Now Booking Summer 2026 — Weekend Dates Filling Fast Get a quote
Skip to main content

Data Processors

Last updated March 2026 — GDPR Article 28

Under Article 28 of the UK General Data Protection Regulation (UK GDPR), we are required to enter into a Data Processing Agreement (DPA) with every third party that processes personal data on our behalf. The table below lists all processors we currently use, what data each one handles, and confirms that a DPA is in place.

Where processors provide their DPA as part of standard terms of service (the most common approach for SaaS providers), acceptance of those terms constitutes the agreement. All processors listed below have complied with this requirement.

If you have questions about any of these arrangements, please contact us at [email protected].

Processor Register

1. Wix

Role: Platform provider — hosts our website, CRM, and product data.
Data processed: Contact and enquiry data, blog content, product catalogue, and website visitor data collected via Wix's own infrastructure.
DPA: In place via Wix's standard Data Processing Addendum, incorporated into their Terms of Service and accepted upon account creation.
Privacy policy: wix.com/about/privacy

2. Square

Role: Payment processor and customer management.
Data processed: Payment card data (handled and tokenised entirely by Square — we never store raw card details), billing information, and transaction records.
DPA: In place via Square's standard Data Processing Agreement, available at squareup.com/gb/en/legal/general/dpa and accepted upon account creation.
Privacy policy: squareup.com/gb/en/legal/general/privacy

3. Google LLC (Google Workspace / Gmail)

Role: Transactional and operational email delivery via Google Workspace (saltwind.catering).
Data processed: Recipient email addresses, names, and content of transactional notifications (booking confirmations, enquiry acknowledgements, and similar operational emails).
DPA: In place via Google's Cloud Data Processing Addendum, accepted as part of Google Workspace Terms of Service.
Location: USA (EU-US Data Privacy Framework and UK adequacy decision).
Privacy policy: policies.google.com/privacy

4. Cloudflare

Role: Website hosting, CDN, and security (DDoS protection, WAF, edge caching).
Data processed: IP addresses, HTTP request metadata, and website traffic logs for security and performance purposes. Cloudflare acts as a network-layer processor for all traffic to our website.
DPA: In place via Cloudflare's standard Data Processing Addendum, available at cloudflare.com/cloudflare-customer-dpa and accepted upon account creation.
Privacy policy: cloudflare.com/privacypolicy

5. Google

Role: Analytics and tag management (Google Analytics 4 and Google Tag Manager).
Data processed: Anonymised website usage data, device and browser characteristics, and session behaviour. Analytics scripts are only loaded after a visitor has given explicit consent to analytics cookies via our cookie banner.
DPA: In place via Google's standard Data Processing Terms, available at business.safety.google/dataprocessingterms and accepted upon account creation.
Privacy policy: policies.google.com/privacy

6. Meta (Facebook)

Role: Marketing analytics (Meta Pixel / Facebook Pixel).
Data processed: Browser identifiers and page-view events used to measure the effectiveness of advertising campaigns. The Meta Pixel is only loaded after a visitor has given explicit consent to marketing cookies via our cookie banner.
DPA: In place via Meta's standard Data Processing Terms, incorporated into their Business Terms and accepted upon account creation.
Privacy policy: facebook.com/privacy/policy

7. Microsoft (Clarity)

Role: UX analysis — session recordings and heatmaps via Microsoft Clarity.
Data processed: Anonymised session recordings, click heatmaps, and scroll-depth data. No personally identifiable information is captured. Clarity is only loaded after a visitor has given explicit consent to analytics cookies via our cookie banner.
DPA: In place via Microsoft's standard Data Processing Addendum, incorporated into their Online Services Terms and accepted upon account creation.
Privacy policy: privacy.microsoft.com/en-gb/privacystatement

8. GitHub (Microsoft)

Role: Source code hosting and version control (GitHub.com).
Data processed: Source code and commit history only. No customer personal data is stored in our repositories. GitHub is used internally by our development team and has no direct access to live customer data.
DPA: In place via GitHub's standard Data Protection Agreement, incorporated into their Terms of Service and accepted upon account creation.
Privacy policy: docs.github.com — GitHub Privacy Statement

International Transfers

Several of the processors above are headquartered outside the United Kingdom. Details of the transfer mechanisms in place for each (UK–US Data Bridge, Standard Contractual Clauses, or ICO adequacy decision) are documented in our Privacy Policy — Section 4a: International Data Transfers.

Sub-processors

Each processor above may in turn use sub-processors to deliver their service. We rely on the processor's own sub-processor disclosure pages, linked via their privacy policies above, to document those arrangements. Material changes to sub-processors that affect our customers are notified via our Privacy Policy update process.

Requesting Further Information

You may request a copy of any DPA or sub-processor list by contacting us at [email protected] or writing to:

Salt Wind Catering
37 Fore Street
Redruth, Cornwall TR15 2AE
United Kingdom