Privacy Policy

Privacy Policy
Last updated: 23 February 2026
We are committed to ensuring your privacy is protected. This Privacy Policy explains what personal
data we collect, how we use it, who we share it with, and the rights you have under the UK General
Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. When using our
websites, this Privacy Policy should be read alongside any website terms and conditions.
1 – ABOUT US
This Privacy Policy describes how Twenty Two Ventures Group, trading as Spitroast / Luca / The Big
Sandwich Club / Sin City Social (“we”, “us”, “our”) collects and processes personal data.
For the purposes of the UK GDPR and the Data Protection Act 2018, the data controller is Twenty
Two Ventures Group Limited, Ayrton House, Commerce Way, Liverpool L8 7BA.
Our Data Protection Officer (or privacy contact) can be contacted at dpo@twentytwoventures.com.
2 – WHAT INFORMATION WE COLLECT AND WHEN
We only collect information that we genuinely need and use. Depending on how you interact with us,
we may collect:
A) Information you give us

  • Identity and contact data: name, email address, phone number and (where relevant)
    billing/delivery address.
  • Booking information: venue, date/time, party size, booking notes and communication
    preferences.
  • Order information: items purchased, order notes, delivery instructions, fulfilment details, and
    customer service communications.
  • Gift card information: purchaser and recipient details (where provided), delivery details, gift
    messages, and gift card transaction history and balance.
  • Loyalty information: account details, visit/purchase history, points, rewards, offers redeemed, and
    preferences you choose to share.
  • Account information: log-in details (if you create an account) and settings.
    B) Information we collect automatically
  • Technical data: IP address, device identifiers, browser type/version, time zone settings,
    operating system and platform.
  • Usage data: information about how you use our websites, apps and services (for example pages
    visited and links clicked).
  • Cookie and similar technology data: cookie IDs, advertising identifiers and analytics data (see
    Section 3).
    C) Information we receive from third parties
    We may receive personal data from third parties such as: booking providers, online ordering/delivery
    partners, payment service providers, gift card providers, loyalty platform providers, analytics
    providers, advertising networks and social media platforms (where you have consented to such
    cookies or advertising activity).
    Special category data (allergies and dietary requirements)
    We do not actively seek to collect special category data. However, if you choose to provide
    information about allergies, intolerances or dietary requirements (for example in a booking note or
    order note), this may be special category (health) data. We will:
  • use it only to help prepare and serve food/drink safely and to respond to your request;
  • keep it to the minimum necessary and restrict access to staff who need to know; and
  • delete it in line with our retention periods (see Section 9), unless we must keep it longer for legal
    or safety reasons.
    Our lawful basis/condition for processing this type of information will typically be your explicit consent
    (where you provide it) and/or where processing is necessary for reasons of substantial public interest
    in safeguarding individuals’ health and safety, as applicable.
    If you fail to provide personal data
    If you do not provide personal data that we need to perform a contract with you (for example to
    process a booking, order, gift card purchase, or loyalty account), we may not be able to provide the
    requested service.
    3 – COOKIES
    We use cookies and similar technologies (such as pixels and local storage) to make our websites
    work, to understand how they are used, and (where you agree) to measure the effectiveness of
    marketing and show relevant advertising.
    A) Cookie categories
  • Strictly necessary cookies: required for the website to function (cannot be switched off).
  • Analytics/performance cookies: help us measure and improve our website (set only with your
    consent).
  • Functional cookies: remember choices you make (set only with your consent where not strictly
    necessary).
  • Marketing/advertising cookies: used to deliver and measure advertising and build audiences (set
    only with your consent).
    B) Managing cookies
    When you first visit our websites, you will be offered choices via a cookie banner. You can change or
    withdraw your consent at any time using the cookie settings link on our website (where available)
    and/or by adjusting your browser settings. For more detail, see our Cookie Policy.
    4 – PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA
    We use your personal data for the following purposes:
  • to provide and manage bookings, orders, delivery/collection, and customer service;
  • to process payments and prevent fraud;
  • to issue, deliver and administer gift cards and vouchers;
  • to provide and manage loyalty accounts, points and rewards;
  • to send service communications (e.g., booking confirmations, order updates, important service
    notices);
  • to operate and improve our websites (including analytics and troubleshooting);
  • to keep our premises and customers safe (including CCTV where used);
  • to market our services where permitted (see marketing section below); and
  • to comply with legal obligations (e.g., tax and accounting, licensing, and regulatory
    requirements).
    5 – HOW WE USE YOUR INFORMATION (LAWFUL BASES)
    UK GDPR requires us to have a lawful basis for using your personal data. Depending on the activity,
    we rely on:
  • Contract: where processing is necessary to perform a contract with you or to take steps at your
    request (bookings, orders, gift cards, loyalty accounts).
  • Legal obligation: where we must comply with law (tax/accounting, regulatory requests).
  • Legitimate interests: to run and improve our business (fraud prevention, security, improving
    services, website analytics where permitted, and direct marketing to existing customers where
    allowed by PECR).
  • Consent: for non-essential cookies; and for marketing to new customers (and for some types of
    personalised/targeted advertising).
    Marketing
    We may send marketing communications by email/SMS to:
  • people who have opted in; and/or
  • existing customers where the “soft opt-in” applies (for similar services, and where we gave you a
    clear opportunity to opt out when we collected your details and in every message).
    You can opt out at any time by using the unsubscribe link in emails, replying STOP to SMS, changing
    your preferences (where applicable), or contacting us at dpo@twentytwoventures.com.
    Online advertising and “lookalike”/custom audiences
    Where you consent to marketing cookies or where otherwise permitted, we may share limited
    identifiers (for example hashed email addresses or cookie IDs) with advertising partners (such as
    social media platforms) to:
  • measure advertising performance;
  • create custom audiences; and
  • create lookalike audiences to find new customers.
    You can opt out by changing your cookie preferences and/or contacting us. Note: opting out of
    cookie-based advertising may require clearing cookies or changing browser/device settings.
    6 – WHO WE MAY SHARE YOUR INFORMATION WITH
    We may share your personal data with trusted third parties that help us provide our services,
    including:
  • booking/reservation platform providers;
  • online ordering, delivery and fulfilment partners;
  • payment service providers (we do not store full card details; payments are handled by our
    payment provider);
  • gift card and voucher providers;
  • loyalty platform providers;
  • IT and website hosting/support providers;
  • email/SMS and customer communications providers;
  • analytics and search providers; and
  • professional advisers (lawyers, accountants, insurers) and regulators where required.
    We require third parties to respect the security of your personal data and to treat it in accordance with
    the law.
    7 – KEEPING YOUR DATA SECURE
    We use appropriate technical and organisational measures to protect personal data (including access
    controls, staff training, and supplier due diligence). Where you have a password, you are responsible
    for keeping it confidential.
    8 – SENDING INFORMATION OUTSIDE THE UK
    Some of our suppliers may process data outside the UK. Where this happens, we ensure appropriate
    safeguards are in place, such as:
  • UK adequacy regulations; and/or
  • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard
    Contractual Clauses; and/or
  • other safeguards permitted by UK GDPR.
    9 – HOW LONG WE WILL STORE YOUR DATA
    We keep personal data only for as long as necessary for the purposes we collected it for, including
    legal, accounting, or reporting requirements. Typical retention periods include:
  • Bookings: up to 24 months (to manage customer service, disputes, and repeat bookings), unless
    we need longer for legal reasons.
  • Orders and payment records: up to 6 years (tax and accounting).
  • Gift cards/vouchers: for the life of the card plus up to 6 years (fraud prevention and accounting).
  • Loyalty accounts: while your account remains active, and up to 24 months after inactivity, unless
    you ask us to delete it earlier (subject to legal obligations).
  • Marketing lists: until you unsubscribe/opt out, or we remove inactive records.
  • CCTV (where used): typically 30 days unless required longer for an incident/investigation.
    Retention may vary depending on the nature of the data and the purposes for which it is kept.
    10 – YOUR RIGHTS
    Under UK GDPR, you have rights including: access, rectification, erasure, restriction, data portability,
    objection (including to direct marketing), and the right to withdraw consent at any time (where we rely
    on consent).
    To exercise your rights, contact us at dpo@twentytwoventures.com. We may need to request
    information to verify your identity.
    You also have the right to complain to the Information Commissioner’s Office (ICO) in the UK.
    11 – CHILDREN
    Our websites and services are not directed at children. If you believe a child has provided us with
    personal data without appropriate consent, please contact us and we will take steps to delete it where
    required.
    12 – WHAT HAPPENS IF OUR BUSINESS CHANGES HANDS?
    We may, from time to time, expand or reduce our business and this may involve the sale and/or the
    transfer of control of all or part of our business. Any personal data you have provided that is relevant
    to the transferred part of the business may be transferred to the new owner or controlling party, who
    will be permitted to use it in accordance with this Privacy Policy.
    13 – CHANGES TO OUR PRIVACY POLICY
    We may update this Privacy Policy from time to time. We will post the updated version on our
    websites and, where appropriate, notify you.
    14 – CONTACT
    Questions, requests, and complaints should be sent to: dpo@twentytwoventures.com
    Data controller: Twenty Two Ventures Group Limited, Ayrton House, Commerce Way, Liverpool L8
    7BA