Privacy Notice

Customer Privacy Notice – Carib and Co Brunch Community Interest Company

  1. Introduction

This Privacy Notice explains in detail the type’s of personal data we may collect about you when you interact with us or access our services. It also explains how we’ll store and process that data and how we’ll keep it safe.

  1. What is Carib and Co Brunch?
  • Carib and Co Brunch was established in 2021 as a Community Interest Company in England and Wales.
  • Carib and Co Brunch
  • Provides an array of activities, workshops and training that aims to benefit the local community, local schools and training organisations. Practitioners in education, health, social care and finances will receive information, training and learning opportunities about mental health and well-being, teaching and safeguarding, special needs and disabilities, financial and mortgage education.
  • In addition, the organisation facilitates a strong platform for small businesses and creative practitioners in arts, fashion, music and financial education to showcase their excellence; thus creating networking in growth.
  • This in turn benefits the local people and local economy through the provision of employment, work experience opportunities and raising money to support local youth development work; whilst also acting as a social community hub for local people.
  • Carib and Co Brunch also provides educational audios, videos, blogs and books that aims to benefit the local community with cultural, financial and mortgage education whilst also promoting people’s experience of current issues such as mental health, covid-19, relationships and financial issues.
  • For simplicity throughout this notice, ‘we’ and ‘us’ means Carib and Co Brunch CIC.
  1. Explaining the legal bases we rely on

The General Data Protection Regulation sets out a number of different reasons for which an organisation may collect and process your data. These include:


In specific situations, we can collect and process your data with your consent. For example, when you tick a box to receive email newsletters. When collecting your personal data, we’ll always make clear to you which data is necessary in condition with a particular service.

Contractual obligations

In certain circumstances, we need your personal data to comply with our contractual obligations. For example, A contract is an agreement between parties which is binding in law and therefore we will have to supply anonymised data to our commissioners who fund us to demonstrate the work we have delivered.

Legal compliance

If the law requires us to, we may need to collect and process your data. For example, we can pass on details of people involved in criminal activity affecting the organisation to law enforcement. 

Legitimate interest

In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.

For example, where processing enables us to enhance, modify, and improve the services we deliver to the community

  1. When do we collect your personal data?

We collect your personal information in a number of ways:

  • Apply to sell with us form (when an individual wants to sell their products and services on our website)
  • List your business with us (when an individual wants to list their products and services on our website)
  • Create an account on our website.
  • Become a stall vendor and exhibitor (when an individual wants to register their interest to sell their products and services at our Brunch events: pop up events, festival events, charity fundraising events, school events, training Events and in store)
  • Become a volunteer (when an individual wants to register their interest to volunteer at our Brunch events: pop up events, festival events, charity fundraising events, school events, training Events and in store)
  • Via our website through the booking form system, subscribing to email newsletters, and ‘Contact Us’ form
  • Questionnaires when first accessing our services
  • Give us some feedback.
  • Via our Carib and Co Brunch Shop website purchasing/payment form/booking form system
  1. What sort of personal data do we collect?

We collect the following personal information;

  • Name
  • Gender
  • Date of Birth
  • Billing Address
  • Delivery Address
  • Email Address
  • Telephone Number
  • Mobile Number
  • Information gathered by the use of cookies in your web browser
  • Information gathered by Google Analytics
  • Credit/debit card information when purchasing via the Carib and Co Brunch Shop website
  • Financial Data means the payment method and card association used to process your payments for your orders. We do not store or process your card details ourselves, they are processed and automatically stored via one of our contracted third party service providers. We encrypt your payment card details in your browser and securely transfer this data to our relevant third party payment provider to process a payment.
  • Transaction Data means details about transactions you have made on our website including any photographs or other details you have provided in respect of an order, the payments to and from you along with other details of products and services you have purchased from us.
  • Technical Data means details about the device(s) you use to access our website including your internet protocol (IP) address, browser type and version, location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Profile Data includes your username (email address), your login data, purchases or orders made by you, your interests, preferences, feedback and survey responses.
  • Usage Data includes information about how you use our website, products and services. This includes your browsing patterns and information such as how long you might spend on one of our webpages and what you look at and for on our website, the page that referred you to our site and the click stream during your visit to our website, page response times and page interaction information (clicks you make on a page).
  • Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.

We also collect, use and share aggregated and/or anonymised data (“Aggregated Data”) such as statistical or demographic data for analytical purposes. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, where you do not provide suitable delivery instructions to provide you with goods or services). In this case, we may have to cancel a product or service you have through us but we will notify you if this is the case at the time.

  1. How and why do we use your personal data?

We collect this information for the following purposes:

  • To protect our organisation and you from fraud and other illegal activities. (Legal compliance)
  • To comply with our contractual or legal obligations to share data with law enforcement. (Legal compliance)
  • To supply anonymised data to the commissioners who fund us to demonstrate the work we have delivered. (Contractual obligation)
  • To send you email newsletters about our services. (Consent)
  • To send you communications required by law or which are necessary to inform you about our changes to the services we provide to you. For example, updates to this Privacy Notice. These service messages do not require prior consent when sent by email or text message. If we do not use your personal data for these purposes, we would be unable to comply with our legal obligations. (Legitimate interest)
  • To enhance, modify, and improve the services we deliver to the community. (Legitimate interest)
  • To participate in research studies to evidence the benefits our service has on the people and communities it supports. (Your information will not be shared for this purpose without your consent). (Legitimate interest)
  1. How we protect your personal data
  • We know how much data security matters to all of our clients. With this in mind, we will treat your data with the utmost care and take all appropriate steps to protect it.
  • We secure access to all transactional areas of our website using ‘https’ and ‘SSL’ technology.
  • Google Analytics is committed to GDPR and the protection of the data it stores. Google Analytics is certified by the EU Privacy Shield and ISO 27001. Further information regarding how Google Analytics safeguards your data can be found here.
  • Access to your electronic personal data is password-protected and can only be accessed when on Carib and Co Brunch office premises. Copies of paper based personal information is locked away securely in our filing systems and does not leave the premises.
  • We regularly monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.
  1. How long will we keep your personal data for?
  • Whenever we collect or process your personal data, we will only keep it for as long as is necessary for the purpose for which it was collected.
  • At the end of that retention period, your data will either be deleted completely or anonymised so that it can be used in a non-identifiable way for statistical analysis and reporting to funders.

Examples of data retention periods:

  • Employee records are kept for 6 years following termination of Contract.
  • Patient/client data is kept for 7 years and then becomes anonymised for the purposes mentioned above.
  • Personal information collected in relation to children is kept indefinitely.
  1. Who do we share your personal data with?

We sometimes share your personal data with trusted third parties. When we share your data, we make sure that:

  • We provide only the information they need to perform their specific services.
  • They may only use your data for the exact purposes we specify in our contract with them.
  • We work closely with them to ensure that your privacy is respected and protected at all times.
  • If we stop using their services, any of your data held by them will either be deleted or anonymised.

Sharing your data with third parties for their own purposes:

We will only do this in very specific circumstances, for example:

  • We may be required to disclose your personal data to the police or other enforcement, regulatory or Government body, upon a valid request to do so.
  • For fraud management, we may share information about fraudulent or potentially fraudulent activity on our premises or in our systems. This may include sharing data about individuals with law enforcement bodies.

We currently share personal information with the following organisations who will process your data as part of their contracts with us:

  • Our Brands – Sellers: we will share your personal data (name, address, gender, billing address, email, telephone and mobile phone number as well as any personalisation details you’ve provided as part of your order) with a Seller with whom you have placed an order so that they can fulfil and manage your order as part of the sales process we provide under our Customer Terms and Conditions. Any order placed is deemed to be an instruction from you to share your personal data in this way. The Seller will act as an independent data controller, on a stand-alone basis, and process your personal data in accordance with their own policies and security measures. We are not responsible for protecting your information when it is under their control, but you may exercise against such Seller all of the rights which you would otherwise be able to exercise against us as set out in this Privacy Policy.

When we share your personal data with a Seller, you should be aware of the following:

  • The Seller (name and contact details) will be as identified on our site. You will be able to contact the Seller directly through our website with any questions or concerns;
  • The Seller will process your personal data (including name, address, gender, billing address, email and telephone number as well as any personalisation details if supplied by you) for the purposes identified above, namely to manage your order;
  • In all other respects, the Seller shall be responsible for treating your personal data in accordance with Data Protection Laws including in the same way that we do as set out in Sections 8, 9 and 10 below.
  • Essential Service Providers: Sometimes, other businesses give us data about you which we may need for our legitimate interests of conducting business with you and on occasion they are necessary to perform our contract with you. It usually comprises Financial Data or Transaction Data. This happens when we link through to third party payment providers. They tell us that you have paid for your products and, where relevant and/or necessary they will provide us with your Contact Data and Transaction Data. We also might engage third party contractors to provide us with technical or delivery services that are related to your account with us.
  1. Where could your personal data be processed?

The data Carib and Co Brunch collects is processed and stored exclusively within the United Kingdom.

  1. What are your rights over your personal data?

You have the right to request:

  • Access to the personal data we hold about you, free of charge in most cases.
  • The correction of your personal data when incorrect, out of date or incomplete.
  • That we stop any consent-based processed of your personal data after you withdraw that consent.
  • That we stop using your personal data for direct marketing (either through specific channels, or all channels).
  • The right to request that all of your personal data is erased from our systems.

Your right to withdraw consent

Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.

If you opt out of receiving email marketing from us, we will no longer share your email address with other advertising platforms (see List of Third Party Providers). However, you may continue to see our ads through them, due to their general demographic targeting. Please check the social media, search engine or video streaming platforms’ terms for more detail of how to opt out from seeing these ads.

Where you opt out of receiving marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, or related correspondence, and we will continue to process such data in accordance with this Privacy Policy and only ever as permitted by law.

Where we rely on our legitimate interest

In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We will then do this unless we believe we have a legitimate overriding reason to continue processing your personal data.

Direct marketing

You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.


You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookies Policy.

Checking your identity

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice. You can contact us to request to exercise these rights at any time as follows:

If we choose not to action your above requests we will explain to you the reasons for our refusal.

  1. Contacting the Regulator

If you feel that your data has not been handled correctly, or you are unhappy with our response to any request that you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.

You can contact them by calling 0303 123 1113 or go online to

  1. Any questions?

If you have any questions that haven’t been covered please contact us and we will be happy to help you:

Last Amended: 8th April 2021