top of page



Anchor 1


Our Privacy Policy sets out our commitment to meeting its obligations with regard Data Protection and GDPR and ensuring compliance with the rules set out by 2018 UK Data Protection Act/2020 UK GDPR regulations. The Company strictly adhere to the six data processing principles and continue to review and update our procedures with these in mind when making processing changes and project developments. We are registered with ICO and have declared the information we hold.

Contact Details

Company Legal Name: Cauliflower Group Ltd 

Data Privacy Officer: Erika Speirs

Data Controllers

Office Manager: Danielle Kinch

Online Design: Hugh Speirs

Direct Office Contact:

Postal Address: Cauliflower Group Ltd, Unit 52 Woolmer Way, Bordon, GU35 9QF

Telephone Contact for Data Enquiries: 0800 0432273

Lawful Processing

Why we Collect Data?

We collect data to print customised products and despatch these orders. 

Individual Orders: 

Customers enter their own data online, all data collection is limited to the processing and fulfilling of their order and any personalisation of their product. 

Group Orders:

For group projects, organisers may place orders and enter personal details on behalf of a group. For group orders & self-publishing, organisers will be required to seek their own data consent on behalf of individuals they are ordering for where personal details are contained, or personal details will be printed.

Order Communication:

  • Communication will be made in relationship to order processing/dispatch via email or occasionally via phone. 

  • Individual Customers order IDs are required for enquiries by customers relating to any order via phone, ticket, or email. For group projects Organisers are the only point of contact for order enquiries and communication. 

Marketing Communication:

  • Communication will be made to an organiser via email with regard participation in future projects organised by Cauliflower Group Ltd. We consider our customers to have a ‘legitimate interest’. 

  • Communication will be made to any customer who opts into our Newsletter. 

  • Paper based marketing is made using a free schools database to potential customers who could have a ‘legitimate interest’ in our projects for schools. 

What we Collect

Below please find the data we will hold with regard school orders:  


General Customer Information Audit

  • Xero Accounts Software - Invoice Details.

  • Cauliflower Data Base - Customer Contact & Order Details – Stored with Amazon Web Services.

  • Print Files used for production – Stored with Amazon Web Services.

  • Physical Products Manufactured (before shipping) with shipping labels.

  • Online Ordering Data – Stored with Amazon Web Services.

  • Emails - (cleared on regular periods).

  • Parents Hard Copy Order Forms (Processed and then shredded by: Shred on Site Camberley).

  • Parcel Force Database – Organisation/ Customer name and address processed and held for each order.

Card Project Order Information Audit 

  • Order Forms Orders are placed online by parents using the unique order code and school code located on a unique order form. These are delivered to us and photographed. Forms are destroyed on site by ‘Shred on Site -Camberley’.

  • Shop Access An account must be created using a unique login – Cauliflower Group Ltd do not collect account login details.

  • Childs Name Childs Name/Nick Name/Or No Name (can be added to products as required by parent) these are entered by parent online as part of the order information.

  • If no name is given pupils are identified by a unique code printed on their order form - the unique code identifies all files associated with the order.

  • Class Name This is selected by parent and changed to a LETTER by our software on order completion.

  • Delivery Address All initial orders are delivered to organisations address and parents do not provide an address.

  • For reorders a private address is entered by parent online when placing an order from within their account. Parents can choose to have the order delivered to a safe address of their choice.

Organiser Information Audit 

  • Organiser Details Contact details & position.  Entered online by school organiser and held on company database.

  • Organisation Delivery Address - Entered online by school organiser and held on our company database.

  • School Identification Codes - Allocated by office staff and held on our company database.


Data Subjects Rights

  • You have rights to access the information we have stored about you. We can send you a copy of the information stored about you. You will need to be able to prove your identity for this exchange of information to take place.

  • You have rights to correct any information we have stored about you that you feel is incorrect or not relevant.

  • You have right to ask us to erase all information we hold on you.

  • You have the right to object to processing of your data for example to unsubscribe to our Newsletters & removed from our marketing database.

  • You have rights to ask us to transfer your information for example to another location or company however charges may be levied for this service.

Please email to discuss changes you wish to request.


Data Storage

To facilitate reorders & repeat customers we store customer & organiser details for up to three years after last used. 

If required individual customers & organisation information can be requested for removal directly by emailing


Privacy by Design

Online Protection Measures:

  • Schools Name: School names are converted to a unique school code for all products printed & despatched.

  • Pupils Names: All pupils are identified by a unique code. Orders can be placed without a name required to be printed on the products.

  • All pupil order forms used and returned to us are shredded on site once converted to digital format.

  • Class Names: All classes are converted to a letter for processing and despatch purposes.

  • For school projects no product is required to be sent to a personal address only an organisation address is required.

  • Communication: Communication with regard individual orders require an order ID for phone enquiries or must be placed as a ticket from within the customer's account and relate to their order. Organisers are the only point of contact to discuss orders for group ordered projects and school ID code is required.

  • Organiser Accounts: Personal password protected accounts are required for registering for projects.

  • Shopping Accounts: Personal password protected accounts are required for individual ordering on all projects.

  • Database Access: Onsite access to our data base is password protected – different levels of access are given to different users depending on job requirement.

Paper Trail Protection:

All pupil order forms used and returned to us are shredded on site once converted to digital format and no longer required to fulfil an order.

Special Steps for Protecting Sensitive Identities: 

There are processes in place to allow individual pupils within a school, in sensitive situations to participate in our projects without names /school logos/ being associated with products if the rest of the school wish to include these features.

School Name, Childs Name and School Logo are an optional identifying feature which schools may choose to include if they wish - this does not form a requirement for any of our projects.

Communication with regard individual orders require an order ID or must be placed as a ticket from within the customer’s account and relate to their order. Organisers are the only point of contact to discuss orders for group ordered projects.


Third Party Data Transfers/International Transfers

Data is collected and processed online via our website – we do not use a third-party processing company.

We do not sell data to any third party.


Data Security

  • Web & Server Hosting: This is outsourced to a large well-established company: Amazon EC2 Webservices: As the biggest web services supplier it complies with all Physical Security and Data Transfer requirements. This is hosted in Ireland - part of the EEC. Amazon is certified under ISO 27001:2013


  • Online Transactions: These are made directly through Stripe. This company complies with processing procedures for Online Payment Requirements. We do not record or store any bank card details or take over the phone payments.

  • Computer Security Internal computers: Computer have Microsoft Security Essential virus checking software loaded and are set up to receive the latest patches and security updates. Computers are scheduled to connect to the internet during office hours only and time out after a 20min period. Staff only have access to the information they need to do their job and do not share passwords.

  • Disposal of Computers: All personal information is removed before disposing of old computers.

  • Emails: are delivered by a large email supplier 123.Reg and are scanned by Net Intelligence.

  • Physical Security: Doors codes or buzzer is required for entry to both site. Both sites are fully alarmed with red care call out in place.

Data Breaches

Data breaches are required to be reported to ICO and involved parties within 72 hours of becoming aware of a data risk. The appropriate steps will be taken on discovery of a breach. 


How to Complain

If you have any issues with how we are using your data, please contact us first so we can put this right for you.

You can officially complain to ICO if you are unhappy with how we are using your data.

Tel: 0303 123 1113

bottom of page