Privacy Policy (UK & EEA Users)

Last updated: 23rd March 2026

This Privacy Policy explains how Korto Restaurant (“we”, “us”, “our”) collects, uses, and protects personal data when you visit https://korto.co.uk/ (the “Website”) and interact with our services.

This policy is intended for users in the United Kingdom and the European Economic Area (EEA) and is designed to meet the requirements of the UK GDPR, EU GDPR, and applicable ePrivacy rules (including UK PECR).

1) Who we are (Data Controller)

Data Controller: Korto Restaurant (UK)
Registered address: 126 Alexandra Park Road, Muswell Hill, London, N10 2AH
Email: [pr*****@********in.com]

2) Personal data we collect

2.1 Information you provide to us

We may collect personal data you choose to provide, for example:

• Contact details (e.g., name, email address) when you contact us via forms or email
• Message content and any other information you include in your communications

We do not collect payments online and do not process payment card information via the Website.

2.2 Information collected automatically (when you use the Website)

• Technical data: IP address, device type, browser type/version, operating system
• Usage data: pages viewed, links clicked, time spent on pages, referring pages, approximate location (derived from IP)
• Cookie/identifier data: stored and accessed via cookies or similar technologies (see Section 5)

3) How we use your personal data

We use your personal data to:

• operate, maintain, and improve the Website
• respond to enquiries and provide support
• monitor and improve performance and user experience
• protect the Website and users (security, fraud/abuse prevention)
• comply with legal obligations and enforce our rights

4) Lawful bases for processing (UK GDPR / EU GDPR)

We process your personal data on one or more of the following lawful bases:

• Legitimate interests: to operate and improve the Website, administer and respond to communications, and keep our services secure (balanced against your rights).
• Consent: where required for non-essential cookies (including analytics cookies) and certain marketing activities (if used).
• Legal obligation: where we must comply with UK/EU law.
• Contract (if applicable): where you request or use a service that requires processing to perform a contract with you.

5) Cookies, consent, and Google Analytics 4 (GA4)

5.1 Cookie control

We use cookies and similar technologies. Under UK PECR and EU ePrivacy rules:

• Strictly necessary cookies may be used without consent.
• Analytics cookies (including those used by GA4) are used only with your consent, where required.

You can manage your preferences at any time via [Cookie Settings link].
See our Cookie Policy: [Insert link].

5.2 GA4 (Google Analytics)

We use Google Analytics 4 (GA4) to understand how visitors use our Website (e.g., page views, navigation paths, engagement). This helps us improve the Website.

GA4 may process:

• online identifiers (including cookie identifiers)
• device and browser information
• IP-derived location (GA4 uses IP to determine approximate location; Google states IP addresses are not logged or stored in a way that can be accessed by customers, subject to configuration)

Provider: Google Ireland Limited (for EEA/UK services), with possible processing by Google LLC.
More information:

• Google Privacy Policy: https://policies.google.com/privacy
• Google Analytics: https://policies.google.com/technologies/partner-sites

6) Who we share personal data with

We may share personal data with:

6.1 Service providers (processors)

Third parties that help us operate the Website, such as:

• Website hosting / IT providers
• Analytics provider: Google (GA4)

We only share what is necessary and require appropriate contractual and security safeguards (including GDPR-compliant processor terms).

6.2 Legal and regulatory disclosures

We may disclose personal data if required by law, regulation, court order, or to protect our rights and the safety of users.

6.3 Business changes

If we are involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to legal protections.

7) International transfers (outside the UK/EEA)

Some of our service providers (including Google) may process personal data outside the UK/EEA.

Where personal data is transferred internationally, we use appropriate safeguards such as:

• UK International Data Transfer Agreement (IDTA) and/or UK Addendum, and/or
• EU Standard Contractual Clauses (SCCs), and/or
• transfers to countries with an adequacy decision (where applicable)

You can request more information about relevant safeguards by contacting us (see Section 12).

8) Data retention

We keep personal data only as long as necessary for the purposes described in this Privacy Policy.

Typical retention periods (customise):

• Contact/enquiry messages: up to [12–24 months]
• Basic security logs: up to [30–180 days]
• Analytics data (GA4): retained according to our GA4 settings (e.g., [2 months/14 months])

We may retain certain information longer where required by law or to establish, exercise, or defend legal claims.

9) Security

We use appropriate technical and organisational measures to protect personal data. However, no website or transmission is completely secure, and we cannot guarantee absolute security.

10) Your rights (UK & EEA)

You have the right to:

• Access your personal data
• Rectify inaccurate or incomplete personal data
• Erase personal data (in certain cases)
• Restrict processing (in certain cases)
• Object to processing based on legitimate interests and to direct marketing
• Data portability (in certain cases)
• Withdraw consent at any time (where processing is based on consent)

To exercise your rights, contact us. We may need to verify your identity. We generally respond within one month (this can be extended where permitted by law).

Complaints

• UK: Information Commissioner’s Office (ICO) – https://ico.org.uk/
• EEA: Your local supervisory authority (via the EDPB list) – https://edpb.europa.eu/about-edpb/about-edpb/members_en

11) Children’s privacy

The Website is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact us and we will delete it.

12) Contact us

If you have questions about this Privacy Policy or wish to exercise your rights, contact:

Korto
Address: 126 Alexandra Park Road, Muswell Hill, London, N10 2AH
Tel: 0208 292 5841