BakeryOS.

Privacy Policy

Effective date: January 1, 2025  •  Last updated: January 1, 2025
Contents
1. Introduction
2. Information We Collect
3. How We Use Information
4. Information Sharing
5. Cookies & Tracking
6. Data Security
7. Data Retention
8. Your Rights
9. Tenant Customer Data
10. Children's Privacy
11. Third-Party Services
12. International Transfers
13. Changes to This Policy
14. Contact Us

Plain-English Summary: We collect only what we need to run BakeryOS. We never sell your personal data. Your bakery customers' data belongs to you. You can request deletion of your data at any time. We use Stripe for billing -- we never store your payment card details.

1. Introduction

BakeryOS ("we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our service.

This Policy applies to two categories of people: (1) Tenants -- bakery owners and their staff who subscribe to our platform; and (2) End Users -- the bakery customers who shop on storefronts powered by BakeryOS.

By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you disagree with this policy, please discontinue use of the Service.

2. Information We Collect

2.1 Information You Provide

Category | Examples | Who Provides It
Account Information | Name, email, password (hashed), phone, bakery name, subdomain | Tenants at signup
Billing Information | Billing address; Stripe payment method token (we never store raw card numbers) | Tenants at subscription
Business Content | Product listings, photos, pricing, business hours, branding assets | Tenants in admin
Customer Account Data | End-user name, email, password (hashed), shipping/billing addresses, order history | End users on storefront
Order Data | Product selections, custom order notes, fulfillment preferences, timestamps | End users at checkout
Support Communications | Emails, chat messages, support tickets you send to us | Tenants and end users

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

  • Log Data: IP address, browser type, operating system, referring URLs, pages visited, timestamps, and HTTP request information.
  • Device Information: Device type, screen resolution, and browser version.
  • Usage Data: Features used, pages viewed, actions taken within the admin dashboard, and session duration.
  • Cookies and Similar Technologies: Session cookies, preference cookies, and analytics identifiers. See Section 5.

2.3 Information from Third Parties

We may receive information from:

  • Stripe: Subscription status, payment method type (card brand, last 4 digits), billing events, and customer IDs.
  • Email Service Providers: Delivery and open status for transactional emails we send on your behalf.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provision accounts, process subscriptions, operate the platform, and provide technical support.
  • Billing: To manage your subscription, process payments through Stripe, send invoices, and notify you of billing issues.
  • Communications: To send transactional emails (account confirmation, password reset, trial reminders, billing notices) and, with your consent, product updates and announcements.
  • Improvement: To analyze usage patterns, diagnose technical issues, improve features, and develop new functionality.
  • Security: To detect fraud, prevent abuse, and protect the integrity of the platform.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

We do not sell your personal information to third parties, and we do not use it for targeted advertising.

4. Information Sharing and Disclosure

We share your information only in the following limited circumstances:

4.1 Service Providers

We share information with trusted third-party service providers who assist us in operating the Service, subject to confidentiality agreements:

  • Stripe, Inc. -- Payment processing and subscription billing. Stripe Privacy Policy
  • SendGrid (Twilio) -- Transactional email delivery.
  • Cloud Hosting Provider -- Infrastructure and data storage.

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). We will attempt to notify you of such requests to the extent permitted by law.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website before your information is transferred and becomes subject to a different Privacy Policy.

4.4 With Your Consent

We may share your information with third parties when you give us explicit consent to do so.

5. Cookies and Tracking Technologies

We use the following types of cookies:

Cookie Type | Purpose | Duration
Session Cookies | Maintain your login session and CSRF protection tokens | Session (deleted when browser closes)
Preference Cookies | Remember your display preferences (e.g., billing cycle selection) | 30 days
Analytics Cookies | Understand how the platform is used to improve features (anonymized) | Up to 2 years

You can control cookies through your browser settings. Disabling session cookies will prevent you from logging in to the Service.

6. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL.
  • Password Hashing: All passwords are hashed using bcrypt with an appropriate cost factor. We never store plaintext passwords.
  • Tenant Isolation: Each bakery's data is logically isolated using strict tenant-scoped database access controls. No tenant can access another tenant's data.
  • Payment Security: We use Stripe for all payment processing. We never store, transmit, or have access to raw payment card numbers.
  • Access Controls: Internal access to production systems is restricted to authorized personnel and protected by multi-factor authentication.
  • Nightly Backups: Data is backed up nightly and retained per our backup retention policy.

No method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.

In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

7. Data Retention

We retain your information for as long as your account is active or as needed to provide you with the Service. Specifically:

  • Active accounts: Data is retained for the duration of the subscription.
  • Cancelled accounts: We retain your data for 30 days after cancellation, during which you may request an export. After 30 days, your data is permanently deleted.
  • Billing records: We retain billing and payment records for 7 years as required by applicable tax laws.
  • Log data: Server logs are retained for up to 90 days.

You may request early deletion of your data by contacting us at privacy@bakeryos.net. Note that some information may need to be retained to fulfill legal obligations.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that we correct inaccurate or incomplete information.
  • Deletion: Request that we delete your personal information (subject to legal retention requirements).
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to certain types of processing (e.g., marketing emails).
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Withdraw Consent: Where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, please contact us at privacy@bakeryos.net. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

California Residents (CCPA): California residents have the right to know what personal information we collect, the right to delete it, and the right not to be discriminated against for exercising these rights. We do not sell personal information.

9. Tenant Customer Data (Data Processor Role)

When you use BakeryOS to collect and manage data from your bakery customers (including their names, email addresses, and order history), you are the data controller and we are the data processor acting on your instructions.

As a data controller, you are responsible for:

  • Having a lawful basis for collecting and processing your customers' personal data.
  • Providing your customers with appropriate privacy notices about how their data is used.
  • Responding to your customers' requests to access, correct, or delete their personal data.
  • Complying with applicable data protection laws in your jurisdiction.

We process your customers' data only as necessary to provide the Service to you and in accordance with your instructions. We do not use your customers' data for our own marketing purposes or share it with third parties except as necessary to provide the Service.

10. Children's Privacy

The Service is not directed to individuals under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly.

If you believe we may have inadvertently collected information from a child under 13, please contact us at privacy@bakeryos.net.

11. Third-Party Services and Links

The Service may contain links to third-party websites or integrate with third-party services (such as Stripe). These third parties have their own privacy policies and we are not responsible for their practices. We encourage you to review the privacy policies of any third-party services you use.

Key third-party privacy policies:

  • Stripe Privacy Policy
  • Twilio / SendGrid Privacy Policy

12. International Data Transfers

Our servers are located in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

By using the Service, you consent to this transfer. We take steps to ensure that your data receives an adequate level of protection regardless of where it is processed.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by sending an email to the address associated with your account and by posting a notice in your admin dashboard at least 14 days before changes take effect.

The "Last updated" date at the top of this page indicates when this Policy was last revised. Your continued use of the Service after any changes take effect constitutes your acceptance of the revised Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy team:

  • Email: privacy@bakeryos.net
  • Website: https://bakeryos.net

We aim to respond to all privacy inquiries within 5 business days.


This Privacy Policy was last updated on January 1, 2025. See also: Terms of Service.

© 2026 BakeryOS. All rights reserved.