Home Privacy Policy

Privacy Policy

Each of our brands has its own privacy policy, you can view them at the relevant website(s).

Bonacia Ltd Privacy Policy

UK GDPR, Data Protection Act 2018, Privacy and Electronic Communications Regulations (PECR), and Data (Use and Access) Act 2025

Last updated: 06.05.2026 (updated in line with legislation updates or annually)


1. Who we are

This privacy policy explains how Bonacia Ltd collects, uses, shares and protects personal data. It applies to Bonacia Ltd and the brands and services operated by Bonacia Ltd, including:

  • Young Writers
  • Book Printing UK
  • Leavers' Books
  • School Products
  • SPaG Monsters
  • Young Artists

Bonacia Ltd is usually the controller of the personal data described in this policy. This means we decide why and how personal data is used. In some cases, we process personal data on behalf of other organisations (in cases such as book fulfilment for Book Printing UK). In those cases, that organisation may be the controller and Bonacia Ltd may act as its processor. Where we act as a processor, we process personal data only in accordance with the controller's instructions and the terms of our contract with them.


2. Our contact details

Bonacia Ltd
Remus House
Coltsfoot Drive
Woodston
Peterborough
England
PE2 9BF

Phone: 01733 890099
General email: [email protected]
Privacy contact: [email protected] (Data, Risk, Compliance & Facilities Manager)
Company number: 5368980
ICO registration number: ZA230462

Our Data, Risk, Compliance & Facilities Manager is responsible for all data protection queries and is currently undergoing a DPO qualification (May 2026 due to complete June 2027). See above for contact details.


3. Personal data we collect

We may collect and use the following categories of personal data, depending on your relationship with us and the brand or service you use:

  • Identity and contact details: Name, address, email address, telephone number, school or organisation, job title, account username and contact preferences.
  • Order and service information: Order details, delivery details, billing details, email addresses, phone numbers, returns, customer service records (paper and digital), account records, order history and correspondence.
  • Payment and transaction information: Payment status, transaction references and limited payment information. We do not store full card numbers where payment is handled by a payment provider. No card information is stored during call recordings.
  • School, pupil and parent/guardian data: Information provided by schools, childcare and learning providers, teachers, parents/guardians or pupils for competitions, yearbooks, educational products, publications, printing services or school-related orders. This may include pupil names, parent names, teacher names and job roles, parent/teacher and student emails, class/year group, school name, submitted poetry or story entries, artwork, photographs or other content.
  • Competition, publication and creative content: Entries, manuscripts, artwork, book content, author details, contributor details, permissions, publication preferences and communications about submissions.
  • Website and device information: IP addresses, cookie identifiers, device identifiers, browser type, operating system, website usage, analytics information and marketing preferences.
  • Marketing information: Marketing preferences, consent records (opt-ins), unsubscribed records, campaign engagement and communication history.
  • CCTV and premises security information: Images of people and vehicles at our premises, together with the date, time and location of footage.

4. How we collect personal data

We collect personal data in several ways:

  • Directly from you when you place an order, create an account, make an enquiry, get a quote, enter a competition, submit content, apply for a role, sign up for marketing (such as resource requests, downloads and newsletters), or communicate with us.
  • From schools, childcare and learning providers, teachers, parents/guardians, business customers, competition organisers or other organisations that ask us to provide services involving personal data.
  • From service providers such as payment processors, delivery partners, website analytics providers, email platforms, IT providers and fraud prevention or security services.
  • Automatically when you use our websites, apps or online services, including through cookies and similar technologies.
  • From CCTV cameras at our premises.
  • From referees, job applications, former employers, DBS providers or public sources relevant to recruitment, employment or safeguarding.

5. How and why we use personal data

The items below explain our main purposes for using personal data and the lawful bases we rely on. More than one lawful basis may apply depending on the circumstances.

  • Process orders, provide services, arrange delivery, manage returns and handle customer requests.
    Data used: Identity/contact, order, delivery, payment, service correspondence.
    Lawful basis: Contract; legitimate interests where we support business customers or resolve issues.
  • Provide accounts and online services.
    Data used: Identity/contact, account details, website/device information.
    Lawful basis: Contract; legitimate interests in managing secure services.
  • Provide services to schools, parents, pupils and educational customers, including yearbooks, competitions and publications.
    Data used: School, pupil and parent/guardian data; creative content; order information.
    Lawful basis: Contract with the relevant customer; legitimate interests; consent where required; legal obligation where applicable.
  • Publish, print or distribute books, yearbooks, artwork, stories or competition materials.
    Data used: Creative content, contributor names, school details, permissions and related communications.
    Lawful basis: Contract; legitimate interests; consent where required, especially for optional publication or marketing uses.
  • Respond to enquiries and provide customer service.
    Data used: Contact details, correspondence, order history.
    Lawful basis: Contract; legitimate interests in responding to customers and improving our services.
  • Send marketing and service updates.
    Data used: Contact details, marketing preferences, engagement data.
    Lawful basis: Consent; legitimate interests where permitted by law; compliance with PECR for electronic marketing.
  • Manage unsubscribe requests and suppression lists.
    Data used: Contact details, marketing preferences.
    Lawful basis: Legal obligation; legitimate interests in ensuring we do not contact people who have opted out.
  • Maintain website functionality, analytics and online security.
    Data used: Website/device data, cookies, analytics data.
    Lawful basis: Consent for non-essential cookies; legitimate interests for security and strictly necessary operations.
  • Protect premises, staff, visitors, property and vehicles using CCTV.
    Data used: CCTV images and associated metadata.
    Lawful basis: Legitimate interests in safety, security and crime prevention; legal obligation where applicable.
  • Establish, exercise or defend legal claims.
    Data used: Relevant records across categories.
    Lawful basis: Legitimate interests; legal obligation; Article 9 or Schedule 1 conditions where special category or criminal offence data is involved.

6. Legitimate interests

Where we rely on legitimate interests, we consider whether our interests are overridden by your rights, freedoms and interests. Our legitimate interests may include:

  • Providing, managing and improving our services and brands.
  • Responding to enquiries and supporting customers.
  • Managing orders, publications, competitions and school-related services.
  • Business administration and intra-group administration across Bonacia brands.
  • Direct marketing where permitted by law.
  • Network, information and premises security.
  • Fraud prevention, debt recovery and legal claims.
  • Supplier, customer and relationship management.

You may object to processing based on legitimate interests. We will consider your objection and stop processing unless we have compelling legitimate grounds or need to continue for legal claims. To object, please email [email protected].


7. Consent and withdrawing consent

Where we rely on consent, you can withdraw your consent at any time. This will not affect processing carried out before consent was withdrawn. You can withdraw marketing consent by using the unsubscribe link in our emails or by contacting us. Where a school, parent/guardian or other organisation provided consent or permissions, we may need to refer the request to the relevant controller or requester.


8. Children's personal data

Some of our brands and services are used by schools, parents/guardians, teachers, pupils (secondary schools), and children (nursery and primary school children), as well as students (middle and high).

We may process children's personal data for purposes including school orders, yearbooks, educational products, competitions, publications, creative submissions, communications with schools, childcare and learning providers or parents/guardians, safeguarding-related matters and customer support. The data may be provided by a school, childcare and learning provider, educator, parent/guardian, pupil, or another customer.

When we act for a school or other organisation, that organisation may be the controller and may be responsible for telling pupils, parents/guardians and staff how their data is used. Where we are the controller, we will provide clear privacy information and will use children's data only where we have a lawful basis.

We will consider children's best interests and needs when designing and operating online services that children are likely to use. This includes considering age-appropriate information, default settings, data minimisation, transparency, security and parental or school involvement where appropriate.

We will not use children's personal data for unrelated marketing or profiling without an appropriate lawful basis and any required consent under applicable law. We will also avoid publishing children's personal data unless this is necessary for the service, has been agreed with the relevant school/customer/parent/guardian where required, or is otherwise lawful and appropriate.


9. Marketing

We may send marketing about Bonacia Ltd brands, products and services where permitted by law. This may include email, post, telephone, SMS, WhatsApp, or other communications. We will comply with UK GDPR and PECR.

For electronic marketing, we will use consent where required. In some cases, we may rely on the soft opt-in for existing customers or on legitimate interests for business-to-business marketing where permitted. You can unsubscribe from marketing at any time by using the unsubscribe link in our marketing/transactional emails.

We may keep a suppression record so that we can respect your opt-out and avoid sending further marketing.


10. Cookies and similar technologies

Our websites may use cookies and similar technologies. Cookies are small files placed on your device. We use strictly necessary cookies to operate our websites and may use analytics, preference or marketing cookies where permitted and, where required, with your consent.

Our cookie banner or cookie policy should explain the cookies used, their purposes, providers and duration, and how you can accept, reject or change your preferences:


11. Who we share personal data with

We may share personal data where necessary with:

  • Other Bonacia Ltd brands and internal teams where relevant to the service or enquiry.
  • Schools, teachers, parents/guardians, business customers or competition organisers where relevant to a service, publication, yearbook, order or request.
  • Delivery and courier partners such as Royal Mail, DPD, Amazon Logistics, WS Transport or alternative delivery providers.
  • Payment processors and payment service providers such as PayPal, Braintree or alternative providers.
  • IT, hosting, cloud, security and data storage providers, including Amazon Web Services or alternative hosting providers.
  • Email, CRM and marketing service providers such as Mailchimp, Ontraport or alternative providers.
  • Website analytics, cookie and advertising technology providers, such as Google Analytics where used in accordance with cookie and marketing rules.
  • Professional advisers, insurers, auditors, banks and debt recovery providers.
  • Regulators, law enforcement bodies, courts, HMRC, government agencies or other third parties where required or permitted by law.
  • Potential buyers, investors or advisers in connection with a business sale, restructuring or due diligence exercise.

Where we use processors, we require them to protect personal data and use it only in accordance with our instructions and applicable law.


12. International transfers

We are based in the UK. Some of our suppliers, systems or support services may process personal data outside the UK. Where we transfer personal data outside the UK, we will do so only where permitted by UK data protection law.

This may include transfers to countries covered by UK adequacy regulations or transfers protected by appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, binding corporate rules, or another lawful transfer mechanism.


13. How we keep personal data secure

We use technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration or disclosure. These may include access controls, user permissions, secure network storage, cloud security controls, backups, staff training, supplier due diligence, logging, password controls, encryption where appropriate, and incident response procedures.

Personal data is held within Bonacia's secure network using per-user access controls or on secure cloud servers. Each brand has its own folder structure so that access can be limited to staff who need the information for their role.


14. CCTV

We use CCTV at our offices at Remus House, Coltsfoot Drive, Woodston, Peterborough, PE2 9BF for safety, security, crime prevention, protection of staff and visitors, protection of property and investigation of incidents. CCTV may capture images of people and vehicles.

We rely on legitimate interests for CCTV, and legal obligation where applicable. CCTV footage is accessed only by authorised personnel and may be shared with law enforcement, insurers, professional advisers or other parties where necessary and lawful.

CCTV recordings will normally be retained for 6 to 10 days from the date of recording. After this period, footage will be automatically or securely deleted from the system. Recordings may be retained for longer only where they are required for an active investigation, health and safety review, legal claim, insurance matter, disciplinary matter, or lawful request by an authorised body.


15. How long we keep personal data

We keep personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, accounting, reporting, contractual, operational and dispute resolution requirements. Where we act as a processor, we retain and delete personal data in accordance with the controller's instructions.

Retention periods and criteria:

  • Customer enquiries: 2 years after last contact, unless needed for order/legal records.
  • Order, delivery and customer account records: To support repeat orders and reprints, Bonacia retains customer files and order information for 10 years or longer where necessary, because many customers return to reorder previously purchased books; we periodically review this information to ensure it is not kept longer than needed for this purpose.
  • Payment transaction records: Bonacia retains order details and payment amounts (no card details) for 5 years.
  • Yearbook and competition administration: 1 year.
  • Creative submissions, artwork, stories and publication records: 1 year; published work is kept indefinitely to allow re-orders of published work.
  • Marketing consent and preference records: Until consent is withdrawn.
  • Website analytics and cookie data: 14 months.
  • CCTV footage: 6 to 10 days after recording.
  • Legal claims and dispute records: 5 years.

When a retention period expires, we will securely delete, anonymise or dispose of personal data unless we are legally required or permitted to keep it for longer.


17. Automated decision-making and profiling

We do not currently make decisions about you based solely on automated processing, including profiling, that produce legal effects or similarly significant effects.

If this changes, we will update this policy and provide information about the logic involved, the significance and likely consequences of the processing, the lawful basis, and your safeguards, including the right to obtain human intervention, make representations and contest the decision where required by law.


18. Your data protection rights

Depending on the circumstances, you have the following rights under data protection law:

  • Right of access: You can ask for a copy of your personal data.
  • Right to rectification: You can ask us to correct inaccurate personal data or complete incomplete personal data.
  • Right to erasure: You can ask us to delete your personal data in certain circumstances.
  • Right to restriction: You can ask us to restrict how we use your personal data in certain circumstances.
  • Right to object: You can object to processing based on legitimate interests, direct marketing or certain other grounds.
  • Right to data portability: You can ask us to provide certain personal data in a structured, commonly used and machine-readable format.
  • Right to withdraw consent: Where we rely on consent, you can withdraw it at any time.
  • Rights relating to automated decision-making: You have rights relating to solely automated decisions that have legal or similarly significant effects, where applicable.

You normally do not have to pay a fee to exercise your rights. We may ask for information to confirm your identity or to clarify your request. The time limit for responding starts when we receive your request, any information reasonably required to confirm your identity, and any fee that is lawfully required for manifestly unfounded or excessive requests.

We will usually respond within one month. In some cases, we may extend the response period by up to two further months if the request is complex or if you have made multiple requests. If we need clarification to respond to a subject access request, we may pause the response period while waiting for that clarification, where permitted by law.

To exercise your rights, please contact: [email protected]


19. Complaints

If you are unhappy with how we use your personal data, please contact us first so that we can try to resolve your concern.

You can make a data protection complaint by emailing [email protected]. We will acknowledge your complaint within 30 days and respond without undue delay.

You also have the right to complain to the Information Commissioner's Office (ICO), the UK regulator for data protection.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint/

20. Changes to this policy

We will review this policy annually and make any necessary updates as needed to reflect changes to our services, suppliers, technology, legal requirements or data protection practices. The latest version will be published on our websites with the date of the update. Where changes are significant, we may take additional steps to bring them to your attention.