Privacy Policy

Data Protection Policy


Introduction. 2

Data protection law.. 2

Privacy policy. 2

Policy scope. 2

Data collection. 2

Cookies policy. 3

Are our cookies safe?. 3

The cookies we use. 3

The five types of cookies we use are explained below: 3

  1. Essential cookies allow us to: 3
  2. Customer cookies allow us to: 4
  3. Analytics cookies allow us to: 4
  4. Third-party cookies send information to trusted websites, allowing us to: 4
  5. Social cookies allow you to: 4

Data protection risks. 4

Responsibilities. 4

General Guidelines. 5

Storage of Data. 5

Use of data. 6

Accuracy of data. 6

Subject Access Requests. 7

Other reasons for disclosing data. 7

Providing Information. 7




Melin Tregwynt may collect and process information relating to you, companies and/or individuals.

It could be any person using our services, customers, suppliers, business contacts, employees, students and other people we have a relationship with or may need to contact.

This policy describes how this personal data is collected, handled and stored to meet the company’s data protection standards – and to comply with the law.

This data protection policy ensures that we:

  • Comply with data protection law and follow good practice
  • Protect the rights of staff, customers and partners
  • Are open about how we store and process individuals’ data
  • Protect the company from the risks of a data breach

Data protection law

The Data Protection Act 1998 and the General Data Protection Regulation (GDPR) describes how organisations – including Melin Tregwynt Ltd – must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. The Data Protection Act and GDPR is underpinned by eight important principles which state that personal data must:

  • Be processed fairly and lawfully
  • Be obtained only for specific, lawful purposes
  • Be adequate, relevant and not excessive
  • Be accurate and kept up to date
  • Not be held for any longer than necessary
  • Processed in accordance with the rights of data subjects
  • Be protected in appropriate ways

Privacy policy

Policy scope

This policy applies to:

  • All employees of Melin Tregwynt Ltd and its Directors
  • All contractors, suppliers and other people working on behalf of Melin Tregwynt Ltd
  • All data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998 and GDPR

Data collection

  • When you order products over the phone or in our mill shop, we collect your name, billing address, delivery contact and address if different, phone number, transaction and credit card information and phone number in order to process your order and offering you the best service we can. Once payment is made your credit card information is destroyed securely. We make sure that we comply with the latest PCI DSS (Payment Card Industry - Data Security Standard). We will keep this data for a minimum of 6 years for our accounts administration and financial records.
  • When you agree to enter our mailing list over the phone or in our mill shop for our monthly newsletters and special offers, we collect your name and email.
  • When you visit our website, we collect your IP address in both our mill website and our e-store in order to analyse the traffic and improve our products and services. For more details, please see our cookies policy below.
  • When you register on our e-store, we collect your name, email and IP address in order to create an account with us. Our website will send you an automated notification email about your new contact submission. This email is not sent via encrypted channels. This registration will be for your own purposes and can be removed whenever you wish to, only if no orders were made, by calling us on 01348 891 644 or emailing us at for your account to be deleted from our records.
  • When you order products using your account on our e-store, we collect your name, billing address, delivery contact and address if different, phone number, transaction and credit card information, phone number and IP address during the checkout process in order to process your order and offering you the best service we can. Our website will send you automated emails. These emails are not sent via encrypted channels. We do not store your card payment information.
  • When you subscribe to receive our newsletter by email we collect your name and email address and when you subscribe to receive our printed catalogue we collect your postal address as well. This personal data is exported via our subscription centre for marketing purposes to our mailshot services. You can unsubscribe at any time online via our subscription centre or by phone on 01348 891 644, by email at and by post at Melin Tregwynt, Castlemorris, Haverfordwest, Pembrokeshire, SA62 5UX.

Cookies policy

We've updated our website so that you can decide if you want to accept cookies from us or not. Our website relies on some cookies because without them, important parts of the website will not work. We will however always honour your preference and only read or write to cookies based on the settings you choose.

Are our cookies safe?

  • Yes – they don’t harm your computer.
  • Yes – they do not contain any confidential details such as your email address or payment details.

The cookies we use

The cookies we use help us to enhance your shopping experience. Enabling cookies enhances your visit to our website, lets us check everything is working properly, and enables us to give you a more personalised web experience, such as helping us to show you products and offers we believe will interest you. They are 100% safe and secure and we recommend they are switched on.

The five types of cookies we use are explained below:

1. Essential cookies allow us to:

  • Ensure the site works properly so it’s easy to shop.
  • Make sure the correct items are kept in your basket.
  • Select the right version of our website for your computer, whether it’s a PC, iPad, mobile phone or other device.

These cookies are always enabled as they make sure essential features, like the shopping basket, work as they should. These cookies do not gather personal information or remember where you’ve been on the internet. If your browser is set to refuse these cookies, our site will not work correctly.

2. Customer cookies allow us to:

  • Remember what’s in your basket between visits.

These cookies help us to tailor your visit to make your online shopping experience better. So that we can offer you all features of our website, we recommend that these cookies are enabled.

3. Analytics cookies allow us to:

  • Raise the standard of our service by understanding how our customers use our site.
  • Help identify any errors so we can fix them.
  • Gather information which helps us continually improve our website.

We use our webhosts analysis tools with Shopify and also Google analytics for both our mill website with Shopify.

4. Third-party cookies send information to trusted websites, allowing us to:

  • Show you the most relevant products, offers and adverts when you visit other sites, including social networks.

5. Social cookies allow you to:

  • Share our website pages with social networks such as Facebook. For example, when viewing a product on our website you may see a ‘like’ button. By clicking this, you will share the product on your Facebook page and Facebook will add a cookie to your computer.

To remember your chosen settings, a cookie will be stored in your current browser. If you delete all cookies from your browser, you will have to update these settings again. If you use a different device, different account on your PC or a different browser, you will need to set your preference for them too. The settings you have chosen today will only apply to device and browser you are using now.


Please note: there may be additional Cookies in use on the website that are not found in the cookie table above. These are provided by the website platform "Shopify" and can be seen in the Merchant Storefronts section here. These Cookies & Data Sharing are handled by Shopify's Privacy Consent API which is connected to the Cookie Management Platform used on the website.

Data protection risks

This policy helps to protect Melin Tregwynt Ltd from data security risks, including:

  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Failing to offer choice. For instance, you are free to choose how we use data relating to you.
  • Reputational damage. For instance, we could suffer if hackers successfully gained access to sensitive data.


Everyone who works for or with Melin Tregwynt Ltd has some responsibility for ensuring data is collected, stored and handled appropriately.

Anyone handling personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:

  • The board of directors is ultimately responsible for ensuring that Melin Tregwynt Ltd meets its legal obligations.
  • The designated Data Protection Manager is responsible for:
    • Keeping colleagues updated about data protection responsibilities, risks and issues.
    • Reviewing all data protection procedures and related policies, in line with an agreed schedule.
    • Arranging data protection training and advice for the people covered by this policy.
    • Handling data protection questions from staff and anyone else covered by this policy.
    • Dealing with requests from individuals to see the data Melin Tregwynt Ltd holds about them (also called ‘subject access requests’).
    • Checking third parties’ Data Protection policies.
    • Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
    • Checking our IT services to ensure security hardware and software.
    • Evaluating any third-party services, the company is considering using to store or process data. For instance, cloud computing services.


  • Where necessary, working with colleagues to ensure marketing initiatives abide by data protection principles.

General Guidelines

  • The only people able to access data covered by this policy should be those who need it for their work.
  • Data WILL not be shared informally. When access to confidential information is required, employees can request it from the Directors.
  • Melin Tregwynt Ltd will provide training to all employees to help them understand their responsibilities when handling data.
  • Employees WILL keep all data secure by using password and locked cabinets, taking sensible precautions and following the guidelines.
  • When staff leave the company, entry codes must be changed. Their computer login must be set inactive and denied access.
  • In particular, strong passwords must be used and they should be secured and never be shared.
  • Personal data should not be disclosed to unauthorised people, either within the company or externally.
  • Data WILL be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of safely.
  • Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.

Storage of Data

Questions about storing data safely can be directed to the responsible Director.

Our developers and webhosts store basic server access logs for debugging, security and service review to perform maintenance and occasional debugging.

When data is stored on paper, it will be kept in a secure place where unauthorised people cannot see it.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

  • When not required, the paper or files will be kept in a locked drawer or filing cabinet.
  • Employees must make sure paper and printouts are not left where unauthorised people could see them.
  • Data printouts must be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

  • Data will be protected by strong passwords that are changed when staff is leaving and never shared between employees.
  • If data is stored on removable media (like a CD, DVD, USB key or backup tape), these should be kept locked away securely when not being used.
  • Data should never be saved directly to computers, laptops or other mobile devices like tablets or smart phones.
  • Data should only be stored on designated drives and servers so not on computers “desktop”, and should only be uploaded to approved cloud computing services.
  • Servers containing personal data are sited in a secure location and password protected only accessible by our IT service providers.
  • Data is backed up daily. Those backups must be secure and tested daily.
  • Servers and computers containing data are protected by approved security software and a firewall.

Use of data

We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

  • Internal record keeping.
  • To analyse the use of the Melin Tregwynt website.
  • To improve Melin Tregwynt's products and services.
  • For follow up by phone or email, to people who have purchased goods from us as part of Melin Tregwynt's customer care procedures.
  • With your consent, to send promotional e-mail about new products, special offers and events at Melin Tregwynt. You can withdraw your consent at any time by calling 01348 891 644, emailing or visiting our subscription centre
  • To pass your phone number to a carrier service if needed.
  • With your consent, we may also from time to time use your information to contact you for market research purposes by e-mail.

We will not sell, distribute or lease your personal information to third parties unless required to do so by law.

Melin Tregwynt may disclose your personal information to Melin Tregwynt's service providers who assist us with the operation of the website (for example, by administering or hosting the site or, with your consent, sending you promotional communications), but they will act only on Melin Tregwynt’s behalf and under strict conditions of confidentiality and security.

Personal data is of no value to Melin Tregwynt Ltd unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

  • When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
  • Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not encrypted.
  • In the event that data is transferred to a Third Party, it must be encrypted before being transferred electronically. No password are to be communicated by email but over the phone. Alternatively, if available, a secure data upload will be used.
  • Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.

Accuracy of data

The law requires Melin Tregwynt Ltd to take reasonable steps to ensure data is kept accurate and up to date.

It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

  • Data will be held in as few places as necessary.
  • Staff should not create any unnecessary additional data sets.
  • Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
  • Melin Tregwynt Ltd will make it easy for you to update the information we hold about you. For instance, you can visit our website to update your account and your subscription preference or you can call us on 01348891644.
  • Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
  • It is the marketing manager’s responsibility to ensure marketing databases are checked against industry suppression files.
  • When catalogues are returned to us the data used must be deleted securely.

Subject Access Requests

All individuals who are the subject of personal data held by Melin Tregwynt Ltd are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed how the company is meeting its data protection obligations.

If an individual contacts the company requesting this information, this is called a subject access request.

Subject access requests from individuals should be made by email, addressed to the data controller. The data controller can supply a standard request form, although individuals do not have to use this.

The data controller will aim to provide the relevant data within 14 days.

The data controller will always verify the identity of anyone making a subject access request before handing over any information.

Other reasons for disclosing data

In certain circumstances, the Data Protection Act and GDPR allow personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, Melin Tregwynt Ltd will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the Directors and from the company’s legal advisers where necessary.

Providing Information

Melin Tregwynt Ltd aims to ensure that individuals are aware that their data is being processed, and that they understand:

  • How the data is being used
  • How to exercise their rights

To these ends, this document sets out how data relating to you is used by Melin Tregwynt Ltd.