Privacy Policy

1. Data Controller

The data controller responsible for the processing of personal data is:
Bakeit.app OÜ

Registration number: 17082657
Address: Harju maakond, Tallinn, Kesklinna linnaosa, Veskiposti tn 2-1002, 10138, Estonia

Contact email: privacy@bakeit.app

2. Scope

This Privacy Policy describes how Bakeit OÜ processes personal data in the context of:
  • The use of its website
  • The use of its applications and services
  • The provision of services to customers (businesses)
  • Interactions with users, customers, and third parties

3. Roles in Data Processing

Bakeit may act in different roles depending on the type of processing:

3.1 As Data Processor

In relation to personal data of end customers of merchants using the platform, Bakeit acts as a Data Processor.
In this context:
  • Bakeit provides the technological infrastructure
  • Bakeit does not determine the purposes or means of processing
  • Data is processed strictly in accordance with the client’s instructions
Bakeit’s clients (e.g. restaurants or retail businesses) act as Data Controllers.

3.2 As Data Controller

Bakeit acts as a Data Controller with respect to:
  • Customer data (business clients)
  • Billing and contracts
  • Support and communications
  • Legal compliance

4. Categories of Personal Data Processed

Bakeit may process different types of personal data depending on the use of its services:

4.1 Customer Data (Business Clients)

  • Company name
  • Contact details (email, phone)
  • Billing information
  • Contractual information

4.2 Operational and Transaction Data

  • Sales data generated by merchants
  • Transaction metadata
  • Ticket and operational information
⚠️ Bakeit does not store full payment card data. Payments are processed by authorized third-party payment service providers.

4.3 Technical Data

  • IP addresses
  • System logs
  • Application usage data
  • Diagnostic and error data
  • Cookies strictly necessary for the operation of the platform (see Cookie Policy)

4.4 Support Data

  • Support requests
  • Communications with users
  • Incident history

5. Purposes of Processing and Legal Basis

Personal data is processed for the following purposes:

5.1 Service Provision

  • Operation of the Bakeit platform
  • Transaction processing
  • Reporting
👉 Legal basis: performance of a contract (Art. 6.1.b GDPR)

5.2 Legal Compliance

  • Tax obligations
  • Applicable regulations (e.g. invoicing requirements)
👉 Legal basis: legal obligation (Art. 6.1.c GDPR)

5.3 Security and Fraud Prevention

  • System monitoring
  • Prevention of unauthorized access
👉 Legal basis: legitimate interest (Art. 6.1.f GDPR)

5.4 Service Improvement

  • Service performance monitoring (non-tracking)
  • Basic system usage analysis (without analytics cookies)
  • Platform optimization
👉 Legal basis: legitimate interest (Art. 6.1.f GDPR)

6. Subprocessors

Bakeit engages third-party service providers (subprocessors) to support its services. These providers process personal data on behalf of Bakeit.
All subprocessors are carefully selected and comply with applicable data protection obligations.

6.1 Infrastructure and Hosting

Bakeit uses infrastructure services provided by:
  • Hetzner Online GmbH, based in Germany
Data is stored and processed within the European Economic Area (EEA), including:
  • dedicated servers
  • cloud infrastructure
  • storage systems

6.2 Payment Processing

Payments are handled through:
  • Stripe
Stripe acts as an independent data controller for payment data and processes financial information directly.
Bakeit does not store full payment card data.

6.3 Limited and Controlled Access

All subprocessors:
  • access only the data necessary for their function
  • are bound by contractual data protection obligations
  • implement appropriate security measures

7. International Data Transfers

As a general rule, personal data processed by Bakeit is stored within the European Economic Area (EEA), particularly via infrastructure providers located in Germany.

However, some external providers (such as payment platforms like Stripe) may process data outside the EEA.
In such cases, Bakeit ensures that transfers are carried out in accordance with applicable law, using:
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Other recognized legal safeguards

8. Additional Features (e.g. video surveillance systems)

In certain cases, Bakeit may offer additional features such as integrations or access to video surveillance systems, only upon explicit request by the client.

In this context:
  • Bakeit acts solely as a technology provider
  • Bakeit does not access, monitor, or analyze any video or recordings
  • Bakeit does not determine the purposes or means of processing such data
The client (e.g. merchant or restaurant) is solely responsible for the use of video surveillance systems and compliance with applicable data protection laws.

9. Data Retention

Bakeit retains personal data only for as long as necessary to fulfill the purposes for which it was collected, as well as to comply with legal and contractual obligations.

9.1 Service-Related Data

Data related to the use of the platform (e.g. customer data, configurations, operations) is retained for the duration of the contractual relationship.
After termination, data may be deleted or anonymized, unless legal retention obligations apply.

9.2 Financial and Accounting Data

Certain data related to transactions and compliance may be retained as required by applicable law, including:
  • sales records
  • tax information
  • accounting documentation

9.3 Technical Data (Logs)

Technical logs are retained as necessary to:
  • ensure system security
  • prevent fraud or unauthorized access
  • detect and resolve errors
These data are periodically deleted or anonymized.

9.4 Support Data

Support-related data may be retained to:
  • manage incidents
  • maintain service history
  • improve support quality

10. User Rights

Users have the following rights:
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction
  • Right to data portability
  • Right to object
To exercise these rights or for any inquiries:
privacy@bakeit.app

11. Data Security

Bakeit implements appropriate technical and organizational measures, including:
  • encrypted communications (HTTPS / TLS)
  • access control via credentials (username and password)
  • role-based permission management defined by the client
  • secure infrastructure in EU-based data centers
  • system monitoring
  • regular backups
These measures are designed to protect personal data against unauthorized access, loss, alteration, or disclosure.

12. Access Control and User Management

Bakeit provides tools for managing users, access, and permissions within the platform.
In this context:
  • Each client is responsible for creating and managing user accounts within their organization
  • The client defines roles, access levels, and permissions (e.g. access to sales or operational data)
  • Bakeit does not assign or modify access permissions unless explicitly instructed by the client
Access to the platform is granted via individual credentials (username and password), managed directly by the client.

13. Additional Information

For more information, please refer to: