Privacy Policy

Last updated: 20 April 2026 · Effective immediately

ShelfCheck is a product of SJC Distributions Ltd ("we", "us", "our"). We are committed to protecting the personal data of our customers and their staff. This policy explains what data we collect, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.

1. Who we are

Data Controller: SJC Distributions Ltd
ICO Registration Number: C1919620
Contact: sjcdistributionsltd@gmail.com
Website: shelfcheck.co.uk

SJC Distributions Ltd is registered with the Information Commissioner's Office (ICO) under the UK Data Protection Act 2018. You can verify our registration at ico.org.uk/ESDWebPages/Search.

2. What data we collect

We collect the following categories of personal data:

Account holders (managers/retailers): First name, last name, email address, phone number, business name, store type
Staff members: First name, last name, 4-digit PIN (stored as a SHA-256 hash — never stored as plain text)
Scan data: Barcode numbers, expiry dates, product names, timestamps, and which staff member performed each scan
Payment data: Handled entirely by Stripe. We do not store card numbers or bank details.
Usage data: App activity logs for debugging and service improvement

3. How we use your data

We use your data to:

Provide the ShelfCheck service — scanning, logging, and reporting on expiry dates
Send weekly compliance reports and daily expiry alerts to account holders
Send transactional emails (welcome email, login reminders)
Process subscription payments via Stripe
Provide customer support
Comply with legal obligations

We do not sell your data to third parties. We do not use your data for marketing to third parties.

4. Legal basis for processing

Contract: Processing necessary to deliver the ShelfCheck service you have subscribed to
Legitimate interests: Service improvement, security, fraud prevention
Legal obligation: Compliance with applicable UK laws

5. Who we share data with

We use the following sub-processors to deliver the service:

Supabase Inc — Cloud database (data stored in EU)
Netlify Inc — Website and serverless function hosting
Resend Inc — Transactional email delivery
Stripe Inc — Payment processing (PCI DSS compliant)
Anthropic PBC — AI product identification (photo analysis only; images are not retained by Anthropic beyond the API request)

All sub-processors are bound by data processing agreements and appropriate safeguards.

6. Data retention

Scan records and audit trails are retained for the lifetime of your account plus 12 months after cancellation. This enables you to access your compliance history for EHO, Trading Standards, or CQC purposes. After 12 months post-cancellation, all personal data is permanently deleted.

7. Your rights

Under UK GDPR you have the right to:

Access the personal data we hold about you
Correct inaccurate data
Request deletion of your data ("right to be forgotten")
Object to processing or request restriction
Data portability — receive your data in a machine-readable format
Withdraw consent at any time (where processing is based on consent)

You can exercise several of these rights directly within the ShelfCheck app: managers can download all site data (JSON export) and permanently delete their account from the Profile screen. To exercise any other right, email us at sjcdistributionsltd@gmail.com. We will respond within 30 days.

8. Cookies

ShelfCheck uses only essential functional cookies (session management). We do not use advertising or tracking cookies. No cookie consent banner is required for essential cookies under UK law.

9. Security

All data is transmitted over HTTPS. Our database is hosted on Supabase with access controls and encryption at rest. We do not store payment card data. Staff PINs are hashed using SHA-256 with a unique per-site salt and are never stored as plain text. PIN verification happens server-side with rate limiting to prevent brute-force attacks.

10. International transfers

Your data is primarily processed within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g. to Anthropic in the USA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses.

11. Changes to this policy

We may update this policy from time to time. We will notify account holders by email of any material changes. Continued use of ShelfCheck after notification constitutes acceptance of the updated policy.

12. Complaints

If you have concerns about how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

For all privacy enquiries: sjcdistributionsltd@gmail.com