← Back to site

The Fine Print

Privacy Policy

Last updated: 29 April 2026

The Crumb Cartel takes your privacy seriously. This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights you have over it under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to everyone who uses thecrumbcartel.co.uk, places a retail order, or applies for a wholesale account.

1. Who we are

The Crumb Cartel is a UK sole-trader business operating on the South Coast. We are the data controller responsible for your personal data under UK GDPR.

Contact: thecookiedealer@thecrumbcartel.co.uk
Postal address: Available on request via the email above.
Data controller's full name: Available on request via the email above.

2. What we collect

Depending on how you interact with us, we may collect:

  • Account details: name, email address, and a password (stored hashed - we never see or store it in plaintext).
  • Order details: delivery address, phone number, order contents, order history, and any notes you provide at checkout.
  • Wholesale-specific details: business name, business address, business phone, and the information you provide on your wholesale application.
  • Payment confirmation data: we receive confirmation that a payment has succeeded or failed via Stripe. We do not see, handle, or store full card details - those are processed entirely by Stripe.
  • Technical data: essential session and authentication tokens used to keep you logged in. We do not run analytics, advertising, or tracking cookies.

3. Why we collect it (lawful basis)

Under UK GDPR every use of your data needs a lawful basis. Ours are:

  • Performance of a contract - to take and fulfil your order, communicate about it, and process payment.
  • Legal obligation - to keep transaction records for HMRC and to handle any food-safety or consumer-protection matters.
  • Legitimate interest - to operate, secure, and improve the website, and to respond to enquiries you send us.
  • Consent - for marketing emails, where you have opted in. You can withdraw consent at any time.

4. Who we share it with

We don't sell your data. We use a small number of trusted service providers to run the business. Each is bound by their own data-protection terms and only processes your data on our instructions:

  • Supabase - secure database and login authentication.
  • Netlify - website hosting and delivery.
  • Stripe - payment processing. Stripe acts as the controller for the card data it handles directly; their privacy notice is at stripe.com/gb/privacy.
  • Couriers / delivery partners - to deliver your order we share the name, address, and contact number you provide.
  • Email service provider - when we begin sending marketing emails we will use a third-party email platform. This policy will be updated with the provider's name before that goes live.

We may also disclose your data where we are legally required to - for example, in response to a court order or a lawful request from a regulator.

5. International transfers

Some of our processors (notably Stripe and parts of Supabase or Netlify infrastructure) may store or process data outside the UK. Where they do, transfers are protected by appropriate UK GDPR safeguards - typically the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or a UK adequacy decision.

6. How long we keep it

  • Order and transaction records: 7 years from the date of the order. This is the minimum retention required by HMRC for tax and accounting records.
  • Account details: for as long as your account is active. If you close your account we will delete or anonymise your account record, but order history linked to it will be retained for the 7-year period above.
  • Marketing consents: until you withdraw consent or unsubscribe.
  • Wholesale applications that are not approved: up to 12 months, then deleted.

7. Your rights

Under UK GDPR you have the right to:

  • Be informed about how we use your data (this policy).
  • Access the personal data we hold about you.
  • Correct data that is inaccurate or incomplete.
  • Erase your data, where we have no overriding lawful reason to keep it.
  • Restrict processing of your data in certain circumstances.
  • Port your data to another service in a portable format.
  • Object to processing based on legitimate interests, and to direct marketing at any time.
  • Withdraw consent for any processing that relies on it.

To exercise any of these rights, email thecookiedealer@thecrumbcartel.co.uk. We will respond within one calendar month.

8. Cookies and tracking

We only use essential cookies and similar technologies that are strictly necessary to run the site - specifically the session and authentication tokens used to keep you logged in, and any cookies set by Stripe during checkout for fraud prevention. We do not run Google Analytics, Meta Pixel, advertising cookies, or any other non-essential tracking. If we ever add analytics in the future, this policy will be updated and a cookie banner added at that point.

9. Marketing

We will only send you marketing emails if you have specifically opted in. Every marketing email will contain a one-click unsubscribe link, and you can also opt out at any time by emailing us. Unsubscribing from marketing does not affect transactional emails relating to orders you have placed - order confirmations, delivery updates and similar.

10. Security

We use standard measures to protect your data, including HTTPS encryption in transit, hashed password storage, and access controls on the underlying database. No system is perfectly secure, but we take this seriously and will notify you and the ICO without undue delay if a personal data breach occurs that is likely to affect your rights and freedoms.

11. Children

The Crumb Cartel is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with their data, please contact us so we can delete it.

12. Complaints

If you have a concern about how we have handled your data, please contact us first - we'd rather have the chance to put it right. You also have the right to complain to the UK supervisory authority, the Information Commissioner's Office (ICO), at ico.org.uk/make-a-complaint.

13. Changes to this policy

We may update this policy from time to time - for example if we add a new processor, change retention periods, or start using marketing tools. The "Last updated" date at the top of this page will always reflect the most recent version. Material changes will be flagged on the website.