Privacy Policy

Effective Date: May 18, 2026  |  Last Updated: May 18, 2026

At Apache Pizza, we are deeply committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you visit our website at apacheq.com, place an order with us, use our mobile application, or interact with us in any other way. We encourage you to read this document carefully to understand your rights and our obligations under applicable Irish and European data protection law.

This Privacy Policy applies to all personal data processed by Apache Pizza in connection with our food ordering and delivery services, our website, our marketing communications, and any other interaction you may have with us as a business. By using our services or providing us with your personal information, you acknowledge that you have read and understood this Privacy Policy.

1. Who We Are

Apache Pizza is a food service business operating in Ireland. For the purposes of the General Data Protection Regulation (GDPR) and the Irish Data Protection Acts 1988–2018, we act as the Data Controller in relation to the personal data we collect and process. This means we determine the purposes and means by which your personal data is processed.

Company Name Apache Pizza
Registered Address Ireland
Phone Not provided
Email [email protected]
Website apacheq.com

If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal data, please contact us using the details provided above or in the Contact Us section at the end of this document.

2. Legal Framework

We process your personal data in accordance with the following applicable laws and regulations:

  • Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018 across all EU Member States, including Ireland.
  • Data Protection Act 2018 — Irish legislation that supplements and gives effect to the GDPR in Ireland, along with the earlier Data Protection Acts 1988 and 2003.
  • ePrivacy Regulations (S.I. No. 336 of 2011) — Irish regulations governing the use of cookies and electronic communications marketing.
  • Consumer Protection Act 2007 — Irish legislation protecting consumer rights in commercial transactions.

The supervisory authority responsible for overseeing data protection compliance in Ireland is the Data Protection Commission (DPC), which can be reached at www.dataprotection.ie.

3. What Personal Data We Collect

We collect various categories of personal data depending on how you interact with us. Below, we outline the types of information we may collect:

3.1 Personal Identification Information

When you create an account, place an order, or contact us, we may collect the following:

  • Full name
  • Email address
  • Phone number
  • Delivery address (including street, city, county, and Eircode)
  • Billing address
  • Date of birth (where required for age verification purposes)
  • Username and password (for registered accounts)

3.2 Payment and Transaction Information

When you place an order with us, we collect information necessary to process your payment and fulfil your order. Please note that we do not store full card numbers or financial credentials on our servers. Payment card data is processed by our PCI-DSS compliant third-party payment processors. We may, however, retain:

  • Order history and details (items ordered, quantities, special requests)
  • Transaction reference numbers
  • Payment method type (e.g., credit card, debit card, cash on delivery)
  • Partial card information (last four digits) for reference purposes
  • Refund and cancellation records

3.3 Usage and Behavioural Data

When you use our website or mobile application, we automatically collect certain information about your browsing and interaction behaviour, including:

  • Pages viewed and time spent on each page
  • Menu items viewed or added to cart
  • Search queries made within our platform
  • Click paths and user journey through the website
  • Order frequency and average spend
  • Timestamps of visits and interactions

3.4 Device and Technical Information

We may collect technical information about the device and connection you use to access our services, including:

  • IP address
  • Browser type and version
  • Operating system
  • Device type (desktop, mobile, tablet)
  • Screen resolution
  • Referring URL (the website that directed you to ours)
  • Mobile device identifiers (where applicable)
  • Approximate geographic location derived from IP address

3.5 Communications Data

If you contact us by email, phone, live chat, or social media, we may collect and retain:

  • The content of your messages and correspondence
  • Your name and contact details
  • The date, time, and nature of your inquiry or complaint
  • Records of any resolution or follow-up actions taken

3.6 Marketing Preferences

If you subscribe to our mailing list or opt in to receiving promotional communications, we collect:

  • Email address or phone number used for marketing
  • Your marketing consent records (including when consent was given or withdrawn)
  • Your stated preferences regarding types of communications

3.7 Cookie and Tracking Data

Our website uses cookies and similar tracking technologies to enhance your experience, analyse website performance, and support marketing activities. For detailed information about the cookies we use, please refer to our Cookie Policy. The data collected through cookies may include session identifiers, preferences, and anonymised analytics data.

4. How We Use Your Personal Data

We process your personal data for specific, lawful purposes. Below we explain each purpose and the legal basis on which we rely under the GDPR:

4.1 Providing Our Food Ordering and Delivery Services

Legal Basis: Performance of a Contract (Article 6(1)(b) GDPR)

We use your personal data to process and fulfil your food orders, including communicating order confirmations, estimated delivery times, and updates on your delivery status. We also use your data to manage your account, process payments, handle refund requests, and resolve order-related issues.

4.2 Customer Support and Communications

Legal Basis: Performance of a Contract / Legitimate Interests (Article 6(1)(b) and (f) GDPR)

We use your data to respond to your queries, complaints, and feedback. We retain records of communications to ensure continuity of service and to train our staff. Our legitimate interest in providing effective customer service supports this processing.

4.3 Website Analytics and Service Improvement

Legal Basis: Legitimate Interests (Article 6(1)(f) GDPR)

We use usage data and analytics to understand how customers interact with our website and services, to identify areas for improvement, to troubleshoot technical issues, and to enhance the overall user experience. This includes the use of third-party analytics tools such as Google Analytics.

4.4 Marketing and Promotional Communications

Legal Basis: Consent (Article 6(1)(a) GDPR) / Soft Opt-In (Regulation 13 ePrivacy Regulations)

Where you have given us your consent, or where we are permitted to do so under the soft opt-in provisions for existing customers, we may send you promotional emails, SMS messages, or push notifications about our latest deals, new menu items, special offers, and events. You may withdraw your consent or opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, by texting STOP in response to an SMS, or by contacting us directly at [email protected].

4.5 Legal Compliance and Regulatory Obligations

Legal Basis: Legal Obligation (Article 6(1)(c) GDPR)

We may process your personal data where necessary to comply with Irish and EU legal obligations, including tax and accounting requirements, food safety regulations, and obligations imposed by regulatory or law enforcement authorities.

4.6 Fraud Prevention and Security

Legal Basis: Legitimate Interests (Article 6(1)(f) GDPR)

We use your data to detect, prevent, and investigate fraudulent transactions, security incidents, and misuse of our services. This processing is in our legitimate interest and in the interest of protecting our customers.

5. Sharing Your Personal Data with Third Parties

We do not sell your personal data to third parties. However, we may share your data with carefully selected third parties in the following circumstances:

5.1 Service Providers and Data Processors

We engage third-party companies and individuals to assist us in operating our business and delivering our services. These service providers act as data processors on our behalf and are contractually bound to process your data only on our instructions and in accordance with the GDPR. Categories of service providers include:

  • Payment processors — to securely handle card transactions and payment gateway services.
  • Delivery and logistics partners — to facilitate the delivery of your food order to your address.
  • Cloud hosting and IT infrastructure providers — to store and manage our data and systems securely.
  • Email and SMS marketing platforms — to send you communications where you have consented or we are otherwise permitted to do so.
  • Analytics providers — such as Google Analytics, to help us understand website usage.
  • Customer relationship management (CRM) systems — to manage our customer database and communications.

5.2 Legal and Regulatory Requirements

We may disclose your personal data to law enforcement agencies, regulatory bodies, or other competent authorities where we are legally required to do so, or where such disclosure is necessary to protect the rights, property, or safety of Apache Pizza, our customers, or others.

5.3 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or part of our business assets, your personal data may be transferred to the relevant successor entity as part of that transaction. We will notify you if such a transfer occurs and if it materially affects how your data is used.

5.4 With Your Consent

We may share your data with other third parties where you have given us your explicit consent to do so.

6. International Data Transfers

Ireland is a member of the European Union, and the GDPR applies in full. We aim to process and store your personal data within the European Economic Area (EEA) wherever possible. However, some of our third-party service providers — such as cloud platforms and analytics tools — may process data in countries outside the EEA, including the United States.

Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place to protect your data, in accordance with Chapter V of the GDPR. These safeguards may include:

  • Standard Contractual Clauses (SCCs) — the European Commission-approved contractual clauses that impose data protection obligations on the recipient.
  • Adequacy Decisions — transferring data to countries that the European Commission has determined provide an adequate level of data protection.
  • Binding Corporate Rules (BCRs) — where applicable for multinational organisations.

You may request further information about our international transfer mechanisms by contacting us at [email protected].

7. Data Retention

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following table provides an overview of our standard retention periods:

Category of Data Retention Period Reason
Customer account information Duration of account + 3 years after last activity Service provision and legitimate business interests
Order history and transaction records 7 years Irish tax and accounting legal requirements
Payment processing records 6 years Legal obligations and fraud prevention
Marketing consent records Until consent withdrawn + 3 years Demonstrating compliance with ePrivacy obligations
Customer service correspondence 3 years from last interaction Legitimate interests and potential legal claims
Website analytics data 26 months (anonymised thereafter) Analytics and service improvement
Cookie and tracking data As specified in our Cookie Policy See Cookie Policy for details
Legal claim records 6 years from resolution Statute of limitations under Irish law

Once the applicable retention period has expired, your personal data will be securely deleted or anonymised so that it can no longer be associated with you. In some cases, we may retain anonymised, aggregated data for longer periods for statistical and analytical purposes.

8. Data Security

We take the security of your personal data very seriously and have implemented a range of appropriate technical and organisational measures to protect your information against unauthorised access, loss, destruction, alteration, or disclosure. These measures include:

8.1 Technical Measures

  • SSL/TLS encryption — all data transmitted between your browser and our website is encrypted using Secure Sockets Layer (SSL) technology.
  • Secure password storage — user passwords are stored using industry-standard hashing algorithms and are never stored in plain text.
  • Firewalls and intrusion detection systems — to protect our network and servers from external threats.
  • Regular security audits and penetration testing — to identify and remediate vulnerabilities in our systems.
  • Access controls and authentication — limiting access to personal data to authorised personnel only, using role-based access control and multi-factor authentication.
  • PCI-DSS compliance — our payment processing systems comply with the Payment Card Industry Data Security Standard.

8.2 Organisational Measures

  • Staff training on data protection and privacy obligations.
  • Internal data protection policies and procedures.
  • Data processing agreements with all third-party service providers.
  • A documented data breach response and notification procedure.
  • Regular review of data processing activities and risk assessments.

Despite our best efforts, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee the absolute security of your personal data, and you use our services at your own risk in this regard. However, we will notify you and the Data Protection Commission without undue delay, and no later than 72 hours after becoming aware, in the event of a personal data breach that poses a risk to your rights and freedoms, in accordance with Article 33 of the GDPR.

9. Your Data Protection Rights

Under the GDPR and the Irish Data Protection Act 2018, you have a number of important rights in relation to your personal data. These rights are outlined below:

9.1 Right of Access (Article 15 GDPR)

You have the right to obtain confirmation as to whether we process personal data about you and, if so, to request a copy of that data (a Subject Access Request or SAR). We will respond to your request within one month of receipt, which may be extended by a further two months in complex cases.

9.2 Right to Rectification (Article 16 GDPR)

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you without undue delay.

9.3 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)

In certain circumstances, you have the right to request that we delete your personal data. This right applies where, for example, the data is no longer necessary for the purpose for which it was collected, you withdraw consent, or you object to the processing and there are no overriding legitimate grounds. This right does not apply where we are required to retain data by law or for the establishment, exercise, or defence of legal claims.

9.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where processing is unlawful and you prefer restriction over erasure.

9.5 Right to Data Portability (Article 20 GDPR)

Where processing is based on your consent or a contract, and processing is carried out by automated means, you have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller.

9.6 Right to Object (Article 21 GDPR)

You have the right to object to the processing of your personal data where such processing is based on our legitimate interests. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or where processing is necessary for the establishment, exercise, or defence of legal claims. You have an absolute right to object to the processing of your personal data for direct marketing purposes, and we will comply immediately upon receipt of such an objection.

9.7 Rights Related to Automated Decision-Making and Profiling (Article 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you. We do not currently engage in solely automated decision-making of this nature in relation to our customers. If this changes, we will update this policy and provide you with the appropriate information and safeguards.

9.8 Right to Withdraw Consent

Where our processing is based on your consent, you have the right to withdraw that consent at any time without detriment. Withdrawal of consent will not affect the lawfulness of any processing carried out before the withdrawal.

How to Exercise Your Rights: To exercise any of the above rights, please contact us in writing at [email protected]. We may need to verify your identity before processing your request. We will respond within one month. There is no fee for making a request, unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act on the request.

10. Cookies and Tracking Technologies

Our website, apacheq.com, uses cookies and similar tracking technologies (such as web beacons and pixels) to improve your browsing experience, analyse how our website is used, and support our marketing activities.

10.1 What Are Cookies?

Cookies are small text files that are stored on your device (computer, smartphone, or tablet) when you visit a website. They allow the website to recognise your device and remember certain information about your visit, such as your preferences and login status.

10.2 Types of Cookies We Use

  • Strictly Necessary Cookies: Essential for the operation of our website, including enabling you to log in, add items to your cart, and complete your order. These cannot be disabled.
  • Performance and Analytics Cookies: Help us understand how visitors interact with our website by collecting information anonymously, such as page visits and traffic sources.
  • Functional Cookies: Allow the website to remember your preferences, such as your saved address or preferred payment method.
  • Marketing and Targeting Cookies: Used to deliver relevant advertisements to you based on your interests and browsing behaviour, and to measure the effectiveness of our marketing campaigns.

You can manage your cookie preferences using our cookie consent tool, which appears when you first visit our website. You can also manage cookies through your browser settings at any time, though disabling certain cookies may affect the functionality of our website.

For full details of the cookies we use, including their names, purposes, and retention periods, please visit our dedicated Cookie Policy.

11. Children's Privacy

Our services are intended for adults and are not directed at children under the age of 18. We do not knowingly collect personal data from individuals under 18 years of age. If you are under 18, please do not use our website or services or provide us with any personal information.

If you are a parent or guardian and believe that your child under the age of 18 has provided us with personal data without your consent, please contact us immediately at [email protected], and we will take steps to delete such information from our records as promptly as possible.

Under Irish law, the Data Protection Act 2018 sets the age of digital consent at 16 years for the processing of children's data based on consent in the context of information society services. We apply an 18-year threshold for the use of our services in the interest of additional caution and child safety.

12. Links to Third-Party Websites

Our website may contain links to third-party websites, social media platforms, or external services. Please note that we have no control over the privacy practices or content of those external websites. This Privacy Policy applies only to our website and services. We encourage you to read the privacy policies of any third-party websites you visit, as they may differ from ours. We are not responsible for the privacy practices or content of third-party sites.

13. Social Media

We maintain a presence on various social media platforms, including but not limited to Facebook, Instagram, Twitter/X, and TikTok. If you interact with us on these platforms — for example, by commenting, messaging, or tagging us — those platforms will process your data in accordance with their own privacy policies. Please review the privacy policies of the relevant social media platform for more information about how your data is handled.

We may use social media advertising features, including custom audience tools and lookalike audiences, to serve you targeted advertising. Where applicable, we rely on your consent or our legitimate interests as the legal basis for this activity. You can opt out of targeted advertising through the settings of the relevant social media platform or through tools such as the Digital Advertising Alliance's opt-out mechanism.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, changes in applicable law, or other operational, legal, or regulatory reasons. We will post the updated Privacy Policy on this page with a revised "Last Updated" date at the top.

For significant changes that materially affect how we process your personal data, we will endeavour to notify you directly — for example, by email or by displaying a prominent notice on our website — before the changes take effect. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

Your continued use of our services after any changes to this Privacy Policy have been posted will constitute your acknowledgment of the changes and, where applicable, your consent to the updated practices.

15. How to Make a Complaint

We take your privacy rights seriously and are committed to addressing any concerns you may have about the way we handle your personal data. If you are not satisfied with our response or believe that we are processing your data in a manner that is not compliant with the GDPR or Irish data protection law, you have the right to lodge a complaint with the Irish data protection supervisory authority.

Data Protection Commission (DPC)

Website: www.dataprotection.ie

Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Phone: +353 01 765 0100 / 1800 437 737 (Lo Call)

Email: [email protected]

We would, however, appreciate the opportunity to resolve any complaint directly with you before you escalate the matter to the DPC. Please contact us first at [email protected], and we will do our best to address your concerns promptly and fairly.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please do not hesitate to contact us:

Company Apache Pizza
Address Ireland
Email [email protected]
Website apacheq.com

We aim to respond to all data protection inquiries within 10 business days, and to all Subject Access Requests within one calendar month as required by the GDPR.

Thank you for taking the time to read our Privacy Policy. At Apache Pizza, your trust matters to us. We are committed to being transparent about how we use your data and to upholding your rights as a data subject under Irish and European law. If you ever have questions or concerns, our team is here to help.

This Privacy Policy was last reviewed and updated on May 18, 2026. It is governed by the laws of the Republic of Ireland and the European Union.