Privacy and Data Policy

Secret Cinderella Cakes believes it is important to protect your Personal Data (as defined in Chapter 1, Article 4 of the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679)) and we are committed to giving you a personalised service that meets your needs in a way that also protects your privacy. This policy explains how we may collect Personal Data about you.

  • Your privacy as a user and protection of your data are human rights.
  • We have a duty of care to the people whose data we collect and process.
  • Data is a liability; it should only be collected and processed when absolutely necessary.
  • We dislike spam as much as you do!
  • We will never sell or rent your data, and will only share your data with our third-party partners with your specific consent. Only in exceptional circumstances would your information be shared when appropriate to comply with the law, enforce our site policies or protect our or others’ rights, property or safety.


Personal information – what this website collects, when and why…

When using our contact form on our site, as appropriate, you will be asked to enter your name, email address, phone number or other details to help you with your experience and allow us to contact you with the information you have requested.


We collect information from you when you respond to a survey, fill out a form or enter information on our site. This allows us to respond to enquiries, provide you with a service or it can provide us with feedback on our products or services.


We may use the information we collect from you when you contact us, make a purchase, respond to a survey, in marketing communication, use our website, or use certain other site features, in the following ways:

  • To allow us to better serve you in responding to your customer service requests.
  • To administer a contest, promotion, survey or other site feature.
  • To quickly process your transactions.
  • To ask for ratings and reviews of services or products.
  • To follow up with you after correspondence (email or phone enquiries).

What lawful basis do we rely on to use your personal data?

The lawful bases that we rely on for processing your personal data are:

  • You have provided your consent to us using your personal data for a specific purpose. We will ask for your consent to use your personal data to send you electronic communications such as emails. You always have the right to withdraw your consent at any time.

  • It is necessary in connection with the performance of a contract with you. Sometimes it is necessary to process your personal data so that we can enter into contractual relationships with you. For example, if you wish to order a product or service, we will need to process certain information in order to provide you with that service.

  • It is necessary for compliance with a legal obligation to which we are subject. This would include, for example, where we have to retain certain records, or where we are required to disclose personal data to any regulators or law enforcement agencies.

  • It is within our legitimate interests. Applicable law allows personal data to be collected and used if it is reasonably necessary for our legitimate interests or a third party’s legitimate interests (as long as the processing is fair, balanced and does not unduly impact individuals’ rights). We will rely on this ground to process your personal data when it is not practical or appropriate to ask for your consent, and where we are confident that this will not impact your rights.

When we process your personal data to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws.

We will not use your personal data for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).

Sensitive or special category data

Secret Cinderella Cakes does not collect sensitive data from you (i.e. data on health, ethnicity, race, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, sex life or sexual orientation) unless you explicitly share this information with regard to specific aspects of a cake order, e.g. a wedding cake topper. This information is not stored or used for any purpose after the event or delivery of your order.


Your rights

  • Right to restrict processing

In certain circumstances you have a right to require us to stop processing your personal data in a particular way. You can request that we stop processing personal data about you for certain purposes at any time by contacting us at or in writing to the address at the end of this policy.


  • Right to removal

You have the right to request that your personal data is removed from our database in certain circumstances. Please email or in writing to the address at the end of this policy and inform us of what information you wish to have removed and we will action your request within 2 working days.


  • Right of access

You have a right to ask for a copy of the personal data we hold about you. If you want to access your personal data, please send a description of the personal data you want to see and proof of your identity to, data provision is free of charge.


  • Right to rectification

Secret Cinderella Cakes want to make sure that your personal data is accurate and up to date. We may check accuracy with you when processing any order information however please also let us know if your details change. You may also ask us to correct or remove personal data which is inaccurate. You can email information updates, corrections or request removals to or in writing to the address at the end of this policy.


  • Right to object

You can also opt-out of receiving all or some of our marketing communications or request that we stop processing personal data about you for certain purposes at any time by contacting us at or in writing to the address at the end of this policy.


  • Right to data portability

In certain circumstances you have a right to data portability which means we will provide you (or a third party you nominate) with your personal data in a structured, commonly used and machine-readable format.


Please note that you may only use or benefit from some of these rights in limited circumstances. For more information, we suggest that you consult guidance from the Information Commissioner’s Office (ICO) or contact us using the details below.


  • Data retention

We keep personal data for as long as there is a need to keep it in connection with the purposes for which it was collected and in accordance with our Data Retention Policy. In the event that you ask us to stop sending you marketing communications, we will retain certain details, such as your name, to help us ensure that you are not contacted again.

Website visitation tracking & Third Party Data Processors

Like most websites, this site uses Google Analytics (GA) to track user interaction. We use this data to determine the number of people using our site, to better understand how they find and use our web pages and to see their journey through the website.


Although GA records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you to us. GA also records your computer’s IP address which could be used to personally identify you but Google do not grant us access to this. We consider Google to be a third party data processor.


GA makes use of cookies, details of which can be found on Google’s developer guides. Disabling cookies on your internet browser will stop GA from tracking any part of your visit to pages within this website.


You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Since each browser is a little different, look at your browser’s Help Menu to learn the correct way to modify your cookies.

If you turn cookies off, some of the features that make your site experience more efficient may not function properly.


  • who host this site also use Mixpanel. You can opt-out of Mixpanel’s analytics service at Mixpanel Opt Out.
  • You can opt-out of FullStory’s analytics service at FullStory Opt Out.
  • JavaScript tracking: We and certain Third Party Services may employ tracking, which enables them and us to improve our Services by measuring their effectiveness and performance.


About Website server:

This website is hosted by

Yola complies with the EU–US Privacy Shield Framework and the Swiss–US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from the European Union and Switzerland and the United States, respectively. Yola has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit


Full details of and how they store data can be found here


How do we protect your information?

Our website is scanned on a regular basis for security issues and known vulnerabilities in order to make your visit to our site as safe as possible. who host the site use CloudFlare to provide DDoS protection and DNS services for the Yola Toolset, Yola Site and customer websites. CloudFlare privacy policy can be viewed on their website.


Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential.


We implement a variety of security measures when a user enters, submits, or accesses their information to maintain the safety of your personal information.

No payment details are stored as these are made directly to our bank account and we do not currently have any other form of payment service available.

Order forms, once confirmed as accurate by you the client, are used to create your order to ensure accuracy in design and detail. These are securely stored and only made available to the staff who are directly working on your order. Personal data will be removed from order forms 2 years after the order completion date. Non-identifying information such as dates, order number and cost will be stored further for accounting purposes as required by HMRC.

Data Breaches:

We will report any unlawful data breach of this website’s database or the database(s) of any of our third party data processors to any and all relevant persons and authorities within 72 hours of the breach if it is apparent that personal data stored in an identifiable manner has been stolen.

Third-party disclosure

We do not sell, trade, or otherwise transfer to outside parties your personal information unless we provide users with advance notice. The only exception to this is where an outside party needs your address to deliver an order. Currently this only happens with mail order brownies.

This does not include website hosting partners and other parties who assist us in operating our website, conducting our business, or serving our users, so long as those parties agree to keep this information confidential. We may also release information when its release is appropriate to comply with the law, enforce our site policies, or protect ours or others’ rights, property or safety.

However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses. 

Third-party links

Occasionally, at our discretion, we may include or offer third-party products or services on our website. These third-party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

Child Protection

We do not specifically market to children under the age of 13 years old. Children under the age of 16 should seek parent or guardian permission before providing their contact details.

Contacting Us

If there are any questions regarding this privacy policy, you may contact us using the information below.

Jo Wright 106 Newtown Road, Hereford, HR4 9RZ UK