GDPR for Nutrition Program and Ridgwell Press

GDPR  is a privacy law to make sure we protect personal data of European residents. Ridgwell Press uses Shopify to process orders and data is processed by Shopify International Ltd and this data is transferred to Canadian and US operations by EU approved legal mechanisms.

Personal data can be name, address, email address, social media account or IP address. Data Controller is Ridgwell Press. Jenny Ridgwell is the Data Protection Officer conducting impact assessments. We need consent to process your personal data so are including an opt in consent button.

GDPR gives you the right to request a copy of personal data that is being processed. You can ask for your data to be erased. If so, we will delete your order and all your information. We will be unable to issue repeat invoices, resend any downloads or update and help with your Nutrition Program subscription as your data will be erased. We get your consent during checkout.

If you subscribe to The Nutrition Program we do not store personal student data, only the email from the school purchaser and the school address. At the school you give students usernames and passwords.

Do not use your student names for usernames – this infringes GDPR and also can lead to sabotage and changing of work.

Under the new regulations out of date Nutrition Program subscriptions and their data can no longer be renewed as we must delete personal data and content, usernames and passwords. You will need to set up a new subscription to join the Program.

Ridgwell Press and the Nutrition Program use your personal data to give better customer service. We respect your privacy and don’t sell your data to third parties.

GDPR and Ridgwell Press

Ridgwell Press Ltd is committed to protecting and processing your personal data in accordance with the General Data Protection Regulations and the Data Protection Act 2018 (the legislation). For the purpose of the legislation and your personal data at Ridgwell Press Ltd  is the Data Controller, Jenny Ridgwell is the person responsible for data protection and can be contacted at

The General Data Protection Regulations are to safeguard your personally identifiable information or personal data. This privacy notice will be regularly reviewed and updated.

Information held

The personal data we process includes Contact Name, email, address, phone number which are given when The Nutrition Program is purchased. Where the provision of data is a contractual requirement or a requirement necessary to enter into a contract, a refusal to provide the data may mean that we are unable to provide you with our services.

To ensure that we provide you with the best service possible we will need to collect and retain certain personal data. 

Data controller Ridgwell Press Ltd
Information heldHow is it collected?
Name of purchaserSelf registration on internet site
Email, address, phone numberSelf registration on internet site

Lawful basis of processing

When you visit our website we may collect information about your computer, including where available your IP address, operating system and browser type, for system administration. 

We may obtain information by using a cookie file which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive.

Data controller Ridgwell Press Ltd
Why is data collected?Lawful basis for processingWith whom might we share this data?
To process website orderConsent by purchaserStaff, software provider, purchaser
How may it be stored?When will it be deleted?
Shopify, the web processing used by Ridgwell Press for orders, has incorporated a data processing addendum for requirement Article 28 (3) of GDPR.Cloud based storage provider, with backup.If purchaser does not renew Nutrition Program within 1 month, data is deleted. Shopify has a tool to delete all personal information when an erasure request is received.

Your personal data is stored within the European Union or outside of the European Union but with an organisation operating under the General Data Protection Regulations.

Retention period and criteria used to determine the retention period

We will retain some elements of your personal data for up to one year after your purchase. If the lawful basis for processing your data was consent then you may withdraw such consent at any time.

Your rights

You have a right of access to check your personal data to verify the lawful basis of processing. We are obliged to respond to an access request within 30 days and may not charge a fee unless the request is unfounded, excessive or repetitive. If a fee is charged it is to be a reasonable fee based upon the administrative cost of providing the information.

You have a right to rectification if the data we hold is either inaccurate or incomplete. If your data has been disclosed to third parties then we must inform them of the rectification, where possible.

You have a right to require erasure of your data when consent is our basis of processing (the right to be forgotten). You may request that your personal data be erased, for example, where there is no compelling reason for its continued processing or where you withdraw consent. We will comply with your request unless we have another basis of processing justifying our retaining the data (for example a legal requirement or the defence of a legal claim).

You have some rights to ask us to restrict processing i.e. to block or suppress processing where, for example, the data may be incorrect and whilst the accuracy is verified. We are permitted to store the data.

Your right to object

You do have a right to object to further processing of your personal data. We may be required to stop processing unless there is some other legitimate basis of processing such as a legitimate interest or a requirement for the exercise or defence of a legal claim.

How to lodge a complaint with the supervisory authority

The supervisory authority responsible for data protection is the Information Commissioners Office (ICO) to whom concerns may be reported by phone on 0303 123 1113 or +44 1625

545 745 if calling from outside the UK, by email using the form on the website or the livechat function.

EU GDPR Processor Art 28 

  1. (1)Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
  2. (2)The processor shall not engage another processor without prior specific or general written authorisation of the controller. 2In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
  3. (3)Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. 2That contract or other legal act shall stipulate, in particular, that the processor:
    1. a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
    2. b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    3. c) takes all measures required pursuant to Article 32;
    4. d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
    5. e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
    6. f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32to 36 taking into account the nature of processing and the information available to the processor;
    7. g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
    8. h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
    With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
  4. (4)Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. 2Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
  5. (5)Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
  6. (6)Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
  7. (7)The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).
  8. (8)A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.
  9. (9)The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
  10. (10)Without prejudice to Articles 8283 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.