PRIVACY & COOKIES POLICY

PRIVACY & COOKIES POLICY

 

By using our website or providing your personal information to us, you agree that we may collect and use it as described in this policy. If you do not agree, please do not provide personal details — or, if you have already done so and wish to change your preferences, contact us at hello@cutterandsquidge.com.

1. Who We Are

Cutter & Squidge Limited (and any group entity) is the Data Controller of your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data (Use and Access) Act 2025 (DUAA 2025).
We are not required to appoint a Data Protection Officer (DPO) but you may direct all data-related queries to:
Cutter & Squidge Limited 2 Amalgamated Drive, Brentford, TW8 9EZ hello@cutterandsquidge.com

2. Data We Collect

We collect and process the following categories of personal data:
Identity & Contact: Name, billing address, delivery address, email address, and phone number. Provided directly by you.
Transactional: Order history, products purchased, and fulfilment details. Payment card data is encrypted via SSL — we do not store full card numbers on our servers. Provided by you and payment processors.
Product Preferences: Dietary or ingredient preferences selected when placing an order (e.g., vegan, wheat-free, made without eggs or nuts). This is product specification information used to fulfil your order and is not collected or held as health or medical data. Provided directly by you.
Marketing & Preferences: Competition entries, survey responses, loyalty programme activity, and communication preferences. Provided directly by you.
Correspondence: Records of contact via email, phone, or social media channels (Facebook, Instagram, TikTok, etc.). Provided directly by you.
Survey Data: We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them. Provided directly by you.
IP address, operating system, browser type, device identifiers, and browsing behaviour on our site. Collected automatically via cookies and web tools.
Usage: Traffic data, location data, weblogs, pages visited, and abandoned shopping cart contents (used for SMS/email reminders). Collected automatically.
Third-Party Supplied: Delivery status and address updates from carriers; account and credit information from payment processors. Supplied by our service partners.
 
Dietary and ingredient preferences you select when placing an order (such as vegan, wheat-free, or made without eggs or nuts) are used solely to fulfil your order correctly. This is product specification information and is not classified or processed as health or Special Category data under UK GDPR.

3. Lawful Basis for Processing

Under UK GDPR Article 6, we must identify a lawful basis before processing your personal data. We rely on the following:
Performance of a Contract [Art. 6(1)(b)]
Processing your name, address, and order details to deliver your purchase and manage your account.
Legitimate Interests [Art. 6(1)(f)]
For activities including marketing to existing customers (soft opt-in), fraud prevention, website security, business analytics, and improving our product range. Where we rely on legitimate interests, we have carried out a Legitimate Interests Assessment (LIA) and are satisfied our interests do not override your fundamental rights and freedoms.
Explicit Consent [Art. 6(1)(a)]
For marketing to new contacts or via specific channels where a soft opt-in does not apply (e.g., SMS marketing to new subscribers). You may withdraw your consent at any time by contacting hello@cutterandsquidge.com or by clicking "Unsubscribe" in any message. Withdrawal does not affect the lawfulness of processing before withdrawal.
Legal Obligation [Art. 6(1)(c)]
To comply with applicable law, assist law enforcement, and maintain financial records as required (e.g., HMRC requirements for 6 years).

4. How We Use Your Data

We use your personal data for the following purposes:
• To process and fulfil your orders, and to notify you about order status changes
• To present website content effectively on your device
• To contact you with information about products or services similar to those you have previously purchased (existing customers only, soft opt-in basis)
• To send marketing communications where you have consented to receive them
• To send SMS cart reminders where you have provided your phone number and abandoned a cart
• To allow you to participate in loyalty programmes, competitions, and interactive features
• To prevent fraud, misappropriation, identity theft, and other misuse
• To collect fees and debts
• To comply with applicable law and assist law enforcement where required
• To take action in the event of any dispute or legal proceedings
• To carry out business analysis and improve our product range (including via AI tools — see Section 6)
 
We do not make any decisions that produce a significant legal or similarly significant effect on you using solely automated means. Our AI tools are used for internal business analysis only. If this changes, we will update this policy and notify you where required.

5. Partners & Data Sharing

To fulfil our contract with you and operate our services, we share your data with the following categories of third parties. All partners are contractually required to handle your data securely and in accordance with UK data protection law.
Delivery & Fulfilment
DPD, Royal Mail, Evermile or similar: We share your name, delivery address, and contact details to arrange delivery of your order. These carriers act as independent Data Controllers for logistics purposes.
Third-Party Fulfilment Partners (e.g., Freddie's Flowers): Where a product is dispatched by a third-party partner, we share your delivery details solely to fulfil that order. These partners are strictly prohibited from using your data for their own marketing without your separate, explicit consent.
Marketing & Loyalty
Klaviyo (or a similar email and SMS marketing platform): Email and SMS marketing, personalisation, and abandoned cart reminders. Our email and SMS marketing platform processes data as our Data Processor.
Rivo (or a similar loyalty platform): Management of our "Squidge Society" loyalty rewards programme. See loyaltylion.com/privacy for details on how Rivo stores your data.
Nosto (or a similar personalisation platform): Personalised product recommendations on our website.
Rakuten Advertising (or a similar affiliate marketing platform): Affiliate marketing and advertising analytics. See rakutenadvertising.com/legal-notices/services-privacy-policy/ for full details. To submit a privacy rights request visit: rakutenadvertising.com/legal-notices/services-privacy-rights-request-form
Gift Recipients & Corporate Gifting Many of our customers purchase on behalf of someone else, including individual gift buyers and corporate clients sending gifts to multiple recipients. Where you provide us with the personal data of a recipient (such as their name, delivery address, email address, or phone number), that information is used solely to fulfil and deliver that specific order.
By providing a recipient's personal data to us, you confirm that you have the right to do so and that the recipient would reasonably expect their details to be used for the purpose of receiving a delivery.
Recipient data may be shared with our delivery partners (such as DPD, Royal Mail, and Evermile) for the sole purpose of fulfilling the delivery. Depending on the delivery method selected by the buyer, recipients may receive delivery notifications directly from our courier partners. We may also use recipient contact details if a problem arises with an order (for example, a failed delivery or query about the shipment).
We do not use recipient personal data for marketing purposes without their separate and explicit consent. Recipient data is retained for as long as is necessary to fulfil the order and resolve any related queries, and in line with our legal obligations, in practice this aligns with our standard order record retention period.
For corporate gifting clients providing lists of multiple recipients, the corporate client is responsible for ensuring they have the right to share recipient details with us for this purpose. We will process those details solely to fulfil the agreed order and will not use them for any other purpose without express authorisation.
Website & Analytics
Google Analytics: Website traffic analysis and UX improvement. Uses anonymised and aggregated data. You may opt out via the Google Analytics Opt-Out Browser Add-On at tools.google.com/dlpage/gaoptout.
SMS Abandoned Cart Reminders
This website uses cookies to track items in your shopping cart, including when you have abandoned your cart. This information may be used to send cart reminder messages via SMS. We will not share your SMS opt-in or consent status with any third party for purposes unrelated to providing this messaging service. We may share this data only with platform providers and carriers involved in delivering text messages.
Social Networking & User-Posted Content
Information that you post via social networking (such as Facebook and Instagram) is generally accessible to, and may be collected by, others and may result in unwelcome communications. For your own safety and security you should not provide information about yourself on the aforementioned areas of our site or via social networking.
If you disclose any information via social networking, we do not accept any responsibility or liability for any breach of privacy, loss, damage, effect on your reputation or otherwise whatsoever.
Group Companies & Legal Disclosure
We may disclose your personal data to any member of our group (our subsidiaries, ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006), in the event of a business sale or acquisition, or where required by law, court order, or to protect our legal rights.
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our website Terms & Conditions of supply and other agreements; or to protect the rights, property, or safety of Cutter & Squidge Limited or any group entity, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.
If Cutter & Squidge Limited or any group entity or substantially all of its assets are acquired by a third party, personal data held by it about its customers will be one of the transferred assets.

6. AI & Advanced Analytics

We use artificial intelligence and advanced analytics tools to support our internal business operations. The tools we currently use include:
Google Gemini: Business data analysis (e.g., sales trend analysis, product range decisions).
Anthropic Claude: Business data analysis and operational support tasks.
We use only Enterprise-grade tiers of these services, under which your data is processed in isolated environments and is never used to train public AI models. Our lawful basis for this processing is Legitimate Interests (business analysis and product improvement). AI tools are not used to make automated decisions that have a significant legal effect on you.


7. Cookies & Tracking

Our website uses cookies and similar technologies (including pixel tags and web beacons/GIFs) to distinguish you from other users, improve your experience, and for the purposes described in this policy.

Types of Cookies We Use
Strictly Necessary: Essential for the website to function (e.g., shopping cart). These cannot be disabled and no consent is required.
Session: Temporary cookies that expire when you close your browser. They remember your preferences during a single visit.
Persistent: Remain on your device after you close your browser. They recognise you as a returning visitor and help us improve our services.
Analytics: Set by Google Analytics to collect statistical information about site usage. This data does not identify you individually.
Marketing & Personalisation: Used by our marketing, personalisation, and affiliate partners (currently including Klaviyo, Nosto, Rakuten, and Rivo) to personalise content, display relevant advertising, and track marketing effectiveness.
Managing Cookies
In accordance with UK ICO guidance, we obtain your consent before placing non-essential cookies. You may update your cookie preferences at any time via our cookie consent banner. You can also manage or delete cookies through your browser settings — note that disabling cookies may limit certain site functionality.
To prevent Google Analytics tracking, install the Google Analytics Opt-Out Browser Add-On at: tools.google.com/dlpage/gaoptout
IP Addresses
We may collect your IP address and browser information for system administration purposes. This data is statistical and used to improve user experience — it does not, by itself, identify you as an individual.

8. Retention Periods

We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by law:

Order & transaction records: 6 years from transaction date (HMRC legal obligation).
Gift recipient data: Retained for as long as necessary to fulfil the order and resolve any related queries, in line with our legal obligations. In practice this aligns with our standard order record retention period.
Customer account data: Duration of your account, plus 2 years after account closure or last purchase.
Marketing data: Until you unsubscribe or withdraw consent, or after 2 years of inactivity.
Product preference data: Retained only for the duration necessary to fulfil your order, then deleted.
Correspondence records: Up to 3 years.
Technical / cookie data: As set by individual cookies; typically 13 months for analytics.
 
We reserve the right to retain data beyond these periods where we reasonably believe it may be required to defend a future legal claim.

9. International Data Transfers

The data we collect may be transferred to and stored at a destination outside the United Kingdom. It may also be processed by staff operating outside the UK who work for us or for one of our suppliers.

EU/EEA (Shopify): Protected by UK Adequacy Regulations (EU Adequacy Decision).
United States (Klaviyo, Rivo, Nosto, Google, Anthropic, and similar platforms we may use): Protected by the UK-US Data Bridge (UK Extension to the Data Privacy Framework) or Standard Contractual Clauses where applicable.
Other countries (delivery partners): Protected by UK International Data Transfer Agreements (IDTAs) or equivalent UK Standard Contractual Clauses.
 
By submitting your personal data, you acknowledge this transfer, storage, or processing. We take all steps reasonably necessary to ensure your data is treated securely and in accordance with this privacy policy.
All information you provide to us is securely stored on our servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

10. Your Rights

Under the UK GDPR and the Data (Use and Access) Act 2025, you have the following rights in relation to your personal data. To exercise any of these rights, contact us at hello@cutterandsquidge.com. We will respond to your Subject Access Request (SAR) within 30 days (we may pause the clock if we need clarification to locate your data).

Right of Access: Request a copy of the personal data we hold about you (a Subject Access Request).
Right to Rectification: Request that we correct inaccurate or incomplete data.
Right to Erasure: Request that we delete your data ("the right to be forgotten"), subject to legal retention obligations.
Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
Right to Data Portability: Request your data in a structured, machine-readable format for transfer to another organisation (applies to data processed by consent or contract).
Right to Object: Object to processing based on Legitimate Interests, including for direct marketing. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to Withdraw Consent: Where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing.
Rights Regarding Automated Decisions: Request human intervention if you are subject to a decision made solely by automated means that significantly affects you (Article 22). We do not currently use such processing.
 
You may opt out of marketing at any time by clicking "Unsubscribe" in any email or SMS, or by contacting us directly. This does not affect our right to contact you for transactional or service-related purposes.

11. Complaints Procedure

We take data privacy seriously. If you have a concern about how we handle your personal data, complaints must be submitted in writing and sent by post to our registered address:
1. Data Complaints, Cutter & Squidge Limited, 2 Amalgamated Drive, Brentford, TW8 9EZ
2. We will acknowledge your concern within 5 working days
3. We will provide a full written response within 30 days
 
If you remain unsatisfied with our response, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO) www.ico.org.uk 0303 123 1113 Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

12. Changes to This Policy

We may update this policy from time to time. Any changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this policy periodically. Where changes are material, we will notify you by email or via a prominent notice on our website.
Your continued use of our website or services after changes are posted constitutes your acceptance of the revised policy.

13. Contact Us

Questions, comments, and requests regarding this privacy policy are welcome and should be addressed to:
Cutter & Squidge Limited 2 Amalgamated Dr, Brentford, TW8 9EZ hello@cutterandsquidge.com
Our website may contain links to third-party websites. We do not accept responsibility for the privacy practices of those sites. Please review their own privacy policies before submitting any personal data to them.
This Privacy Policy was last updated on 24 June 2026.

 

Choose a Delivery Day

Please pop in the delivery postcode below to see if we deliver this tasty product to your area, and if so on what days! Delivery cost is applied at the checkout.