Privacy Policy
Last updated: 6 April 2026
We take your privacy seriously and are committed to protecting your personal data. This policy explains what we collect, why we collect it, and how we keep it safe, in plain English.
1. Who We Are
The Nutty Squirrel is a family-run business based in Trowbridge, Wiltshire, England. For the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018), we are the data controller for personal data collected through this website.
Contact: info@thenuttysquirrel.co.uk
2. What We Collect
We collect the following personal data, only when necessary:
| Data | Purpose | Legal basis |
|---|---|---|
| Name & email address | Fulfil your order, send confirmation and dispatch notifications | Contract performance |
| Delivery address | Ship your order | Contract performance |
| Phone number | Contact you about your order if needed | Contract performance |
| Payment details | Process your payment (handled directly by Stripe — we never see full card numbers) | Contract performance |
| Personalisation text | Produce your order to your specifications | Contract performance |
| Marketing preferences | Send you product updates and offers (only if you opted in) | Consent |
| Order history | Customer service, account management, legal record keeping | Legitimate interest / Legal obligation |
| Browser/session data (cookies) | Keep you logged in (admin only), basic site functionality | Legitimate interest |
We do not collect sensitive personal data (such as health or financial information beyond what Stripe needs to process payment).
3. How We Use Your Data
We use your data only for the purposes described above. Specifically:
- Order fulfilment: Processing, producing, and dispatching your order, and communicating with you about it.
- Customer support: Responding to your queries and resolving issues.
- Marketing emails: Only if you ticked the opt-in box at checkout. You can unsubscribe at any time using the link in any email, or by emailing us directly.
- Legal compliance: Retaining order and financial records as required by HMRC and other applicable laws.
We will never sell, rent, or share your personal data with third parties for their own marketing purposes.
4. Third Parties We Share Data With
We share your data only with the following trusted providers who help us run our business, and only to the extent necessary:
- Stripe, Inc. — payment processing. Your card data is handled entirely by Stripe and is never stored on our servers. Stripe is PCI DSS Level 1 certified. (See the Stripe Privacy Policy.)
- Supabase — secure cloud database where your order details and preferences are stored. Data is held in EU data centres and is encrypted at rest and in transit. (See the Supabase Privacy Policy.)
- Royal Mail — your name and delivery address are shared to ship your order. Royal Mail is subject to its own data protection obligations.
All third-party providers are required to handle your data in accordance with UK data protection law.
6. How Long We Keep Your Data
We retain personal data for as long as necessary:
- Order data: 7 years, as required by HMRC for financial record keeping.
- Marketing preferences: Until you withdraw consent or we close our business.
- Customer accounts: Until you request deletion (subject to any legal retention obligations above).
When data is no longer needed, it is securely deleted or anonymised.
7. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Ask us to delete your personal data where we have no lawful reason to retain it.
- Restriction: Ask us to stop processing your data in certain circumstances.
- Portability: Receive a copy of your data in a structured, machine-readable format.
- Object: Object to processing based on legitimate interests, including direct marketing.
- Withdraw consent: Where we rely on consent (marketing emails), you can withdraw it at any time without affecting anything we've already done.
To exercise any of these rights, email us at info@thenuttysquirrel.co.uk. We will respond within 30 days.
8. Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. This includes:
- HTTPS encryption on all pages
- Encrypted storage of all data in our database (Supabase)
- Payment data handled exclusively by Stripe — we never see your full card details
- Admin access restricted to authorised staff using strong authentication
No method of transmission over the internet is 100% secure. While we take every reasonable precaution, we cannot guarantee absolute security.
9. Children
Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with their data without parental consent, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or the law. We will post any changes on this page with an updated date at the top. For significant changes, we will notify you by email if we have your address.
We recommend checking this page periodically.
11. Contact & Complaints
For any questions about this privacy policy or how we handle your data, please contact:
The Nutty Squirrel
Email: info@thenuttysquirrel.co.uk
Trowbridge, Wiltshire, BA14 7WL
If you are not satisfied with our response, you have the right to lodge a complaint with the UK's data protection regulator:
Information Commissioner's Office (ICO)
ico.org.uk · 0303 123 1113
