Call our Shop079897684620115 986 9279

Privacy Policy

Who we are?

We are Flowerpot Men Supplies LTD Our website address is:

Company Number: 09073711
VAT Number: GB 193045019

What personal data we collect and why we collect it?


When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: After approval of your comment, your profile picture is visible to the public in the context of your comment.


If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

If you request a quote using the contact forms the information within will be stored on our system until your quote request is answered, This information is not shared with any third parties.


If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.


Our site uses google analytics tracking for internal marketing purposes we have enabled anonymised user IP addresses to protect your privacy.

Who we share your data with?

We do not share your data with any third party’s.

How long we retain your data?

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data?

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you, Alternatively if you have created an account you will have the option to delete your account within you account page. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data?

Visitor comments may be checked through an automated spam detection service.


Our contact information

If you wish to contact us regarding any privacy-specific concerns please email us at

Alternatively you can write to us at the following address:

Unit A4
Wholesale Fruit & Veg Market
Clarke Road

How we protect your data?

Personal data shall be subject to additional safeguards to ensure this data is processed securely. For example, we work hard to ensure data is encrypted when in transit and storage, and access to this data will be strictly limited to a minimum number of individuals and subject to confidentiality commitments.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to any of our websites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. When possible, encryption is used, both in transit and storage. Access controls within the organisation limit who may access information.

What data breach procedures we have in place

Under the General Data Protection Regulation (GDPR), certain personal data breaches must be notified to the Information Commissioner’s Office (ICO) and sometimes affected data subjects need to be told too.

The purpose of this policy is to outline the internal breach reporting procedure of Two Pilots D.O.O. (hereafter “Company”) and our internal and external response plan and it should be read in conjunction with our data protection policy. 

What constitutes a personal data breach?

A personal data breach is a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

A breach is therefore a type of security incident and there are three different types of breach that may occur:

  1. Confidentiality breach – an accidental or unauthorised disclosure of, or access to, personal data.
  2. Availability breach – an accidental or unauthorised loss of access to, or destruction of, personal data.
  3. Integrity breach – an accidental or unauthorised alteration of personal data.

A breach can concern confidentiality, availability and integrity of personal data at the same time, as well as any combination of these.

A personal data breach would, for example, include:

  • personal data being disclosed to an unauthorised person, e.g. an email containing personal data being sent to the wrong person.
  • an unauthorised person accessing personal data, e.g. an employee’s personnel file being inappropriately accessed by another member of staff due to a lack of appropriate internal controls.
  • a temporary or permanent loss of access to personal data, e.g. where a client’s or customer’s personal data is unavailable for a certain period of time due to a system shut down, power, hardware or software failure, infection by ransomware or viruses or denial of service attack, where personal data has been deleted either accidentally due to human error or by an unauthorised person or where the decryption key for securely encrypted data has been lost.

This list is not exhaustive. 

Notification to the ICO

Not all personal data breaches have to be notified to the ICO. The breach will only need to be notified if it is likely to result in a risk to the rights and freedoms of data subjects, and this needs to be assessed by the Company on a case-by-case basis. A breach is likely to result in a risk to the rights and freedoms of data subjects if, for example, it could result in:

  • loss of control over their data
  • limitation of their rights
  • discrimination
  • identity theft
  • fraud
  • damage to reputation
  • financial loss
  • unauthorised reversal of pseudonymisation
  • loss of confidentiality
  • any other significant economic or social disadvantage.

Where a breach is reportable, the Company must notify the ICO without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. If our report is submitted late, it must also set out the reasons for our delay. Our notification must at least include:

  • a description of the nature of the breach including, where possible, the categories and approximate number of affected data subjects and the categories and approximate number of affected records
  • the name and contact details of the Company’s CEO
  • a description of the likely consequences of the breach
  • a description of the measures taken, or to be taken, by the Company to address the breach and mitigate its possible adverse effects.

We can provide this information in phases, without undue further delay, if it cannot all be provided at the same time.

Awareness of the breach occurs when we have a reasonable degree of certainty that a breach has occurred. In some cases, it will be relatively clear from the outset that there has been a breach. However, where it is unclear whether or not a breach has occurred, we will have a short period of time to carry out an initial investigation after first being informed about a potential breach in order to establish with a reasonable degree of certainty whether or not a breach has in fact occurred. If, after this short initial investigation, we establish that there is a reasonable degree of likelihood that a breach has occurred, the 72 hours starts to run from the moment of that discovery. 

Communication to affected data subjects

Where the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Company also needs to communicate the breach to the affected data subjects without undue delay, i.e. as soon as possible. In clear and plain language, we must provide them with:

  • a description of the nature of the breach
  • the name and contact details of the Company’s CEO
  • a description of the likely consequences of the breach
  • a description of the measures taken, or to be taken, by the Company to address the breach and mitigate its possible adverse effects.

We will also endeavour to provide data subjects with practical advice on how they can themselves limit the damage, e.g. cancelling their credit cards or resetting their passwords.

We will contact data subjects individually, by e-mail, unless that would involve the Company in disproportionate effort, such as where their contact details have been lost as a result of the breach or were not known in the first place, in which case we will use a public communication, such as a notification on our website.

However, we do not need to report the breach to data subjects if:

  • we have implemented appropriate technical and organisational protection measures, and those measures have been applied to the personal data affected by the breach, in particular those that render the personal data unintelligible to any person who is not authorised to access them, such as state-of-the-art encryption, or
  • we have taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise. 

Assessing “risk” and “high risk”

In assessing whether a personal data breach results in a risk or high risk to the rights and freedoms of data subjects, the Company will take into account the following criteria:

  • the type of breach
  • the nature, sensitivity and volume of personal data affected
  • ease of identification of data subjects – properly encrypted data is unlikely to result in a risk if the decryption key was not compromised in the breach
  • the severity of the consequences for data subjects
  • any special characteristics of the data subject
  • the number of affected data subjects
  • special characteristics of the Company. 

Data breach register

The Company will maintain a register of all personal data breaches, regardless of whether or not they are notifiable to the ICO. The register will include a record of:

  • the facts relating to the breach, including the cause of the breach, what happened and what personal data were affected
  • the effects of the breach
  • the remedial action we have taken. 

Data breach reporting procedure

If you know or suspect that a personal data breach has occurred, you must immediately both advise your line manager and contact the Company’s CEO. You must ensure you retain any evidence you have in relation to the breach and you must provide a written statement setting out any relevant information relating to the actual or suspected personal data breach, including:

  • your name, department and contact details
  • the date of the actual or suspected breach
  • the date of your discovery of the actual or suspected breach
  • the date of your statement
  • a summary of the facts relating to the actual or suspected breach, including the types and amount of personal data involved
  • what you believe to be the cause of the actual or suspected breach
  • whether the actual or suspected breach is ongoing
  • who you believe may be affected by the actual or suspected breach.

You must then follow the further advice of the CEO. You must never attempt to investigate the actual or suspected breach yourself and you must not attempt to notify affected data subjects. The Company will investigate and assess the actual or suspected personal data breach in accordance with the response plan set out below and the data breach team will determine who should be notified and how. 

Response plan

The Company’s CEO will assemble a team to investigate, manage and respond to the personal data breach. They will lead this team and the other members will consist of nominated senior members of the management team. The data breach team will then:

  1. Make an urgent preliminary assessment of what data has been lost, why and how.
  2. Take immediate steps to contain the breach and recover any lost data.
  3. Undertake a full and detailed assessment of the breach.
  4. Record the breach in the Company’s data breach register.
  5. Notify the ICO where the breach is likely to result in a risk to the rights and freedoms of data subjects.
  6. Notify affected data subjects where the breach is likely to result in a high risk to their rights and freedoms.
  7. Respond to the breach by putting in place any further measures to address it and mitigate its possible adverse effects, and to prevent future breaches.
Translate »