Last updated: May 2026
Between: CRADD PTY LTD (“Processor”) and the Bakery/Merchant (“Controller”).
This DPA forms an integral part of the ibakepro Terms of Service. It applies where ibakepro processes “Personal Data” on your behalf to provide our SaaS services.
Controller: You (the Merchant/Bakery) determine the purpose of collecting customer data. You are responsible for ensuring you have a legal basis (e.g., consent) to collect this data.
Processor: We (ibakepro) process that data only to provide the ERP and AI services you have requested.
Data Categories: This includes but is not limited to: customer names, delivery addresses, contact details, order history, and custom bakery-specific fields (allergies, event locations, cake preferences).
ibakepro agrees to:
The Controller provides a general authorisation for the Processor to engage sub-processors to provide the Service. An up-to-date list is also maintained at ibakepro.com/sub-processors.
| Sub-processor | Role | Location |
|---|---|---|
| Google Cloud Platform | Hosting, database, authentication, storage, and core platform functionality | AU / US / EU |
| Vercel | Application hosting and edge delivery | Global edge |
| Typesense | Search indexing across customer, product, and order records | AU / US / EU |
| Stripe | Subscription billing for ibakepro | AU / US / EU |
| Twilio | Outbound and inbound communications (SMS and email) | US / AU |
Independent third parties. Payment gateways the Controller chooses for accepting payments from their own customers (Stripe, PayPal, Square), and accounting integrations the Controller chooses to connect (e.g. Xero), act as independent controllers (or the Controller's own processors) for the data the Controller pushes to them. They are not engaged by ibakepro as sub-processors.
Changes to sub-processors. ibakepro will give at least 30 days' prior notice of any addition or replacement of a sub-processor by email or in-app notice. The Controller may object on reasonable data-protection grounds. If ibakepro cannot accommodate the objection, the Controller may terminate the affected portion of the Service for convenience and receive a pro-rata refund of any prepaid fees.
Data residency. ibakepro stores your primary database in the region selected at signup: Australia (Sydney), the United States, or the United Kingdom (London). The London region serves European customers and is subject to the UK GDPR and the UK Data Protection Act 2018.
EU / EEA transfers. Personal Data transferred from the EU/EEA to ibakepro's London (United Kingdom) region is currently permitted under the European Commission's adequacy decision for the United Kingdom (Decision 2021/1772, as renewed). Where ibakepro must transfer EU/EEA Personal Data to a country without an adequacy decision (for example to its team or sub-processors in Australia or the United States), the parties incorporate by reference the European Commission's Standard Contractual Clauses (Commission Implementing Decision 2021/914) (the “EU SCCs”):
UK transfers. Personal Data subject to the UK GDPR that is transferred outside the United Kingdom (for example to ibakepro in Australia or to sub-processors in the United States) is governed by the UK International Data Transfer Addendum to the EU SCCs (Version B1.0, in force 21 March 2022). Transfers within the United Kingdom do not require an additional mechanism.
Swiss transfers. Where Personal Data subject to the Swiss FADP is transferred, the EU SCCs apply by analogy, with references to “EU Member State” and “EU supervisory authority” read as references to Switzerland and the Swiss FDPIC.
Australia (APP 8). Where ibakepro discloses Personal Data subject to the Australian Privacy Act to overseas recipients, ibakepro takes reasonable steps to ensure the recipient handles that data in a manner consistent with the Australian Privacy Principles, as required by APP 8.
ibakepro pseudonymises direct identifiers (customer names, business names, emails, phone numbers, and addresses) before transmitting any query to its AI provider. The AI provider is contracted under terms that prohibit retention of, or training on, customer inputs.
ibakepro may compute aggregate or statistical measures from Personal Data (for example, total orders processed across the platform, popular product categories, or end-of-year usage summaries) for the purpose of operating, analysing, and improving the Service, and surfacing non-identifying benchmarks to users. Such aggregate outputs do not identify any individual, Controller, or specific business and are not Personal Data once produced. ibakepro does not train AI models on Personal Data and does not use Personal Data to improve the underlying AI models. See the Terms of Service for the licence grant supporting this processing.
In the event of an “eligible data breach” (as defined by the Australian Privacy Act) or a “personal data breach” (as defined by GDPR) affecting your customer data, ibakepro will notify you without undue delay and in any event no later than 72 hours after becoming aware of a confirmed Personal Data Breach. You are responsible for notifying your customers and the relevant regulator (e.g. the OAIC, ICO, or your local EU supervisory authority) if required.
Upon termination of your account, ibakepro will handle data as follows:
In the event of any conflict between this DPA and the Terms of Service, the terms of this DPA shall prevail regarding the processing of Personal Data.