Data sharing and vendor data addendum

Effective date: 1 June 2026

Last updated: 27 April 2026

This Data Sharing and Vendor Data Addendum sets out the data-handling rules that apply between Cosycookie and vendors using the marketplace.

It is intended to reflect the practical reality of a marketplace model. Cosycookie and the vendor may each need access to certain customer, order, complaint, and compliance data, but that access must remain limited, lawful, secure, and proportionate.

1. Purpose and scope

This addendum applies to personal data shared between Cosycookie and vendors in connection with onboarding, listings, orders, fulfilment, customer support, complaints, refunds, reviews, safety issues, and legal compliance.

It supplements the Vendor and Baker Terms and does not reduce any stricter requirement imposed by data-protection law.

2. Roles of the parties

Cosycookie acts as a controller for the personal data it uses for platform operation, marketplace administration, payments coordination, support, analytics, security, vendor due diligence, and legal compliance.

Each vendor acts as a controller for the personal data it needs for its own order acceptance, preparation, fulfilment, customer service, complaint handling, food-safety obligations, and related legal record-keeping.

If a vendor is ever asked to process personal data solely on Cosycookie’s documented instructions for a defined task outside the vendor’s own independent purposes, the vendor must treat that activity as processor-like and comply with any additional written instructions or contract terms we provide.

3. Categories of personal data that may be shared

Shared data may include customer names, delivery or collection details, contact details, order contents, notes relevant to fulfilment, complaint details, refund information, safety-incident information, review-related information, and vendor onboarding or compliance records where relevant.

Sensitive data should not be requested or used unless clearly necessary and lawfully justified. Vendors must take particular care with identity documents, verification records, and any information that could create heightened privacy risk if mishandled.

4. Permitted uses

Vendors may use customer and order data only to accept, prepare, fulfil, support, refund, investigate, document, or defend marketplace orders and related legal obligations. Cosycookie may use shared data for marketplace administration, support, monitoring, legal compliance, and dispute resolution.

Neither party may use shared data for unrelated profiling, sale to data brokers, unrelated marketing, or other incompatible purposes without a separate lawful basis and any required notices or consents.

5. Restrictions on marketing and off-platform use

Vendors must not add Cosycookie customers to email, SMS, or other marketing lists unless the vendor has an appropriate legal basis and has provided any required notices and opt-out mechanisms independently of the marketplace order itself.

Vendors must not use customer data to divert customers away from Cosycookie in breach of platform rules or to build independent databases for unrelated commercial use.

6. Security, confidentiality, and access control

Each party must take reasonable technical and organisational measures to protect shared personal data, including limiting access to people who genuinely need it, using secure credentials and systems, and maintaining appropriate confidentiality expectations.

Shared data must not be downloaded, copied, or retained in unnecessary locations. Where printed materials or exports are used for fulfilment or record-keeping, they must be handled and disposed of securely.

7. Rights requests, complaints, and incident cooperation

If either party receives a privacy request, complaint, regulator contact, or legal claim that materially affects shared marketplace data, it should notify the other party where reasonably necessary so that the matter can be handled consistently and lawfully.

Where a request relates to data held by both Cosycookie and the vendor, each party should assist the other with reasonable factual information about what data was shared, why it was used, and whether any deletion or retention restriction applies.

If a personal-data breach, accidental disclosure, or security incident affects shared data, the affected party must notify the other without undue delay and cooperate in containment, investigation, remediation, and any legally required notifications.

8. Sub-processors and international transfers

A party must carry out reasonable diligence on third-party providers that store or process shared data on its behalf and must ensure that any required contractual protections are in place.

Where shared data is transferred outside the United Kingdom without a relevant adequacy decision, the responsible party must ensure an appropriate lawful transfer mechanism and proportionate safeguards are used.

If Cosycookie later requires the vendor to act strictly on documented instructions for a defined processing task, the parties should put in place a more specific processor-style data-processing agreement before that processing begins.

9. Retention and deletion

Each party must retain shared personal data only for as long as reasonably necessary for the relevant purpose, including fulfilment, complaints, refunds, food-safety obligations, fraud prevention, accounting, or legal defence.

When shared data is no longer needed, it must be securely deleted, anonymised, or archived only to the extent required by law or a documented retention obligation. Transaction, payout, complaint, and safety records may need to be retained for up to 6 years where accounting, legal defence, or regulatory expectations justify that period.

10. Audit, cooperation, and priority

Cosycookie may require vendors to confirm compliance with this addendum, provide information about relevant controls, or cooperate with reasonable compliance checks where privacy, safety, or complaint issues arise.

If there is any conflict between this addendum and the Vendor and Baker Terms, the stricter data-protection requirement will apply to the relevant issue.

Contact details

Agate International LTD trading as Cosycookie

Website: https://www.cosycookie.com

Registered office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

Registered in England and Wales

Company number: 12996873

Customer support: customers@cosycookie.com

General and privacy enquiries: info@cosycookie.com