The Chicken Shed

Privacy Notice


The following information is given to you in accordance with

the General Data Protection Regulation (the GDPR).


Data Controller: The Chicken Shed (a trading name of Chamomile Barn Ltd.), Rose Cottage, Bates Lane, Souldern OX27 7JU (“we”, “our” and “us”)


Under the GDPR, you have a right to be informed about the collection and use of your personal data. This Privacy Notice is intended to set out how we collect and use your personal data in a clear and open manner.



1.   Why do we process your personal data?

We collect and process your personal data to provide you with good customer service, e.g. to update you on orders, and to let you know about offers and new developments in the world of The Chicken Shed chocolate.


2.   What is the source of your personal data?

The source of the data we collect will generally be you; you will have provided us with your personal data when you placed an order with us, chose to subscribe to our emails or made an enquiry in some other form, e.g. through email or by telephone. If you are a wholesale contact, we may have found your personal data in the public domain or through a referral.


3.   What lawful basis do we have for processing your personal data?

We process your personal data where:

-     processing is necessary to comply with a legal obligation on us, for example to make sure we submit accurate company accounts and tax returns;

-     we have a legitimate interest in processing personal data, for example to provide you with news and offers that may be of interest to you; or to make sure we keep you posted about an order you have placed with us.


4.   What personal data do we process and who do we share it with?


If you place an order with us, we will process your contact details including your name, email address, postal address (and the address of the recipient if you’d like us to send your order to someone else). We will also process email and/or social media communications with you based on which form of communication you have chosen to contact us with or have asked us to use. Our default communication method to contact you is email and we don’t store copies of social media contact details on our systems.

We share your personal data internally with relevant staff only, and, in the event of an order, our accountancy firm may also have access to your personal data as well as HMRC if they decide to take a closer look at our transactions.

External IT staff may also, very rarely, have access to your personal data for IT purposes only, e.g. to install technological safeguards to protect your data.

Data is stored in a range of different places, including our email system (which is provided by a UK-based host that is subject to EU privacy rules), iCloud, our accounting software, Mailchimp, and PayPal.

Mailing List Subscriptions

If you subscribe(d) to our mailing list without having placed an order, we will only store your name and email address until you ask us to delete it. Until your request to delete, this data will only be stored in Mailchimp, on our own system and iCloud backup.

Wholesale Contacts and Customers/Distributors

We store contact details of potential, current and past wholesale customers/distributors together with previous order history (where applicable) in a range of different places, including our email system (which is provided by a UK-based host that is subject to EU privacy rules), iCloud, our accounting software, Mailchimp, PayPal, our own systems and on Zoho.




5.   How do we protect your personal data?

We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by employees in the performance of their duties.

Where we transfer your personal data to third parties, we ensure there is a contract in place that provides sufficient guarantees that the requirements of the GDPR will be met and your rights protected.


6.   Personal data transfers to third countries or international organisations.

We use Apple’s iCloud for data storage. Apple uses approved Model Contractual Clauses for the international transfer of personal information collected in the European Economic Area and Switzerland. Their privacy policy can be found here.


We sometimes use Mailchimp to communicate with you. Mailchimp’s servers and offices are located in the United States, so your information may be transferred to, stored, or processed in the United States. MailChimp participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. To learn more about the Privacy Shield Frameworks, and to view Mailchimp’s certification, visit the U.S. Department of Commerce’s Privacy Shield website, here.   Their privacy policy can be found here.


Our accounting software is provided by Intuit Ltd. who may transfer your personal information to and process and store your information in other countries. Intuit has certified certain Services under the E.U. – U.S. Privacy Shield Framework and Swiss – U.S. Privacy Shield Framework. For more information please go to the “International Transfers”  section of their privacy statement which can be found here.


If you place an order with us through our website, your payment will be processed via PayPal. PayPal has taken specific steps, in accordance with EEA data protection law, to protect your Personal Data. In particular, for transfers of your Personal Data within PayPal related companies, they rely on Binding Corporate Rules approved by competent Supervisory Authorities (available here). Other transfers may be based on contractual protections. Please contact PayPal directly for more information about this. Their privacy notice can be found here.


If you are a wholesale contact or customer, we may also process your data using Zoho. Whilst Zoho is based in the EEA, your personal data may be accessed on a need basis for support functions that are provided by Zoho India from India. Zoho uses approved Model Contractual Clauses for the international access of personal information collected in the European Economic Area. Their privacy policy can be found here.



7.   How long do we keep personal data for?


We will keep your personal data for as long as is necessary to fulfil the purposes for which we collected it:


If you have placed an order with us, we will keep your personal data for 7 years after the date of the order, primarily for accounting purposes, and also to keep you posted about Chicken Shed news and special offers we would like to offer you (although you can of course unsubscribe from our mailing list any time you like).


If you subscribed to our mailing list (but haven’t placed an order with us), we will keep your details until you ask us to delete them. If that’s the case, we will delete your details as quickly as possible (normally within a day or two), but please allow one month in case we’re not able to action your request straight away.


8.   What are your rights in respect of the processing?

-     You have the right to be informed about the collection and use of your personal data, as provided for in this privacy notice. At the time we collect your personal data, you are entitled to know our purposes for processing it, our retention periods, who it will be shared with and other information, which is all set out in this privacy notice (there are a few circumstances when we do not need to provide you with privacy information, such as if you already have the information or if it would involve a disproportionate effort to provide it to you). If we obtain personal data from other sources, you are entitled to receive privacy information within a reasonable period of obtaining the data and no later than one month. The information we provide to you must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language – if you feel this is not the case, then please let us know.

You can also (verbally or in writing):

-     ask us to give you access to the personal data we hold about you;

-     ask us to correct or complete incorrect or incomplete data; and

-     ask us to erase or restrict/stop processing your personal data (although this right is not absolute and only applies in certain circumstances)

Finally, you have the right to object to the processing of your data where we are relying on legitimate interests as the legal ground for processing. However, we may be able to continue processing if we have a compelling reason for doing so.


If you would like to exercise any of these rights or have any queries or concerns about them, please contact us by emailing or by calling us on 0845 47 48 509.

You also have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (Tel. 0303 123 1113).


Because the processing of your personal data is not carried out by automated means and consent/contract, the right to data portability does not apply.


9.   Can we oblige you to provide personal data, and what happens if you don’t?

If you would prefer not to provide us with your personal details but still want to receive marketing information from us, you can follow us on social media instead (although we don’t post all offers there – we keep some for our subscribers). Whilst – depending on your username - this may reveal personal data about you, we do not store this information.

If you would prefer not to provide us with your personal data for the purpose of purchasing our yummy chocolate, you can buy from our stockists instead or nicely ask someone to buy it for you ;).


10. Automated decision-making

No decisions are based on automated decision-making.


11. Questions and Comments

If you have any questions or comments at all, please don’t hesitate to email us via or call us on 0845 47 48 509.


Privacy Notice version 2 (12 June 2018).

Please contact us if you wish to see the previous version.