Privacy Policy
Effective date: May 13, 2026. Version: 2026-05.
1. Data We Collect
We collect the following categories of personal data:
- Account data: email address, username, business name, and profile information you provide during registration and onboarding.
- Usage data: pages visited, features used, session timestamps, and browser/device information collected automatically.
- Payment data: billing information processed by Stripe. We do not store full card numbers — payment data is handled by Stripe in accordance with PCI-DSS standards.
- Order and business data: orders, products, recipes, inventory, and customer data that you upload or create within Bakerkit.
- Cookie data: see our Cookie Policy.
2. Legal Basis for Processing
We process your personal data on the following bases under Canadian privacy law:
- Consent: Under PIPEDA and Alberta's Personal Information Protection Act (PIPA), we collect, use, and disclose your personal information with your express consent (given at signup) or implied consent where the purpose is reasonably apparent. For marketing communications, consent is always express and separate.
- Legitimate business purposes under PIPA: We may collect and use personal information without consent where permitted by PIPA for purposes including security monitoring, fraud prevention, and platform improvement, provided those purposes would be considered legitimate by a reasonable person.
- Legal obligation: Where required by applicable federal or provincial law.
3. How We Use Your Data
- To create and manage your account.
- To process payments and manage subscriptions.
- To provide customer support.
- To send transactional emails (order confirmations, account alerts).
- To send marketing emails, if you have opted in.
- To monitor and improve platform performance and security.
- To comply with legal obligations.
4. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the service. If you close your account, you are responsible for exporting any data you wish to retain prior to cancellation. Following account closure, Bakerkit may delete your account data at any time. Certain data may be retained where required by applicable law (e.g., financial records for tax purposes), for dispute resolution, fraud prevention, or as part of routine backup systems.
5. Data Sharing
We share your data with the following third-party processors:
- Supabase — database and authentication infrastructure.
- Stripe — payment processing and subscription management.
- Resend — transactional and marketing email delivery.
- Vercel — hosting and edge infrastructure.
We do not sell your personal data to third parties.
6. Your Rights
Under PIPEDA and Alberta's Personal Information Protection Act (PIPA), you have the following rights:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on our legitimate business interests.
- Withdraw consent: withdraw marketing consent at any time via your account settings or via our contact page.
To exercise any of these rights, contact us via our contact page. We will respond within 30 days.
7. Cookies
We use cookies to operate the platform. See our Cookie Policy for details.
8. Security
We take the security of your personal data seriously and implement industry-standard technical and organisational measures to protect it against unauthorised access, loss, or disclosure:
- Encryption in transit: all data transmitted between your browser and Bakerkit is encrypted using TLS (HTTPS).
- Encryption at rest: data stored in our database (Supabase) is encrypted at rest using AES-256.
- Access controls: access to production data is restricted to authorised personnel on a need-to-know basis and is protected by multi-factor authentication.
- No card storage: we do not store full payment card numbers. All payment card data is handled exclusively by Stripe, which is certified to PCI-DSS Level 1.
- Breach notification: in the event of a material data breach affecting your personal information, we will notify affected users and the applicable privacy regulator as required by PIPEDA and PIPA.
Despite these measures, no system is completely secure. We cannot guarantee absolute security and are not liable for breaches caused by circumstances beyond our reasonable control.
9. International Transfers
Under PIPEDA, Bakerkit remains accountable for your personal information even when transferred to third-party processors outside Canada. We ensure all such transfers are governed by contractual arrangements requiring those processors to provide a comparable level of protection to that required under PIPEDA. Current processors outside Canada include Vercel (US), Stripe (US), and Resend (US). By using the service you acknowledge this transfer may occur.
10. Data Controller / Processor Roles
Bakerkit acts as a data controller for personal information bakers provide about themselves (account data, billing data). For personal information bakers upload about their own customers (customer names, email addresses, order details), bakers are the data controllers and Bakerkit is the data processor, handling that data solely to provide the platform service. Bakers are responsible for ensuring they have appropriate authority to upload their customers' data to Bakerkit.
11. Business Ownership Change
If Bakerkit is acquired or merged, or if substantially all of its assets are transferred, your personal information may be transferred to the new owner as part of that transaction. The new owner will be required to honour the commitments made in this Privacy Policy. We will notify you by email and via an in-app notice before your data is transferred to a new owner under materially different privacy terms.
12. Governing Law
This Privacy Policy is governed by the laws of the Province of Alberta and the applicable federal laws of Canada, including PIPEDA and PIPA. Any disputes relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Alberta, Canada.
13. EU General Data Protection Regulation (GDPR)
Bakerkit is a Canadian company and this Privacy Policy is primarily framed under PIPEDA and Alberta's PIPA. To the extent that EU data protection law, including the General Data Protection Regulation (GDPR), applies to our processing of your personal information (for example, if you are located in the European Economic Area), the rights and protections described in this Privacy Policy apply to you accordingly. The legal bases for processing under GDPR include performance of a contract (Article 6(1)(b)), our legitimate interests (Article 6(1)(f)), compliance with a legal obligation (Article 6(1)(c)), and your consent (Article 6(1)(a)) where applicable. If you have questions about how GDPR applies to your use of Bakerkit, please contact us via our contact page.
14. Contact & DPA
For privacy enquiries or to exercise your rights, please use our contact page. If you are a business customer requiring a Data Processing Agreement (DPA), please contact us through the same page.