Privacy Policy

We collect information you provide directly to us when you create an account, place orders, or communicate with our team. This includes:

• Account information: Company name, administrator name, business email address, phone number, and billing details (processed securely via our payment processor; we do not store raw card data).
• Employee records: First and last name, work email address, and birthday. These are imported or entered by your HR team and are used solely to schedule delivery events.
• Delivery addresses: Home or alternate delivery addresses are submitted directly and voluntarily by each employee through a private, individual link. We do not collect employee addresses from the employer, and we do not retain addresses beyond the point of delivery confirmation.
• Usage data: Log data, browser type, IP address, pages visited, and actions taken within the dashboard — collected automatically to maintain and improve the service.

We do not collect sensitive personal data such as government-issued ID numbers, health information, or financial account numbers beyond what is necessary for payment processing.

We use the information we collect for the following purposes:

• Delivery coordination: Routing cake orders to our bakery and logistics partners, communicating delivery windows, and confirming successful delivery.
• Billing and invoicing: Processing payments, generating invoices, and resolving billing disputes.
• Service communications: Sending order confirmations, delivery reminders, and operational updates related to your account.
• Product improvement: Analyzing aggregated, anonymized usage patterns to improve reliability, performance, and features.
• Legal compliance: Meeting our obligations under applicable law, resolving disputes, and enforcing our agreements.

We will not use your personal information for purposes materially different from those described above without first obtaining your consent.

We do not sell, rent, or trade your personal information or your employees' personal information to any third party, ever. We share data only in the following limited circumstances:

• Delivery partners: We share the recipient's name, delivery address, and any special instructions with our vetted bakery and logistics partners solely for the purpose of fulfilling each specific delivery. Partners are contractually prohibited from using this data for any other purpose.
• Payment processors: Billing information is transmitted to our PCI-compliant payment processor. We do not store or have access to raw credit card numbers.
• Infrastructure providers: Cloud hosting, database, and email delivery providers may process data on our behalf under strict data processing agreements.
• Legal requirements: We may disclose information when required by law, regulation, or valid legal process, or to protect the rights, property, or safety of Cake in the Loop, our users, or others.

We retain different categories of data for different periods based on operational necessity and legal obligations:

• Employee delivery addresses: Addresses submitted by employees are used exclusively to coordinate a single delivery and are permanently deleted from our systems within 72 hours of delivery confirmation, or no later than 30 days after the scheduled delivery date if confirmation is unavailable.
• Employee profile data (name, birthday, work email): Retained for as long as your company account is active and for up to 90 days following account closure, unless earlier deletion is requested.
• Billing and transaction records: Retained for a minimum of seven (7) years as required by applicable financial recordkeeping regulations.
• Account information: Retained for the duration of the active account relationship and purged within 90 days of account termination, subject to legal hold obligations.

Depending on your location, you may have certain rights with respect to your personal information under applicable privacy laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

These rights may include:

• Right of access: The right to know what personal data we hold about you and to receive a copy.
• Right to rectification: The right to request correction of inaccurate or incomplete data.
• Right to erasure: The right to request deletion of your personal data, subject to our legal retention obligations.
• Right to restrict processing: The right to ask us to limit how we use your data in certain circumstances.
• Right to data portability: The right to receive your data in a structured, commonly used, machine-readable format.
• Right to opt out of sale: We do not sell personal information. California residents may nonetheless submit an opt-out request for completeness.

To exercise any of these rights, please contact us at hello@cakeintheloop.com. We will respond to verified requests within 30 days (or 45 days where permitted by law). We may require identity verification before processing certain requests.

We use a minimal set of cookies and similar tracking technologies necessary to operate and improve the service:

• Authentication cookies: Strictly necessary session tokens that keep you logged in to the dashboard. These cannot be disabled without preventing use of the service.
• Analytics cookies: We use privacy-respecting analytics to understand how the platform is used at an aggregate level. No personally identifiable cross-site tracking is performed.

We do not use advertising cookies, retargeting pixels, or third-party social media trackers. You can configure your browser to refuse cookies, but some features of the dashboard may not function correctly without authentication cookies enabled.

We take the security of your data seriously and employ industry-standard technical and organizational measures to protect it:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. Employee address invitation links are single-use and expire automatically.
• Encryption at rest: Databases and storage volumes are encrypted at rest using AES-256.
• Access controls: Internal access to customer data is restricted to authorized personnel with a legitimate business need and is logged for audit purposes.
• Vendor security: We evaluate the security posture of all third-party processors before engagement and require compliance with applicable data protection standards.

No method of transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately at hello@cakeintheloop.com.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to our team:

We aim to acknowledge all privacy-related inquiries within 5 business days and resolve them within 30 days.