Who we are
At Impact Food Group (“IFG”, “we”, “our”, or “us”), we are committed to protecting your privacy and ensuring transparency about how we handle your personal information.
Impact Food Group is a UK-based education catering company dedicated to providing nutritious, chef-led meals to schools across the country. Through our specialist brands—Innovate, Cucina, Hutchison and Chapter One we serve thousands of pupils every day, focusing on fresh ingredients, sustainability, and positive food culture. Our work is rooted in health, education, and community partnership.
This Privacy Policy explains how we collect, use, and protect your personal data when you visit our website, contact us, or use our services.
We act as a data controller for things like our employee records, recruitment processes, day-to-day operations, relationships with clients, and interactions with our trusted suppliers.
We’re also a data processor when we’re working with information shared by our clients—most often schools—to help us deliver our catering services.
Here’s a simple example:
- If you work for us, we manage your personal data as a controller.
- If you're a parent or student using one of our catering services through a school, we handle that data as a processor, based on the school’s instructions.
- If you are a client
- Contractually to manage our contract with you
- Operationally for all other data processing
Like many organisations, we sometimes work with carefully selected third parties who help us process data securely—details of which are outlined in this privacy notice.
Impact Food Group is made up of several companies, including Cucina, Innovate, Hutchisons and Chapter One. This privacy notice applies across our entire group, covering all the brands and teams that are part of what we do.
Data we collect and how we collect it
Clients of Impact Food Group
We act as both a data controller and a data processor, depending on the nature of our relationship with you.
- As a controller, we manage information such as contact details stored in our CRM systems (like Microsoft and Zoho) and any data related to invoicing and the services we provide.
- As a processor, we handle data on your behalf and under your instructions—usually to support our catering services. This includes staff, student, parent, or representative information (inclusive of MIS integration).
When you are the controller and we are the processor, you stay in charge of how your data is used. In these cases, our work is guided by a data processing agreement or similar contract. If you’d like to review this agreement, feel free to get in touch with us at [email protected]
When we are a controller we will send emails to our clients, our services. These can be opted out of at any time.
We process client data based on one or more of the following: contractual obligations, legal requirements, or legitimate interests.
Parents and students of our clients
If your school uses our catering services, we will process some of your personal data to help us deliver those services.
Your school (our client) shares relevant details with us—like allergy information, payment balances, or contact info—so we can provide meals safely and effectively.
In this situation, your school is the data controller, meaning they manage how your data is collected and used. This includes any consent needed, such as for biometric data or allergy details. If you ever want to withdraw consent, please contact your school directly.
If you’ve given your email address, we will send you updates about menus, nutritional info, invoices, or other helpful information to support your child’s experience with our service. These messages are sent based on legitimate interests, not consent—but you’re welcome to opt out at any time via the unsubscribe link in any of our communications. These messages also contain a pixel to help us understand things like open rates and where an email has been read.
In some cases, we may need to send you important administrative messages. These messages cannot be unsubscribed from.
Job applicants
If you apply for a role with us or we’ve contacted you about an opportunity, we’ll use your personal data to manage your application.
This typically includes things like your name, contact details, career history, and anything else you choose to share during the recruitment process. We process this data under legitimate interests to evaluate your suitability for the role.
If you're successful and join our team, your information will then be processed as part of your employment, based on contractual, legal, or legitimate interests.
Employees of Impact Food Group
If you work with us—whether full-time, part-time, permanent, or temporary—you’ll be given access to our data protection and information security policies, along with relevant training.
If you ever have questions about how your personal data is being used, please speak to your line manager, the Head of Learning, or reach out to our Data Protection Officer at [email protected].
Website visitors
If you’re just browsing our website—welcome! We collect a small amount of data to help us make sure the site works well for you and to understand how people are using it.
This might include things like your IP address, the type of device you're using, the pages you visit, and how long you stay. We use this information to improve our website and make your experience smoother. Sometimes we use cookies (small text files) to do this—these help us understand things like what content is popular or whether the site is running properly.
Any non-essential cookies are only collected if you choose to allow them via the cookie banner when you visit our site.
We don’t use this information to identify you personally, and we don’t sell or share it with anyone for marketing purposes. Any data we collect from your visit is handled with care and only used for legitimate interests, like improving our website and keeping it secure.
You can manage or disable cookies at any time through your browser settings—more on that in the Cookie section below.
Your Privacy Choices and Rights
Your choices
Your privacy is important to us, and we want you to feel in control of your personal data.
You’re welcome to browse our website without giving us any personal information. If you choose not to share certain data, some features might not work, but you’ll still be able to explore most of the site.
When it comes to cookies, you’re in charge. You can turn off non-essential cookies by using the cookie banner when you first visit our site. You can also delete cookies or manage your preferences anytime through your browser settings. Just note—some parts of the website may not function properly without cookies.
Your rights
You have several rights when it comes to your personal data—and we’re here to help you exercise them. Just drop us a line at [email protected]
Here’s what you can ask us for:
- What data we’re processing and why
- Who we might share it with
- How long we plan to keep it (or how we decide that)
- Any other rights you have under data protection law
We aim to get back to you within one month. If we think your request might affect someone else’s privacy or rights, we’ll let you know and explain what we can do.
You also have the right to:
- Ask us to correct anything that’s wrong or out of date in your data
- Say no to certain types of data use—like profiling or automated decision-making
- Ask for a copy of your data (we’ll provide it in a format like CSV so you can pass it to another service)
- Request that we transfer your data directly to another service, if technically possible
- Ask us to erase your data (sometimes called the "right to be forgotten") if we no longer need it
And if you ever feel we’ve not handled your data properly, we’d really appreciate the chance to make it right. If you’re still not happy, you can contact the Information Commissioner’s Office (ICO) in the UK—just visit www.ico.org.uk for details.
These rights apply to all the types of data we process.
Keeping your data safe
We take your privacy seriously—and that means doing everything we can to protect your personal information.
In today’s connected world, keeping data secure is more important than ever. We’ve put strong safeguards in place to help keep your information safe from misuse, loss, or unauthorised access.
Some of the key measures we use include:
- Partnering with a UK Leading IT Managed service provider for all IT support who are ISO 27001, 9001, Cyber essentials and ITIL regulated
- Regular penetration testing to spot and fix any vulnerabilities
- Ongoing security patch updates for both 3 rd party solution and internal
- SSO and Multi-factor authentication for access to our critical systems
- Strict access controls, so only the right people can access the right information
- Dark-Web scanning, Enterprise SIEM, EDR, MDR, Web-filtering, email filtering and Phishing protection solutions all deployed across IFGs technical estate
Everyone who works for Impact Food Group is committed to confidentiality. That means your data is only ever accessed or shared when it’s absolutely necessary—and only by people who are authorised to do so.
Where your data is stored
Like most organisations, we work with trusted third-party providers to help us deliver our services—and that includes storing and processing personal data.
Most of these partners are based in the UK or the European Economic Area (EEA), but in some cases, your data may be processed outside these regions. That said, any data we handle on behalf of our school clients—such as information about parents or students extracted from the schools MIS system is always stored and processed within the UK or the EU.
Where data is stored outside of the UK or the EU we have ensured an appropriate safeguard is in place such as an UK International Data Transfer Agreement (IDTAs) or EU Standard Contractual Clauses (SCCs).
We take your data security seriously, so we carefully review all of our third-party providers. This includes putting solid data protection agreements in place and making sure that any company we work with meets our high standards for privacy and security.
If there';s ever a chance that using a particular system could pose a higher risk to your data, we carry out a Data Protection Impact Assessment (DPIA) to assess and manage that risk. You’re welcome to request a copy of any relevant DPIA by contacting us.
3rd parties
Impact Food Group works with several 3 rd parties to offer our services. The list below relates to the processing of website visitors, our clients and clients data such as parents and students.
Third parties who process employee and recruitment data are available via our suite of employee policies.
Payment processing
Impact Food Group does not collect or access payment details or process them in any way. Payment is managed by specialist third parties such as Parent Pay and will never be shared with Impact Food Group.
How long we keep your data
We only keep your personal data for as long as we need it—and no longer.
If we’re acting as a data controller, we carry out a full review of our records once a year to make sure we’re only holding on to information that’s still relevant and linked to an active relationship with Impact Food Group. If your data is no longer needed, it’s securely deleted as part of this annual clean-up.
We’ve also set clear time limits for storing different types of data in our Record of Processing Activities, so we can manage data retention responsibly and consistently.
When we’re acting as a data processor—typically when working on behalf of our school clients—we follow their instructions on how long to keep data and when it should be deleted.
If you’d like more detail about how long we keep your specific data, just drop us a message at [email protected] and we’ll be happy to help!
Cookies
We use cookies to enhance your browsing experience and improve our website. Cookies are small files stored on your device that help us recognize you when you return.
Our cookies include:
- Necessary cookies – essential for site functionality.
- Analytics cookies – track site usage to help us improve.
- Preference cookies – remember your settings like language or location.
- Advertising cookies – deliver relevant ads and measure campaign effectiveness.
You can manage your cookie preferences via the cookie banner. For more on cookies and how to control them, visit aboutcookies.org.
First-party cookies are set directly by our site and are required for full functionality. Disabling them may affect site use.
Third-party cookies include tools that collect anonymous data on how you interact with our site (e.g., mouse clicks, scrolling) to improve usability. This data is aggregated and not shared externally.
Breaches
If a data breach occurs that may impact the rights and freedoms of individuals, Impact Food Group will notify affected parties and, where required, the ICO within 72 hours.
Additional information
Impact Food Group has appointed an independent statutory Data Protection Officer (DPO) to oversee all data protection activities. The DPO reports directly to the board and holds no other roles within the company or its group, ensuring full independence and neutrality in all data processing matters.
The DPO can be contacted at: [email protected]
Impact Food Group maintains a Record of Processing Activities (ROPA), detailing the lawful basis for all data processing in the UK and EU. Where Legitimate Interests is the basis, a supporting impact assessment has been completed and is available upon request to affected individuals.
As Impact Food Group does not offer goods or services to individuals outside the UK, we are not required to appoint an EU representative under Article 27 of the GDPR.
This notice will be reviewed at least once per year. The next review is scheduled for August 2026.
If you would like to speak to a human concerning your data, please feel free to email us at: [email protected], and we will be happy to talk further.