This Privacy Policy explains how ÉKAI NOIR CAKES & CO. LTD ("we", "us", "our") collects, uses, stores and protects your personal data when you use The Baker's Suite web application and the associated website at ekainoircakes.com ("the Service").
We are committed to protecting your privacy and handling your data in an open, transparent way that complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Data Controller
ÉKAI NOIR CAKES & CO. LTD
Company number: 16447782 (registered in England & Wales)
Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ (registered office for correspondence only — please do not send post here)
Email: Bakerssuite@ekainoircakes.com
Customer details (names, emails, phone numbers, addresses) that you enter when creating enquiries, quotes, orders and invoices
Compliance records (opening/closing checks, temperature logs, cleaning rotas, HACCP incidents, waste logs)
Orders, quotes, enquiries, finance records
Subscription & billing data
Your subscription plan, trial end date, subscription status
Stripe customer ID and subscription ID (we do not store your card details — Stripe handles these directly)
Technical data
IP address, browser type, device type, and session timestamps (via our hosting and authentication providers)
Error logs and support-ticket context (user agent, URL, timestamp) when you contact support
About your customers' data: When you enter enquiries, orders, or quotes containing your customers' details, you are the data controller for that information and we act as a data processor on your behalf. You are responsible for having a lawful basis to collect that data and for giving your customers their own privacy notice.
2. Why we collect it — lawful bases
Under UK GDPR, every use of your data must have a lawful basis. Ours are:
Contract — to provide the Service you've signed up for (Article 6(1)(b))
Legal obligation — to comply with tax, accounting, and anti-fraud obligations (Article 6(1)(c))
Legitimate interest — to operate, secure and improve the Service, to prevent abuse, and to contact you about service issues (Article 6(1)(f))
Consent — for any optional marketing communications, which you can withdraw at any time (Article 6(1)(a))
3. How we use your data
To authenticate your login and keep your session secure
To provide the core Service — store your recipes, costings, orders, compliance records, etc.
To process your subscription payments via Stripe
To send you transactional emails (password reset, subscription receipts, order confirmations, enquiry thank-yous on your behalf)
To respond to your support requests
To diagnose and fix bugs
To comply with legal and regulatory obligations (e.g. HMRC record-keeping)
We do not sell your data. We do not use it to train AI models. We do not profile you for advertising.
4. Who we share it with
We share the minimum data necessary with trusted sub-processors that help us run the Service:
Supabase (database, authentication, file storage, edge functions) — data hosted in the EU
Netlify (static site hosting, CDN)
Stripe (payment processing) — Stripe is itself a data controller for card data
Google Workspace (Gmail SMTP; transactional email) — being migrated to a dedicated sending service
Each sub-processor is GDPR-compliant and bound by a Data Processing Agreement. We may also disclose your data if required by law, regulator, or valid court order.
5. Where your data is stored & how long we keep it
Your data is stored in the European Union (via Supabase's EU region). Some sub-processors (e.g. Stripe, Netlify) are based in the US but transfer data under UK International Data Transfer Addendum (IDTA) / EU Standard Contractual Clauses safeguards.
Retention
While your account is active: for as long as you keep the Service
If you close your account: account data is deleted within 30 days of your deletion request
Financial records: invoicing and payment records are retained for 6 years after account closure to meet HMRC requirements (UK Companies Act)
Backups: purged within 35 days
6. Security
All data is transmitted over HTTPS (TLS 1.2+)
Passwords are hashed using industry-standard algorithms (bcrypt via Supabase Auth) — we cannot recover them, only reset them
Database rows are protected by row-level security: you can only read your own data
Card details are stored only by Stripe, never by us
We review security practices regularly and patch dependencies promptly
7. Cookies & similar technologies
We use a small number of strictly necessary cookies to keep you signed in and to remember your session preferences. These do not require your consent under UK PECR because they are essential for the Service you requested. We do not use third-party advertising cookies, analytics trackers that profile individuals, or social-media tracking pixels.
If we later introduce optional analytics (e.g. page-load performance), we will request your consent first via a cookie banner.
8. Your rights under UK GDPR
You have the right to:
Access your data (Article 15) — export a copy anytime from Profile → Export my data
Rectify inaccurate data (Article 16) — edit directly in the app, or ask us
Erase your data (Article 17, "right to be forgotten") — delete your account from Profile → Delete my account, or email us
Restrict processing (Article 18)
Data portability (Article 20) — export in a machine-readable JSON format from Profile → Export my data
Object to processing based on legitimate interests (Article 21)
Withdraw consent at any time where consent is the lawful basis
Lodge a complaint with the Information Commissioner's Office (see §12)
To exercise any of these rights, either use the built-in tools in the Service or email Bakerssuite@ekainoircakes.com. We will respond within one calendar month.
9. Children
The Service is intended for use by people running a business and is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it.
10. International data transfers
Your personal data is primarily stored in the European Union. Any transfers outside the UK/EU are protected by the UK International Data Transfer Addendum or EU Standard Contractual Clauses, together with appropriate supplementary measures. We review these regularly.
11. Changes to this policy
If we make material changes to this policy we will notify you by email at least 14 days before the change takes effect, and update the "Last updated" date at the top of this page.
12. Complaints
If you're unhappy with how we've handled your data, please email us first so we can try to resolve it. If you're still unsatisfied, you have the right to complain to the UK Information Commissioner's Office:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Online: ico.org.uk/make-a-complaint