Privacy Policy

Bakery My Day · Effective Date: May 18, 2026

Bakery My Day ("we," "our," or "the app") is a software service that helps small bakery businesses manage recipes, ingredients, orders, customers, and production workflows. This Privacy Policy explains what information we collect, how we use it, and the choices you have. By using the app or website, you agree to the practices described here.

1. Who this policy applies to

This policy applies to two groups of users:

• Bakery operators — owners and staff who sign in to manage their bakery's data.
• Bakery customers — people who place orders through a bakery's public online ordering page, use the in-store self-checkout, or access a customer portal that the bakery operator has invited them to.

For bakery customers, the bakery you're ordering from is the primary controller of your data. We act as a service provider to that bakery and only process your information on its behalf.

2. Information we collect

From bakery operators (account holders)

• Account info: email address and password (managed by Firebase Authentication).
• Bakery profile: bakery name, address, phone, public email, website, logo, hours.
• Business data you enter: recipes, ingredients, suppliers, customers, orders, quotes, invoices, transactions, inventory lots, equipment, production schedules.
• Payment integration credentials: if you enable Square integration, your Square API token and webhook signing key. These are stored in a write-only location that is never sent back to your browser after being saved.
• Subscription billing info: handled by Stripe directly; we receive only your customer ID, subscription status, and plan tier — never card numbers.
• Team members: email addresses and roles of staff you invite to your account.
• Push notification tokens: if you install the mobile app, we store a device-specific token to deliver notifications about your orders and inventory.
• Audit log: records of who in your team made which changes (delete, update, status change), used for accountability inside your bakery.
• Usage of AI features: images you upload for recipe parsing, prompts you submit for recipe ideas / menu generation / pricing suggestions. These are sent to Google Vertex AI for processing.

From bakery customers (end customers)

• Order information: name, email, phone, pickup date, items ordered, payment method, total amount.
• Order history visible to the bakery you ordered from, and to you via a customer portal if the bakery enables it.
• Allergy/dietary notes you provide so the bakery can avoid serving you something harmful.
• Gift certificate transactions you participate in.

Automatic / technical data

• App Check / reCAPTCHA tokens to verify requests come from a legitimate app or browser, not a bot.
• Standard server logs: IP address, browser type, request timestamps. Retained for operational and security monitoring.
• Rate limit counters for AI and email functions to prevent abuse.

We do not collect: precise geolocation, advertising identifiers, contact lists, browsing history outside the app, or biometric data.

3. How we use information

• Provide the core bakery management features (orders, recipes, inventory).
• Send transactional emails on the bakery's behalf — order confirmations, "your order is ready" notifications, payment reminders. These can be disabled in the bakery's settings.
• Send push notifications to the bakery owner about new orders, low stock, etc.
• Process payments via Stripe (subscriptions) and Square (per-bakery customer payments).
• Run AI features you trigger (recipe parsing, menu generation, sales forecasts, etc.).
• Maintain an audit log of administrative changes within your bakery account.
• Prevent abuse, secure the service, comply with legal obligations.

We do not use your information for advertising, sell it to third parties, or train AI models on your business data.

4. When we share information

We share information only in these specific cases:

• Within your bakery account: the owner and any team members invited to your bakery can see the bakery's data, per the role you assign them.
• With your customers: if you invite a customer to the customer portal, that customer can see their own orders and invoices.
• With service providers we use to run the platform (see Section 5).
• To comply with the law: if compelled by a valid legal request.
• In a business transfer: if the app changes ownership, your data may be transferred to the new owner. We would notify you first.

We never sell your information.

5. Third-party services we rely on

The app is hosted on and integrates with the following services. Each has its own privacy policy:

• Google Firebase (Authentication, Firestore database, Cloud Functions, Hosting, Cloud Messaging) — policies.google.com/privacy
• Google Vertex AI (Gemini models for AI features) — same Google privacy policy
• Stripe (subscription billing) — stripe.com/privacy
• Square (optional, per-bakery payment integration) — squareup.com/legal/privacy
• Brevo (transactional emails) — brevo.com/legal/privacypolicy
• Open Food Facts (used when you scan a product UPC for ingredient lookup) — openfoodfacts.org
• Google reCAPTCHA (bot protection on signup) — policies.google.com/privacy

6. Where your data is stored

Data is stored in Google Firebase data centers in the United States. By using the app you consent to this storage location. If you access the app from outside the US, you understand that your information will be transferred to and processed in the US.

7. How long we keep information

• Active account data is retained as long as the bakery account is active.
• Deleted records are soft-deleted into a recycle bin and can be restored. We may permanently delete recycle-bin contents after 90 days.
• Audit logs are retained for at least 12 months for accountability.
• Account closure: if you close your bakery account, your data is retained for 30 days (for recovery in case of accidental closure), then permanently deleted, except where law requires longer retention (e.g., tax records).
• Customer order data belongs to the bakery operator and is retained on their account per their policies.

8. Security

We take reasonable measures to protect your information:

• All connections use HTTPS/TLS encryption.
• Account passwords are hashed and managed by Firebase Authentication — we never see them in plain text.
• Bakery data is isolated per account via Firestore security rules — no bakery can read another bakery's data.
• Sensitive credentials (Square API tokens) are stored in a write-only location that the browser cannot read back.
• Server-side functions verify your identity (Firebase Auth) and app authenticity (App Check) before processing requests.
• Rate limits prevent abuse of expensive operations (AI, email).

No system is perfectly secure. If you become aware of unauthorized access, contact us immediately.

9. Your choices and rights

Depending on where you live, you may have rights including:

• Access: request a copy of your data. Bakery operators can use the built-in Settings → Data Management → Export Data feature any time.
• Correction: edit any data through the app's normal interfaces.
• Deletion: close your account or delete specific records.
• Portability: the export feature produces a JSON file you can take elsewhere.
• Opt-out of marketing: we don't send marketing emails. Transactional notifications can be disabled per category in settings.

If you're a bakery customer, contact the bakery you ordered from directly to exercise these rights regarding your orders — they control that data.

10. Children's privacy

Bakery My Day is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us information, contact us and we'll delete it.

11. Changes to this policy

We may update this policy from time to time. We'll change the "Effective Date" at the top of the page and, for material changes, notify account holders via email or an in-app notice.

12. How to contact us

← Back to home · Open the app