Privacy policy
Em Cakes Ltd (“Em Cakes”, “we”, “us”) is a private limited company owned by Bella Do. We are the data controller for any personal information you provide through this website or in-store. This privacy policy explains how the company uses any personal information we collect about you when you use this website.
-
We collect personal data only when you choose to give it to us, for example when you:
place an order or request a quotation
create an online account or join our mailing list
email us, message us on social media, or complete an enquiry form
browse our site (which creates basic server-log and session-cookie data)
Depending on the activity, the information may include your name, postal address, email, telephone number, order details, payment reference (never your full card number), IP address, browser type and session cookies. We do not collect sensitive (“special-category”) data such as health or biometric information.
-
We process your personal information only when we have a lawful reason under the UK GDPR:
To fulfil a contract – processing and delivering your order, handling payments and providing customer service.
Legitimate interests – answering pre-sale enquiries, improving website security and performance.
Consent – sending marketing emails; you can withdraw consent at any time.
Legal obligation – retaining tax records and complying with UK accounting rules.
-
We never sell or lease your information. We share it only with trusted third-party service providers who need it to perform their work—for example:
secure payment processors (e.g. Stripe, PayPal)
courier companies for deliveries
IT and hosting partners who keep the website and email running
Each partner is contractually bound to use your data solely for the agreed purpose and to apply UK GDPR-level safeguards. We may also disclose data if required to do so by law.
-
Order records and invoices: kept for seven years, as required by tax law.
Enquiry emails that do not lead to an order: kept for up to twelve months.
Marketing-list details: kept until you unsubscribe or after twenty-four months of inactivity, whichever comes first.
Website logs: anonymised or deleted after fourteen days.
After the relevant period we permanently erase or anonymise your information.
-
At any time you may:
Access the personal data we hold about you.
Correct inaccurate or incomplete details.
Delete data we no longer need (“right to be forgotten”).
Restrict or object to certain types of processing.
Port data to another provider.
Withdraw consent for marketing.
We will respond within one month of receiving your request. If you believe we have mishandled your data, you can complain to the UK Information Commissioner’s Office.
-
We protect your information with SSL/TLS encryption, strong password policies, two-factor authentication for admin accounts and routine security audits. All card payments are handled by PCI-DSS-compliant processors; we never store your full card details.
-
Your data is stored on servers located in the UK or the European Economic Area. If a service provider transfers data outside that region, they must use an adequacy decision or Standard Contractual Clauses to keep it safe.
-
We may update this Privacy Policy from time to time. Any changes appear on this page with a new “Last updated” date. Continued use of the website signifies acceptance of the revised terms.