1. Privacy Policy Overview
This Privacy Policy explains how your personal data is collected, used and protected when you interact with Chunk through our website, ordering systems, customer service channels and marketing communications.
We operate two specialist bakeries under one Chunk of Devon brand:
• Chunk Original – Ottery St. Mary
• Chunk Gluten Free – Honiton (formerly Baked to Taste)
Although these operate under the Chunk brand, they are run by two separate limited companies.
2. Who We Are (Data Controllers)
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the “Data Controller” is the organisation responsible for deciding how and why your personal data is processed.
Chunk is operated by the following separate legal entities:
2.1 Chunk of Devon Ltd
Responsible for personal data collected in relation to Chunk Original orders, customer enquiries and related services.
2.2 Gluten Free Bakers Ltd
Responsible for personal data collected in relation to Chunk Gluten Free orders, customer enquiries and related services (including customers who previously purchased from Baked to Taste).
2.3 Working together under the Chunk brand
Because Chunk Original and Chunk Gluten Free operate under one shared brand experience (including mixed baskets and shared customer service), your personal data may be used by either or both legal entities where necessary to:
- Manage orders and fulfilment
- Provide customer service and resolve issues
- Run shared customer accounts and systems
- Manage payments and deliveries
- Send operational communications
- Maintain business reporting and administration
In these situations, Chunk of Devon Ltd and Gluten Free Bakers Ltd act as separate Data Controllers in respect of the personal data each entity uses.
If you would like to confirm which entity is responsible for your personal data in a particular situation, please contact us using the details on our website Contact page.
3. The Data We Collect
We only collect the information needed to run our services, process orders and provide customer support.
3.1 Information you provide directly
- Name
- Billing and delivery addresses
- Email address
- Phone number
- Order details
- Payment details (card details are handled securely by our payment provider)
- Customer service messages
- Online account information (if you create an account)
3.2 Information collected automatically
When you use our website, we may collect:
- IP address
- Device and browser details
- Pages visited and time spent
- Shopping behaviour (such as items viewed or added to basket)
- Cookie data (see our Cookie Policy)
3.3 Special category data
We do not request or store special category personal data.
If you voluntarily share dietary or allergy information (for example in a message to customer services), it will only be used to respond to your enquiry or support your order.
4. How We Use Your Data
We use your personal information to:
- Process and fulfil orders
- Manage payments and deliveries
- Contact you about order updates or problems
- Provide customer support
- Operate and improve our website
- Prevent fraud and maintain security
- Meet legal and regulatory obligations
- Send marketing communications (where permitted)
We do not use personal data for purposes that are incompatible with those listed above.
5. Our Lawful Bases for Processing
Under UK GDPR, we rely on the following lawful bases:
5.1 Contract
We process your data to fulfil our contract with you, including:
- Processing orders
- Delivering purchases
- Managing payments
- Handling returns, issues and customer service
5.2 Legitimate interest
We process your data where it is necessary for our legitimate interests, including to:
- Improve the website and services
- Analyse purchasing behaviour and product performance
- Maintain site security and prevent misuse
- Manage operations and service standards
- Communicate essential service updates (non-marketing)
We ensure these interests do not override your rights and freedoms.
5.3 Consent
We rely on consent for:
- Marketing emails
- Optional cookies
You can withdraw consent at any time.
5.4 Legal obligation
We process personal data where required to:
- Comply with accounting and tax laws
- Meet regulatory requirements
- Respond to lawful requests from authorities
6. Marketing Communications (PECR)
We only send marketing emails when we are legally permitted to do so under the Privacy and Electronic Communications Regulations (PECR).
6.1 When we send marketing emails
We will send marketing emails if:
- You opted in to marketing at checkout, or
- You subscribed to our mailing list voluntarily
6.2 Legacy Baked to Taste customers
If you previously purchased from or subscribed through Baked to Taste, your data may still be held and used by Gluten Free Bakers Ltd, and marketing communications may be sent under the Chunk Gluten Free branding while remaining issued by Gluten Free Bakers Ltd as the responsible legal entity.
6.3 Chunk marketing going forward
New customer marketing preferences may be collected under the Chunk brand. Where this is the case, marketing may be sent by:
- Chunk of Devon Ltd, and/or
- Gluten Free Bakers Ltd
The sender will depend on the products you purchase, the bakery you order from, and your preferences.
6.4 Personalised marketing and preferences
Where permitted, we may tailor marketing communications based on:
- Your stated preferences (for example, gluten free preference)
- The content of your basket or your order history
- Your interaction with our emails (for example opens/clicks)
- Cookie-based analytics (where you have accepted optional cookies)
You can opt out at any time.
6.5 Opting out
You can unsubscribe from marketing at any time by:
- Clicking the unsubscribe link in our emails, or
- Contacting us via our Contact page
We do not sell or provide your personal details to third parties for their marketing purposes.
7. Who We Share Your Data With
We only share personal data with trusted third parties where needed to operate our services.
7.1 Delivery partners
Delivery partners receive necessary information such as your name, delivery address and contact details.
7.2 Payment providers
Payments are processed using secure payment systems. We do not store full card details.
7.3 Technical service providers
We may share data with service providers supporting:
- Website hosting
- Email platforms
- Analytics tools
- Security and IT services
- Order management systems
These providers act under contract and only process data as instructed.
7.4 Regulators and legal bodies
We may share information when legally required.
We do not sell personal data.
8. International Transfers
Where personal data is processed outside the UK, we ensure suitable safeguards are in place, including:
- UK-approved Standard Contractual Clauses
- Adequacy decisions
- Contractual and technical protections
Where possible, we prefer UK or EU data centres.
9. How Long We Keep Your Data
| Data Type | Retention |
| --- | --- |
| Order data | 6 years (legal requirement) |
| Customer service messages | 12–24 months |
| Online account data | while the account remains active |
| Marketing data | until you unsubscribe |
| Analytics data | anonymised / short retention |
Data no longer needed will be securely deleted or anonymised.
10. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion (where legally allowed)
- Restrict processing
- Object to processing (including direct marketing)
- Request data portability
- Withdraw consent (marketing and cookies)
To exercise your rights, please contact us using our Contact page.
You may also contact the Information Commissioner’s Office (ICO) if you believe your data has been handled incorrectly.
11. Cookies & Analytics
Our website uses cookies to:
- Keep the site functioning
- Remember your basket
- Improve website performance
- Understand how visitors use the site
- Support optional personalisation and targeting
Our Cookie Policy explains cookie categories and matches the choices available in our cookie banner.
12. Data Security
We take reasonable steps to protect your personal data, including:
- SSL encryption
- Secure servers and firewalls
- Limited-access systems
- Staff training and confidentiality controls
- Reputable third-party processors
- Regular security reviews
No online system is completely risk-free, but we take active steps to reduce risk.
13. Children’s Data
We do not knowingly collect personal data from individuals under 16.
If you believe a child has provided personal data, please contact us so we can remove it.
14. Trade Customers (Wholesale / B2B Accounts)
Trade customer personal data may be processed differently due to the nature of business operations.
14.1 Information collected for trade accounts
- Business name and trading name
- Delivery addresses
- Business contact details
- VAT or registration number
- Named contacts
- Order history
- Account and credit status
- Delivery access information
14.2 Ordering & payment
There are two types of trade ordering:
Online trade orders (card-only)
• online trade orders must be paid at checkout by card
• credit terms cannot be used for online orders
Credit accounts (phone/email orders)
• credit terms require direct application
• credit may be offered depending on order levels and checks
• credit orders are placed by phone/email
14.3 Lawful basis
Trade data is processed on the basis of:
- Contract
- Legitimate interest
- Legal obligation
- Consent (where marketing is sent to personal email addresses)
14.4 Credit checks
If applying for credit, information may be shared with approved credit agencies solely for assessment.
14.5 Retention
Trade data may be held for 6–7 years due to financial and regulatory obligations.
14.6 Rights
Trade contacts have the same rights as consumer customers.
15. Changes to This Policy
We may update this policy from time to time to reflect legal changes or improvements to our services.
The latest version will always be available on our website.
16. Contact Us
For questions about this Privacy Policy or to exercise your data protection rights, please contact us via our Contact page.
You may also contact the Information Commissioner’s Office (ICO) if you believe your personal data has not been handled correctly.