Privacy policy
Privacy & Cookie Policy
1. WHO WE ARE
Baked By Steph (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how your personal information is collected, used, and disclosed by Baked By Steph.
Baked By Steph Ltd (“we”, “us”, “our”) is a bakery based in East London. Our registered address is 258 Paradise Row, London, E2 9LE.
We are registered with the Information Commissioner’s Office (ICO) as a data controller. We are committed to protecting your personal data and processing it in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions about this policy or how we handle your data, you can contact us at:
- Email: Help@bakedbysteph.co.uk
- Phone: 020 3916 5426
- Post: 258 Paradise Row, London, E2 9LE
2. WHAT PERSONAL DATA WE COLLECT
When you use our website or place an order with us, we may collect the following personal data:
- Name and delivery address – to fulfil and deliver your order
- Email address – to send order confirmations and, where you have opted in, marketing emails
- Payment information – processed securely by our payment provider; we do not store card details on our systems
- Website usage data – collected via cookies and analytics tools (see Section 6)
3. HOW AND WHY WE USE YOUR DATA
We only use your personal data where we have a lawful basis to do so. The list below sets out what we use your data for and our legal basis under UK GDPR:
- Processing and fulfilling your order – necessary for the performance of a contract with you
- Sending order confirmations and updates – necessary for the performance of a contract with you
- Sending marketing emails – only where you have given us your consent; you can withdraw consent at any time
- Improving our website and services – our legitimate interest in running and improving our business
- Complying with legal obligations – for example, keeping financial records for HMRC
4. WHO WE SHARE YOUR DATA WITH
We do not sell your personal data. We share it only with trusted third-party service providers who help us run our business, and only to the extent necessary. These include:
- Payment processors – to securely handle payment transactions
- Delivery partners – to fulfil and deliver your order
- Email marketing platform – to send marketing emails to opted-in customers
- Website hosting and analytics providers – to operate and improve our website
All third parties we work with are required to handle your data securely and in accordance with UK GDPR. We do not allow them to use your data for their own purposes.
We may also disclose your personal data where we are legally required to do so, for example to comply with a court order or regulatory requirement.
5. INTERNATIONAL DATA TRANSFERS
Some of our third-party service providers may process your data outside the UK. Where this happens, we ensure that appropriate safeguards are in place, such as the use of the UK’s International Data Transfer Agreement (IDTA) or adequacy decisions, to ensure your data receives a level of protection equivalent to that provided under UK GDPR.
6. COOKIES
Cookies are small text files stored on your device when you visit our website. We use cookies for the following purposes:
- Essential cookies – required for the website to function (for example, remembering your login or basket). These cannot be disabled.
- Analytics cookies – we use tools such as Google Analytics to understand how visitors use our site. This helps us improve it. These are only set with your consent.
- Marketing cookies (Facebook Pixel) – we use Meta’s Facebook Pixel to measure the effectiveness of our advertising and to show relevant ads to people who have visited our site. This is only set with your consent.
When you first visit our website, you will be asked to accept or decline non-essential cookies. You can change your preferences at any time via your browser settings. Note that disabling cookies may affect how some parts of our website function.
7. HOW LONG WE KEEP YOUR DATA
We keep your personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. In practice, this means:
- Order records – retained for up to 7 years to meet our legal and tax obligations
- Marketing data – retained until you unsubscribe or withdraw consent
- Account data – retained while your account is active; deleted within a reasonable period following account closure on request
When we no longer need your data, we will securely delete or anonymise it.
8. YOUR RIGHTS
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access – to request a copy of the personal data we hold about you
- Right to rectification – to ask us to correct inaccurate or incomplete data
- Right to erasure – to ask us to delete your data in certain circumstances
- Right to restrict processing – to ask us to limit how we use your data in certain circumstances
- Right to data portability – to receive your data in a structured, machine-readable format
- Right to object – to object to us processing your data for direct marketing or on the basis of legitimate interests
- Right to withdraw consent – where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at Help@bakedbysteph.co.uk. We will respond within one calendar month.
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.
9. CHILDREN
Our website and services are not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at Help@bakedbysteph.co.uk and we will delete it promptly.
10. HOW WE PROTECT YOUR DATA
We take reasonable technical and organisational measures to protect your personal data from unauthorised access, loss, or misuse. All payment information is transmitted using Secure Sockets Layer (SSL) encryption and processed by our payment provider. We do not store card details on our own systems. While we take security seriously, no method of transmission or storage is completely secure. We cannot guarantee the absolute security of data transmitted to us over the internet.
11. CHANGES TO THIS POLICY
We may update this policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will notify you by updating the date at the top of this page and, where appropriate, by email. Continued use of our website after changes are posted constitutes your acceptance of the updated policy.
12. CONTACT US
If you have any questions, concerns, or requests relating to this policy or how we handle your data, please contact us:
- Email: Help@bakedbysteph.co.uk
- Phone: 020 3916 5426
- Post: Baked By Steph Ltd, 258 Paradise Row, London, E2 9LE
- Online: www.bakedbysteph.co.uk/contact