Privacy Policy 2.0
Privacy Policy
Last updated: 8 October 2025 Version: 2.0 (2025)
1. Introduction & Purpose
Welcome to Grape Tree (“we”, “us”, “our”). We are committed to protecting and respecting your privacy and handling your personal information in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
This Privacy Policy explains how we collect, use, store, share and protect your personal data when you:
• Use or shop on our website (https://www.grapetree.co.uk);
• Purchase goods in store;
• Join or use our loyalty programme;
• Contact us by email or post; or
• Engage with us through social media or marketing campaigns.
By using our services, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller & Contact Information
Data Controller: JG Foods Ltd (t/a Grape Tree)
Registered address: Unit 2, Dandy Bank Road, Pensnett Trading Estate, Kingswinford, DY6 7TD, United Kingdom
JG Foods Ltd is registered with the Information Commissioner’s Office (ICO).
Email (for privacy or data protection enquiries): [email protected]
If you wish to contact the ICO, you may do so via https://ico.org.uk or telephone 0303 123 1113.
3. Definitions & Legal Bases
• Personal data: Information relating to an identified or identifiable person.
• Special category data: Sensitive data (e.g. health, racial or biometric information).
• Processing: Any operation performed on personal data, such as collection, storage, use or deletion.
We process personal data only where a legal basis applies:
• Consent – you have clearly agreed;
• Contractual necessity – required to perform or prepare a contract;
• Legal obligation – required by law;
• Legitimate interests – necessary for our business purposes, balanced against your rights;
• Public interest / official authority – where required by law.
4. What Data We Collect & How
|
Category |
Examples |
Source |
|
Identity & Contact |
Name, title, email, postal address |
Provided by you |
|
Account & Login |
Username, hashed password |
You create these |
|
Transactions & Payments |
Order details, billing/delivery address (excl. full card data) |
When you shop online or in store |
|
Technical / Usage |
IP address, browser, pages visited, referral URL |
Automatically via cookies & analytics |
|
Preferences & Profile |
Purchase history, saved items, communication preferences |
Derived from activity |
|
Correspondence & Feedback |
Emails, enquiries, reviews |
When you contact us |
|
Loyalty Programme |
Loyalty card number, redemption history |
From registration or use |
|
CCTV / Security |
Video footage in stores |
Captured locally for security |
|
Social Media Interactions |
Public profile data you share |
From platform interactions |
We do not intentionally collect special category data. If such data is provided (e.g. in a review), we handle it with additional safeguards and delete it once no longer needed.
5. How We Use Your Data & Legal Bases
|
Purpose |
Legal Basis |
Retention / Criteria |
|
Order fulfilment & delivery |
Contractual necessity |
7 years (accounting / tax) |
|
Payment processing & fraud prevention |
Contractual / legal obligation |
7 years or as required by law |
|
Customer accounts |
Contractual / legitimate interest |
Deleted after 3 years of inactivity |
|
Loyalty programme |
Consent / legitimate interest |
Membership + 2 years |
|
Marketing emails / SMS / post |
Consent or soft opt-in (PECR) |
While subscribed + 5 years suppression record |
|
Website analytics & improvement |
Consent / legitimate interest |
Logs 12 months; aggregated data longer |
|
Customer service & complaints |
Legitimate interest / legal obligation |
5–7 years |
|
CCTV security (in-store) |
Legitimate interest / legal obligation |
30–90 days unless required |
|
Legal compliance & claims |
Legal obligation / legitimate interest |
As required by law |
We retain personal data only as long as necessary for each purpose.
6. Cookies & Tracking
We use cookies and similar technologies to operate our website, improve performance, and personalise your experience.
When you first visit, a cookie banner allows you to accept or reject non-essential cookies. You may change your choices anytime via the Cookie Settings link.
|
Category |
Purpose |
Example / Provider |
Typical Duration |
|
Strictly necessary |
Site operation (login, basket) |
Session ID |
Session |
|
Preferences |
Save settings |
Language preference |
1 year |
|
Analytics |
Usage metrics |
Google Analytics |
14 months |
|
Marketing |
Advertising / retargeting |
Meta Pixel, Google Ads |
90–180 days |
You can also manage cookies in your browser. Disabling some may limit functionality.
7. Sharing Your Information
We share data only when necessary and under contract with:
• Payment providers and couriers;
• IT and hosting providers;
• Email and marketing platforms (for opt-in communications);
• Analytics and advertising partners (with consent);
• Professional advisers or regulators (where legally required);
• Successor entities in business reorganisation or sale.
All third parties act only on our instructions and must protect your data.
8. International Transfers
We primarily store and process your personal data within the United Kingdom (UK).
However, some of our service providers or systems may transfer or access data from outside the UK or the European Economic Area (EEA).
Transfers of personal data from the UK to the EEA are permitted because the UK Government recognises the EEA as providing an adequate level of data protection.
If your personal data is transferred outside the UK or the EEA, we will ensure that appropriate safeguards are in place, such as:
- A UK Government adequacy regulation for that destination country;
- The use of UK International Data Transfer Agreements (IDTAs) or UK Addenda to the EU Standard Contractual Clauses (SCCs); or
- Other lawful transfer mechanisms approved by the Information Commissioner’s Office (ICO).
You will be informed if such transfers occur and, where applicable, what safeguards are in place to protect your data and your rights.
9. Security Measures & Data Breaches
We apply appropriate technical and organisational measures including:
• Encryption (in transit and at rest);
• Access controls & authentication;
• Secure network architecture;
• Staff training and confidentiality agreements;
• Vendor risk assessments and regular audits.
If a personal data breach occurs:
• We assess and contain it immediately;
• Notify the ICO within 72 hours where required;
• Inform affected individuals if there is a high risk to their rights.
10. Your Data Protection Rights
You have the right to:
1. Access your personal data and receive a copy;
2. Rectify inaccurate or incomplete information;
If you believe that any personal data we hold about you is incorrect or incomplete, please email [email protected]. We will promptly review, correct or update your information, and confirm when this has been completed;
3. Erase your data (“right to be forgotten”) subject to legal requirements;
4. Restrict processing in certain circumstances;
5. Data portability – receive or transfer your data electronically;
6. Object to processing based on legitimate interests or to direct marketing;
7. Withdraw consent at any time (where applicable);
8. Not be subject to automated decision-making or profiling with legal or similar effects;
9. Complain to the ICO if you believe your rights have been infringed.
To exercise any rights, contact [email protected]. We may verify your identity and will respond within one month (extendable to two for complex requests).
11. Children and Minors
Our services are not directed to anyone under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we hold such data, please contact [email protected] and we will delete it promptly.
12. Business Changes & Transfers
If Grape Tree (JG Foods Ltd) is merged, reorganised or sold, your data may be transferred to the new owner under equivalent privacy protections. We will notify you of any material changes in ownership or data use.
13. Third-Party Links & Content
Our website may include links to external sites or embedded content (e.g. social media widgets, videos). We are not responsible for those third parties’ privacy practices. Please review their policies before providing personal data to them.
14. Retention & Deletion Policy
We retain personal data only for as long as necessary to meet the purpose for which it was collected and to comply with legal and regulatory requirements. When data is no longer required, it is securely deleted or anonymised beyond identification.
15. Complaints and How to Contact Us
If you have questions, concerns or complaints about how we handle your data, please contact us first – we aim to resolve any issue promptly and fairly.
Contact Grape Tree:
Email: [email protected]
Post: JG Foods Ltd (t/a Grape Tree), Unit 2, Dandy Bank Road, Pensnett Trading Estate, Kingswinford, DY6 7TD, United Kingdom
We will acknowledge your complaint and respond within one month (or inform you if we need more time).
If you remain dissatisfied, you may contact the UK Information Commissioner’s Office (ICO):
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk/make-a-complaint
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect legal or operational changes. Any updates will be posted on this page with a revised “Last updated” date. We encourage you to review it periodically. Older versions are available on request.
Controller: JG Foods Ltd (t/a Grape Tree)
Contact: [email protected]
Version: 2.0 (2025) | Last updated: 8 October 2025