GDPR Policy

How we comply with the UK General Data Protection Regulation. This sits alongside our Privacy Policy and goes into more detail on our internal practices.

Last updated · 3 May 2026

1. Our position on data

We hold the minimum amount of personal data we need to run a small business. We have never knowingly sold, shared, or monetised customer data outside of fulfilling orders, and we never will. The principles set out in Article 5 of the UK GDPR — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability — are not aspirations for us. They are the operating standard.

2. Roles and responsibilities

The Sourdough Hub is the data controller for the personal data of our customers, newsletter subscribers, and people who contact us. Our founder, Clara Ashworth, is responsible for data protection across the business. Because of our size, we are not legally required to appoint a designated Data Protection Officer (DPO), but the responsibilities of that role are owned by Clara directly.

Operational data handling is performed by Tom Ashworth (operations) and James Pryor (customer care). Both have been trained on our data handling rules and renew that training annually.

3. Lawful bases we rely on

For every piece of processing we do, we have identified a single, specific lawful basis under Article 6 of the UK GDPR. The mapping is:

Activity                                                | Lawful basis
--------------------------------------------------------|------------------------------
Processing orders, taking payment, delivering goods     | Contract
Customer service correspondence about an order          | Contract / legitimate interest
Sending marketing emails                                | Consent
Site analytics (anonymised)                             | Legitimate interest
Fraud prevention and detection                          | Legitimate interest
Tax records, accounts, statutory reporting              | Legal obligation

Where consent is the basis, we treat it as it should be treated — freely given, specific, informed, unambiguous, and revocable. We never use pre-ticked checkboxes. Withdrawing consent is as easy as giving it.

4. Data minimisation in practice

We have explicitly chosen not to collect data we don't need:

  • We don't ask for date of birth.
  • We don't ask for gender or pronouns at checkout.
  • We don't profile customers for any purpose.
  • We don't track customers across sites.
  • We don't run remarketing or behavioural advertising.
  • We don't share email addresses with social media platforms or advertising networks.

5. Special category data

We do not knowingly collect or process special category data — that is, data relating to race or ethnic origin, political opinions, religious beliefs, trade union membership, genetics, biometrics, health, or sexual orientation — in the ordinary course of our business. If a customer voluntarily shares such data with us (for example, to explain a dietary requirement), we treat it with extra care and delete it as soon as it has served its purpose.

6. Children's data

Our products are not designed for, marketed to, or sold to children. Accounts on our site are restricted to people aged 16 or over. If we become aware we hold data on a child without proper consent, we'll delete it.

7. Records of processing activities

We maintain a record of processing activities (RoPA) covering each category of data we process, why we hold it, where it lives, who we share it with, and how long we keep it. This document is reviewed at least annually and made available to the Information Commissioner's Office on request, as required by Article 30(1).

8. Data Protection Impact Assessments

We complete a written Data Protection Impact Assessment (DPIA) before introducing any new processing that is likely to result in a high risk to the rights and freedoms of individuals — for example, before adopting a new analytics tool or changing the way we market. To date, no processing we conduct has triggered the prior consultation requirement under Article 36.

9. Subject access and data subject rights

You have a complete set of rights under UK GDPR, set out in our Privacy Policy. Internally:

  • Subject access requests are handled within one calendar month, free of charge for ordinary requests.
  • If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse — but only with a written explanation and notice of the right to complain to the ICO.
  • We verify the identity of the requester proportionately. We won't ask for ID where the request can be authenticated by reply to the email address we already hold for an account.
  • We log the request, the response, and the resolution. The log is reviewed annually for trends.

10. Data breach response

If we discover a personal data breach — that is, accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data — we follow this procedure:

  1. The breach is logged immediately. The log records what happened, when, what data was affected, and the categories and approximate number of people affected.
  2. We assess the risk to the rights and freedoms of individuals using the ICO's risk assessment framework.
  3. If the risk is non-negligible, we notify the ICO within 72 hours of becoming aware (Article 33).
  4. If the risk is high, we also notify affected individuals directly without undue delay (Article 34), in plain language, with practical advice on protective steps.
  5. We conduct a post-incident review within 14 days and act on the lessons.

11. Suppliers and processors

Where we engage a supplier who processes personal data on our behalf, we put in place a written data processing agreement that meets the requirements of Article 28. Our principal processors are Shopify, Klaviyo, Stripe, Royal Mail and Evri. We assess each one for security, legal basis for any international transfers, and ability to support our compliance with subject rights.

12. International transfers

Where data is transferred outside the UK, we rely on:

  • UK adequacy decisions (currently the EEA and certified US recipients under the UK-US Data Bridge).
  • The UK International Data Transfer Addendum to the EU Standard Contractual Clauses, where adequacy is unavailable.

We document the basis of every international transfer in our RoPA.

13. Training and accountability

Every member of the team completes data protection training annually. New starters complete it within their first week. Training is recorded and signed off. Our internal data handling guide is reviewed each January.

14. Review of this policy

This GDPR policy is reviewed at least annually. The most recent review date is shown at the top.

15. Contact and complaints

For all GDPR matters, please email hello@thesourdoughhub.co.uk. If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office at ico.org.uk.