery via Google Workspace (saltwind.catering).
Data processed: Recipient email addresses, names, and content of transactional notifications (booking confirmations, enquiry acknowledgements, and similar operational emails).
DPA: In place via Google's Cloud Data Processing Addendum, accepted as part of Google Workspace Terms of Service.
Location: USA (EU-US Data Privacy Framework and UK adequacy decision).
Privacy policy: policies.google.com/privacy

3. Cloudflare

Role: Website hosting, CDN, and security (DDoS protection, WAF, edge caching).
Data processed: IP addresses, HTTP request metadata, and website traffic logs for security and performance purposes. Cloudflare acts as a network-layer processor for all traffic to our website.
DPA: In place via Cloudflare's standard Data Processing Addendum, available at cloudflare.com/cloudflare-customer-dpa and accepted upon account creation.
Privacy policy: cloudflare.com/privacypolicy

4. Google

Role: Analytics and tag management (Google Analytics 4 and Google Tag Manager).
Data processed: Anonymised website usage data, device and browser characteristics, and session behaviour. Analytics scripts are only loaded after a visitor has given explicit consent to analytics cookies via our cookie banner.
DPA: In place via Google's standard Data Processing Terms, available at business.safety.google/dataprocessingterms and accepted upon account creation.
Privacy policy: policies.google.com/privacy

5. Meta (Facebook)

Role: Marketing analytics (Meta Pixel / Facebook Pixel).
Data processed: Browser identifiers and page-view events used to measure the effectiveness of advertising campaigns. The Meta Pixel is only loaded after a visitor has given explicit consent to marketing cookies via our cookie banner.
DPA: In place via Meta's standard Data Processing Terms, incorporated into their Business Terms and accepted upon account creation.
Privacy policy: facebook.com/privacy/policy

6. Microsoft (Clarity)

Role: UX analysis — session recordings and heatmaps via Microsoft Clarity.
Data processed: Anonymised session recordings, click heatmaps, and scroll-depth data. No personally identifiable information is captured. Clarity is only loaded after a visitor has given explicit consent to analytics cookies via our cookie banner.
DPA: In place via Microsoft's standard Data Processing Addendum, incorporated into their Online Services Terms and accepted upon account creation.
Privacy policy: privacy.microsoft.com/en-gb/privacystatement

7. GitHub (Microsoft)

Role: Source code hosting and version control (GitHub.com).
Data processed: Source code and commit history only. No customer personal data is stored in our repositories. GitHub is used internally by our development team and has no direct access to live customer data.
DPA: In place via GitHub's standard Data Protection Agreement, incorporated into their Terms of Service and accepted upon account creation.
Privacy policy: docs.github.com — GitHub Privacy Statement

8. Supabase

Role: Primary database hosting (PostgreSQL) for customer, booking, and order records.
Data processed: Customer names, contact details, booking information, order history, and related operational data stored in our application database.
Location: European Union (Frankfurt region), within UK adequacy scope.
Legal basis: Contract (performance of services).
DPA: In place via Supabase's standard Data Processing Addendum, available at supabase.com/legal/dpa and accepted upon account creation.
Privacy policy: supabase.com/privacy

9. Sentry (Functional Software, Inc.)

Role: Application error monitoring and performance tracing.
Data processed: Error stack traces, browser metadata, page URLs, and anonymised user identifiers. No payment data or submitted form content is captured.
Location: USA.
Legal basis: Legitimate interest (service reliability and security).
DPA: In place via Sentry's standard Data Processing Addendum, available at sentry.io/legal/dpa.
Privacy policy: sentry.io/privacy

10. Ideal Postcodes

Role: UK address lookup and postcode validation for booking forms.
Data processed: Partial postcode strings submitted during address entry. No persistent storage of customer data on our behalf.
Location: United Kingdom.
Legal basis: Contract (delivery of accurate quotations and services).
DPA: In place via Ideal Postcodes' standard Data Processing Agreement, available at ideal-postcodes.co.uk/data-processing-agreement.
Privacy policy: ideal-postcodes.co.uk/privacy-policy

International Transfers

Several of the processors above are headquartered outside the United Kingdom. Details of the transfer mechanisms in place for each (UK–US Data Bridge, Standard Contractual Clauses, or ICO adequacy decision) are documented in our Privacy Policy — Section 4a: International Data Transfers.

Sub-processors

Each processor above may in turn use sub-processors to deliver their service. We rely on the processor's own sub-processor disclosure pages, linked via their privacy policies above, to document those arrangements. Material changes to sub-processors that affect our customers are notified via our Privacy Policy update process.

Requesting Further Information

You may request a copy of any DPA or sub-processor list by contacting us at [email protected] or writing to:

Salt Wind Catering
37 Fore Street
Redruth, Cornwall TR15 2AE
United Kingdom

Plan your event

Cornwall’s coast on the menu — let’s plan yours.

Tell us a little about your event and we’ll come back with a full quote within 24 hours.

Get a quote in 60 seconds Or check your postcode

Behind the pass

Fire, food, and what we’re cooking next.

Seasonal menus, off-menu specials, and early-bird pricing — one short email a month.

Request a callback