Privacy Policy

Last updated: 1 June 2026

1. Introduction

Against The Grain, 25 Batchen Street, Elgin, IV30 1BH ("we", "our", or "us") is the controller for personal information collected through this website and our related online services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

2. Information we collect

We may collect personal information that you provide to us when you contact us, place an order, make a reservation, create or use an account, use third-party sign-in, or participate in promotions, events, or surveys.

This may include your name, email address, phone number, order details, reservation details, account sign-in details provided by a third-party sign-in provider, age-attestation records for alcohol orders, product ratings, customer preferences, and any information you choose to include in a message to us.

3. How we use your information

We use the information we collect only where needed to provide our services, manage our business, protect the website, or comply with our legal obligations.

This includes processing and managing orders, reservations, collections, payments, refunds, substitutions, customer accounts, product ratings, preferences, and support requests.

Our lawful bases may include contract where processing is needed to provide an order, booking, account, or requested service; legal obligation where we must keep accounting, tax, licensing, or regulatory records; legitimate interests where we operate, secure, improve, and administer our services; and consent where we ask you to opt in to marketing communications or optional preferences.

4. Payment information

Payment details are neither stored by nor accessible to us. Payments are handled entirely by our secure payment processor, SumUp.

We may securely store order, payment reference, transaction status, receipt, and contact information you provide where needed to manage your order, reservation, account, refund, or statutory records. We do not store your card number, CVV, or card authentication data.

5. Who we share information with

We use trusted service providers where needed to run the service, including website hosting and security providers, database and authentication providers, payment processors, email providers, and business software providers.

We may also share information where required by law, licensing obligations, payment disputes, fraud prevention, or professional advice.

6. Third-party sign-in

If you use third-party sign-in, such as Google, Apple, or Facebook, the provider may share limited account information with us so we can identify you and operate customer account features.

Your use of the relevant third-party account is also subject to that provider's own terms and privacy notices.

7. Cookies and similar technologies

We use cookies and similar technologies only to facilitate the operation of the site in accordance with UK GDPR and applicable UK cookie legislation. These technologies support core site functions such as site operation, checkout, account sessions, and security.

We do not use tracking, analytics, or advertising cookies, pixels, beacons, or similar technologies on our site, and we do not permit third-party cookies.

8. Marketing

We send marketing communications only where permitted by law and, for customer email campaigns, only to recipients who have opted in. You can withdraw marketing consent at any time by using the unsubscribe option in an email where available or by contacting us.

Transactional messages about orders, bookings, receipts, refunds, substitutions, or service administration are not marketing and may still be sent where needed to provide the service.

9. Retention

We keep personal information only for as long as needed for the purposes described above. Order, payment reference, tax, accounting, licensing, and dispute records may be kept for the period required by law or our legitimate business needs. Customer account preferences are kept while the account remains active or until you ask us to update or delete them, subject to records we must retain.

10. International transfers

Some providers may process information outwith the UK. Where this happens, we rely on appropriate safeguards required by UK data protection law, such as adequacy regulations, approved contractual protections, or provider transfer mechanisms.

11. Your rights

Under UK GDPR and the Data Protection Act 2018, you have rights over your personal data. These may include the right to access the personal data we hold about you, to ask us to correct inaccurate data, to ask us to delete your data, to restrict or object to certain processing, and to request data portability where applicable.

You also have the right to complain to the Information Commissioner's Office if you are unhappy with how we handle your personal data.

To exercise your rights, contact us at [email protected]. We may need to verify your identity before responding.

12. Contact us

If you have any questions about this Privacy Policy, please contact us at [email protected].