Privacy Policy

Last updated: May 2026

Entity: CRADD PTY LTD (ABN 55 694 856 132) trading as ibakepro. Privacy contact: privacy@ibakepro.com.

ibakepro provides ERP and AI-powered tools for bakeries. This Privacy Policy outlines how we collect, use, and safeguard personal and operational information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the EU GDPR, and the UK GDPR.

1. How We Use Information

We collect and use information to run the ibakepro platform and support your bakery's growth.

  • For Bakery Owners (Merchants): We collect your name, business details, and contact info to manage your subscription. We store your “Operational Data” - including customers, orders, recipes, inventory/pantry stock, production tasks, blocked dates, compliance logs, supplier details, sales reports, and staff schedules - to provide and improve the ERP services you signed up for.
  • For Bakery Customers (End Users): We process data on behalf of the bakery (as a processor). This includes names, delivery addresses, and any Custom Fields created by the bakery. End users should direct access or deletion requests to their bakery; we assist the bakery in fulfilling these as required.
  • Your Rights: You have rights to access, correct, delete, and otherwise control your personal information. See Section 6 for the full list and how to exercise them.

2. Payments & Financial Security

We maintain a “Zero-Storage” policy for sensitive payment credentials.

  • Processing: All transactions are handled by Tier-1 partners: Stripe, PayPal, or Square.
  • Security: ibakepro never sees or stores your credit card number, CVV, or full payment details. We receive only a secure encrypted token to confirm payment status.

3. Data Security & Encryption

We implement industry-standard technical and organisational safeguards in line with APP 11:

  • Authentication & Identity: User login and authentication are managed via Google Cloud Identity Services. This provides enterprise-grade protection for your credentials.
  • Hosting: Our services run on Google Cloud Platform (GCP), utilising world-class physical and network security infrastructure.
  • Encryption at Rest: All stored data, files, and backups are encrypted using AES-256.
  • Encryption in Transit: All data transmitted between your device and the ibakepro platform is protected via TLS (Transport Layer Security).
  • Field-Level Encryption: Sensitive items (such as third-party API keys or integration tokens) are additionally encrypted at the field level within our database.

4. AI Features & Aggregate Statistics

The AI features in ibakepro (collectively, “Choux”) are powered by a trusted enterprise-grade cloud AI provider, contracted under terms that prohibit retention of, or training on, customer inputs. We protect your privacy through a multi-stage process:

  • Strictly voluntary: No data is processed by our AI features unless you explicitly trigger one (e.g., clicking “Generate” or “Analyse”).
  • Pseudonymisation before transmission: Before any query is sent to the AI provider, direct identifiers — customer names, business names, emails, phone numbers, and addresses — are pseudonymised or redacted by the Service. Names are substituted with neutral placeholders (e.g. “Customer 1”) and restored only in the response shown to you.
  • No model training: We do not train AI models on Your Data, and we do not use Your Data to improve the underlying AI models. Your inputs are not retained by the AI provider beyond the immediate request.
  • Human oversight: Our AI provides “insights” and “mockups” for decision support only; it does not make automated legal, financial, or food-safety decisions on your behalf.
  • Industry benchmarks: Where Choux references “industry benchmarks” (e.g., typical bakery profit margins or average order values), these are static reference figures we maintain and update internally. They are not computed from your data or from any other customer's data.
  • Aggregate statistics: We may compute aggregate or statistical measures across the platform (e.g., total orders processed, popular product categories, end-of-year usage summaries) for product analytics and to surface non-identifying insights to users. Aggregates do not identify you, any individual, or your specific business.

5. Data Retention

We retain information only as long as necessary to provide our services and meet legal obligations:

  • Operational Data: Retained while your account is active. Following account closure, we retain this data for up to 2 years to support reactivation or export. We provide two advance warnings (at 6 months and 1 month) before permanent, unrecoverable deletion.
  • Account & Subscription Data: Retained for the life of your account and for up to 7 years after closure to meet financial, tax, and corporate compliance obligations.
  • End-User Order Data: Retained in line with the 2-year post-closure period unless the bakery (the Data Controller) provides different instructions.

6. Your Rights & Lawful Bases

Your rights. Depending on where you live, you have some or all of the following rights in relation to personal information we hold about you:

  • Access - a copy of the personal information we hold about you.
  • Correction - to update or correct inaccurate information.
  • Deletion - to request erasure, where applicable (subject to legal or contractual retention obligations such as tax records).
  • Portability - a copy of information you provided to us in a structured, commonly used, machine-readable format.
  • Restriction - to limit how we process your information in specific circumstances.
  • Objection - to processing based on legitimate interests, including direct marketing (you can always unsubscribe).
  • Withdraw consent - at any time, without affecting the lawfulness of processing before withdrawal.
  • Not be subject to solely automated decisions producing legal or similarly significant effects - ibakepro does not make such decisions about you.

To exercise any of these rights, email privacy@ibakepro.com. We respond within 30 days (sooner where required by law). We may need to verify your identity before acting on a request.

Lawful bases for processing (EU / UK GDPR). Where the EU or UK GDPR applies, we rely on the following lawful bases:

  • Performance of a contract - to provide the Service you signed up for, including operating your account, processing orders, and sending transactional emails.
  • Legitimate interests - for service security, fraud prevention, product improvement, aggregate analytics, and customer support, balanced against your rights and freedoms.
  • Consent - for marketing communications, optional third-party integrations, and cookies that are not strictly necessary; you may withdraw consent at any time.
  • Legal obligation - to comply with tax, accounting, anti-money-laundering, and data-breach notification laws.

7. Data Breach Notification

In the event of an eligible data breach likely to cause serious harm, we will assess the breach promptly and notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breach (NDB) scheme.

8. Global Data Residency

We offer local data hosting to support compliance with regional laws (e.g. the UK GDPR, EU GDPR, and Australian Privacy Principle 8):

  • Primary hosting: You select your data region at signup — Australia (Sydney), the United States, or the United Kingdom (London). The London region serves European customers and is governed by the UK GDPR and the UK Data Protection Act 2018. Transfers from the EU/EEA to our London region are currently permitted under the European Commission's adequacy decision for the United Kingdom.
  • Cross-region processing: In limited cases (for example, AI feature processing, customer support, or backups), data may be processed outside your selected region. In those cases, identifiers are pseudonymised or redacted before transmission where feasible, and transfers are governed by appropriate safeguards — the European Commission's Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Addendum, or other contractual measures consistent with the Australian Privacy Principles. See our Data Processing Addendum for full transfer terms.

9. Integrations & Third Parties

When you enable an integration, you authorise secure data sharing with the relevant third party. All integrations are optional and can be disconnected at any time from your ibakepro Settings.

  • Social & Search: Meta (Instagram, Facebook), TikTok, and Google (Calendar, Tasks, and Google Business Profile).
  • Accounting: Xero (one-way export of expenses, orders, and sales to your Xero account).
  • Logistics: Delivery data shared with authorised drivers via the Driver Portal.

Google Workspace integrations

ibakepro offers optional integrations with Google Calendar, Google Tasks, and Google Business Profile so you can sync your bakery schedule and manage your business listing. Connecting these is voluntary and is not required to use ibakepro.

Google API Services User Data Policy. ibakepro's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide and improve the user-facing features you have requested (calendar sync, task sync, and Google Business Profile reviews management).
  • We do not transfer this data to others except as necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
  • We do not use this data for advertising.
  • We do not allow humans to read this data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (such as investigating a bug or abuse), or to comply with applicable law.

You can disconnect any Google integration at any time from your ibakepro Settings, or revoke ibakepro's access directly in your Google Account permissions.

We do not sell personal information.

10. Contact & Complaints

If you have questions or wish to make a complaint:

Privacy Officer, CRADD PTY LTD
Email: hello@ibakepro.com

If you are not satisfied with our response, you may contact the OAIC.