Privacy Policy




Why do we have a Privacy Policy?

Nairn’s respects individuals’ rights to privacy and to the protection of personal information. The purpose of this Privacy Policy is to explain how we collect and use personal information in connection with our business, including any data you may provide through this website when you sign up to our Mailing List or complete the Contact Us form.

We created this Privacy Policy to help you understand the types of information we collect, how we use and disclose it, your options related to it, and our responsibilities in safeguarding it.

We may update our Privacy Policy from time to time. When we do, we will publish the updated Privacy Policy on our website. We would encourage you to visit our website regularly to stay informed of the purposes for which we process your information and your rights to control how we process it.

If you have any questions at all about this policy or the Website, or about how we use and process your personal information, please do not hesitate to contact us by e-mail at or in writing to Nairn’s Oatcakes, 90 Peffermill Road, Edinburgh, EH16 5UU.



For the purpose of this Privacy Policy, the data controller is Nairn’s Oatcakes Ltd (SC165734).

We have appointed a data protection officer who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the Data Protection Officer. If you wish to contact us, our full details are:

Full name of legal entity: Nairn’s Oatcakes Ltd (SC165734)

Name of Data Protection Officer: Chris Thomson

Email address:   

Postal address: 90 Peffermill Road, Edinburgh, EH16 5UU


What kind of personal data do we collect?

We collect the following types of information:

  • Identity Data includes name and title.
  • Contact Data includes address, email address and telephone numbers.
  • Financial Data includes payment card details from transactions on our online shop.
  • Transaction Data includes details about payments from you and other details of products and services you have purchased from us.
  • Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Usage Data includes information about how you use our website, products and services.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
  • Visual Data includes information derived from images collected from surveillance cameras.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.


How do we collect your personal data?

We use different methods to collect data from and about you including through:

Direct interactions.

You may give us your Identity, Contact, Financial Data, Transaction Data, Usage Data and Marketing and Communications Data by engaging with us or by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

  • order our products;
  • sign up for our marketing to be sent to you;
  • complete our contact form on our website;
  • enter a competition or promotion; or
  • give us feedback.


Automated technologies or interactions.

As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.

Third parties or publicly available sources.

We may receive personal data about you from various third parties including:

  • Contact, Financial and Transaction Data from providers of technical, payment and delivery services.
  • Technical Data from analytics providers.


How do we use your personal information?

When you order our products through our online shop:

We will use your Identity Data, Contact Data, Financial Data and Transaction Data to process and deliver a product or service that you have ordered from us.  We may also use your personal information to maintain our records, communicate with you about operational changes to our products and services, gather your feedback by asking you to leave a review or take a survey and to act in response to any feedback you have given us. We do this in order to perform the contract we have with you and because it is Necessary for our Legitimate Interests for running our business.

When we have a relationship with you:

To manage our relationship with you and to protect our business, we may use your Identity Data, Contact Data, Financial Data, Usage Data, Transaction Data and Marketing and Communications Data. This is Necessary for our Legitimate Interests for running our business, in order to carry out necessary administration and in some instances, in the context of a business reorganisation or business sale.

When you use our website:

In order to operate our website, we require to carry out administration including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data. To do this, we may use your Identity Data, Usage Data, Marketing and Communications Data and Technical Data. Our basis for doing this is that it is Necessary for our Legitimate Interests for the provision of IT services and to ensure network security.

When we market to you:

We may use your Identity Data, Contact Data, Usage Data and Marketing and Communications Data to promote our products, services and offers which may be relevant for you or which may be of interest to you. We do this on the basis of your Consent. You may withdraw this consent at any time by contacting us.

In addition, we use your Marketing and Communications Data, Technical Data and Usage Data to use data analytics to improve our website, products and services, marketing, customer relationships and experiences. This is necessary for our Legitimate Interests to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy.

When you visit our office or production sites:

We use your Identity Data and Contact Data to register you as a visitor to our premises in accordance with our visitor access policies. This is necessary for our legitimate interests to ensure your health and safety whilst on our premises and for our business interests.

In order to operate CCTV inside and outside our premises, we use your Visual Data. This is necessary for our Legitimate Interests to keep our employees and visitors safe and secure by preventing crime, preventing employee misconduct and ensuring compliance with health and safety procedures.


When do we disclose your information?

Please note that, in some instances, we may have to share your personal data with third parties.

We may allow our staff and/or external service providers named above who are acting on our behalf to access and use your personal data for the activities we have described above.  For example, if you consent to receiving marketing communications from Nairn's, your data will be sent to our email service provider, ‘Campaign Monitor’ and partner agency, ‘The Lane Agency’ (who manage our database, website and email marketing).  We only permit them to use it to deliver the relevant service on our behalf as instructed by us, and if they apply an appropriate level of security protection and they have an agreement with us to treat your personal data in accordance with the law.

We may share your personal information with our professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, legal, insurance and accounting services.

We may access, preserve, and disclose your personal information, if we believe doing so is required or appropriate to comply with our legal and regulatory obligations.

We reserve the right to transfer Personal Information in the event Nairn’s Oatcakes Ltd acquires or merges with or is acquired by another company or during other corporate changes. Any information disclosed as a result of one of these events or other corporate changes will be subject to the Privacy Policy in effect at the time.

We do not rent, sell, or share Personal Information about you with other people or non-affiliated companies for their direct marketing purposes.


Third Party Links

The Nairn’s Website contains links to other websites. Please be aware that we are not responsible or liable for the privacy practices of other websites. We encourage you to be aware when you leave the Website and to read the privacy policies of each and every website that collects personally identifiable information. This privacy policy applies solely to information collected by us on the Website.


International Transfers

We may need to transfer your personal data outside the European Economic Area (EEA), for example, if one of our suppliers or group companies is located outside the EEA. We will ensure that any transfer of your data will be subject to appropriate safeguards, such as a European Commission approved contract (if appropriate) that will ensure you have appropriate remedies in the unlikely event of a security breach.


Safeguarding your personal information

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the internet is not entirely secure and for this reason, we cannot guarantee the security or integrity of any personal data that are transferred via the internet. If you have any particular concerns about your information, please contact us (see our contact details below).

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator (such as the Information Commissioner's Office) of a suspected breach where we are legally required to do so.


Data retention period

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. 

In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer our customer, we will retain and securely destroy your personal information in accordance with applicable laws and regulations.


Opting Out

If you have provided your personal information to opt-in to receive emails about Nairn’s products, promotions, special offers and company updates, you can unsubscribe at any time from these commercial electronic messages by using the “unsubscribe link” located in the email, or by contacting us at  or in writing to Data Protection Officer, Nairn’s Oatcakes,  90 Peffermill Road, Edinburgh, EH16 5UU.


Your rights are governed by law

Your rights in connection with personal information are governed by law. Under certain circumstances, you have the right to:

1. Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a confirmation from us as to whether we hold any of your personal information or not, and if this is the case, to receive a copy of such personal information and to check that we are lawfully processing it.

2. Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

3. Request erasure of your personal information (often referred to as “the right to be forgotten”). This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.

4. Object to processing of your personal information where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground.

5. Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it, or if we no longer need your data for our legitimate interests but we need to hold some of it for the purpose of legal proceedings.

6. Request the transfer of your personal information to another party.

7. Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK’s supervisory authority for data protection issues. We would, however, always appreciate the chance to deal with your concerns before you approach the ICO, so please consider contacting us in the first instance.


Exercising your rights

If you would like to exercise any of the above rights, please contact us by e-mail at or in writing to Data Protection Officer, Nairn’s Oatcakes, 90 Peffermill Road, Edinburgh, EH16 5UU.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity to ensure that personal data is not disclosed to any person who has no right to receive it. In some instances, we may also contact you to ask you to clarify your request.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.


Information About Our Use Of Cookies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a better experience when you browse.

Cookies are pieces of data that are often created when you visit a website and are stored in the cookie directory of your own computer. Cookies are used to store a session ID which allows you to log in and make comments. No personal information is stored in the cookie.

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. Other websites linked from this site are not covered by this privacy policy. We would always recommend you check the privacy statements of third party websites that you visit.

All websites that operate across certain parts of the European Union are required to obtain consent to use or store cookies (or similar technologies) on your computer or mobile device. In using our website, you are agreeing to our placing cookies on your computer in order to analyse the way you use our website.

If you do not wish to accept cookies, you should disable cookies in your browser. You can block cookies by activating the setting on your browser that refuses the setting of all or some cookies. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies as soon as you visit our site. Turning off or deleting cookies will not prevent device identification and related data collection from occurring.

You can also turn cookies off when using our website.  Internet browsers allow you to change your cookie settings. These settings are usually found in the ‘options’ or ‘preferences’ menu of your internet browser.



Nairn’s Oatcakes is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you. You should view this privacy notice if you are looking to apply for work with us (whether as an employee, worker or contractor). It makes you aware of how and why your personal data will be used, namely for the purposes of the recruitment exercise, and how long it will usually be retained for. It provides you with certain information that must be provided under the General Data Protection Regulation ((EU) 2016/679) (GDPR).





Site designed by The Lane Agency.