Privacy Policy

The Grove Cake Co.
Last updated: 5 February 2026

Who we are
The Grove Cake Co. is a sole trader business run by Pamela John, based at 3 Byron Avenue, Grove, Wantage, OX12 0RF, United Kingdom.
Email: pam@thegrovecakeco.co.uk

This Privacy Notice explains how I collect, use and protect your personal information when you visit my website www.thegrovecakeco.co.uk, place an order, or make an enquiry.

I am the data controller for the personal data I process. I comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

What personal data I collect
I collect and process the following personal data:

Identity and contact information: name, email address (and delivery/postal address and phone number if you place an order or request delivery)
Order/purchase information: details of cakes or products you order, date of order, payment references (but not full card details — these are handled securely by my payment provider), name and age if provided for cake design
Communication data: messages you send via contact form, email or social media
Technical data: IP address, browser type, pages visited, time and date of visit (collected automatically via cookies and similar technologies — see my separate Cookie Notice if applicable)

I do not collect special category data (e.g. health information).

How I collect your data

Directly from you when you place an order, fill in a contact/enquiry form, sign up to my newsletter, or email/call me
Automatically through website cookies and analytics (essential cookies only unless you consent to others)
From third parties (e.g. payment processor confirmation of transaction)

Why I process your data (lawful basis)
I process your personal data for the following reasons under UK GDPR Article 6:

Performance of a contract — to process and fulfil your cake orders, deliver products, handle payments and provide customer service
Legal obligation — to keep basic records for tax, accounting and food safety purposes
Legitimate interests — to respond to enquiries, improve my website/services, prevent fraud, and (where soft opt-in applies) send occasional direct marketing about similar products
Consent — where you have specifically opted in (e.g. to a marketing newsletter) — you can withdraw consent at any time

Who I share your data with
I share data only when necessary:

Payment providers (e.g. Stripe/PayPal) — they act as separate controllers and have their own privacy policies
Delivery couriers (if you order delivery)
My accountant/bookkeeper (for tax purposes — under strict confidentiality)
IT/email service providers (e.g. Microsoft Outlook, Google Workspace, Mailchimp) acting as processors under contract

I do not sell your data. I do not transfer your data outside the UK/EEA unless using approved safeguards (e.g. UK International Data Transfer Agreement or adequacy decision).

How long I keep your data

Order and payment records: 6 years (legal/tax requirement)
Newsletter/marketing lists: until you unsubscribe or object
Enquiry data: 12 months unless it leads to an order
Website logs: up to 26 months (analytics)

After these periods, I securely delete or anonymise the data.

Your rights
Under UK GDPR you have the right to:

Access your data
Correct inaccurate data
Erase data (in certain circumstances)
Restrict processing
Object to processing (especially marketing)
Data portability
Withdraw consent (where consent is the basis)
Complain to the Information Commissioner’s Office (ico.org.uk)

To exercise any right, email me at pam@thegrovecakeco.co.uk. I will respond within one month (free of charge in most cases).

Security
I take reasonable technical and organisational measures to protect your data (e.g. secure hosting, password protection, limited access). However, no transmission over the internet is 100% secure.

Changes to this notice
I may update this notice from time to time. The date at the top shows when it was last revised.

If you have any questions, contact me at pam@thegrovecakeco.co.uk.