Privacy Policy
Last updated: 19 April 2026 · Version 2.0
At a glance
- Who we are: Shelfdrop Ltd, a UK drinks distribution company. We run the Shelfdrop Supplier Portal.
- What we collect: your name, contact details, business details, financial information needed to pay you, and standard technical data.
- Why: to run your account, pay you on time, stay compliant with HMRC and licensing rules, and improve the Portal.
- Who we share it with: a small set of trusted processors (hosting, email, payments, CRM). Full list in Section 5.
- How long we keep it: as long as you have an account, plus 7 years for financial records to meet HMRC rules.
- Your rights: access, correct, delete, export, or object. Email privacy@shelfdrop.com.
This summary is for convenience. The full policy below is what legally applies.
1. Who we are
Shelfdrop Ltd ("Shelfdrop", "we", "us", "our") is a company registered in England and Wales:
- Company number: 16604856
- Registered office: 105 Piccadilly, London, W1J 7NJ
- VAT number: 497 6877 02
- AWRS number: XAAW00000123535
- ICO registration: ZC026169
We operate the Shelfdrop Supplier Portal at portal.shelfdrop.com (the "Portal"), providing drinks-supplier consignment distribution, warehousing, and sales channel management across Amazon, Tesco, Ocado, quick commerce, and direct-to-consumer channels.
Shelfdrop Ltd is part of Decant Group Limited.
Our data protection contact is privacy@shelfdrop.com. You can also write to us at the registered office above, marked "FAO Data Protection".
2. Controller and processor roles
Shelfdrop acts in two capacities, depending on the data involved:
As a controller, we decide how and why we process:
- your account, contact, and login information
- our commercial relationship records (contracts, payments, correspondence)
- technical logs and security data from your use of the Portal
As a processor, we handle data on your behalf and under your instructions where:
- your supplier's product catalogue, pricing, or commercial data is uploaded to the Portal
- we process end-customer data on your behalf for direct-to-consumer fulfilment
- we process data you submit through Portal tools that we run on your instructions
Where Shelfdrop acts as a processor, the terms of processing are set out in the Data Processing Addendum to your Master Distribution Agreement. This Privacy Policy describes our controller activities. If you want a copy of the DPA, email privacy@shelfdrop.com.
3. Who this policy covers
This policy applies to:
- supplier founders, directors, and employees who register for and use the Portal
- finance, operations, and commercial contacts at suppliers we work with
- visitors to portal.shelfdrop.com and shelfdrop.com
- prospective supplier partners we are in discussion with
Separate notices apply to job candidates and Shelfdrop employees, available on request.
The Portal is not directed at individuals under 18, reflecting UK restrictions on alcohol sales. We do not knowingly collect data from anyone under 18.
4. What personal data we collect
Account identifiers: full name, email address, mobile phone number, password (stored hashed and salted).
Supplier and business details: company name, registered address, trading address, phone, website, VAT number, company number, AWRS number, finance contact, account manager, sales team contacts.
Financial data: bank account details, sort code, payment references, invoices, payouts, duty entries, credit notes, Direct Debit mandate details.
Compliance data: licence-holder details, bond warehouse location, UK labelling attestations, product compliance declarations.
Commercial data: product catalogue, pricing, sales data, purchase orders, promotions, support tickets and attachments, meeting notes, contract correspondence.
Technical data: IP address, browser user agent, device information, session cookies, error reports, page and feature usage within the Portal.
5. Where the data comes from
Most of the data we hold comes directly from you when you register, onboard, upload product information, or communicate with us.
We also obtain data from:
- Companies House — to verify company details during onboarding
- HMRC public registers — to verify VAT and AWRS status
- your colleagues at your supplier — if they refer you or add you to a supplier account
- referral partners — if you were introduced to us via a third-party referrer
- marketplace platforms (Amazon Vendor / Seller Central, Tesco, Ocado) — sales and fulfilment data relating to your products, where we act as your distributor
6. Why we collect it and our legal basis
| Purpose | Legal basis (UK GDPR Art. 6) |
|---|---|
| Create and operate your Portal account | Performance of a contract |
| Process invoices, payouts, Direct Debits, duty collection | Performance of a contract; legal obligation (HMRC, AWRS) |
| Send transactional emails (shipment, payment, contract status) | Performance of a contract |
| Respond to your support queries | Performance of a contract |
| Comply with HMRC, AWRS, ICO, and licensing obligations | Legal obligation |
| Detect fraud, abuse, and security incidents | Legitimate interests (protecting our business and customers) |
| Improve the Portal, debug errors, analyse feature usage | Legitimate interests (running a reliable service) |
| Send service updates and relevant commercial communications to existing supplier contacts | Legitimate interests (you would reasonably expect these) |
| Send marketing to prospective suppliers who have not yet signed | Consent (where required) or legitimate interests |
We have documented our legitimate interests assessments and can share a summary on request.
7. Automated decision-making
We do not make decisions that produce legal or similarly significant effects on you through fully automated means. Tools such as AI-assisted research and market intelligence support our team in making decisions, but a Shelfdrop employee always reviews and takes responsibility for decisions that affect your account, pricing, or commercial relationship.
8. How long we keep your data
| Data type | Retention period |
|---|---|
| Account and contact data | Duration of your account + 30 days after closure |
| Contract records | 7 years after end of contract |
| Financial records (invoices, payouts, duty entries, Direct Debit mandates) | 7 years after the end of the tax year to which they relate, per HMRC rules |
| Support tickets | 2 years from last activity |
| Meeting notes and commercial correspondence | 6 years after end of relationship |
| Server access logs | 90 days, then deleted |
| Error and performance monitoring data | 90 days, then deleted |
| Marketing contact records (prospects who never signed) | 2 years from last engagement, or until you unsubscribe |
At the end of the retention period, data is deleted or anonymised.
9. Who we share your data with
We use the following processors and service providers. All have signed data processing agreements with us that meet UK GDPR requirements.
| Processor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | UK / EU (London, eu-west-2) |
| Vercel Inc. | Application hosting, CDN | Global edge network |
| Cloudflare Inc. | DNS, security, bot protection | Global edge network |
| Resend Inc. | Transactional email delivery | United States |
| Sentry.io (Functional Software Inc.) | Error and performance monitoring | United States |
| HubSpot Inc. | CRM, sales pipeline, commercial records | EU / United States |
| Google LLC (Workspace, Gmail, Drive, Calendar) | Email, file storage, calendars | EU / United States |
| Slack Technologies LLC | Internal team communications | United States |
| DocuSign Inc. | Contract signature and storage | EU / United States |
| GoCardless Ltd | Direct Debit collection | United Kingdom |
| ClickUp (Mango Technologies Inc.) | Project management, supplier onboarding tracking | United States |
| Anthropic PBC | AI-assisted research (admin tool) | United States |
| Keepa GmbH | Amazon market intelligence (admin tool) | Germany |
We may also share data with:
- HMRC and other regulators where legally required
- professional advisers (accountants, auditors, lawyers) under duties of confidentiality
- banks and payment providers to process payments to and from you
- a buyer or successor in the event of a sale, merger, or reorganisation of Shelfdrop, with notice to you
We do not sell your personal data.
10. International transfers
Some of our processors are based outside the UK. Where data is transferred internationally we rely on one of the following safeguards:
- UK Adequacy Regulations for transfers to countries the UK government recognises as providing adequate protection (including EU member states)
- UK Extension to the EU-US Data Privacy Framework for transfers to US providers certified under the Framework
- International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) with the UK Addendum, supported by a Transfer Risk Assessment, for all other transfers
Copies of the transfer mechanisms for any specific processor are available on request.
11. Security
We take technical and organisational measures to protect your data, including:
- encryption of data in transit (TLS) and at rest
- hashed and salted password storage
- role-based access controls and audit logging inside the Portal
- multi-factor authentication for Shelfdrop staff accounts
- regular backups, with tested restore procedures
- principle of least privilege across internal systems
No system is completely secure. If a personal data breach occurs and is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware, and notify you without undue delay where the risk is high.
12. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you
- correct inaccurate or incomplete data
- erase your data, subject to our legal retention obligations
- restrict our processing in certain circumstances
- object to processing based on legitimate interests, including direct marketing
- receive your data in a structured, commonly used, machine-readable format (portability)
- withdraw consent where processing is based on consent, without affecting the lawfulness of earlier processing
- complain to the Information Commissioner's Office at ico.org.uk or 0303 123 1113
To exercise any of these rights, email privacy@shelfdrop.com. We will respond within one month. In complex cases we may extend this by a further two months and will tell you if we need to.
We may ask you to verify your identity before acting on a request.
13. Cookies
We use strictly-necessary cookies to keep you signed in (set by Supabase Auth) and to protect the service against automated abuse (set by Cloudflare).
We do not currently use analytics, advertising, or tracking cookies. If that changes, we will update this policy and ask for your consent where required.
14. Changes to this policy
When we make material changes to this policy we will notify you by email at least 30 days before the change takes effect. Minor clarifications and corrections may be made without advance notice, and the "Last updated" date at the top of this page will reflect the most recent change.
15. Version history
| Version | Date | Summary |
|---|---|---|
| 2.0 | 19 April 2026 | Full revision: added controller/processor split, automated decision-making section, complete processor list, retention detail, security detail, breach notification commitment, version history, plain-English summary. |
| 1.0 | 19 April 2026 | Initial holding draft. |
16. Contact
Questions or concerns about your data? Email us at privacy@shelfdrop.com or write to:
Data Protection
Shelfdrop Ltd
105 Piccadilly
London
W1J 7NJ