GDPR Statement



I am a sole trader so there is no one else in my organisation to make aware.

The information I hold:

  • Email addresses of people who have emailed me and to whom I have replied – automatically saved in Gmail.
  • Email addresses, postal addresses (for physical items) and names of people who have bought something from my website. Orders are saved by default in the background of my shop website (Big Cartel), which is securely password-protected.
  • I do not run a mailing list, so therefore hold no subscriber details.
  • I do not share this information with anyone. Ever.

Communicating privacy information

I am taking the following steps:

  • I have added a link to this page to my email signature.
  • I have added this page to my website menu.

Individuals’ rights

On request, I will delete data.

Subject access requests

I aim to respond to all requests within 24 hours and usually much sooner.

Lawful basis for processing data

  • If people have emailed me, they have given me their email address. I do not actively add it to a list but Gmail will save it. I will not add it to any database or spreadsheet unless someone asks me to or gives me explicit and detailed permission.
  • If people have bought something from my website, their postal and email addresses are saved in my orders folder in two places: an Excel spreadsheet on my computer/Dropbox and the orders folder behind my website. This is standard practice for purchasing online but I do not use their data for anything other than contacting them about a problem with the order. I will delete their email addresses and postal addresses after one year.


I have never harvested email addresses, nor would I. Anyone on my lists has contacted me.


Young people sometimes email me but I don’t know their age unless they tell me – and I only have their word for that. I would not deliberately keep their email address (but Gmail would save it in my account). Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and don’t contact them again.

Data breaches

I have done everything I can to prevent this, by strongly password-protecting my computer, Google, Big Cartel and Dropbox accounts. If any of those organisations were compromised I would take steps to follow their advice immediately.

Data Protection Officers

I have appointed myself as the Data Protection Officer, in the absence of anyone else!

If there is something that is missing from this statement, please do let me know by email.

Thanks for reading.

Special thanks to Nicola Morgan and the Society of Authors for the template statement, which I have slightly modified for relevance. What heroes! Thank you.