Privacy Policy

Privacy Policy

Xi Home Dumplings Bay Operated by WJX Food UK Limited

Last updated: 27 May 2026 Effective from: 27 May 2026

1. About this Policy

WJX Food UK Limited ("we", "us", "our") operates the restaurant brand Xi Home Dumplings Bay, with locations at 43 Chandos Place, Covent Garden, London, and 10 Blossom Street, Liverpool Street, London. This Privacy Policy explains how we collect, use, store, and protect your personal information when you interact with us — whether you visit our restaurants, place an order with us, use our website, or engage with our marketing.

We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025 (DUAA), and the Privacy and Electronic Communications Regulations (PECR).

For the purposes of UK data protection law, the data controller is:

WJX Food UK Limited‍ ‍ Email: admin@xihomedumplingsbay.co.uk

2. What personal data we collect

We collect only the personal data we genuinely need to operate our business. Depending on how you interact with us, this may include:

Contact and identification data

  • Name

  • Email address

  • Telephone number

  • Delivery address (for takeaway orders placed directly with us)

Transaction data

  • Order details (items ordered, date, time, location)

  • Payment confirmation data — we do not store full card details on our own systems; all card payments are processed by PCI-DSS compliant third-party payment providers

Reservation data

  • Booking date, time, party size, and any dietary requirements or special requests you tell us about

Communications data

  • The content of any emails, messages, or enquiries you send us, including via social media

Website usage data

  • IP address, browser type, device type, pages visited, and referral source

  • Cookie data, where you have given consent (see Section 8)

Marketing data

  • Your preferences for receiving marketing communications, and your responses to them

We do not knowingly collect personal data from children under the age of 13. If you believe we have inadvertently done so, please contact us and we will delete the data.

3. How we collect your data

We collect personal data:

  • Directly from you — when you make a reservation, place a takeaway or telephone order, contact us by email or phone, sign up for our mailing list, or fill in a form on our website

  • Automatically — when you visit our website, through cookies and similar technologies (see Section 8)

  • From third parties — when you place an order through a delivery platform (Deliveroo, Uber Eats, Just Eat), we receive the order information necessary to fulfil that order. Those platforms operate as separate data controllers under their own privacy policies, and we encourage you to review them

4. Why we use your data and our legal basis

Under UK GDPR, we must have a valid legal basis for each purpose for which we use your personal data. Our purposes and the corresponding legal bases are:

Purpose Legal Basis under UK GDPR To process and fulfil reservations and orders you place with us Contract (Article 6(1)(b)) — necessary to perform our contract with you To process payments Contract (Article 6(1)(b)) To respond to your enquiries and provide customer service Legitimate interests (Article 6(1)(f)) — to operate our business and assist customers To send you marketing emails about our menu, offers, and events Consent (Article 6(1)(a)) — given by you when you opt in To analyse website usage and improve our website Consent (Article 6(1)(a)) — given via our cookie banner To comply with legal, accounting, tax, and food safety obligations Legal obligation (Article 6(1)(c)) To protect our business against fraud, disputes, and legal claims Legitimate interests (Article 6(1)(f))

You can withdraw your consent at any time where we rely on it (see Section 7).

5. Who we share your data with

We do not sell your personal data to anyone. We share it only with the following categories of recipients, and only where necessary:

  • Payment service providers (e.g. our card terminal provider and online payment processor) — to process payments

  • Delivery platforms (Deliveroo, Uber Eats, Just Eat) — where you have placed an order through them, we exchange order and fulfilment data

  • Email marketing platforms (e.g. Mailchimp or similar) — to send marketing communications to subscribers who have opted in

  • Website hosting and analytics providers (e.g. our website host, Google Analytics) — to operate our website and understand how visitors use it

  • Advertising platforms (Google Ads, Meta) — where you have consented to advertising cookies, we may share limited data to measure ad performance

  • Professional advisers — our accountants, lawyers, and consultants, where they need access for specific advisory work, under a duty of confidentiality

  • Regulatory authorities and law enforcement — where we are legally required to disclose data (e.g. HMRC, local authority food safety inspectors, the police on a valid request)

All third parties who process personal data on our behalf are bound by written data processing agreements and may only use your data for the purposes we specify.

6. International transfers

Some of our service providers (for example, certain analytics or email platforms) may store or process personal data outside the United Kingdom. Where this happens, we ensure that an appropriate safeguard is in place — typically either:

  • The country has been recognised by the UK government as providing an adequate level of data protection; or

  • We have entered into the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses with the provider

You can request further information about international transfers by contacting us.

7. How long we keep your data

We keep your personal data only for as long as we need it for the purposes set out in this Policy, after which it is securely deleted or anonymised. Typical retention periods are:

  • Reservation and order data: up to 2 years after your last transaction with us

  • Accounting and tax records: 6 years, as required by HMRC

  • Marketing list data: until you unsubscribe, and then deleted within 30 days

  • Website analytics data: typically 14 months (Google Analytics default), or as configured

  • Customer service correspondence: up to 2 years from the date of the enquiry

  • CCTV footage (where operated at our restaurants): typically 30 days, then automatically overwritten

8. Cookies and similar technologies

Our website uses cookies and similar technologies. We follow the ICO's April 2026 guidance on storage and access technologies and the requirements of the DUAA 2025.

Strictly necessary cookies are used to make our website work and do not require your consent.

All other cookies — including analytics, functional, and advertising cookies — are used only with your prior consent, which you give through our cookie banner when you first visit our site. You can change or withdraw your consent at any time by clicking the cookie settings link in our website footer.

We use the following categories of cookies:

  • Necessary: session management, security, and basic site function

  • Analytics: Google Analytics, to understand how visitors use our website (with consent)

  • Advertising: Google Ads and Meta pixels, to measure the performance of our advertising campaigns (with consent)

  • Functional: to remember your preferences such as language or location (with consent)

9. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — to ask us for a copy of the personal data we hold about you

  • Right to rectification — to ask us to correct inaccurate or incomplete data

  • Right to erasure ("right to be forgotten") — to ask us to delete your data, where there is no compelling reason for us to continue processing it

  • Right to restrict processing — to ask us to pause processing in certain circumstances

  • Right to data portability — to receive a copy of your data in a structured, commonly used, machine-readable format

  • Right to object — to processing based on legitimate interests, and to direct marketing at any time

  • Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal

  • Right not to be subject to automated decision-making — we do not currently use any automated decision-making or profiling that produces legal or similarly significant effects

To exercise any of these rights, please contact us using the details in Section 12. We will respond within one month, as required by UK GDPR.

10. How we keep your data secure

We use a range of technical and organisational measures to protect your personal data, including:

  • Restricting access to personal data to authorised staff on a need-to-know basis

  • Using PCI-DSS compliant payment providers, so that card details never touch our own systems

  • Securing our IT systems with passwords, multi-factor authentication where appropriate, and up-to-date software

  • Using encrypted connections (HTTPS) for our website

  • Training our staff on data protection and confidentiality

  • Maintaining written contracts with our service providers requiring equivalent security standards

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, inform you directly.

11. Children's privacy

Our restaurants welcome families with children, but our website and marketing communications are directed at adults. We do not knowingly collect personal data from children under 13. Where a booking is made for a family, only the adult making the booking provides their personal data to us.

12. Contact us and complaints

If you have any questions about this Privacy Policy, or you wish to exercise any of your rights, please contact us:

WJX Food UK Limited Email: [insert privacy contact email] Postal address: [insert registered office address]

If you are not satisfied with our response, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Helpline: 0303 123 1113 Website: https://ico.org.uk

We would, however, appreciate the opportunity to resolve your concerns directly before you approach the ICO.

13. Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or via a notice on our website. We encourage you to review this Policy periodically.