Privacy policy
Last updated: 2026-05-11.
Worldwide Confectionery Ltd (trading as Sweet and Glory) runs the preorder site at preorder.sweetandglory.com. This policy describes how we handle your data. If you have any questions, please email us at info@sweetandglory.com.
This site is a UK wholesale-only ordering portal. Every account on the site is a trade account — we don't sell to consumers here.
Cookies
We use cookies — small files stored in your browser — to make the site work and (with your permission) to understand how it is used. Under UK PECR and GDPR, we ask for your consent before setting any cookies that aren't strictly necessary for the site to function.
Strictly necessary (always on)
These cookies are required for the site to work. They cannot be disabled because the site would stop functioning. We do not need your consent for these.
- Cart session — remembers what you've added to your basket between page loads.
- Sign-in session — keeps you logged in after you click your magic-link email.
- CSRF token — protects checkout submissions from cross-site request forgery.
Analytics (requires consent)
If you accept, we use Google Analytics 4 (GA4) to measure how the site is used — pages visited, time on site, conversion to preorder. This helps us improve the site. GA4 sets cookies starting _ga and _ga_*. We do not use these cookies for advertising or share the data with third parties beyond Google.
If you reject, GA4 still records aggregate "cookieless" metrics (page-view counts, traffic sources) but does not set any cookies on your browser and does not track you across visits.
Advertising (requires consent)
If you accept, Google Ads conversion tracking fires when you complete a preorder. This tells Google whether ads we run for the site led to actual orders, so we can budget accordingly. It does not show you targeted ads on this site.
If you reject, no advertising cookies are set and no conversion data is sent to Google Ads from your visit.
Changing your choice
You can change your cookie preferences at any time using the Manage cookies link in the site footer. Choosing again will reset your preferences and reload the page so the new setting takes effect.
Data we collect
We collect the minimum personal data we need to run a trade ordering portal: enough to set up your account, take your order, deliver it, and keep the records HMRC requires us to keep.
When you sign up
The signup form asks for your name, work email, company name, phone number, and billing address (plus an optional separate delivery address and an optional "why you'd like to preorder" message). We need these to vet you as a trade applicant and, once approved, set up your account in our wholesale order-management system.
Once your account is approved
Approved customers are created in OrderWise, our wholesale ERP. From then on, your customer record there is the master copy of your contact details. We sync a partial copy back to this site each night so that signing in and placing orders works — your name, company, phone, billing and delivery addresses, and account status.
When you sign in
We use passwordless sign-in by magic link: you ask for a link, we email it to you, you click it. We don't store passwords. When you request a magic link or sign in with one, we record the time, your IP address, and your browser's user-agent string. We use that strictly to detect suspicious activity on your account (e.g. someone trying to log in from a country you've never visited).
When you place an order
We snapshot the billing and delivery address you choose, your contact email, the items and quantities, and the totals (subtotal, VAT, grand total). Payment itself is taken by Stripe — we never see your card number, expiry, or security code. Stripe sends us back a transaction ID and the payment status, which we store with your order so we can reconcile and refund if needed.
If you save additional addresses
You can save extra delivery addresses on your account page (e.g. multiple branches). Each saved address can carry a label, contact name, phone, and the address itself. Deleting your account also deletes these.
Email we send you
We use Postmark to deliver transactional email (sign-in links, order confirmations, despatch notifications, invoices). Postmark retains a copy of each message — including its body — for 45 days, then deletes it.
What about cookies and analytics?
See the Cookies section above. If you accept analytics cookies, Google Analytics records anonymous usage patterns (which pages you visited, what you bought) but never your name, email, or address.
Who else handles your data
To run this site we share certain personal data with the following providers. Each one is contractually bound to handle your data only for the purpose we engage them for, and each is covered by a data processing agreement.
| Provider | What we share | Why |
|---|---|---|
| OrderWise (UK) | Full customer record + orders | Wholesale ERP — our master record of customers and orders |
| Stripe (US, EU) | Name, email, billing address, order amount | Payment processing |
| Postmark (US) | Email address, name, message body | Transactional email delivery |
| Google Analytics & Google Ads (US, EU) | Anonymous usage + conversion data (only if you accept cookies) | Measuring how the site is used |
| Vultr (UK datacentre) | All site data — hosts the application and database | Cloud hosting (server in London) |
| Amazon Web Services S3 (UK region) | Encrypted database backups | Off-site backup storage (London region eu-west-2) |
| Microsoft 365 OneDrive (UK) | Same encrypted database backups, mirrored | Belt-and-braces second backup copy |
Where your data is stored
Wherever possible we keep data in the UK. Our application server, primary backups, and second-copy backups are all hosted in UK regions (London datacentres for Vultr and AWS; UK tenant for Microsoft 365). Our wholesale ERP OrderWise is also UK-based.
Three providers route some processing through the US: Stripe (payments), Postmark (transactional email), and Google (analytics, only with your consent). Each of these is covered by the UK's international data transfer agreement (IDTA) and the EU-US Data Privacy Framework, which together provide the legal mechanism for the transfer.
We do not transfer your data to any country outside the UK, EU, or US.
Your rights
If you have an account on this site, you can exercise two of your GDPR rights yourself, without contacting us:
- Download your data (Art. 15 / Art. 20). Sign in and visit your account → Privacy & data → Download my data. You'll get a JSON file with your profile, address book, and order history.
- Edit your details (Art. 16). Your account → Your details lets you update your display name and phone number. The address book is editable on the same page.
- Delete your account (Art. 17). Your account → Privacy & data → Delete my account. Your data is anonymised after a 7-day grace window during which you can cancel.
For any other right (restriction, objection), or for personal data we may hold outside this site (e.g. in our main order-management system or in support correspondence), contact us below.
Data retention
We hold personal data for as long as we have a legitimate reason to. The main timescales:
- Order records (orders, invoices, address used at checkout) — retained for 6 years after your last order. This is required by HMRC for tax-record-keeping and is the lawful basis under UK GDPR Article 6(1)(c) (legal obligation).
- Active accounts — retained while you have an active account on this site. You can delete your account at any time (see above).
- Inactive accounts (signed up but never ordered) — we'll send a notification email after 36 months of no activity. If you don't sign in within 6 months of that notification, we'll automatically anonymise the account using the same erasure flow described above.
- Email logs (transactional emails sent to you) — 45 days, via our email provider Postmark.
- Off-site backups of our database — expire automatically after 90 days.
Contacting us
For privacy questions, data subject access requests, or to exercise any of your rights under GDPR, email info@sweetandglory.com.
We aim to respond to subject access requests within 14 calendar days. The legal maximum under UK GDPR is 30 calendar days; complex cases that require legal review may take the full 30 days, in which case we'll let you know.
You also have the right to lodge a complaint with the UK's Information Commissioner's Office (ICO) at ico.org.uk if you believe we have mishandled your data.