The Prep Lab
Last updated: 15 March 2026
Welcome to The Prep Lab. The Prep Lab ("we", "us", or "our") operates a meal preparation and delivery service in Barbados, accessible through this application (the "Service").
This Privacy Policy explains how we collect, use, store, and share your personal information when you use the Service. By creating an account or placing an order, you agree to the practices described in this policy. If you have any questions, contact us at privacy@thepreplab.bb.
Throughout this policy the following terms have the meanings set out below.
PERSONAL DATA — Any information that identifies or could reasonably identify a living individual, such as a name, email address, or delivery address.
USAGE DATA — Data generated automatically by your use of the Service, such as session duration and pages visited.
DATA CONTROLLER — The entity that determines the purposes and means of processing personal data. For this Service, that is The Prep Lab.
DATA PROCESSOR — A third party that processes personal data on behalf of the Data Controller.
DATA SUBJECT — The individual to whom personal data relates — you, the user of this Service.
COOKIES — Small data files stored on your device by your browser. This Service uses one strictly necessary session cookie.
We collect only the information necessary to operate the Service. Below is a summary of each category of data, the reason we hold it, and the legal basis under the Barbados Data Protection Act 2019.
Name and email address. Collected when you create an account. Used to identify you, send order confirmations, and deliver account verification emails. Legal basis: contract performance.
Password. Stored as a one-way cryptographic hash — we cannot read your password. Used solely to authenticate you. Legal basis: contract performance.
Delivery address. Collected when you place or update an order. Used to fulfil deliveries. Legal basis: contract performance.
GPS coordinates (latitude and longitude). Derived from your delivery address via geocoding. Used solely to plan optimised delivery routes for our drivers. Legal basis: legitimate interest. You may object to this processing at any time (see Section 6).
Order history. Items ordered, quantities, unit prices, and order status. Retained for fulfilment and financial record-keeping. Legal basis: contract performance and legal obligation.
Session tokens. Generated on sign-in and stored in an HTTP-only cookie. Used to keep you authenticated. They expire automatically on sign-out or after 2 hours of inactivity. Legal basis: legitimate interest.
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected or as required by law.
Account data (name, email, password hash) is retained while your account is active and deleted within 30 days of a verified account deletion request.
Order records (items, prices, status) are retained for 7 years to satisfy financial and tax obligations under Barbados law. This is a legal requirement we cannot waive.
Delivery addresses and GPS coordinates attached to orders that are delivered or cancelled are anonymised after 12 months. The order record itself is preserved but location data is removed.
Session tokens expire on sign-out or after 2 hours of inactivity and are not retained beyond that.
Email verification tokens expire within 1 hour of issue.
We do not sell your personal data. We share it only with the following service providers who act as Data Processors on our behalf, and only to the extent necessary to operate the Service.
OpenRouteService — Route optimisation
When a delivery route is calculated, the GPS coordinates of delivery stops are transmitted to OpenRouteService's API. No names, email addresses, or other identifiers are included in these requests. OpenRouteService processes this data under their own Privacy Policy.
OpenStreetMap / Nominatim — Address geocoding
Delivery addresses are sent to the public Nominatim API to obtain GPS coordinates. No personal identifiers beyond the address string are transmitted. See the OSM Foundation Privacy Policy.
Resend — Transactional email
Your email address is shared with Resend solely to deliver account verification emails. No other data is transmitted. See Resend's Privacy Policy.
This Service uses one strictly necessary HTTP-only session cookie. It is set when you sign in and deleted when you sign out or when your session expires. It contains no personally identifiable information — only an opaque session identifier. Because this cookie is essential for the Service to function, no separate consent is required under the Barbados Data Protection Act 2019 or equivalent legislation. We use no tracking, advertising, or analytics cookies.
Under the Barbados Data Protection Act 2019 you have the following rights. To exercise any of them, email privacy@thepreplab.bb and we will respond within 30 days.
Right of access. You may request a copy of all personal data we hold about you.
Right to rectification. You may ask us to correct inaccurate or incomplete data.
Right to erasure. You may request deletion of your account and associated personal data. Note that financial records of orders must be retained for 7 years by law (see Section 3), but your name, email, and address will be removed or anonymised.
Right to data portability. You may request your personal data in a structured, machine-readable format.
Right to object. You may object to processing based on legitimate interest — in particular, the use of your GPS coordinates for route planning. Contact us and we will manually geocode routes without storing coordinates against your account.
We take reasonable technical and organisational measures to protect your personal data. Passwords are stored as one-way cryptographic hashes and are never readable by staff. The database is hosted on a private server accessible only to authorised personnel. Sessions expire automatically after inactivity. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability.
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will always reflect the most recent revision. Where changes are material, we will notify you by email. Continued use of the Service after a revised policy is posted constitutes your acceptance of the changes.