Skip to main content
The Local Harvest
Back to Home

Privacy Policy

How CDM Marketing Ltd (trading as The Local Harvest) handles your personal data.

Effective:2 May 2026

In plain English

  • We keep what we need to run the marketplace and pay producers, and not much more.
  • We never sell your personal data, and we never run profiling that has a legal effect on you.
  • Card details are handled directly by Stripe — they never touch our servers.
  • We only load Google Analytics, Google Maps and Crisp after you accept the relevant cookies.
  • You can export or delete your data from your dashboard, or by emailing privacy@thelocalharvest.co.uk.
  • If you think we have got something wrong, you can complain to us first and then to the UK Information Commissioner’s Office (ICO).

1. Who we are and how to contact us

Data controller: CDM Marketing Ltd, a company registered in England and Wales with company number 14010841.

Trading name: The Local Harvest.

Registered office: 34 Clarence Street, Southend-on-Sea, SS1 1BD, United Kingdom.

VAT registration: not currently VAT-registered (turnover below the HMRC £90,000 threshold).

ICO registration: [TO BE COMPLETED — ICO registration number, e.g. "ZA123456"] (you can verify this on the ICO public register at ico.org.uk).

General privacy enquiries: privacy@thelocalharvest.co.uk.

Postal address for data-subject requests: as above. Mark the envelope FAO Data Protection Officer.

2. What this notice covers

This notice explains how we process personal data when you visit www.thelocalharvest.co.uk, register as a producer or consumer, place an order, contact us, or otherwise use any service we operate at that domain (the “Service”).

It applies to processing carried out by CDM Marketing Ltd as data controller. When you place an order with a producer through our marketplace, the producer is an independent business and may also be a controller for the fulfilment data you share with them — see § 5.

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

3. The data we collect, why, and for how long

We only collect personal data that we genuinely need. The table below sets out each category, the lawful basis we rely on under UK GDPR Art. 6, and how long we keep it.

CategoryExamplesSourceLawful basisRetention
Account identityName, email address, hashed password, role (consumer / producer / admin), email-verification timestamp.You, when you register or sign in.UK GDPR Art. 6(1)(b) — performance of a contract.For as long as the account is active, and 30 days after deletion (extended only where required for tax, fraud or legal claims — see § 9).
Producer business profileBusiness name, description, category, fulfilment locations and radius, certifications, opening hours, public phone (if you choose to make it visible), website, profile and product images.You — visible to the public on your business page.UK GDPR Art. 6(1)(b) for the listing contract; Art. 6(1)(a) (consent) for any optional public details (e.g. phone number visibility).While the listing is published. Hidden but retained for 6 months after suspension to allow recovery; then deleted unless required for an open dispute or by law.
Order and payment metadataOrder ID, line items, quantities, prices, delivery address (if delivery selected), order status, refund records. We never see or store your raw payment-card details — those are handled by Stripe.You at checkout; Stripe webhooks.UK GDPR Art. 6(1)(b) (contract) and Art. 6(1)(c) (legal obligation — VAT / record-keeping under HMRC rules).7 years from the end of the tax year of the transaction (Companies Act 2006 s.388, VAT Act 1994 s.58).
Reviews, messages and support contentOrder reviews you leave, contact-form messages, live-chat transcripts.You.UK GDPR Art. 6(1)(b) (provision of the service) and Art. 6(1)(f) (legitimate interests in moderation and abuse prevention).Reviews remain public for as long as the seller and product are listed. Support / contact emails: up to 12 months unless we need them longer for an open dispute.
Cookie / consent recordsYour essential / analytics / chat / marketing toggle states, an `anon_id` (random ID stored in your browser), a salted SHA-256 hash of your IP, your browser User-Agent, the policy version you accepted.You via the cookie banner / preferences modal.PECR reg. 6 (consent) and UK GDPR Art. 6(1)(c) — required to demonstrate consent under UK GDPR Art. 7(1).24 months from the date of consent, then deleted (consent must be refreshed at least every 12 months).
Security and abuse signalsIP address, request paths, rate-limit counters, failed-login counters, reCAPTCHA scores, audit-log rows.Automatic — generated when you use the service.UK GDPR Art. 6(1)(f) — legitimate interests in keeping the platform secure.Up to 90 days for raw security logs; up to 24 months for tamper-evident audit logs (admin actions, payments).
Analytics (only if you consent)Pseudonymous Google Analytics 4 events, page paths, referrers, device and browser info. IP is truncated client-side via the `anonymize_ip` flag.Your browser if you give analytics consent.PECR reg. 6 (consent).14 months in GA4 (default Google Analytics retention); we do not export it elsewhere.
Marketing communicationsNewsletter sign-up email, mailing-list segment, unsubscribe state.You — only if you sign up.UK GDPR Art. 6(1)(a) (consent) under PECR reg. 22 for non-customer marketing; soft opt-in (PECR reg. 22(3)) for similar products to existing customers, with an unsubscribe link in every message.Until you unsubscribe; suppression list kept indefinitely so we never email you again after you opt out.

We do not knowingly collect special-category data (health, race, religion, biometrics etc.) and we do not process children’s data — the Service is intended for users aged 16 and over.

4. How we choose the lawful basis

  • Performance of a contract (Art. 6(1)(b)) for everything you have to give us in order to use your account, list a product, place an order, receive a payout, or contact a producer about a delivery.
  • Legal obligation (Art. 6(1)(c)) for tax, accounting, anti-money-laundering checks performed by Stripe, and for responding to lawful requests from regulators.
  • Legitimate interests (Art. 6(1)(f)) for fraud prevention, network security, abuse moderation, debugging, internal reporting, and protecting the rights of other users. We balance these against your rights and have carried out written legitimate-interests assessments — available on request to privacy@thelocalharvest.co.uk.
  • Consent (Art. 6(1)(a) read with PECR reg. 6) for non-essential cookies, optional analytics, the live-chat widget, and any marketing emails. Consent can be withdrawn at any time without affecting processing carried out before withdrawal.

5. Who we share data with

We share personal data only with the categories of recipients set out below.

  • Producers you order from. When you place an order, the relevant producer receives your name, email, delivery / pickup address, the order line items and any notes you added at checkout, so they can fulfil the order. Each producer is an independent data controller for the fulfilment processing they then perform.
  • Service providers acting as our processors — see § 7. Each is bound by a written data-processing agreement with confidentiality, security and breach-notification obligations.
  • Professional advisers (accountants, solicitors, auditors) under duties of confidence, where reasonably necessary for the running of the business.
  • Public authorities where we are required to disclose by law (e.g. HMRC, the police, the ICO, courts).
  • A successor in the event of a sale, merger or restructuring of the business — bound by this notice and applicable law.

We never sell your personal data. We do not run any cross-context behavioural advertising, third-party re-targeting pixels, or data brokerage.

6. Cookies and similar technologies

Cookies and similar storage are governed by PECR reg. 6. We set strictly necessary cookies as soon as you visit, and only set non-essential cookies after you accept them via the banner.

Strictly necessary

Authentication (Supabase session tokens), CSRF protection, your stored cookie preferences, basic load balancing. Cannot be turned off.

Analytics

Google Analytics 4 with IP anonymisation. Loaded only with your consent. We do not run session recording or heatmap tools.

Chat / Support

Crisp live chat. Loaded only with your consent. When you are signed in, we share your name, email and account type with Crisp so support can identify you.

Marketing

We do not currently set advertising or behavioural-tracking cookies. The toggle is shown for transparency only.

You can change your choice at any time via the “Cookie settings” link in the footer, or by clearing the tlh_cookie_preferences cookie in your browser. Each accept / reject / change is logged in our consent_events table for as long as needed to evidence your consent (UK GDPR Art. 7(1)).

7. Sub-processors and overseas transfers

We rely on the following third parties to run the Service. Each one is contracted as our processor (or, where indicated, as an independent controller for limited purposes).

ProviderPurposeWhere data is processedTransfer mechanism
Supabase, Inc.Database, authentication, file storageHosted in the EU (Frankfurt). Some operational metadata may be processed in the USA.UK IDTA / EU SCCs in Supabase Data Processing Addendum.
Stripe Payments Europe Ltd / Stripe, Inc.Payment processing, marketplace payouts (Stripe Connect), tax/invoice metadataStripe Payments Europe Ltd contracts as our processor in the UK / EEA. Onward transfers occur to Stripe, Inc. in the USA.UK Extension to the EU-US Data Privacy Framework and / or UK IDTA, as set out in Stripe's DPA.
Resend, Inc.Transactional email delivery (account confirmation, order emails, password resets)USAUK Extension to the EU-US Data Privacy Framework and / or UK IDTA, per the Resend DPA.
Google Ireland Limited (Google Maps Platform)Embedded maps and geocoding for the directoryIreland with onward transfer to Google LLC in the USA.UK Extension to the EU-US Data Privacy Framework / Google's SCCs.
Google Ireland Limited (Google Analytics 4)Aggregate site analytics. IP anonymisation is enabled. Loaded only with your consent.Ireland with onward transfer to Google LLC in the USA.Consent (PECR reg. 6) plus UK-US Data Privacy Framework.
Google Ireland Limited (reCAPTCHA)Bot / abuse protection on registration and high-value formsIreland with onward transfer to Google LLC in the USA.Legitimate interests (UK GDPR Art. 6(1)(f)) — security of the service.
Crisp IM SASLive chat support (only loaded after you opt in via the cookie banner).France (EU)Consent (PECR reg. 6) plus UK GDPR Art. 6(1)(b) for support enquiries.
Vercel, Inc.Web hosting, edge network, build pipelineEU edge for the user-facing site, with build / log infrastructure in the USA.UK Extension to the EU-US Data Privacy Framework / UK IDTA per Vercel's DPA.

Where data is transferred outside the UK we rely on the UK Extension to the EU-US Data Privacy Framework, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with appropriate supplementary measures including encryption in transit (TLS 1.2+), encryption at rest, and contractual onward-transfer restrictions. A copy of the relevant transfer instruments is available from privacy@thelocalharvest.co.uk.

8. Your rights under the UK GDPR

You have the following rights, subject to the conditions set out in the UK GDPR:

Access — a copy of the personal data we hold about you (Art. 15).
Rectification — correct inaccurate or incomplete data (Art. 16).
Erasure — delete your data where the legal grounds in Art. 17 are met.
Restriction — pause our processing in the cases listed in Art. 18.
Portability — receive your data in a structured, machine-readable format and have it transmitted to another controller (Art. 20).
Object — to processing based on legitimate interests, or to direct marketing (Art. 21). For direct marketing, the right is absolute.
Withdraw consent — for any processing based on consent, at any time, without affecting earlier processing.
Automated decisions — we do not make decisions about you that have legal or similarly significant effects using automated processing alone.

If you have an account: sign in and use Dashboard → Settings → Privacy. You can export a JSON copy of your data and request account deletion directly from there.

If you cannot sign in — for example because you have lost access to your email — write to our DPO at privacy@thelocalharvest.co.uk. We may ask you to provide enough information for us to identify you (typically a copy of photo ID matching the email on the account); we keep that ID for the minimum period needed to verify your identity, then delete it.

We respond within one calendar month of receiving a valid request (UK GDPR Art. 12(3)), extendable by a further two months for complex requests.

If you are not happy with our response, you can complain to the Information Commissioner’s Office: ico.org.uk/make-a-complaint, 0303 123 1113. We would prefer the chance to put things right first.

9. How long we keep data

Specific retention periods are listed alongside each data category in § 3. The general principles are:

  • Active accounts: data is kept for as long as you keep your account, plus a short grace period after closure (usually 30 days) to allow recovery.
  • Tax / accounting records: 7 years from the end of the tax year of the transaction (Companies Act 2006 s.388 and HMRC guidance for VAT-registered businesses).
  • Limitation periods for legal claims: up to 6 years (Limitation Act 1980 s.5) for contract claims; longer where we reasonably believe a claim may be made.
  • Marketing suppression list: kept indefinitely so we honour your opt-out.

10. How we secure data

  • HTTPS / TLS 1.2+ on every page, HSTS, and a strict Content Security Policy.
  • Encryption at rest for the database (Supabase) and object storage.
  • Passwords stored only as Argon2 / bcrypt hashes by Supabase Auth.
  • Strong password policy (minimum 12 characters, scored with zxcvbn).
  • Row-level security on the database; admin actions logged to a tamper-evident audit table.
  • CSRF protection, IP-based rate limiting, reCAPTCHA on registration and high-value forms, signed Stripe webhook verification.
  • Card details are tokenised by Stripe (PCI DSS Level 1) and never reach our servers.
  • Periodic dependency and secret-scanning checks in CI (TruffleHog, npm audit, semgrep).

No system can be perfectly secure. We will notify the ICO within 72 hours of becoming aware of a personal-data breach that is likely to result in a risk to your rights and freedoms (UK GDPR Art. 33). Where the breach is likely to result in a high risk, we will also notify you without undue delay (Art. 34).

11. Children

The Service is intended for users aged 16 and over. We do not knowingly market to or collect personal data from children under 13, and we apply the higher protections required by the ICO’s Age Appropriate Design Code if we ever identify that we are processing data of users under 18. If you believe a child has registered without parental consent, email privacy@thelocalharvest.co.uk and we will remove the account.

12. Changes to this notice

We may update this notice from time to time. The “Effective” date at the top reflects the current version. Where the change is material — for example, a new processor or a new lawful basis — we will email account holders and display an in-product banner at least 14 days before the change takes effect, except where the change is required to take effect sooner by law.

13. Talk to us first

If you have any questions or concerns about this notice or our processing, please contact us before complaining to the regulator — we want the chance to put things right.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — 0303 123 1113 — ico.org.uk.

Owner action required before launch: the company’s Companies House number, registered office and ICO registration number have not yet been completed inlib/legal/company.ts. Fill these in to satisfy Companies Act 2006 s.1300A and the Electronic Commerce Regulations 2002 before the public launch. This banner only renders until the placeholders are replaced.