1. Data controller
Glitch Tavern Ltd, Unit 12, Hoxton Yard, 28 Coronet Street, N1 6HD London, United Kingdom. Email: [email protected].
2. What we collect
When you order: name, shipping address, email, phone (optional), payment reference. When you browse: standard server logs (IP, timestamp, requested URL, browser user-agent), retained 7 days. When you sign up to wishlist (Signal): nothing personal — it lives in your PHP session cookie only.
3. Legal basis (UK GDPR Article 6)
- Contract performance — Article 6(1)(b) — your order is a contract; we need your address to ship it.
- Legal obligation — Article 6(1)(c) — HMRC requires us to retain invoices for 6 years.
- Legitimate interest — Article 6(1)(f) — fraud prevention, server logs, basic site analytics (no profiling).
4. Sharing
Order data goes to: Stripe (card processor, EU/UK datacentres) and PayPal (where chosen) for payment, and Royal Mail for parcel delivery. We do not sell or rent data to anyone.
5. Retention
Order records: 6 years (HMRC requirement). Server logs: 7 days. Wishlist session: until you close the browser or 30 days max.
6. Your rights (UK GDPR Articles 15–22)
You can request access, rectification, erasure, restriction, portability and object to processing. Send requests to [email protected]. We respond within 30 days.
7. Complaints
You can complain to the UK Information Commissioner's Office at ico.org.uk. We'd appreciate the chance to fix it first — email us before going to the ICO.
8. International transfers
Servers are in the UK. No data leaves the UK except: Stripe (US payment processor — covered by Standard Contractual Clauses) and Google Fonts (EU-served by default; fallback to US). Both have adequate safeguards.
9. Cookies
We use one PHP session cookie (GLITCH) for cart and wishlist. No third-party trackers. Full table on the Biscuits page.
Last updated: 09 Jun 2026
