Privacy Policy

OK DEN CIC

Bloom & Bake

Privacy Policy

Last updated: 25 March 2026

1. Introduction

Welcome to Bloom & Bake, a social enterprise micro bakery operated by OK DEN CIC, a Community Interest Company limited by guarantee (CLG) registered in England and Wales. We are committed to protecting your personal data and respecting your privacy.

This Privacy Policy explains how we collect, use, store, and protect personal information when you interact with us through our website (hosted on Squarespace), place an order, or sign up to receive communications from us.

Please read this policy carefully. By using our website or placing an order with us, you confirm that you have read and understood how we handle your personal data.


2. Who We Are (Data Controller)

For the purposes of UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is:


OK DEN CIC

167-169 Great Portland Street

London, England

England

W1W 5PF


Contact email for data and privacy enquiries: bloomandbakeprivacy@outlook.com


3. What Personal Data We Collect

We collect and process the following categories of personal data:


3.1 Order and Contact Information

When you place an order or contact us, we collect:

  • Full name

  • Email address

  • Phone number (if provided)

  • Any message or special instructions you include with your order


3.2 Collection Orders

At present, all orders are for collection only. We do not currently collect delivery addresses. If we introduce delivery in the future, this policy will be updated accordingly so you are aware.


3.3 Payment Information

When you purchase from us online, payment is processed securely through Squarespace's integrated payment provider (which uses Stripe). For in-person purchases at our market stall or pop-up events, payments are processed via card reader using Square and/or SumUp. We do not directly receive, store, or process your full payment card details through any of these providers. Please refer to Squarespace's, Stripe's, Square's, and SumUp's own privacy policies for details of how they each handle your payment data.


3.4 Marketing Communications

If you opt in to receive our newsletter or marketing emails, we collect your email address and, where provided, your name. You can withdraw your consent and unsubscribe at any time by clicking the unsubscribe link in any marketing email or by contacting us directly.


3.5 Website Usage Data

Our website is hosted on Squarespace, which automatically collects certain technical data when you visit, including your IP address, browser type, and pages visited. This is covered by Squarespace's own privacy policy. We do not currently use Google Analytics or advertising pixels, but we may do so in the future. If and when we do, we will update this policy and seek any necessary consent before activating such tools.


4. Legal Basis for Processing

We rely on the following lawful bases under UK GDPR to process your personal data:

  • Contract: To process your order, communicate with you about it, and fulfil our obligations to you as a customer.

  • Legitimate interests: To manage our business operations, prevent fraud, and improve our services, where your interests and rights do not override ours.

  • Consent: To send you marketing communications, where you have opted in. You may withdraw this consent at any time.

  • Legal obligation: Where we are required to retain certain records for tax, accounting, or other legal reasons.


5. How We Use Your Personal Data

We use your personal data for the following purposes:

  • To process and manage your orders

  • To communicate with you about your order, including confirmation and collection information

  • To respond to any enquiries or complaints you raise

  • To send you marketing emails, newsletters, or updates about our bakery and community work (only if you have opted in)

  • To comply with our legal and financial obligations (e.g. maintaining transaction records)

  • To improve our website and customer experience


6. Who We Share Your Data With

We do not sell, rent, or trade your personal data. We may share your information with the following trusted third parties, solely to the extent necessary to operate our business:

  • Squarespace Inc.: Our website and e-commerce platform. Squarespace processes data on our behalf in accordance with their privacy policy and data processing agreements.

  • Stripe: Payment processing, via Squarespace's checkout. Stripe is PCI-DSS compliant and processes your payment data securely.

  • Email marketing platforms (e.g. Mailchimp): Only if you have opted in to marketing emails and only if we introduce a dedicated email platform. We will update this policy if and when this changes.

  • Legal and regulatory authorities: Where required by law, court order, or regulatory obligation.

  • Square: Used for in-person card payments at stalls and events. Square processes transaction data securely in accordance with their privacy policy and PCI-DSS standards.

  • SumUp: Also used for in-person card payments at stalls and events. SumUp processes transaction data securely in accordance with their privacy policy and PCI-DSS standards.

We require all third parties to respect the security of your data and to treat it in accordance with the law.


7. International Data Transfers

Some of our third-party service providers, including Squarespace and Stripe, are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR, such as Standard Contractual Clauses or adequacy decisions recognised by the UK Information Commissioner's Office (ICO).


8. How Long We Keep Your Data

We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law.


9. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access: You can request a copy of the personal data we hold about you.

  • Right to rectification: You can ask us to correct inaccurate or incomplete data.

  • Right to erasure ('right to be forgotten'): You can ask us to delete your data in certain circumstances.

  • Right to restrict processing: You can ask us to pause processing of your data in certain situations.

  • Right to data portability: You can request your data in a structured, commonly used, machine-readable format.

  • Right to object: You can object to processing based on legitimate interests, or to direct marketing at any time.

  • Right to withdraw consent: Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.


To exercise any of these rights, please contact us at bloomandbakeprivacy@outlook.com. We will respond within one calendar month. You will not be charged a fee unless your request is clearly unfounded or excessive.


10. Right to Complain

You have various rights in respect of the personal information we hold about you. If you wish to exercise any of these rights or make a complaint, you can do so by contacting us by email with the details provided throughout this policy. You can also make a complaint to the data protection supervisory authority, the Information Commissioner's Office


Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Website: www.ico.org.uk


We would, however, appreciate the opportunity to address your concerns directly before you contact the ICO, so please do get in touch with us first.


11. Data Security

We take the security of your personal data seriously. Our website is hosted on Squarespace, which provides SSL encryption, secure infrastructure, and industry-standard security protections. We take reasonable steps to protect your information from unauthorised access, loss, or misuse. However, please be aware that no method of transmission over the internet is entirely secure.


12. Cookies

Our website uses cookies as managed by Squarespace. These may include strictly necessary cookies (required for the website to function), performance cookies, and functional cookies. You can manage your cookie preferences through your browser settings or via any cookie consent tool displayed on our website.

We do not currently use advertising or tracking cookies (such as Google Analytics or Meta Pixel). If this changes, we will update this policy and request your consent where required.


13. Children's Privacy

Our website and services are not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without appropriate consent, please contact us and we will take steps to delete it promptly.


14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. We will post the updated policy on our website with a revised 'Last updated' date. For significant changes, we may also notify you directly by email if you have opted in to communications from us.


15. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us:


OK DEN CIC / Bloom & Bake

Email: bloomandbakeprivacy@outlook.com

Registered address: 167-169 Great Portland Street, London, England, W1W 5PF


This policy was last reviewed on 25 March 2026.