Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

We are not required to appoint a Data Protection Officer (DPO) under BDSG Section 38, as fewer than 20 persons are regularly involved in the automated processing of personal data. For all data protection inquiries, please contact us using the details above.

2. Data We Collect

We collect the following categories of personal data:

• Account data: name, email address, phone number, password (hashed)
• Business data: bakery name, locations, staff information
• Operational data: orders, inventory records, recipes, customer records
• Usage data: login timestamps, feature usage, browser type
• Technical data: IP address, device information, session identifiers

We do not collect sensitive personal data (e.g., health data, biometric data) unless explicitly provided by you in your business records.

Indirect data collection (Art. 14 GDPR): When you use the Service to manage your bakery, you may enter personal data of your own customers, employees, and suppliers (e.g., names, contact details, delivery addresses). We process this data on your behalf as a data processor under the Data Processing Agreement (DPA). You, as the data controller, are responsible for informing these individuals about the processing of their personal data and for obtaining any necessary consents. We do not use this indirectly collected data for any purpose other than providing the Service to you.

Providing your account data (name, email, password) is a contractual requirement necessary to create your account and provide the Service. Without this data, we cannot offer you access to BakeWind. All other data you enter into the Service (business data, customer records, orders) is provided voluntarily as part of your use of the platform.

3. How We Use Your Data & Legal Basis (GDPR)

We process your personal data for the purposes listed below. Each purpose is matched to its legal basis under the GDPR:

• Providing and maintaining the Service — Contract performance (Art. 6(1)(b))
• Processing your subscription and billing — Contract performance (Art. 6(1)(b))
• Sending transactional emails (account verification, password resets, order notifications) — Contract performance (Art. 6(1)(b))
• Providing customer support — Contract performance (Art. 6(1)(b))
• Improving the Service and fixing bugs based on aggregated usage patterns — Legitimate interest (Art. 6(1)(f)): our interest in maintaining and improving a reliable service
• Ensuring security, preventing fraud, and detecting unauthorized access — Legitimate interest (Art. 6(1)(f)): our interest in protecting the Service and its users
• Retaining billing records and invoices — Legal obligation (Art. 6(1)(c)): German tax law (§ 147 AO, § 14b UStG)
• Marketing communications (newsletters, product updates) — Consent (Art. 6(1)(a)), which you may withdraw at any time. We do not currently send marketing emails; if introduced, this will require your explicit opt-in

4. Right to Object (Art. 21 GDPR)

Where we process your data based on legitimate interest (Art. 6(1)(f)), you have the right to object at any time on grounds relating to your particular situation. Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims.

To exercise your right to object, contact us at privacy@bakewind.com.

5. Data Sharing

We do not sell your personal data. We share data only with:

• Hetzner Online GmbH (Falkenstein, Germany) — Infrastructure hosting and data storage. All data is hosted within the European Union.
• Stripe, Inc. (United States / European Union) — Payment processing and subscription billing (PCI DSS compliant). Stripe also acts as an independent data controller for its own fraud prevention and regulatory compliance obligations under its own privacy policy.
• Mailtrap by Railsware Products, Inc. (United States) — Transactional email delivery (account verification, password resets, notifications).
• Legal authorities — When required by law, court order, or regulatory request

All third-party processors are bound by Data Processing Agreements (DPAs) in compliance with GDPR Article 28. For details on sub-processors and international data transfers, see our Data Processing Agreement.

6. Cookies & Analytics

BakeWind uses Umami, a privacy-friendly, self-hosted, open-source analytics tool hosted on our own infrastructure within the EU. Umami does not use cookies, does not track users across websites, and does not store personal data. IP addresses are transiently processed for geolocation but are not stored or logged.

We use strictly necessary first-party cookies for authentication only. These cookies are exempt from consent under TTDSG Section 25(2) and the ePrivacy Directive because they are essential for the Service to function. The specific cookies we set are:

• bw_access — Purpose: authentication (JWT access token). Duration: 15 minutes. Type: httpOnly, secure, sameSite: lax, first-party.
• bw_refresh — Purpose: session renewal (JWT refresh token). Duration: 7 days when "remember me" is selected, otherwise session-only (expires when browser closes). Type: httpOnly, secure, sameSite: lax, first-party.

We do not use advertising cookies, third-party tracking scripts, or any cookies requiring user consent.

7. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of your personal data
• Right to rectification (Art. 16): Correct inaccurate or incomplete data
• Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
• Right to restriction (Art. 18): Restrict processing in certain circumstances
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON or CSV)
• Right to object (Art. 21): Object to processing based on legitimate interest — see Section 4 above for details
• Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing
• Right not to be subject to automated decision-making (Art. 22): We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you
• Right to lodge a complaint (Art. 77): Lodge a complaint with a supervisory authority — see Section 12 below

To exercise any of your rights, contact us at privacy@bakewind.com. We will respond without undue delay and in any event within one month of receiving your request, as required by Art. 12(3) GDPR. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. After account termination:

• Account and business data: Deleted within 30 days of account termination
• Billing records (invoices, payment references): Retained for 10 years as required by German tax law (§ 147 AO, § 14b UStG). Only financial data is retained; associated personal data is minimized.
• Usage data (login timestamps, feature usage): Retained for the duration of the account. Deleted within 30 days of account termination.
• Security logs (authentication events, access logs): Retained for 90 days for fraud prevention and security monitoring
• Technical data (IP addresses, session identifiers): Retained for 90 days, then automatically purged
• Backups: Encrypted backups follow a 7 daily, 4 weekly, and 12 monthly retention cycle. After data is deleted from the live system, it may persist in existing backups until those backups are rotated out — up to a maximum of 12 months for the oldest monthly backup. Backups are encrypted and access-restricted.

9. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• AES-256-GCM encryption for sensitive data at rest
• TLS/HTTPS encryption for all data in transit
• Hashed passwords using bcrypt with salt rounds
• Role-based access control with principle of least privilege
• Regular security audits and vulnerability assessments
• Token blacklisting and rotation for session management

10. International Data Transfers

Your data is primarily hosted on servers located within the European Union (Hetzner, Falkenstein, Germany). Certain Sub-Processors (Stripe, Mailtrap) may transfer limited data to the United States for payment processing and email delivery. These transfers are protected by Standard Contractual Clauses (SCCs) and, in the case of Stripe, certification under the EU-US Data Privacy Framework. For full details on transfer mechanisms per Sub-Processor, see our Data Processing Agreement (Section 8).

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice within the Service at least 30 days before the changes take effect.

The latest version of this policy is always available on our website.

12. Contact & Complaints

For questions, concerns, or to exercise your data protection rights, contact us at:

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The competent authority for Berlin is: