Privacy Policy

We collect very little, store it carefully, and never sell it. This policy explains what we hold, why, and what you can do about it.

Last updated · 3 May 2026

1. Who we are

The Sourdough Hub ("we", "us", "our") is a small business based in Frome, Somerset. We sell sourdough starter kits and related products, both directly through our website and to a small number of partners. For the purposes of UK data protection law, we are the data controller for the personal information we process about you.

Our trading address is The Sourdough Hub, Frome, Somerset, BA11. You can reach us at hello@thesourdoughhub.co.uk.

2. What we collect

We try hard to collect only what we genuinely need. Concretely, that's:

  • Order information — your name, delivery address, billing address, email, phone number (optional), and the items you ordered.
  • Payment information — we don't see or store your card number. Payment is processed by Shopify Payments and, where applicable, PayPal, Apple Pay, Google Pay, Klarna or Shop Pay. We receive a token confirming the payment succeeded and the last four digits of the card.
  • Account information — if you create an account, we store your email and password (hashed). You don't need an account to order.
  • Customer service correspondence — the messages you send us, the order numbers they relate to, and our replies.
  • Marketing preferences — whether you've subscribed to our newsletter and what categories of email you've consented to.
  • Website usage — basic analytics about how the site is used: pages viewed, devices, approximate location based on IP, referring source. We do this through Shopify's first-party analytics and Google Analytics 4 (with IP anonymisation enabled).
  • Cookies and similar technologies — described in our Cookie Policy.

3. Why we use it

We use your information for the following purposes:

  • To take, fulfil, deliver and account for your order.
  • To answer your customer service questions and resolve any issues with your order.
  • To send you transactional messages (order confirmation, dispatch notification, delivery updates).
  • To send you marketing emails — only if you've opted in. You can unsubscribe at any time from the link at the bottom of every email.
  • To improve our website, products and customer experience based on aggregated, anonymised analytics.
  • To detect, prevent and respond to fraud, payment disputes, and abuse.
  • To comply with our legal obligations — principally HMRC tax records, consumer protection law, and our duties under UK GDPR.

We process your personal data on one of the following legal bases:

  • Contract — processing your order, taking payment, delivering goods, and dealing with returns are all necessary to perform the contract you entered into when you placed an order.
  • Legitimate interest — we rely on this for fraud prevention, basic site analytics, securing our infrastructure, and contacting customers about issues with orders. We've considered the impact on you and we believe these uses are reasonable, expected, and not intrusive.
  • Consent — we rely on consent for marketing emails, non-essential cookies, and any optional data we ask for. You can withdraw consent at any time without affecting any prior processing.
  • Legal obligation — we must keep certain records for tax, accounting and consumer protection purposes.

5. Who we share it with

We do not sell your data. Ever. The categories of organisation we share data with are:

  • Shopify Inc. — our e-commerce platform. Shopify processes orders, hosts our site, and provides the underlying admin and payment infrastructure.
  • Shipping carriers — principally Royal Mail and Evri (formerly Hermes), who need your name, delivery address and a reference to deliver your kit.
  • Email service provider — Klaviyo, who sends our newsletter and transactional emails.
  • Payment processors — Shopify Payments (powered by Stripe), and any alternative provider you select at checkout (PayPal, Klarna, Apple Pay, Google Pay, Shop Pay).
  • Accountants — our accountancy firm, who may see invoice-level data as part of preparing our books.
  • Authorities and lawyers — if we're legally required to disclose information (for instance, in response to a court order) or if we genuinely need legal advice about a matter.

All of these parties are bound to handle your data only for the purposes we instruct, in accordance with UK GDPR or its equivalent in their jurisdiction.

6. How long we keep it

The general rule: only as long as we need it.

  • Order records — six full tax years after the year of order, as required by HMRC.
  • Customer service messages — three years from the last message, then deleted.
  • Marketing email subscriptions — until you unsubscribe, after which we keep a minimal suppression record (your email and the fact you've unsubscribed) so we don't accidentally contact you again.
  • Account data — until you ask us to delete it, or three years after your last login, whichever is sooner.
  • Analytics — aggregated, non-identifying data is kept for up to 26 months, after which it's reset.

7. Your rights

Under UK GDPR you have the right to:

  • Be informed about how we process your data — this policy is part of how we meet that obligation.
  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data (the "right to be forgotten"), subject to our overriding legal obligations.
  • Restrict our processing while you contest its accuracy or our legal basis.
  • Object to processing based on legitimate interest, including profiling.
  • Data portability — receive a copy of your data in a structured, commonly used format.
  • Withdraw consent at any time where consent is the basis for processing.
  • Complain to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113 if you think we've handled your data incorrectly. We'd appreciate the chance to fix it first — but you don't have to come to us before going to the ICO.

To exercise any of these rights, email hello@thesourdoughhub.co.uk. We'll respond within one calendar month, and will not charge you a fee for ordinary requests.

8. International transfers

Some of the services we use (Shopify, Klaviyo, Stripe, Google Analytics) involve transferring data outside the UK — principally to the United States, Ireland and Canada. Where we do this, we rely on:

  • Adequacy decisions made by the UK government, where they exist (currently the EEA, and a UK-US Data Bridge for certified US recipients).
  • Standard Contractual Clauses (the UK International Data Transfer Addendum) where adequacy isn't available.

9. How we protect your data

We use industry-standard practices to protect your information:

  • HTTPS encryption on every page of our website.
  • PCI-DSS compliant payment processing — we never see or store full card numbers.
  • Two-factor authentication on all admin accounts that hold customer data.
  • Strict access controls — only the people who need access to a particular type of data have it.
  • Regular review of suppliers and their security practices.

If we ever discover a data breach that puts your rights or freedoms at risk, we'll notify the ICO within 72 hours and contact affected individuals directly.

10. Changes to this policy

We'll update this policy when our practices change, when the law changes, or when we use new services. The "last updated" date at the top reflects the latest version. For material changes, we'll notify subscribers by email and post a prominent notice on the site for at least 30 days.

11. How to contact us

If you have any questions about this policy, your data, or anything else — we genuinely want to hear from you.

The Sourdough Hub
Frome, Somerset, BA11
United Kingdom

Email: hello@thesourdoughhub.co.uk
Response time: within one working day for general queries; within one calendar month for formal data subject requests.