S Sidobox Smart Fridges Back

Privacy

Last updated · 2 July 2026

This is the privacy notice for sidobox.uk — the website you reach by scanning the QR code on a Sidobox Smart Fridge. It covers what we do with the information you give us when you ask for a refund, suggest a product, get in touch, or enquire about hosting a fridge — and what the fridge itself records when you buy from it.

In short

Who we are

WooSee Limited ("WooSee", "we", "us") is the data controller for personal data collected through this website.

What we collect

We collect different information depending on which form you fill in. Each form asks only for what's needed to handle that request.

Refund request

Product suggestion

Help / general message

"Host a fridge" enquiry (sidobox.uk/host)

Submission metadata

Alongside every form submission we record the IP address and browser identifier (user-agent) the submission came from, and include them in the internal notification email. We use these solely to protect the forms against abuse — spotting spam floods and fraudulent refund claims — and for nothing else.

Purchase records from the fridge

When you buy from a Sidobox fridge, the machine platform (operated by our supplier, HaHa Vending) sends us a record of the transaction: which machine, when, the items taken, the amount, the payment status, and a pseudonymous identifier derived from the payment card. That identifier lets the platform recognise the same card across visits; we cannot reverse it to your card number, your bank, or your identity. We use these records to run the business — matching refund claims to transactions, paying our venue partners their share, and counting aggregate statistics such as unique customers per week. Venue partners only ever see aggregated figures for their own machine, never individual card identifiers.

Camera footage at the fridge

Sidobox fridges use cameras to recognise which items are taken — that's how you're charged without scanning anything. Short video of each opening is recorded and processed by the machine platform (HaHa Vending) for item recognition, and we can review the relevant clip when investigating a refund claim, a payment dispute, or suspected theft. Footage is retained on the platform for a limited period and is not used for any other purpose — no facial recognition, no marketing. The machine carries signage indicating cameras are in use.

Browsing data

We do not currently use website analytics or advertising trackers. The site stores your language preference and the machine ID you scanned in your browser's session storage (cleared when you close the tab) so we can keep your context as you move between pages. This data never leaves your device.

What we don't collect

We do not collect your card details — not your full card number, not the last digits, not the CVV or PIN. Payment is handled by the smart fridge directly through the card networks. The only card-related data we receive is the pseudonymous identifier described under "Purchase records" above, which cannot be turned back into your card number or identity. To match a refund to your purchase we rely on the machine, the amount, and roughly when it happened, cross-referenced against our own transaction records.

Why we use it

Each piece of data is used for a specific purpose with a specific lawful basis under UK GDPR.

PurposeLawful basis
Reviewing and processing your refund request, including contacting you to arrange the refund Contract — to perform our obligation to you
Cross-referencing the machine, amount, and time against our transaction records and camera footage to verify the claim Legitimate interest — preventing fraudulent refund claims
Reading your product suggestion and using it to inform restocking decisions Consent — given when you submit the form
Contacting you when a product you suggested gets stocked (only if you ticked "notify me") Consent — given by ticking the box
Reading and replying to your message via the help form Consent — given when you submit the form
Keeping internal records of refunds and complaints for accounting and dispute resolution Legitimate interest — business record-keeping and legal compliance
Recording the IP address and browser identifier of each submission to detect spam and fraudulent claims Legitimate interest — protecting the service against abuse
Responding to a "host a fridge" enquiry and discussing a possible partnership Legitimate interest — responding to a business enquiry you initiated
Processing purchase records (including the pseudonymous card identifier) to charge correctly, verify refunds, pay venue partners, and compile aggregate sales statistics Contract / Legitimate interest — completing your purchase and running the service
Reviewing camera footage of a specific opening when investigating a refund claim, payment dispute, or suspected theft Legitimate interest — verifying claims and preventing loss

We do not use any of this data for marketing, profiling, or automated decision-making. Submitting a form does not opt you in to anything else.

Who else sees it

We share your data only with the third parties that help us run this service:

We do not share your data with advertisers, data brokers, or analytics providers. We do not sell your personal data.

We may disclose information if required by law, by a court order, or to protect our legal rights.

How long we keep it

We retain all form submissions — refund requests, product suggestions, and help messages — for up to 6 years from submission. This matches the UK accounting and tax record-keeping requirement for financial records, and keeps our retention rules consistent across every form.

If you ticked "notify me" on a product suggestion, we'll delete the contact detail as soon as we've notified you the product is stocked, or sooner if you ask. The 6-year limit otherwise applies if we never get to notify you.

Host enquiries that don't lead to a partnership are kept for up to 12 months, then deleted. Purchase records are kept for up to 6 years (accounting records). Machine status logs (whether a fridge was online — no personal data beyond the machine itself) are kept for 90 days. Camera footage is retained by the machine platform for its own limited operational period, not by us.

You can ask us to delete your data sooner at any time — see "Your rights" below.

Where it's stored

Your data is stored and processed within the United Kingdom and the European Economic Area (UK and EU only). We do not currently transfer your personal data outside this region.

If this changes in the future — for example if we add a partner in another country — we will update this notice and ensure appropriate legal safeguards are in place (such as the UK GDPR International Data Transfer Agreement or Standard Contractual Clauses).

Your rights

Under UK GDPR, you have the right to:

There is no charge to exercise any of these rights. We will respond within one calendar month. Email info@sidobox.uk.

Cookies and browser storage

This site does not use third-party cookies, advertising trackers, or web analytics services.

We use the browser's session storage to remember the machine ID from the QR code as you navigate between pages. Session storage is cleared automatically when you close the tab. You can clear it at any time through your browser settings. All fonts and other page resources are served from sidobox.uk itself — visiting this site sends no request to any third-party service.

The host partner portal (host.sidobox.uk — invite-only, for venue partners) additionally stores a sign-in token in the browser's local storage while the partner is signed in. Partner accounts consist of a name, email address, and password (stored only as a salted hash).

Complaints

If you're unhappy with how we've handled your data, please email us first at info@sidobox.uk — we'll do our best to resolve it.

You also have the right to complain to the UK Information Commissioner's Office (ICO):

Changes to this notice

We may update this notice from time to time — for example if we add new forms or change how a form works. The current version is always available at this page, with the "Last updated" date at the top.