Privacy Policy
Last updated: 12 May 2026
The Cottage Bakery takes your privacy seriously. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
The Cottage Bakery is the data controller for personal information collected through this website and our services. As data controller, we determine how and why your personal data is processed.
Registered company name: The Cottage Bakery (Ampthill) Limited
Trading as: The Cottage Bakery
Telephone: 01525 402348
Email: sales@thecottagebakery.uk
Website: www.thecottagebakery.uk
Location: Bedfordshire, United Kingdom
2. What Personal Data We Collect
Contact and enquiry forms
When you use our contact form or send a wholesale or general enquiry, we collect your first name, last name, email address, enquiry type, and the content of your message.
Buffet order requests
When you submit a buffet order enquiry, we collect your name, email address, telephone number, event type, event date, number of guests, and the products you have selected.
Newsletter subscriptions
When you subscribe to our newsletter, we collect your email address, the date and time you gave consent, and your IP address (retained for audit and anti-abuse purposes). We use a double opt-in process: you will receive a confirmation email and must click the link before being added to the mailing list.
Job applications
If you submit a job application through our website, we collect your name, email address, and any information you include in your application.
Cookies and technical data
Our website uses strictly necessary cookies to keep the site functioning correctly. No tracking or analytics cookies are currently set for standard website visitors. Please see our Cookie Policy for full details.
3. Our Legal Basis for Processing
We process your personal data under the following lawful bases:
- Legitimate interests (Article 6(1)(f)): responding to contact and buffet enquiries, processing job applications, and running our business. Our legitimate interest is to communicate with customers and potential employees. We have assessed that our interests do not override your rights and freedoms.
- Consent (Article 6(1)(a)): sending our newsletter. You may withdraw your consent at any time by clicking the unsubscribe link in any newsletter email, or by contacting us directly.
- Legal obligation (Article 6(1)(c)): retaining certain records for tax, accounting, and food safety compliance purposes as required by UK law.
4. How We Use Your Data
- To respond to your enquiries and provide the services you have requested.
- To send our newsletter to subscribers who have given explicit consent.
- To process and fulfil buffet orders and wholesale enquiries.
- To maintain business records of transactions and communications.
- To consider you for employment where you have submitted an application.
- To improve the performance and usability of our website using anonymised data.
We will never use your personal data for any purpose that is incompatible with the reason it was originally collected, and we will not sell, rent, or trade your data to third parties.
5. How Long We Keep Your Data
| Data type | Retention period |
|---|---|
| Contact and enquiry submissions | 2 years from date of submission |
| Buffet order requests | 6 years (UK accounting and tax obligations) |
| Newsletter subscribers | Until you unsubscribe, then 30 days for suppression records |
| Job applications (unsuccessful) | 6 months from date of submission |
| Admin session cookies | Session duration, or up to 30 days if "stay signed in" is selected |
After these periods, data is securely deleted or anonymised.
6. Who We Share Your Data With
We share personal data only with the service providers necessary to operate our website and business. All processors are bound by data processing agreements and may only use your data as instructed by us.
- Vercel Inc. (USA): website hosting and content delivery. Transfers are safeguarded under the UK International Data Transfer Agreement (IDTA) and the EU-US Data Privacy Framework.
- Hostinger (Lithuania, EU): database hosting, file storage, and email delivery. As an EU-based processor, transfers comply with UK adequacy decisions for the EEA.
We do not share your data with any third party for their own marketing purposes.
7. International Data Transfers
Our website is hosted by Vercel Inc., which is based in the USA. Personal data processed by Vercel is safeguarded under the UK International Data Transfer Agreement (IDTA) and the EU-US Data Privacy Framework. Our database, file storage, and email delivery are handled by Hostinger, which is based in Lithuania (EU), and transfers comply with UK adequacy decisions for the European Economic Area.
8. Data Security
We take appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, disclosure, or destruction. These measures include:
- HTTPS encryption for all data in transit.
- Authentication and role-based access controls for administrative systems.
- Secure, encrypted database storage.
- Double opt-in process for newsletter subscriptions.
No method of internet transmission is completely secure. If you believe your data has been compromised, please contact us immediately.
9. Analytics and Marketing Tools
We intend to introduce website analytics and marketing tools in future, including Google Analytics and Meta Pixel. When implemented, these will only be activated with your prior consent via a cookie consent banner displayed on your first visit to this website. Until that time, no analytics or advertising cookies are placed on your device.
This policy will be updated when those tools are introduced to reflect how your data is used for analytics and advertising purposes.
10. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you (a Subject Access Request).
- Right to rectification: Ask us to correct inaccurate or incomplete personal data.
- Right to erasure: Request that we delete your personal data, subject to any legal retention obligations.
- Right to restriction: Ask us to pause processing of your data in certain circumstances.
- Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
- Right to object: Object to processing based on legitimate interests, including for direct marketing purposes.
- Right to withdraw consent: Where we rely on consent (such as for our newsletter), withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at sales@thecottagebakery.uk. We will respond within one calendar month. We may need to verify your identity before processing your request.
11. Changes to This Policy
We review and update this Privacy Policy periodically to reflect changes in our practices or legal requirements. The date at the top of this page shows when it was last revised. We encourage you to check back from time to time.
12. Contact and Complaints
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact us:
Email: sales@thecottagebakery.uk
Phone: 01525 402348
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
Website: ico.org.uk
Helpline: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
