Privacy Notice

Last updated: 08/03/2026

Introduction

The Data Protection Act 2018 ("DPA 2018") and the UK General Data Protection Regulation ("UK GDPR") impose legal obligations on the collection and processing of personal data. Lemon House Bakery is a data controller. This notice explains how we collect, use, store, and share personal information, and your rights regarding your data.

What Information We Collect & Why

We process personal data for the following purposes:

  • To Provide Bakery Services: We collect names, contact details, and addresses to process orders, manage 30-minute collection slots, and communicate about your bakes.
  • Food Safety: We record allergen information provided by you to ensure your order is prepared safely in accordance with food standards.
  • Legal Obligations: We process financial transaction data to fulfil our obligations under UK tax legislation and reporting requirements.

Lawful Bases for Processing

Under UK GDPR, we rely on the following lawful bases:

  • Contract: We have to collect or use the information so we can enter into or carry out a contract with you (fulfilling your order).
  • Legal Obligation: We have to collect or use your information so we can comply with the law (HMRC tax records and food safety regulations).
  • Legitimate Interests: We use your information to manage client accounts effectively and provide accurate services, without causing an undue risk of harm to your privacy.

Third-Party Data Sharing

To provide our services, we may share data with trusted partners who act as our data processors if there is no other way to fulfil your order, manage payments, or provide essential communication. These include:

  • Payments & Database: Stripe processes all payments securely, and Supabase provides our secure cloud database storage.
  • Infrastructure & Email: IONOS manages our domain, Vercel hosts this website, and Google (Gmail) handles our business correspondence.
  • Social Media & Analytics: We may interact with you via Meta (Facebook/Instagram) or TikTok, and use Google Analytics to understand website performance.

Where data is transferred outside the UK, we ensure appropriate safeguards (Standard Contractual Clauses) are in place.

Cookies

Our website uses essential cookies to enable secure payment processing (Stripe) and to understand how visitors use our site. You can manage your cookie preferences through your browser settings.

Retention of Personal Data

In accordance with recognised good practice within the food and tax sector, we retain records as follows:

Data Type | Retention Period | Reason
Customer Contact & Order Details | 6 years after the end of the financial year | Required by HMRC for tax audits and accounting purposes
Allergen & Safety Correspondence | 3 years after resolution | To manage potential claims or investigations

Your Data Protection Rights

You have a number of rights regarding your personal data:

1. Accessing your personal data (Subject Access Requests)

You have the right to request access to the personal data we hold about you. Please make your request in writing to: lemon.house.bakery@gmail.com. To help us locate your data quickly, please include enough details to verify your identity (full name, date of birth, and any addresses used in the past five years). We are required to respond within one month and will not charge for this service unless the request is clearly unfounded or excessive.

2. Correcting your information (Right to Rectification)

You have the right to have any inaccurate or incomplete personal data corrected. If you believe any information we hold is inaccurate, please contact us immediately.

3. Deleting your information (Right to Erasure)

In certain circumstances, you have the right to have your personal data deleted. We will review your request alongside our legal obligations (e.g. HMRC retention) and inform you if we are unable to delete specific records.

4. Transferring your data (Right to Data Portability)

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format where the processing is based on a contract and carried out by automated means.

Automated Decision-Making

Lemon House Bakery does not use automated decision-making or profiling in connection with your personal data.

How to Complain

If you have any concerns about our use of your personal data, please contact us directly. If you remain unhappy, you can complain to the ICO:

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113 | Website: www.ico.org.uk