This policy explains how Bakeculator collects, uses, and protects your personal data. We are committed to handling your information transparently and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Bakeculator is operated as an independent software service. The data controller for personal data processed through this website and the Bakeculator application (app.bakeculator.com) is the operator of Bakeculator.
If you have any questions about this policy or your personal data, please contact us at: privacy@bakeculator.com
2. What personal data we collect
Account and profile data
- Email address (used to create and identify your account)
- Password (stored as a cryptographic hash — we never see your plaintext password)
- Business name, phone number, address, and website (if you choose to add them in Settings)
- Logo image (uploaded in Settings, stored as a base64-encoded image in our database)
Business data you create
Bakeculator stores the following data that you create while using the application. This data belongs to you:
- Ingredient lists, pack sizes, and costs
- Supplier details
- Product recipes, costings, and methods
- Customer names, email addresses, phone numbers, and addresses
- Quotes and invoices (including line items, prices, and deposit details)
- Expense records and ingredient purchase logs
Payment data
We do not store payment card details. Subscription payments are handled entirely by Stripe, Inc. We store a Stripe Customer ID and Stripe Subscription ID to manage your subscription status. See Stripe's privacy policy at stripe.com/gb/privacy.
Technical data
- IP address and approximate location (logged by our infrastructure provider, Supabase/AWS, for security purposes)
- Browser type and device type (standard web server logs)
- Pages visited and actions taken within the application (via Supabase's built-in logging)
3. How we use your data
We use your personal data for the following purposes and on the following legal bases:
- To provide the Bakeculator service — Legal basis: Contract performance. We need your account data and business data to operate the app.
- To manage your subscription and process payments — Legal basis: Contract performance. We share minimal data with Stripe to process payments.
- To send transactional emails — Legal basis: Contract performance. We use Resend to send emails you initiate (quote emails, invoice emails) from our system on your behalf. These are sent to your customers at your direction.
- To send service notifications — Legal basis: Legitimate interests. We may email you about important service changes, security updates, or subscription billing events.
- To improve the service — Legal basis: Legitimate interests. We may review aggregate usage patterns (not individual content) to prioritise product development.
- To comply with legal obligations — Legal basis: Legal obligation. We retain certain records as required by law.
We do not use your data for advertising or profiling, and we do not sell it to third parties.
4. Third-party services
The following third-party services process personal data on our behalf as data processors:
- Supabase Inc. — our database, authentication, and backend infrastructure provider. Data is hosted on AWS in the EU (eu-west-2). Supabase Privacy Policy.
- Stripe, Inc. — payment processing. Stripe processes payment card data under their own security and compliance standards (PCI DSS Level 1). Stripe Privacy Policy.
- Resend — transactional email delivery. Used to send quote and invoice PDFs to your customers at your direction. Resend Privacy Policy.
We do not use Google Analytics, Facebook Pixel, or any third-party advertising or tracking services.
5. Data retention
We retain your personal data for as long as your account is active. If you delete your account:
- All your application data (ingredients, products, quotes, invoices, customers, expenses) is permanently and immediately deleted from our database.
- Your authentication record is deleted.
- Stripe's records of your payment history are retained by Stripe in accordance with their own retention policies and applicable financial regulations.
You can delete your account at any time from Settings → Account → Delete account.
6. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can update most of your data directly within the application. For data you can't access, contact us.
- Right to erasure — you can delete all your data by deleting your account from Settings, or by contacting us.
- Right to data portability — you can request your data in a machine-readable format. Contact us at privacy@bakeculator.com.
- Right to restriction of processing — in certain circumstances you can ask us to pause processing your data.
- Right to object — you can object to processing based on legitimate interests.
To exercise any of these rights, email us at privacy@bakeculator.com. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk, helpline: 0303 123 1113.
7. Data security
We take reasonable technical and organisational measures to protect your data, including:
- All data is transmitted over HTTPS (TLS 1.2+)
- Passwords are hashed using bcrypt via Supabase Auth — we never store plaintext passwords
- Row-level security (RLS) policies in our database ensure users can only access their own data
- Database access is restricted to authenticated API calls — there is no direct public database access
8. Children's privacy
Bakeculator is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, please contact us and we will delete it.
9. Changes to this policy
We may update this privacy policy from time to time. When we make significant changes, we will notify you by email (if you have an account) or by displaying a prominent notice on the website. The "last updated" date at the top of this page reflects the most recent revision.
10. Contact us
For any privacy-related questions or requests:
Email: privacy@bakeculator.com
Website: bakeculator.com