Privacy Policy

Privacy Policy

Last updated: 7th October 2021


This Privacy Policy details how the Cambridge Organic Food Company Ltd (‘We’) collect, use and disclose your information when you use the service, in accordance with the General Data Protection Regulation (GDPR) and other relevant legislation. It tells you about your privacy rights and how the law protects you.

We collect information to enable us to run the best service we can. It is important to us to be transparent about why we need the personal information we collect, what we do with this information, and how we keep you and your information safe.

By using the service and providing us with your personal information, you consent to the collection and use of this information in accordance with this Privacy Policy.

Data Protection Principles

There are broad principles of data protection law that we must comply with. These principles state that the personal information we hold about you must be:

  • used lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’)
  • collected for legitimate and clearly stated purposes and not used in any way that is incompatible with those purposes (‘purpose limitation’)
  • relevant and limited to the necessary purposes we have told you about (‘data minimisation’)
  • accurate and kept up to date (‘accuracy’)
  • kept only for as long as is necessary for the purposes we have told you about (‘storage limitation’)
  • securely stored and processed (‘integrity and confidentiality’)

For the purposes of GDPR, the data controller is The Cambridge Organic Food Company Ltd.

Legal basis for collecting and processing data

The law on data protection (GDPR) sets out a number of lawful reasons for which a company can collect and use personal information. These include:

‘Contract’: it may be necessary for us to use your information to fulfil a contract or service that you have entered into. For example, it is necessary for us to use your address and payment details to process and fulfil your order, and it may be necessary for us to use your contact information to communicate details relating to your order.

‘Consent’: we may use your information to contact you for specified reasons you have consented to. For example, we may send you details of relevant offers, news, products and competitions if this is something you have agreed to. You can choose to remove this consent at any time, either by contacting us or clicking the unsubscribe link within the recieved emails.

‘Legitimate interest’: this states that use of your data is in your legitimate interest or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Types of data collected

Personal data

Personal data refers to any information about an individual from which that person can be identified. When using our service, such as by placing an order on our site, or by conversing with us over the phone or by email, we may ask you to provide us with certain personal information that can be used to contact or identify you. Personal data you give to us may include, but is not limited to:

  • First name and last name
  • Address
  • Email address
  • Phone number
  • Payment information
  • Login information
  • Other information you give to us may include shopping preferences

Usage data

We also collect usage data. Usage data refers to data collected automatically, either generated by the use of the service or from the service infrastructure itself, for example when you interact with our website.

Usage data may include information such as your device's Internet Protocol (IP) address, browser type, browser version, the pages of our service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When you access the service by or through a mobile device, we may collect certain information automatically, including, but not limited to: the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.

We may also collect information that your browser sends whenever you visit our website or when you access the service by or through a mobile device.

How we use your data

We use your data to provide a better service that is tailored to the needs and wants of our customers.

If you do not wish to share your personal data with us there may be aspects of the service we are unable to provide.

If you purchase a veg box from us for someone else, for example as a gift or competition prize, we will need to collect and use their data to process and fulfil that order. However, we will not use their data for anything other than these purposes.

If you want to change how your data is used, please see the section on ‘your rights’ below.

The following list outlines how we use your data, and the legal basis under which we can do so:

To fulfil a contract/provide our service we may use your data to:

  • process and fulfil your orders
  • process payments
  • respond to any queries and complaints
  • keep a record of your relationship with us
  • remind you of the deadline for placing a Choice order
  • let you know if you have not checked out your basket
  • let you know about changes to the service, for example if a product is unavailable
  • contact you if we think there is something unusual with your order

If you consent we may use your data to:

  • send you email newsletters to keep you informed, for example about the growers we work with and the values you are supporting
  • let you know about any competitions or events
  • inform you of new products and services you may be interested in

If there is a legitimate interest we use your data to:

  • protect our customers and site, for example from fraudulent activity.
  • send you customer feedback surveys that enable us to improve our service
  • to contact you if you permanently cancel your orders with us, in order to understand your reasons for leaving
  • to develop and improve our site and systems

Sharing your personal data

Sometimes we share your data with third parties in order to fulfil our service, if you consent to it, or if there is a legitimate interest.

We may also be legally bound to disclose your data in the following situations. This comes under an additional legal basis of ‘legal compliance’:

Business transactions: If the company is involved in a merger, acquisition or asset sale, your personal data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different Privacy Policy.

Law enforcement: Under certain circumstances, the company may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency), if we become aware of criminal activity such as fraud or non-payment, and to protect the personal safety of users of the service or the public.

We will share your data with selected business partners you consent to hear from, e.g. if you enter a competition where we have partnered with another business, and consent to receiving promotion information from them. Consent would be gained each time.

Your data may be shared with the following service providers:

For the purposes of communications and email marketing, we use Gmail and MailChimp.

We use Facebook, Instagram, Twitter and LinkedIn to show you information about our products.

Please click on the above links for more information on how these third parties control your data and the use of ads on their platforms.

We only share information with a third party that is required to perform the specified service specified. It is important to us to ensure your privacy is respected. If we stop using a third party, data will be deleted or made anonymous.

Use of external tools on our website

We have integrated tools from different companies with our website which allow us to analyse user behaviour or establish links with other websites.

For this purpose we work with the following service providers:

Google Analytics

The third-party data processor has integrated the component Google Analytics on this website (with anonymization function).

Google Analytics is a website analysis service. Website analysis refers to the collection, recording and analysis of data regarding the behavior of visitors to the website. A website analysis service records e.g. data showing from which website a data subject has come to a website (so-called referrer), which subpages of the website were accessed or how often and how long a subpage was viewed. Website analysis is used mainly for the optimization of a website and for a cost-benefit analysis of Internet adverting.

Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA, is the operator of the Google Analytics component.

Google Analytics uses cookies. The information about your use of our website generated by the Google Analytics cookie is normally transmitted to a Google server in the USA and stored there. Google might disclose these personal data collected via the technical procedure to third parties.

However, when you by activate IP anonymization on our website, Google shortens your IP address within the Member States of the European Union or in other countries that are parties to the European Marketing Area Treaty. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. Google uses this information to analyze your use of the website in order to compile a report about your website activities and provide us with other services associated with your website and Internet use. The IP address of your browser transmitted by Google Analytics is not linked to any other Google data.

This website also uses the UserID functions of Analytics in order to be able to track interaction data. This User ID is also anonymized and encrypted and is not linked to other data.

You may prevent the storage of cookies by setting your browser software accordingly, but you might then not be able to fully use all functions of our website.

You may furthermore prevent the disclosure of the data generated by the cookie which refer to the use of the website (incl. your IP address) to Google as well as the processing of these data by Google by downloading and installing the browser plug-in available under the following link:

This browser add-on notifies Google Analytics via JavaScript that no data or information about website visitors may be transmitted to Google Analytics.

Besides, a cookie left behind by Google Analytics may be erased at any time via the Internet browser or other software programs.

Additional information and the applicable privacy policy of Google may be downloaded from and from . Google Analytics is explained in more detail under this link:

Our website also uses Google Analytics performance reports by demographic factors and interests as well as reports about impressions in the Google Display Network. You may deactivate Google Analytics for display advertising and set the displays in the Google Display Network by accessing the display settings under this link:

Google Tag Manager

This website uses Google Tag Manager. This service allows you to administer so-called website tags centrally via an interface. Google Tag Manager implements only tags. No cookies are used and no personal data are collected.

Google has a suitable privacy policy for such data collection by third-party providers:

However Google Tag Manager does not access these data. If certain domains/websites or cookies were deactivated, it remains in place for all tracking tags provided that they are implemented using Google Tag Manager.

Where we keep your personal data

All data that we collect from you is stored within the European Economic Area. Your data may be stored outside of the EU where it is shared with third parties, but is still under the jurisdiction of GDPR.

All details, except for card details, are stored on our internal system, Boxmaster. This includes information such as your name, address (delivery and billing), email address and order details. The data is stored on encrypted discs on secure virtual private servers hosted by Linode LLC. All data is transmitted securely using HTTPS. This uses Transport Layer Security (TLS), which encrypts communications and transactions.

Our direct debit provider is London and Zurich, who store your card payment details. You can find their own Privacy Policy at:

Our service may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

Any sensitive information entered when making an online purchase (such as credit or debit card details) is encrypted and protected by our third-party associates. When you are on a secure page, a lock icon should appear to the right of the URL in your browser.

Non-sensitive details (such as your email address) are transmitted normally over the internet, and this can never be guaranteed to be entirely secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where you have chosen a password which enables you to access certain parts of our websites, you are responsible for keeping this password secure.

How long we keep your data for

We will retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy, or when you give consent for your account to be kept open for longer.

After your last order or delivery we will keep your details for a period of 24 months, unless you ask for us to close your account and remove your data. During this period, we may communicate with you from time to time. After this period, your data will be removed and you will no longer receive any communication from us. This means if you were to return as a customer, you would have to set up a new account.

We will retain and use your personal data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

We will also retain usage data for internal analysis purposes. Usage data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our service, or we are legally obligated to retain this data for longer time periods.

Your rights

You reserve the right to the following:

To request access to all of the information we hold about you (Article 15 GDPR, the right of access)


Write to: Unit 7 Penn Farm Studios, Harston Road, Haslingfield, CB23 1JZ

To ask us to erase all of the personal data we hold about you (Article 17 GDPR, the right to erasure/‘right to be forgotten’)


Write to: Unit 7 Penn Farm Studios, Harston Road, Haslingfield, CB23 1JZ

We have a duty to fulfil this request within one month of receipt.

To have inaccurate personal data rectified, or incomplete data completed (Article 16 GDPR, right to rectification)


Write to: Unit 7 Penn Farm Studios, Harston Road, Haslingfield, CB23 1JZ

Call: 01223873300

To ask us not to process your data for marketing purposes (Article 18 GDPR, right to restrict processing)


Call: 01223873300

Log in to your account and change your preferences under ‘Update your personal details’.

To ask us not to process your data for the purpose of our legitimate interest (Article 18 GDPR, right to restrict processing). We will action your request unless we believe the legitimate interest overrides your circumstances.


Changes to this policy

We may update this policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and we will update the ‘Last updated’ date at the top of this Privacy Policy. Where appropriate, you will be notified via email prior to the change becoming effective.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact us

If you have any questions about this Privacy Policy you can contact us:


Write to: Unit 7 Penn Farm Studios, Harston Road, Haslingfield, CB23 1JZ

Call: 01223873300

If you are unhappy with the way we have responded to your query, or are unhappy with the handling of your data, you have the right to submit a complaint to the Information Commissioner’s Office.

Cookie Policy

This site uses cookies. Cookies are text files with small pieces of data that are placed on your machine to help the site provide a better user experience. They are used to retain user preferences, store information for things like shopping baskets, and provide anonymised tracking data to third party applications like Google Analytics. Cookies are intended to make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. For more information, we suggest consulting the Help section of your browser or looking at the About Cookies website which offers guidance for all modern browsers.



Staff | Copyright ©2024 Cambridge Organic Food Co Ltd | Powered by Boxmaster®