Privacy Policy & GDPR Notice
Last updated: May 2026 · The Biscuit Tin
In plain English: When you place an order or send us a message, we collect only the details we need to bake and post your order or reply to you. We do not sell your data and we do not use it for third-party marketing. You can ask us to delete your data at any time.
1. Who We Are
The Biscuit Tin is a small-batch home bakery making handmade iced biscuits and personalised gift boxes, posted across the UK.
For the purposes of UK GDPR, The Biscuit Tin is the Data Controller for personal data collected through this website. Our website is hosted and maintained by Generative Solutions UK on servers located in the United Kingdom.
To contact us about your data: info.thebiscuittin@yahoo.com
2. What Data We Collect
We collect personal data only when you actively provide it — by placing an order or sending a message.
| Data | Collected via | Why we need it |
|---|---|---|
| Name | Checkout, contact form | To identify you and address your order |
| Email address | Checkout, contact form | To send order confirmations and reply to enquiries |
| Phone number | Checkout (optional), contact form | To contact you about your order if needed |
| Delivery address | Checkout | To post your order to you |
| Personalisation details | Birthday Tin & personalised items | The name & age you ask us to ice onto your order |
| Order details | Checkout | To fulfil and keep a record of your purchase |
| Account login (email + password) | Account registration | To let you sign in, save your details and view your order history. Passwords are stored only as a secure one-way hash — never in plain text. |
| Saved card reference | Optional, at checkout | If you choose to save a card, we store only the card type and last 4 digits for your reference. The card itself is held securely by our payment provider — never by us. |
What We Do Not Collect
- Full payment card details — all card payments are processed by our payment provider on their secure (PCI-DSS) servers. We never see or store your full card number, expiry or CVV. A saved card is stored by us only as its type and last 4 digits for display.
- Sensitive personal data (health, religion, ethnicity, etc.)
- Tracking or advertising profiles
3. How We Use Your Data
- To bake, package and post your order, including any personalised details
- To send transactional emails (order confirmations and receipts)
- To respond to enquiries submitted through the website or by email
- To maintain your customer account (saved address, order history) if you choose to create one
- To keep accurate financial records
We do not use your data for unsolicited marketing, profiling, or automated decision-making, and we will never sell or share it with third parties for their own marketing.
4. Legal Basis for Processing
- Contract — to fulfil your order or to take steps at your request before entering into a contract.
- Legitimate interests — to respond to enquiries and prevent fraud.
- Legal obligation — to retain financial records for HMRC compliance.
5. How Your Data Is Stored
Your data is stored in a secure database on a private UK server operated by Generative Solutions UK, protected by firewall rules and not publicly accessible. All data in transit is encrypted using TLS (HTTPS). Payment processing is handled entirely by a PCI-DSS compliant payment provider.
6. How Long We Keep Your Data
- Order records — retained for 7 years to meet HMRC requirements.
- Account details (login, saved address, saved card reference) — kept while your account is active. You can update them, remove a saved card, or ask us to delete your account at any time.
- Enquiries — retained for 12 months, then deleted.
7. Sharing Your Data
- Payment provider — to process your payment securely under their own PCI-DSS compliance.
- Delivery carriers — your name and delivery address are shared with the carrier (e.g. Royal Mail) to post your order.
- Legal obligation — where required by law to disclose information to authorities.
8. Cookies
We use only essential cookies. See our full Cookie Policy for details. We do not use advertising or third-party tracking cookies.
9. Your Rights Under UK GDPR
To exercise any of these rights, email info.thebiscuittin@yahoo.com. We will respond within 30 days at no charge.
If you are unsatisfied with our response, you may complain to the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint or 0303 123 1113.
10. Children's Privacy
Our website is not directed at children under 13 and we do not knowingly collect their data.
11. Changes to This Policy
We may update this policy from time to time. The "last updated" date above always reflects the current version.
12. Contact Us
- Email: info.thebiscuittin@yahoo.com
- Instagram: @thebiscuittinlady