Privacy Policy

This Privacy Policy explains how Optana Limited, trading as Bakerly ("Bakerly", "we", "us", "our"), collects, uses and protects personal data when you sign up for and use the Bakerly platform at bakerly.co.uk and its subdomains (the "Service").

For the purposes of UK GDPR and the Data Protection Act 2018, Bakerly is the data controller for personal data of bakery owners and team members who register and use the platform. Bakerly is a data processor for personal data that bakeries (our customers) collect from their own end-customers through their Bakerly storefront — those bakeries are the controllers of that data.

1. Who we are

Bakerly is a trading name of Optana Limited, a company registered in England and Wales under company number 16486606. Optana Limited is registered with the UK Information Commissioner's Office under registration number ZC142386. Our service is operated from the United Kingdom and our primary contact email for privacy enquiries is privacy@bakerly.co.uk.

2. What we collect

From bakery owners and team members (you)

When you create an account, run your bakery on Bakerly, or contact us:

  • Account information: name, email address, phone number (optional), password (stored as a hash by our authentication provider).
  • Business information: bakery name, slug, logo, address, opening hours, contact details, social links and any other content you publish to your storefront.
  • Subscription and payment information: plan, billing cadence, invoice history. Card details are handled directly by Stripe and are never stored on Bakerly's systems.
  • Operational data: products, recipes, ingredients, orders, customer records, expenses and any other content you create in the portal.
  • Usage data: IP address, browser type, pages visited, timestamps — used to operate, secure and improve the Service.
  • Support correspondence: messages you send via the in-product help surface or email.

From your end-customers (when you use Bakerly as a bakery)

Customers who place orders, reserve cake-shed items, sign up to your newsletter or send you an enquiry through your storefront provide:

  • Name, email, phone, delivery or collection address
  • Order details and any notes they leave
  • Cookie data described in our Cookie Policy

We process this data on your behalf as a processor; you remain the controller. We do not market to your end-customers without your explicit instruction (e.g. when you send a newsletter through Bakerly).

3. How we use personal data

We rely on the following lawful bases under UK GDPR:

Purpose | Lawful basis
Provide and maintain the Service | Contract
Process payments and invoices | Contract / Legal obligation
Send service emails (order receipts, billing alerts, security notices) | Contract / Legitimate interests
Send marketing emails about Bakerly | Consent (newsletter) / Legitimate interests (in-product)
Respond to support requests | Legitimate interests
Detect, prevent and respond to fraud or abuse | Legitimate interests
Comply with legal and regulatory obligations | Legal obligation

You can opt out of marketing emails at any time using the unsubscribe link in any marketing message or by emailing us.

4. Sub-processors

We share personal data with the following sub-processors who provide the infrastructure and tooling we run on. Each is bound by a written data processing agreement and is required to apply appropriate technical and organisational measures.

Sub-processor | Purpose | Region
Supabase | Database, authentication, file storage | EU
Vercel | Application hosting, edge network | Global (CDN)
Stripe | Payment processing, subscription billing | EU / US (SCC)
Worldpay | Payment processing (when enabled by tenant) | UK
Postmark | Transactional and broadcast email | US (SCC)
Sentry | Error tracking and performance monitoring | EU (when enabled)
Google (Tag Manager + Analytics 4) | Marketing-site analytics. Runs with Consent Mode v2 default-denied — see Cookie Policy §3 | US (SCC)

Where data is transferred outside the UK, we rely on the UK International Data Transfer Addendum or the European Commission's Standard Contractual Clauses, as appropriate.

In addition, your bakery may enable third-party tools on your storefront — for example Google Analytics 4 or Meta Pixel. When you do, those tools become independent controllers of any data they collect from your visitors and you are responsible for disclosing them in your own privacy policy.

5. How long we keep data

  • Active accounts: for as long as the account is open.
  • After account closure: account data is retained for 30 days in case you change your mind, then deleted from primary storage. Encrypted backups are retained for up to 90 days.
  • Invoices and tax records: retained for at least six years to meet HMRC requirements.
  • Email logs: retained for 90 days for deliverability investigations.
  • Audit logs: retained for 24 months for security and compliance purposes.

6. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Have inaccurate data corrected
  • Have your data erased (subject to legal retention obligations above)
  • Restrict or object to certain processing
  • Receive your data in a portable format
  • Withdraw consent where consent is the lawful basis

To exercise any of these rights, email privacy@bakerly.co.uk. We will respond within 30 days. If you believe we have mishandled your data you can complain to the Information Commissioner's Office (ico.org.uk), though we'd appreciate the chance to put it right first.

7. Security

Bakerly applies industry-standard technical and organisational measures to protect personal data, including encryption in transit (TLS), encryption at rest, role-based access control, audit logging of administrative actions, and isolation between tenants at the database level. We restrict internal access to personal data to staff who need it to operate the Service.

No system is perfectly secure. If a breach occurs that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware of it.

8. Children

Bakerly is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe we have done so, please contact us so we can remove it.

9. Changes to this policy

We may update this Privacy Policy from time to time. The "updated" date at the top reflects the most recent change. Material changes will be highlighted in-product or by email.

10. Contact

Questions, requests or complaints about this policy: privacy@bakerly.co.uk.