Privacy Policy
Effective date: 2026-06-29 · Last updated 2026-06-29
1. What data we collect
- Account data: your email address and a hashed password.
- Baker profile: your bakery name, the state whose cottage-food law you operate under, and your pickup address. Your address is treated as private (see the address-privacy guarantee above).
- Listings: baked-good menu items, photos, pricing, ingredient and allergen information, and pickup windows.
- Customer order data: customer name, email, phone, order line items, special instructions, and pickup slot. Provided by your customers when they place an order with you.
- Stripe billing metadata: Stripe customer ID, subscription ID, and payment intent IDs received via the Stripe SDK. We do not store full payment card numbers.
2. What data we DON'T collect
- Full payment card numbers — these are tokenized and held by Stripe. Ovenkin only receives reference IDs (e.g.,
payment_intent_id). - Behavioural analytics, advertising IDs, or third-party tracking pixels.
- Sensitive demographic data (race, religion, sexual orientation, health) — we have no field for it and no interest in collecting it.
3. How we use your data
- To provide the Ovenkin service to you.
- To process your subscription billing through Stripe.
- To respond to support requests you send us via email or in-app channels.
- To send transactional notifications (order placed, payment received, refund issued, account security).
- We do not sell your data, share it with third-party advertisers, or use it to train external machine-learning models.
4. Third-party processors
- Stripe — processes your $19/month Ovenkin subscription only. Customer order payments happen directly between buyer and baker (Venmo, Zelle, Cash App, PayPal, or cash) and never pass through Ovenkin or Stripe. Stripe's privacy policy applies to data they hold.
- Calendly — used only when a baker books an optional 30-minute onboarding call with the founder. Calendly receives the attendee's name, email, and chosen time slot.
- Google Cloud Platform (GCP) — hosts the Ovenkin backend, database, and static assets. GCP is the infrastructure provider; they do not access application data.
- Resend — sends our transactional order and account emails (order placed, payment received, account security) on our behalf. Resend receives only the recipient's name and email address.
- Google Gemini (AI menu import) — when a baker uses the optional menu-import tool, the menu text they provide (no customer personal information) is sent to Google's Gemini model to suggest column mappings. This data is not used to train models, and the AI suggestion step is opt-out.
5. Data retention
We retain your account and operational data for as long as your account is active. After account closure, billing records are retained for 90 days for reconciliation and tax purposes, after which we delete them on a rolling schedule. You may request earlier deletion at any time (see §7).
6. Your rights
- Export: you may export your menu, customer, and order data as CSV from your dashboard at any time.
- Correct: you may edit your account, baker profile, and listings directly.
- Delete: email hello@ovenkin.com to request full deletion of your account and associated data.
7. Cookies
Ovenkin uses essential session cookies to keep you logged in and to remember dashboard preferences (e.g., a dismissed welcome banner). We do not run third-party analytics, ad networks, or behavioural tracking. We do not have a cookie consent banner because we do not set non-essential cookies.
8. Children
Ovenkin is intended for users 18 years of age or older. The service is not directed at children, and we do not knowingly collect personal information from minors. If we discover such data, we will delete it.
9. Contact
Privacy questions, data-export requests, and deletion requests: hello@ovenkin.com.