Privacy Policy

What we keep, and what we don't.

Effective May 20, 2026. This policy explains what personal information Anna's Baked Delights collects when you use annasbakeddelights.com or place an order, why we collect it, and what we do with it. It follows Canada's federal privacy law (PIPEDA) and Alberta's Personal Information Protection Act (PIPA).

1. Who's responsible

A small bakery in Edmonton.

Anna's Baked Delights, 10th Floor, 10055-106 Street NW, Edmonton, Alberta, Canada, T5J 2Y2, is the organization responsible for the personal information described here. Privacy questions and requests can be sent to hello@annasbakeddelights.com.

2. What we collect

Only what we need.

We collect the smallest amount of information we can while still running the bakery well. In practice that means:

  • Account information: email address, a salted password hash, and (optionally) a phone number you provide for order updates or two-factor authentication.
  • Order information: what you bought, when you bought it, the pickup or delivery window, any allergy notes or instructions you add, and the order's status and history.
  • Payment information: a payment reference and confirmation status from PayPal or Stripe. We don't see or store your card number, CVV, or full bank details. Payment forms are served by the provider directly.
  • Contact form messages: the name, email, and message you submit through the Contact page.
  • Technical information: IP address, user agent, referring page, and approximate request timing, written to short-lived server logs to help us operate the site, troubleshoot errors, and detect abuse.
  • Cookies: a session cookie, a sign-in cookie if you log in, an anti-forgery cookie, and (if you use it) a maintenance-bypass cookie. We don't use advertising cookies and don't run third-party trackers for marketing.
  • Diagnostic records: if the site throws an exception while you're using it, we record the error and the surrounding context so we can fix it. We try to keep personal information out of those records, but a stack trace may incidentally include input you provided.

3. Why we collect it

For the order, mostly.

We use the information above to:

  • Create and maintain your account.
  • Take, fulfill, deliver, and (when needed) refund orders.
  • Email or text you about an order - confirmations, pickup reminders, problems - using the contact details on file.
  • Answer questions you send us through the Contact form or by email.
  • Keep the site working: security, debugging, performance, fraud prevention.
  • Meet legal and tax obligations (we're required to keep certain order and payment records).

We don't sell your information, ever. We don't use it to build a marketing profile of you, and we don't share it with advertisers. If we ever start a newsletter, it will be opt-in and you'll be able to unsubscribe with one click.

4. Consent

By giving us information, you consent.

When you create an account, place an order, or send us a message, you consent to the collection and use described here. For sensitive information - for example, an allergy note you put on an order - the consent is explicit by virtue of you typing it in. You can withdraw consent at any time by emailing us, but doing so may mean we can't keep your account open or finish an in-progress order. We may still keep limited records we're legally required to keep.

5. Who we share with

A short list of partners.

We share the minimum information needed with a small number of service providers that help us run the bakery. They're bound by contract or by their own terms to use the information only to provide the service.

  • Payment processing: PayPal (PayPal, Inc.) and Stripe (Stripe, Inc.). When you check out, your payment details go to them directly, and we get back a confirmation and reference.
  • Email delivery: our SMTP provider (currently Gmail / Google LLC, configurable) delivers transactional email such as order confirmations and password resets.
  • SMS delivery: Twilio (Twilio Inc.) delivers SMS verification codes and order alerts, if you've opted in to a phone-based feature.
  • Hosting: our website and database run on Microsoft Azure (Microsoft Corporation). The underlying servers are operated by Microsoft on our behalf.
  • Government and law enforcement: if we're legally required to disclose information - for example, in response to a valid Canadian court order or production order - we will, and we'll push back on requests we believe are overbroad.

We don't sell personal information. We don't share it for our partners' independent marketing purposes. If we're ever involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, and we'll let you know before that happens.

6. Cookies and similar technologies

A few, all functional.

We use first-party cookies to keep you signed in, protect forms from cross-site request forgery, remember your cart while you shop, and let a maintenance-bypass key open the site when we're in scheduled downtime. These cookies are necessary for the site to work and are set without asking, since there's no functional alternative. We don't use third-party advertising or social-tracking cookies. PayPal and Stripe may set their own cookies when their checkout components load; their use of those is governed by their own privacy notices.

7. How long we keep it

As long as we need, no longer.

We keep different things for different lengths of time:

  • Account profile: as long as your account is open. If you ask us to close it, we delete or anonymize it within 30 days, except where law requires us to keep a record.
  • Order and payment records: at least seven years, to satisfy Canadian tax record-keeping rules.
  • Contact form messages: up to two years, then deleted.
  • Server logs and exception records: typically 30 to 90 days, longer for records related to a security incident.
  • Backups: up to 90 days, then overwritten or deleted. Deleted data can persist briefly in a backup before being overwritten.

8. How we protect it

Reasonable care, in honest terms.

We use HTTPS site-wide, hash passwords with a modern adaptive algorithm, protect every form with an anti-forgery (XSRF) token, gate the diagnostic endpoint behind a per-environment bearer secret, store credentials in environment variables rather than in code, and run on managed hosting that handles physical and network security on our behalf. No system is perfectly secure. If a breach affects you, we'll notify you and the appropriate regulator as required by law and tell you what happened, what was affected, and what we're doing about it.

9. Where it's stored

Mostly Canada; sometimes elsewhere.

We host the site and database on Microsoft Azure, preferring Canadian regions where the service is available. Some service providers - notably payment processors, email and SMS providers - are based in the United States or store data there, which means your information may be processed outside Canada and could be accessible to foreign authorities under their own laws. By using the site you consent to that transfer, and we use providers that publish their own security and privacy commitments.

10. Your rights

You can see and change what we have.

Under Canadian privacy law you can ask us to:

  • Tell you what personal information we hold about you and how we've used it.
  • Correct anything that's wrong or incomplete.
  • Delete information you gave us, except where law requires us to keep it.
  • Withdraw consent for a particular use, subject to legal and contractual constraints.
  • Get a copy of your account data in a portable format.

Email hello@annasbakeddelights.com with the request. We may ask for proof that the request is really from you - a small bakery shouldn't be a tool for one person to harass another. We respond within 30 days, free of charge for reasonable requests. If you're unhappy with our response, you can complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, for Alberta-specific concerns, the Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca).

11. Children

The site is not for kids.

We don't knowingly collect personal information from anyone under 13. If you believe a child has given us information, please email us and we'll delete it.

12. Automated decisions and profiling

A real person reads the orders.

We don't make decisions about you using automated processing alone. A human at the bakery reviews custom orders, refund requests, and any flag on your account before acting on it.

13. Changes to this policy

When this changes, we'll say so.

If we make a material change to this policy, we'll post the new version on this page with a new effective date, and where appropriate we'll send an email to account holders explaining what changed. Continued use of the site after the new effective date means you accept the updated policy.

14. Contact

Reach us, in writing.

Privacy questions, access requests, and complaints go to hello@annasbakeddelights.com or by post to Anna's Baked Delights, 10th Floor, 10055-106 Street NW, Edmonton, AB, T5J 2Y2, Canada. Please write “Privacy” on the envelope.


For the rules of using the site and placing an order, see the Terms of Service.