- Registered in England and Wales
- Company Registration Number: 09189901
- Registered Office Address: Unit 1 & 2 Kingsley Farm, Kingsley Road, Harrogate, North Yorkshire, HG1 4RF
- VAT number: GB 196504190
What Personal Information do we ask for and why?
“Personal Information” is information relating to you, which can be used to identify you personally (either directly or indirectly).
- full name;
- email address;
- telephone number;
- date of birth;
- billing address;
- delivery address for your orders (if different to the billing address);
- where you are buying a product for someone else, the name and delivery details of the person who is to receive the gift;
- your username and password;
- payment details (i.e. card details and billing address);
- delivery instructions;
- Customer Service reports following any communication you have had through that route.
We collect this Personal Information so that it can be used for the purposes set out in the Terms and Conditions of Sale, including, but not limited to, the following purposes:
- to register you as a customer, manage your account and keep track of your orders;
- to allow you access to your account;
- to communicate with you, in relation to your orders, account details, enquiries and when you contact customer services (this may include recording of telephone calls, but you will be advised of this before the call commences);
- to facilitate your orders, payment and delivery;
- for security purposes, for example to verify your age and identity;
- to communicate with you on Social Media Platforms, by way of response to your messages, likes or other forms of comments that invite reply (depending what permissions you have set on such platforms); and
- where you have given permission, to send you marketing messages about our products.
- We may also collect information about your usage of Our Sites, such as browsing patterns, but information collected in this way will not identify you personally. Our servers also automatically record certain information that your web browser sends whenever you visit any website. This may include your web request, internet protocol address, browser type, browser language, URLs, URL domain names, pages viewed and other matters together with cookies which may identify your browser. We use this information to find out about how visitors use Our Sites.
What is our lawful basis for using your Personal Information?
- We will only use your Personal Information when we have a valid reason (also known as a lawful basis) to do so. Which lawful basis is applicable will depend on precisely how we are using your Personal Information and for what purpose.
- Most commonly, we will use your Personal Information:
- because it is necessary to pursue our legitimate interests and where there is no undue adverse impact on you;
- in order to prepare to perform and to perform a contract with you;
- in order to comply with a legal obligation to which we are subject;
- because you have consented to us doing so.
- Where we are processing your Personal Information for the purposes of pursuing our legitimate interests, those interests may include:
- responding to any enquiries you may have, providing you with information you request and/or to help us operate and improve Our Sites;
- creating your account and identifying you when you contact us or use our Website;
- performing our contract with you, i.e. to set up and collect payments and to fulfil orders that you place, including delivery via our delivery provider;
- forward planning purposes (in relation to procurement and product stocking) and as part of our processes to detect and avoid fraud;
- retaining records of our transactions with you, so that they are available to us for legal and/or financial purposes and also to you should you request the same;
- managing our relationship with you and to maintain customer satisfaction;
- market research, reporting, analysis and modelling, so as to improve the products and services we provide (including via Social Media Platforms);
- improving our understanding of customer interest in our products and analysing your engagement with Our Sites; and
- ensuring that our service meets all appropriate technical requirements and that we can respond effectively to technical issues and improve the experience you have on Our Sites.
- Where we are processing your Personal Information in order to prepare to perform and to perform a contract with you, the processing we undertake may include:
- recording your personal details to enable us to perform any contract we have with you;
- obtaining authorisation to charge to your nominated bank or credit card charges that you incur when ordering a subscription or products from us;
- processing in order to fulfil any order you have placed with us; and
- maintaining records of your subscriptions in order to fulfil these on a continuing basis.
- Where we are processing your Personal Information in order to comply with a legal obligation to which we are subject, the processing we undertake may include:
- responding to any legal or regulatory enquiry or investigative action;
- initiating a product recall;
- co-operating with any audit requirement that we may be subject to.
- Where we are processing your Personal Information when you have given your consent, the processing we undertake may include:
- providing you with marketing communications; and
- responding to enquiries you make through the Website and through our Customer Service team.
Sharing your Personal Information with third parties
We will not share your information with any third parties except:
- where we have your consent;
- where required, in order to fulfil your order, including for the purposes of processing payment from you and delivering the product(s) to you;
- to our professional advisers, for the purposes of obtaining professional advice or establishing, exercising or defending legal rights;
- to Processors that we appoint as detailed at paragraph 3.3 below, together with other service providers and suppliers where necessary, for the purposes of fulfilling your orders or otherwise conducting our business;
- where a third party acquires all or a substantial portion of our business and your Personal Information is, at that time, in our possession as part of the transferred business assets in such sale/ transfer and we may share the same with any prospective purchasers and their advisors; and
- where we are required by law to provide Personal Information to law enforcement agencies, government entities, tax authorities or regulatory bodies.
- We will not share your information with third parties for marketing or market research without your explicit consent.
Data is shared with the Processor for the following purpose(s)
Personal Information Shared
Name on Card
Name for address label
Date of Birth
- We use other service providers from time to time to support transaction processing and dispatch. All service providers are assessed for compliance with General Data Protection Regulation ((EU) 2016/679) (GDPR) and when located in the United Kingdom, compliance with the Data Protection Act. When located outside of the United Kingdom we ensure that their privacy policies incorporate appropriate recognition of GDPR and other relevant Data Protection requirements.
Promotional and marketing information
If you no longer wish to receive this information, you can tell us at any time:
- by clicking the “unsubscribe” link in the marketing emails you receive from us; or
- by contacting our Customer Service Team.
Posting content on Our Sites
Posts and comments on Social Media Platforms (and, if relevant, the Website www.bakeoffbox.co.uk) are publicly available and you should bear this in mind when you post or upload content to Our Sites (including checking your privacy settings to ensure that they reflect the level of privacy that you wish to maintain for the relevant social media account).
www.bakeoffbox.co.uk and the services we provide through the website are not intended for access and use by children under 18. If you are under the age of 18 you should ask your parent’s or legal guardian’s permission before using the Website.
Providing us with other people’s Personal Information
Keeping your Personal Information up to date
- Please ensure that any Personal Information you provide us with is up to date and accurate. If your Personal Information changes, you can let us know by updating the details through your account on our Website or contacting our Customer Service Team.
Your rights in respect of your Personal Information
You have the right to:
- access your Personal Information (via what is commonly known as a “data subject access request”);
- require us to correct any mistakes in your Personal Information which we hold;
- withdraw your consent to the processing of your Personal Information (if we are relying on consent as our lawful basis for using your Personal Information);
- require the erasure of your Personal Information;
- require us to restrict processing of your Personal Information, in certain circumstances;
- receive the Personal Information you have provided to us, in a structured, commonly used and machine-readable format and/or transmit that information to a third party, in certain situations; and
- object to our continued processing of your Personal Information, in certain situations.
- Please note that not all of these rights are absolute – in some cases they will not apply to you, or to the particular use that we are making of your Personal Information (for example if we have to process the information to comply with our own legal obligations). For further information on each of these rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/. If you wish to access a copy of your Personal Information or exercise any of your other rights your request must be made in writing to DPO@thegbexchange.com and we will endeavour to respond within a reasonable period and in any event, within one month in compliance with applicable data protection legislation. You can also contact us using the same email address if you wish to complain about a marketing communication that you have received in error.
- If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you should contact the UK Information Commissioner's Office, which oversees data protection compliance in the UK. Details of how to do this can be found at ico.org.uk.
Keeping your information safe
- We and our Processors employ a variety of physical, technical and organisational measures to keep your information safe and to prevent unauthorised access to, or use of, or disclosure of it. Electronic data and databases are stored on secure computer systems and we control who has access to them (using both physical and electronic means).
- We use Secure Server Technology to ensure that all data submitted through the Website is protected by the highest standards.
- Any payment information you provide will be sent via a secure SSL connection which provides an encrypted link between your web browser and our web servers.
- We cannot absolutely guarantee the security of the internet or external networks or your own device. Accordingly, any online communications (e.g. information provided by email or through the Website) are at your own risk.
- You shall be responsible for keeping any user access information for your account (e.g. username(s)/ password(s)) secure and confidential.
How long will we keep your information?
- We will only keep your Personal Information for as long as necessary for the purposes for which we collected it, including for the purposes of satisfying any legal, accounting or reporting requirements.
- We regularly review what data we have and delete it in accordance with our data deletion policy.
- When we share your Personal Information with government bodies, regulatory bodies or law enforcement organisations so that they can carry out their legal functions or the Personal Information is required in connection with legal proceedings, your Personal Information may be held for longer than the periods stipulated below, and held for so long as appropriate in the circumstances.
Details of the review and retention periods for different aspects of your Personal Information are set out in the table below.
Type of Data
Retention Period or Criteria
Date of Birth
(6 months if no orders are placed)
Enquiries made to Customer Services
Details of Enquiry and response given to the Enquiry
Order information, product purchased, total cost, payment information, billing and delivery information including details of recipient if different to the Customer
Eg Internet Protocol (IP) address, login data, browser type and version, time-zone setting and location, browser plug in types and versions, operating system and platform and other technology devices used to access the Website, length of visit, number of pages viewed
Order history, preferences,
Preferences in receiving marketing and communications
Transferring data outside of the UK
- Where we transfer your Personal Information outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements applicable to the Personal Information concerned. This can be done in a number of different ways, for example: the country to which we send the Personal Information may have been assessed by the European Commission as providing an “adequate” level of protection for personal data; the recipient may have signed a contract based on standard contractual clauses, approved by the European Commission. In other circumstances, the law may permit us to otherwise transfer your Personal Information outside the EEA. In all cases, however, any transfer of your Personal Information will be compliant with applicable data protection law.
Third party websites
- We may monitor any communications we receive from you to improve Our Sites, to improve the products that we supply, or to ensure compliance with our practices and procedures.
© The Great Product Exchange Ltd. 2020
Published 12 November 2020