Sun & Spice Ltd takes the privacy of trade buyers and their representatives seriously. This Privacy Policy explains who we are, what personal data we collect, why we collect it, how long we keep it, who we share it with, and the rights you have over your data. It is written to meet our obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
If you have any question about how we handle your data, or if you wish to exercise any of the rights described in this policy, contact us at info@sunandspice.co.uk.
1. Who we are and how to contact us
1.1 Sun & Spice Ltd is the data controller for the personal data we collect through this website, through trade enquiries, sample requests, catalogue requests, and through our trading relationship with you. We are a company incorporated in England and Wales.
1.2 For the purposes of this Privacy Policy, "we", "us" and "our" mean Sun & Spice Ltd. "You" means an individual whose personal data we process, including buyers, named contacts at trade customer organisations, and visitors to our website who submit a form.
1.3 We have not appointed a statutory Data Protection Officer because our processing does not meet the criteria in Article 37 UK GDPR. The single point of contact for all data protection matters is our trade contact email above.
1.4 We aim to respond to any privacy matter within 30 days, in line with the response time set by UK GDPR for individual rights requests.
2. The personal data we collect
We collect and process the following categories of personal data:

| Category | Examples |
|---|---|
| Identity data | First and last name, job title, signature on a delivery acknowledgement |
| Contact data | Business email address, business telephone number, business postal address, address line at the delivery point |
| Business data | Trading name, registered company name, company number, VAT number, trading address, sector, products of interest, indicative volumes and supply route |
| Transaction data | Orders placed, products supplied, dispatch dates, invoice references, account balance, payment history, credit limit |
| Financial data | Bank details supplied for credit-account setup, payment references (we do not store full payment card data; payments are taken by bank transfer or BACS) |
| Marketing and communications data | Preferences for receiving marketing communications, opt-out status, communication history |
| Technical data | IP address, device identifiers, browser type and version, time zone setting, operating system, technical log information necessary for the secure operation of the site |
| Usage data | Pages of our website visited, links clicked, time on page, referring URL, where the visitor consents to analytics cookies being set |

We do not knowingly collect special category data (for example data revealing health, political opinions, religious belief, or trade union membership). If you submit any such data to us inadvertently (for example through a free-text field in a form), we delete it on identification.
We do not collect personal data relating to children. Our services are directed exclusively at business buyers who are at least 18 years of age.
3. How we collect your personal data
3.1 We collect personal data:
(a) Directly from you when you submit a form on our website, request a sample, request a catalogue, apply for a trade account, send us an enquiry, or place an order;
(b) Through the course of our trading relationship with you, including by email, telephone, or in writing, as orders, claims, queries, payments, and reorders are exchanged;
(c) From third-party sources, including publicly available business directories, Companies House, credit reference agencies (when assessing a credit account application), and from referees you have nominated;
(d) Automatically through our website, including from cookies and similar technologies as described in clause 11.
3.2 Where we obtain personal data from a third-party source, we make a record of the source and provide the information required under Article 14 UK GDPR.
4. The purposes for which we use personal data, and the lawful basis for each
Under UK GDPR we are required to identify a lawful basis for every purpose for which we process personal data. The table below lists each purpose, the categories of data involved, and the lawful basis we rely on.

| Purpose | Data categories | Lawful basis (UK GDPR Article 6) |
|---|---|---|
| Responding to trade enquiries, sample requests, catalogue requests, and questions submitted through the website or by email | Identity, Contact, Business | Legitimate interests (Article 6(1)(f)): handling pre-contract trade enquiries to grow our wholesale business |
| Assessing a trade account application, including verifying business identity and creditworthiness | Identity, Contact, Business, Financial | Legitimate interests (assessing risk before extending trade credit), and where consent has been given for a credit search, Consent (Article 6(1)(a)) |
| Performing a confirmed Order, including dispatching Goods, raising invoices, accepting payment, and providing post-sale support | Identity, Contact, Business, Transaction, Financial | Performance of a contract (Article 6(1)(b)) |
| Keeping records required by UK accounting, tax and company law | Identity, Contact, Business, Transaction, Financial | Legal obligation (Article 6(1)(c)) |
| Sending B2B marketing emails to corporate subscribers (limited companies, public limited companies, limited liability partnerships, Scottish partnerships and incorporated entities) about our products, range updates, and trade events | Contact, Marketing | Legitimate interests, with PECR opt-out provided in every message |
| Sending marketing emails to sole traders, ordinary partnerships, and named individuals at non-corporate trading entities | Contact, Marketing | Consent (Article 6(1)(a)), with PECR-compliant opt-in for the first message and opt-out provided in every message |
| Investigating service issues, dealing with claims, defending or making legal claims, and responding to regulatory enquiries | All categories as relevant | Legitimate interests (defence of legal claims), and where applicable Legal obligation |
| Improving our website, our product range, and our trade processes through aggregated and de-identified analysis of how trade buyers use our site and our services | Technical, Usage | Legitimate interests (commercial improvement), with PECR consent for any non-essential cookies that drive the analysis |
| Maintaining the security of our website and systems, including fraud prevention | Technical | Legitimate interests (security of our service) |

Where we rely on legitimate interests, we have carried out a Legitimate Interests Assessment for each purpose and concluded that our processing is necessary and does not override your rights and freedoms as the representative of a trade buyer. A summary of any such assessment is available on request.
You have the right to withdraw consent at any time where we rely on consent as the lawful basis. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
5. Marketing communications
5.1 We may send you marketing communications by email about our products, range updates, trade events, and other matters we reasonably consider relevant to your trade interests. We do this on the lawful basis set out in clause 4, distinguishing between corporate subscribers and individual subscribers in line with the Privacy and Electronic Communications Regulations 2003.
5.2 Every marketing email contains a clear unsubscribe link. You can opt out at any time by clicking that link or by emailing info@sunandspice.co.uk with "unsubscribe" in the subject line. We action opt-out requests promptly and at the latest within one month.
5.3 We do not share your contact details with any third party for that third party's marketing purposes.
5.4 Opting out of marketing does not affect transactional, contractual, or service emails relating to an order or trade account (for example dispatch notifications, claim updates, invoices, statements).
6. Who we share your personal data with
6.1 We share personal data with carefully selected categories of recipient where it is necessary for the purposes set out in clause 4.
6.2 Service providers we use as data processors under Article 28 UK GDPR (each under a written data processing agreement):
(a) Vercel Inc. (website hosting and content delivery)
(b) Shopify Inc. (product catalogue and storefront infrastructure)
(c) Resend, Inc. (transactional email delivery for order confirmations, dispatch notes, and account communications)
(d) Our accountants and bookkeepers (for financial record-keeping and tax compliance)
(e) Our IT support providers (for system maintenance and security)
6.3 Carriers and freight providers used to deliver Goods, including APC Overnight, DPD, Royal Mail, and pallet network operators. These recipients receive the minimum data needed to deliver an order (name of receiving contact, business address, contact telephone number).
6.4 Professional advisers we instruct from time to time, including legal, accounting, insurance and audit advisers, under a professional duty of confidentiality.
6.5 Credit reference agencies, where you apply for a trade credit account and have consented to a credit search. The credit reference agency keeps a record of the search.
6.6 Regulatory authorities, government bodies, and law enforcement, where we are required to disclose data by law, by court order, or to defend our legal rights.
6.7 A buyer or potential buyer of our business, or a buyer of any part of our business, where we propose to transfer the relevant part of our business. Any such recipient is bound by confidentiality obligations.
6.8 We require every processor to:
(a) provide sufficient guarantees that the processing will meet UK GDPR requirements;
(b) process personal data only on our documented instructions;
(c) keep the data confidential and secure;
(d) assist us in responding to data-subject rights requests and security incidents;
(e) return or delete the data at the end of the contract.
7. International transfers
7.1 Some of our processors are located outside the United Kingdom. Where personal data is transferred internationally, we put appropriate safeguards in place to protect it.
7.2 Specific arrangements for current processors:
(a) Shopify Inc. processes data in Canada (its primary processing location) and may onward-transfer data to the United States through its sub-processors. The UK has formally recognised Canada as providing an adequate level of data protection. Onward transfers to the United States are protected by Standard Contractual Clauses with the UK International Data Transfer Addendum.
(b) Vercel Inc. processes data in the United States and across its global edge network. Transfers are protected by the UK Extension to the EU-US Data Privacy Framework where applicable, and otherwise by Standard Contractual Clauses with the UK International Data Transfer Addendum.
(c) Resend, Inc. processes data in the United States. Transfers are protected by Standard Contractual Clauses with the UK International Data Transfer Addendum.
7.3 You may request a copy of the relevant safeguards in place by emailing info@sunandspice.co.uk.
8. Data security
8.1 We have put in place reasonable technical and organisational measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration, and destruction.
8.2 Measures we operate include:
(a) HTTPS encryption in transit for all communications between your browser and our website;
(b) restricted access to personal data on a need-to-know basis;
(c) two-factor authentication for administrative access to processor accounts;
(d) regular review of processor security practices;
(e) staff training on data handling.
8.3 No internet transmission or storage system is completely secure. While we work to protect personal data, we cannot guarantee absolute security.
8.4 If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, and we will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms, in line with Articles 33 and 34 UK GDPR.
9. How long we keep your personal data
We do not keep personal data for longer than is necessary for the purposes for which it was collected. Specific retention periods are set out below.

| Category | Retention period | Reason |
|---|---|---|
| Trade enquiries, sample requests, catalogue requests that did not result in a trade account | 24 months from your last contact with us | Legitimate interests for follow-up, then deletion or anonymisation |
| Active trade customer account and order data | Duration of the trading relationship, plus 6 years after the last transaction | Limitation Act 1980 (6-year contract claim window) |
| Invoices, VAT records, and other accounting records | 6 years after the end of the accounting period in which they were created | Companies Act 2006, VAT Act 1994, HMRC retention requirements |
| Marketing list entries | Until you opt out or for 24 months from the last engagement, whichever is the earlier | PECR and ICO direct marketing guidance, reviewed periodically |
| Website and infrastructure logs | Typically 30 days from creation | Operational security, then automatic deletion |
| Email correspondence held in our inbox | 3 years from the date of the last reply on the thread, unless retained as part of a transaction record | Legitimate interests, evidential value |
| Records of subject access requests and other rights requests | 3 years from the date the request was closed | Demonstration of compliance with UK GDPR |
| Records relating to a claim, dispute, or regulatory matter | For the duration of the matter, plus 6 years from its resolution | Limitation Act 1980 and defence of legal claims |

At the end of the retention period we securely delete or, where deletion is not technically feasible, anonymise the data so that it can no longer be linked to an identifiable individual.
10. Your rights
10.1 Under UK GDPR you have the following rights:
(a) The right to be informed about how we use your personal data. This Privacy Policy is the principal way we discharge that duty.
(b) The right of access. You can request a copy of the personal data we hold about you, free of charge unless the request is manifestly unfounded or excessive.
(c) The right to rectification. You can ask us to correct inaccurate or incomplete data.
(d) The right to erasure (the "right to be forgotten"). You can ask us to delete personal data we hold about you in defined circumstances. This right is not absolute; we may need to keep some data to meet a legal obligation (for example HMRC retention) or to defend a legal claim.
(e) The right to restrict processing. You can ask us to limit how we process your data while a complaint or objection is being resolved.
(f) The right to data portability. You can ask us to provide a copy of certain data in a structured, commonly used, machine-readable format and, where technically feasible, transmit it to another controller. This right applies only to data processed by automated means under consent or contract.
(g) The right to object. You have the right to object to processing carried out on the basis of legitimate interests, including profiling. You have an unconditional right to object to processing for direct marketing purposes.
(h) Rights in relation to automated decision-making and profiling. We do not currently carry out any automated decision-making or profiling that has a legal or similarly significant effect on you. If that changes, we will update this Privacy Policy.
(i) The right to withdraw consent at any time where we rely on consent as the lawful basis.
(j) The right to lodge a complaint with the Information Commissioner's Office (see clause 13).
10.2 To exercise any of these rights, contact us at info@sunandspice.co.uk. We will respond within one month, or, where the request is complex or we have received several requests from you, within three months (in which case we will tell you within the first month).
10.3 We may need to verify your identity before responding to a request. We do this to protect personal data against improper disclosure.
10.4 There is no fee for exercising your rights. We may charge a reasonable administrative fee, or refuse to act, where a request is manifestly unfounded or excessive, in which case we will explain our decision in writing.
11. Cookies and similar technologies
11.1 A cookie is a small text file stored on your device when you visit a website. We use cookies for two purposes only: to make the site work properly, and (where you give consent) to understand how visitors use the site so that we can improve it.
11.2 We categorise the cookies we use as follows:
(a) Strictly necessary cookies. These are required for the website to function. Examples include cookies that hold the state of the cart widget, deliver content from our content delivery network, and support secure form submission. They do not require consent under PECR.
(b) Analytics cookies. Cookies set to measure how visitors use our site (for example which pages are most read, how visitors arrive at our site). These are not strictly necessary and we set them only where you have given consent through the cookie banner.
(c) Functional cookies. Cookies that remember your preferences (for example a chosen language or palette). These are set only with consent.
(d) Marketing cookies. We do not currently set any marketing cookies. If that changes in future, we will update this Privacy Policy and obtain consent before any such cookie is set.
11.3 You can withdraw consent at any time by clicking the cookie preferences link on any page of the site, or by clearing cookies through your browser settings. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.
11.4 You can also block or delete cookies directly through your browser. Information on how to do this for the major browsers is available at aboutcookies.org. Blocking strictly necessary cookies may prevent parts of the site from working.
12. Changes to this Privacy Policy
12.1 We review this Privacy Policy at least annually, and whenever a material change to our processing requires it. The version date at the top of this page reflects the date of the most recent substantive update.
12.2 Where a change is material (for example a new processor in a third country, or a change to lawful basis), we will draw it to the attention of trade customers through a direct communication where we have an email address on file.
13. Complaints and contact
13.1 If you have a complaint about how we have handled your personal data, please raise it with us first by emailing info@sunandspice.co.uk. We aim to resolve every complaint promptly and fairly.
13.2 If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office, the UK's independent supervisory authority for data protection. Contact details for the ICO:
- Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Telephone: 0303 123 1113
- Online: ico.org.uk/make-a-complaint
13.3 We would, however, appreciate the opportunity to address your concerns directly before you approach the ICO.
