Privacy Policy

Who we are

Our website address is:, we are a family run online sweet shop.

What personal data we collect and why we collect it



When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.


If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms



If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.


Ads appearing on any of our Services may be delivered by advertising networks. Other parties may also provide analytics services via our Services. These ad networks and analytics providers may set tracking technologies (like cookies) to collect information about your use of our Services and across other websites and online services. These technologies allow these third parties to recognize your device to compile information about you or others who use your device. This information allows us and other companies to, among other things, analyze and track usage, determine the popularity of certain content, and deliver ads that may be more targeted to your interests. Please note this Privacy Policy only covers the collection of information by Automattic and does not cover the collection of information by any third-party advertisers or analytics providers.

Who we share your data with

We have a long-standing policy that we do not sell our users’ data. We aren’t a data broker, we don’t sell your personal information to data brokers, and we don’t sell your information to other companies that want to spam you with marketing emails.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service, we also send your data to third party suppliers to fuffill your order.

Your contact information

If you have a question about this Privacy Policy, or you would like to contact us about any of the rights mentioned in the sections above, please contact us through our contact us page or via email at These are the fastest ways to get a response to your inquiry, but you can also contact us by telephone on 02380 200559.

Additional information


How we protect your data

We take appropriate technical and organisational measures to ensure that the information disclosed to us is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used.

We use a secure service when you make a purchase through our website, via a virtual gateway operated by PayPal and/or Stripe. Our online payment system is Payment Card Industry Data Security Standard compliant.

You should be aware that the use of the Internet is not entirely secure and although we will do our best to protect your personal data we cannot guarantee the security or integrity of any personal information which is transferred from you or to you via the Internet. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features such as encryption to try to prevent unauthorised access.

What data breach procedures we have in place


1. Purpose

Tracey’s Tempting Treats have this procedure is in place to provide a standardised response to any reported data breach incident, and ensure that data breaches are appropriately logged and managed in accordance with the law and best practice.

2. Scope

This procedure applies in the event of a personal data breach and applies to all employees of Traceys Tempting Treats and any other associated companies at all times and whether located within the physical offices or not

The document applies to all information we hold and all information technology systems utilised by us.

3. Responsibility

  • All employees/Staff, contractors or temporary employees/staff and third parties working for or on behalf of us are required to be aware of, and to follow this procedure in the event of a personal data
  • All Employees/Staff, contractors or temporary personnel are responsible for reporting any personal data breach to James Exton who’s contact details are as follows: 
  • Telephone: 02380 200559
  • Email:

4. Definition

The GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Examples include:

  • Loss or theft of data or equipment on which data isstored
  • Access by an unauthorised thirdparty
  • Sending personal data to an incorrectrecipient
  • Alteration of personal data withoutpermission
  • Loss of availability of personal data such as equipmentfailure
  • Unforeseen circumstances such as a fire orflood
  • Hackingattack
  • ‘Blagging’ offences where information is obtained by deceit for the purposes of this procedure data security breaches include both confirmed and suspected

*If you suspect a data breach or are unsure whether the incident which has occurred constitutes a data breach please refer the matter to James Exton for consideration*

5. Reporting an incident

  • Any individual who accesses, uses or manages information within our business is responsible for reporting data breach and information security incidents immediately to James Exton.
  • If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is
  • The report will include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, the nature of the information, and how many individuals are involved.

6. Next Steps

  • James Exton will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the
  • An initial assessment will be made by James Exton in liaison with relevant persons (which may include IT services) to establish the severity of the breach and who will take the lead investigating the breach (this will depend on the nature of the breach).
  • An investigation will be undertaken immediately and wherever possible within 24 hours of the breach being discovered/reported.
  • James Exton will investigate the risks associated with the breach, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to cause serious consequences.
  • James Exton will then establish whether there is anything that can be done to recover any losses and limit the damage the breach could
  • James Exton will identify who may need to be notified. The relevant procedures from those identified below will then be followed. Every incident will be assessed on a case by case basis.

7. Procedure – Breach notification data processor to datacontroller

  • Traceys Tempting Treats must report any personal data breach or security incident to the data controller without undue delay. These contact details are recorded in the Internal Breach Register (GDPR REC 4.5). Tracey’s Tempting Treats provides the controller with all of the details of the breach.
  • The breach notification should be made by email or phone
  • A confirmation of receipt of this information should be requested and made by email or phone call.

8.  Procedure – Breach notification data controller to supervisoryauthority

  • James Exton will determine if the supervisory authority (the Information Commissioner’s Office (ICO) in the UK) need to be notified in the event of a breach.

  • If the breach affects individuals in different EU countries, the ICO may not be the lead supervisory authority. We will also need to establish which European data protection agency would be the lead supervisory authority for the processing activities that have been subject to the
  • We will assess whether the personal data breach is likely to result in a risk to the rights and freedoms of the data subjects affected by the personal data breach, by conducting an investigation and/or an impact assessment. If we decide that we do not need to report the breach to the ICO we will justify and document our findings.
  • If a risk to data subject(s) is likely, We will report the personal data breach to the ICO without undue delay, and not later than 72 hours after becoming aware of the breach.
  • If the data breach notification to the ICO is not made within 72 hours, we will submit notification electronically with a justification for the breach.
  • If it is not possible to provide all of the necessary information at the same time we will provide the information in phases without undue further delay.
  • The following information needs to be provided to the supervisory authority:
    • A description of the nature of the breach
    • The categories of personal data
    • Name and contact details of James Exton.
    • Likely consequences of the breach.
    • Any measures taken to address the breach.
    • Any information relating to the data
    • Approximate number of data subjects
    • Approximate number of personal data records
  • The breach notification should be made via telephone – ICO: 0303 123 1113. Alternatively, we may choose to report it online if we are still investigating and will be able to provide more information at a later date or if we are confident that the breach has been dealt with
  • In the event the ICO assigns a specific contact in relation to a breach, these details are recorded in the Internal Breach Log.

9. Procedure – Breach notification data controller to datasubject

  • If the personal data breach is likely to result in high risk to the rights and freedoms of the data subject, Tracey’s Tempting Treats will notify those/the data subjects affected without undue delay.
  • A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO.

In any event James Exton will document their decision-making process.

  • We will describe the breach in clear and plain language, in addition to information specified in clauses 8.7.1-8.7.6
  • The data controller takes subsequent measures to ensure that any risks to the rights and freedoms of the data subjects are no longer likely to
  • If the breach affects a high volume of data subjects and personal data records, we will make a decision based on assessment of the amount of effort involved in notifying each data subject individually, and whether it will hinder our ability to appropriately provide the notification within the specified time frame. In such a scenario a public communication or similar measure informs those affected in an equally effective manner and will be considered by James Exton who’s decision will be final.
  • If we have not notified the data subject(s), and the supervisory authority considers the likelihood of a data breach will result in high risk, Traceys Tempting Treats will communicate the data breach to the data subject by telephone or email.
  • We will document any personal data breach(es) within the Data Breach Register, incorporating the facts relating to the personal data breach, its effects and the remedial action(s)

10. Documentation requirements

Internal breach register: there is an obligation for us to document each incident “comprising the facts relating to the personal data breach, its effects and the remedial action taken”.

11. Evaluation

  • Once the initial incident is contained, we will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be
  • Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents
  • The review will consider various points, including but not limited to:

  • Where and how personal data is held and where and how it is stored
  • Where the biggest risks lie, and will identify any further potential weak points within its existing measures
  • Whether methods of transmission are secure; sharing minimum amount of data necessary Identifying weak points within existing security measures
  • Staff awareness

Share this: