Privacy Policy
Last updated: March 20, 2026
1. Introduction
BakeOnyx ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our bakery management platform and related services (the "Service").
By using BakeOnyx, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name and email address
- Phone number (optional)
- Bakery name and business details
- User role within your bakery
- Password (stored in encrypted form)
2.2 Business Data
To provide our Service, we store the business data you enter:
- Orders and customer information
- Customer contact details including phone numbers, delivery addresses, company names, and tax IDs
- Customer dietary requirements and allergen profiles
- Recipes, ingredients, and inventory data
- Supplier information
- Pricing and financial data
- Images you upload
- Message content and communication history (via integrated messaging)
- Delivery tracking information including proof-of-delivery images
- Loyalty program data (points, tiers, transactions)
Sensitive Data Acknowledgment (GDPR Art. 9): Customer allergen and dietary requirement data may constitute special category data (health data) under GDPR. Bakeries, as data controllers, are responsible for obtaining appropriate consent from their customers before entering this data. BakeOnyx processes this data solely on the bakery's instructions.
2.3 Usage Data
We automatically collect certain information when you use our Service:
- Device information (browser type, operating system)
- IP address and approximate location
- Pages visited and features used
- Session duration and interaction patterns
- Referring URLs
2.4 Payment Information
Payment processing is handled by Stripe, a PCI-compliant payment processor. We do not store your credit card numbers or full payment details. We receive only limited information such as the last four digits of your card and billing address.
2.5 Cookies and Tracking
We use cookies and similar technologies for:
- Essential cookies: Authentication, security, and basic functionality
- Preference cookies: Remembering your settings and preferences
We do not use advertising or third-party tracking cookies. The following cookies are used by the Service:
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
| next-auth.session-token | Essential | Session | Staff authentication |
| store_session | Essential | 30 days | Online store customer authentication |
| wholesale_session | Essential | 30 days | Wholesale portal authentication |
| twitter_oauth_state | Essential | Session | OAuth authentication state |
| linkedin_oauth_state | Essential | Session | OAuth authentication state |
| meta_oauth_state | Essential | Session | OAuth authentication state |
| selected_location | Preference | 30 days | Multi-location bakery selection |
| Guest cart cookie | Essential | 7 days | Guest shopping cart |
You can control cookies through your browser settings. Note that disabling certain cookies may affect Service functionality.
2.6 Staff and Employee Data
When bakeries use our staff management features, we process the following data on their behalf:
- Staff names, roles, and location assignments
- Hourly rates and labor cost information
- Availability preferences and shift history
This data is provided by the bakery in its capacity as the employer and data controller. BakeOnyx processes this data solely on the bakery's behalf.
2.7 Store Customer and Wholesale Customer Data
End consumers may create accounts on a bakery's online store or wholesale portal hosted through BakeOnyx. In these cases, we collect and process:
- Name, email address, phone number, and delivery addresses
- Dietary requirements and allergen information
- Order history and shopping preferences
For wholesale customers, we additionally process:
- Company name and tax ID
- Payment terms and credit information
BakeOnyx processes this data on behalf of the bakery operating the store. The bakery is the data controller for its store and wholesale customers.
End consumers who have questions about how a specific bakery collects, uses, or stores their personal data should contact that bakery directly. BakeOnyx does not have a direct relationship with end consumers and processes their data solely on the bakery's behalf.
2.8 Third-Party Integration Data
When bakeries connect third-party services to BakeOnyx, we may receive and process data from those services. Integration categories include but are not limited to:
- Messaging providers (such as WhatsApp and SMS services)
- Calendar services (such as Google Calendar)
- Accounting platforms (such as QuickBooks and Xero)
Data stored from integrations may include:
- OAuth tokens and API credentials (encrypted at rest)
- Synchronization metadata and status information
- Message delivery status updates
3. Legal Basis for Processing
For users in the European Economic Area (EEA) and UK: Under the General Data Protection Regulation (GDPR), we are required to identify a lawful basis for each purpose for which we process personal data. The table below sets out the legal bases we rely on.
| Processing Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Account creation and management | Contractual necessity (Art. 6(1)(b)) |
| Order processing and fulfillment | Contractual necessity (Art. 6(1)(b)) |
| Service communications (order confirmations, system alerts) | Contractual necessity (Art. 6(1)(b)) |
| AI-powered features (predictions, insights, scheduling) | Contractual necessity (Art. 6(1)(b)) |
| Messaging integration (WhatsApp, SMS) | Contractual necessity (Art. 6(1)(b)) |
| Third-party integrations (calendar, accounting) | Contractual necessity (Art. 6(1)(b)) |
| AI agent auto-execution of low-risk actions | Legitimate interest (Art. 6(1)(f)) |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Error tracking and service reliability (Sentry) | Legitimate interest (Art. 6(1)(f)) |
| Platform analytics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Financial record retention | Legal obligation (Art. 6(1)(c)) |
Special Category Data (Art. 9)
Allergen and dietary requirement data entered by bakeries about their customers may constitute special category data (health data) under GDPR Article 9. Bakeries, as data controllers, are responsible for ensuring they have obtained appropriate consent or another valid legal basis before entering this data into BakeOnyx. BakeOnyx processes this data solely on the bakery's behalf and instructions.
Legitimate Interest Assessment
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. For AI agent auto-execution, security monitoring, error tracking, and platform analytics, we have determined that these activities are necessary for the operation and improvement of our Service and do not cause unwarranted harm. You have the right to object to processing based on legitimate interest by contacting privacy@bakeonyx.ai.
4. How We Use Information
We use the information we collect to:
- Provide, maintain, and improve our Service
- Process your orders and transactions
- Send service communications (order confirmations, system alerts)
- Provide AI-powered features (predictions, insights, recommendations)
- Enable bakery-customer communications via integrated messaging channels
- Process and track deliveries
- Manage loyalty programs on behalf of bakeries
- Synchronize data with connected third-party services at the bakery's direction
- Manage staff scheduling and labor cost tracking
- Personalize your experience
- Send marketing communications (with your consent)
- Prevent fraud and ensure security
- Comply with legal obligations
- Respond to your inquiries and support requests
Important Note About AI Features
Our AI features are powered by third-party providers including Anthropic (Claude) and OpenAI. When you use AI features, relevant business data (such as order history, inventory levels, and recipe information) is sent to these providers to generate predictions, insights, and recommendations specifically for your bakery.
We select API configurations designed to minimise data retention by these providers where such options are available. However, how third-party AI providers process your data is governed by their own privacy policies and terms of service. We encourage you to review:
- Anthropic: anthropic.com/privacy
- OpenAI: openai.com/privacy
Similarly, all other third-party services listed in Section 5 (including payment processors, messaging providers, and accounting integrations) process data in accordance with their own privacy policies. BakeOnyx is not responsible for the data practices of third-party providers.
5. Data Sharing & Third-Party Services
Who We Share With
We may share your information with:
- Service Providers: Third parties that help us operate our Service, including payment processors, email delivery services, cloud hosting providers, and similar infrastructure services
- Third-Party Integrations (at Your Direction): When you connect external services such as messaging providers, calendar services, or accounting platforms, data is transmitted to those services to enable the integration. Data shared with third-party services is governed by their respective privacy policies. BakeOnyx provides the technical infrastructure for these integrations at the bakery's direction and does not control third-party data processing.
- Legal Requirements: When required by law, court order, or government request
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- With Your Consent: When you explicitly authorize sharing
Data Processor Role
BakeOnyx acts as a data processor for bakery customer data, staff data, and end-consumer data (including store and wholesale customers). The bakery is the data controller and determines what data is collected and how it is used.
For store and wholesale customers, the bakery operating the store is the data controller. BakeOnyx processes this data solely in accordance with the bakery's instructions and these terms.
This Privacy Policy, together with our Terms of Service, constitutes BakeOnyx's data processing terms in compliance with GDPR Article 28. The sub-processor list below and the security measures in Section 9 form part of these processing terms. BakeOnyx will make available to bakeries, on reasonable request, information necessary to demonstrate compliance with these processing obligations.
What We Do NOT Do
- We do not sell your personal data
- We do not share data with advertisers
- We do not use your data to train our own AI models. Third-party providers' data practices are governed by their respective terms of service.
- We do not use advertising or third-party tracking cookies
Sub-Processors
The following is a non-exhaustive list of third-party services that may process personal data on our behalf. Not all sub-processors apply to every bakery — some are only engaged when you enable specific features or integrations. We may engage additional sub-processors from time to time to support new features and integrations.
| Service | Purpose | Jurisdiction |
|---|---|---|
| Hetzner | Cloud hosting and infrastructure | EU (Germany) |
| Anthropic (Claude) | Primary AI provider | US |
| OpenAI | Fallback AI provider | US |
| Stripe | Payment processing | US |
| Square | Alternative payment processing | US |
| Resend | Email delivery | US |
| Sentry | Error tracking and monitoring | US |
| AWS S3 | File and image storage | US |
| Meta (WhatsApp Business) | WhatsApp messaging | US |
| Twilio | SMS messaging | US |
| Google (Calendar) | Calendar synchronization | US |
| Intuit (QuickBooks) | Accounting integration | US |
| Xero | Accounting integration | NZ / Global |
This list is representative and may not include every service at all times as we add new features and integrations. We will notify affected bakeries of material changes to sub-processors via email or in-app notification.
6. Automated Decision-Making
GDPR Art. 22 Disclosure: BakeOnyx includes AI agent features that can automatically execute certain actions on your behalf. This section explains how automated decision-making works, your controls, and your rights.
AI Agent System
BakeOnyx offers an AI agent system that can analyze your bakery data and generate suggestions for operational improvements (such as inventory reordering, production scheduling, and pricing adjustments). When enabled, the system can also auto-execute certain low-risk actions without requiring manual confirmation.
Safeguards and Controls
- Off by default: Auto-execution is disabled by default. The bakery owner must explicitly enable it and choose an auto-execution risk level (read-only or low-risk).
- Risk classification: Every action is classified by risk level. High-risk actions (such as cancelling orders or deleting data) can never be auto-executed and always require explicit human approval.
- Full audit trail: Every auto-executed action is logged with a complete record of what was done, when, and why, accessible in your agent execution history.
- Human oversight: All auto-executed actions can be reviewed, and the auto-execution feature can be disabled at any time from your settings.
Your Rights Regarding Automated Decisions
Under GDPR Article 22, you have the right to:
- Disable auto-execution at any time from your notification preferences
- Request human review of any automated action
- Request an explanation of how an automated decision was reached
- Contest any automated decision by contacting privacy@bakeonyx.ai
7. Data Retention
We retain your data according to the following schedule:
| Data Type | Retention Period |
|---|---|
| Active account data | While your account is active |
| After account deletion | Deleted immediately (cascade deletion of all bakery data) |
| Database backups | Daily backups: 30-day retention; pre-deployment backups: last 10 kept |
| Usage and security logs | Retained indefinitely; no automated cleanup currently in place |
| Financial records | Cascade-deleted with account. We recommend exporting financial data before account deletion to meet your own legal retention obligations. |
| Messaging data | While account is active; deleted with account |
| Delivery proof images | Retained while account is active; deleted with account |
| Integration tokens | While integration is active; deleted or deactivated on disconnect |
| Guest cart sessions | Cookie expires after 7 days; stale carts cleaned periodically |
| Platform analytics (DailyMetrics, AIUsagePlatform) | Indefinitely (aggregated, anonymized, non-personal, no bakery identifier) |
| Feature usage tracking (FeatureUsage) | While account is active; deleted with account (bakery-identifiable) |
| Support tickets and replies | While account is active; deleted with account |
| AI agent suggestions and execution history | While account is active; deleted with account |
| Bake Buddy conversation history | While account is active; deleted with account |
| Video ad content (platform-level) | Indefinitely (platform marketing content, not tenant data) |
| Security event logs | Retained indefinitely for security and compliance purposes |
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of your personal data
- Correction: Correct inaccurate or incomplete information via your account settings
- Deletion: Request deletion of your account and data by contacting privacy@bakeonyx.ai (self-service deletion is not currently available)
- Export: Download your data via per-page CSV export (customers, orders, recipes, ingredients). A unified single-file export is not currently available.
- Opt-out: Unsubscribe from marketing communications
- Restriction: Request that we limit processing of your data by contacting privacy@bakeonyx.ai
- Objection: Object to processing based on legitimate interest
Storefront and Wholesale Customers
End consumers who interact with a bakery's online store or wholesale portal should direct privacy requests (access, deletion, correction) to the bakery operating the store, as the bakery is the data controller. BakeOnyx will assist bakeries in fulfilling these requests upon instruction.
How to Exercise Your Rights
You can exercise many of these rights through your account settings. For other requests:
- Email us at privacy@bakeonyx.ai
- We will respond within 30 days
- For complex or numerous requests, the response period may be extended by up to two additional months in accordance with GDPR Article 12(3). We will inform you of any extension within the initial 30-day period.
- We may need to verify your identity before processing requests
California Residents (CCPA/CPRA)
If you are a California resident, CCPA/CPRA provides additional rights:
- No Sale or Sharing: BakeOnyx does not "sell" or "share" personal information as defined by CCPA/CPRA
- Right to Know: Request disclosure of categories and specific pieces collected
- Right to Delete: Request deletion, subject to certain exceptions
- Right to Correct: Request correction of inaccurate information
- Right to Limit Use of Sensitive Personal Information: Limit to purposes necessary for the Service
- Non-Discrimination: No discrimination for exercising rights
- Authorized Agents: May designate an agent; verification may be required
- Global Privacy Control (GPC): BakeOnyx recognizes Global Privacy Control signals as valid opt-out requests under CCPA/CPRA
Contact: privacy@bakeonyx.ai or account settings. Response within 45 days per CCPA requirements.
9. Security Measures
We implement appropriate security measures to protect your data:
- Encryption in transit: All data transmitted using TLS 1.3
- Encryption at rest: Data stored with AES-256 encryption
- Credential encryption: Third-party integration credentials encrypted at rest using AES-256-GCM
- Access controls: Role-based access and authentication
- Regular audits: Security assessments and vulnerability testing
- Employee training: Security awareness and best practices
- Incident response: Procedures for handling security incidents
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
Data Breach Notification
In the event of a personal data breach that affects your data, BakeOnyx will notify affected bakeries without undue delay and, where required by applicable law (such as GDPR), within 72 hours of becoming aware of the breach. Notification will include, to the extent available:
- Nature of the breach including categories and approximate number of records
- Likely consequences
- Measures taken or proposed
- Contact point for further information
As the data controller, you are responsible for determining whether notification to supervisory authorities or affected individuals is required. BakeOnyx will provide reasonable assistance.
10. Children's Privacy
BakeOnyx is a business-to-business service intended for use by adults operating bakery businesses. Our Service is not directed to individuals under 18 years of age, and we do not knowingly collect personal information from children.
If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@bakeonyx.ai.
11. International Data Transfers
BakeOnyx's primary infrastructure is hosted by Hetzner in the European Union (Germany). However, several of our sub-processors are based in the United States and other jurisdictions (see Section 5 for the full list). When your data is transferred to or processed in countries outside the EEA, we implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to jurisdictions without an adequacy decision
- Data processing agreements with all sub-processors
- Reliance on the EU-US Data Privacy Framework (DPF) where our US-based sub-processors are certified participants
- Compliance with applicable international data transfer frameworks
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new policy on this page with an updated date
- Sending an email notification for significant changes
- Displaying an in-app notification
Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: privacy@bakeonyx.ai
- General support: support@bakeonyx.ai