Privacy policy


At CakeDrop, we’re committed to ensuring the security and protection of the personal information that we process, and providing a compliant and consistent approach to data protection. We are regulated under the General Data Protection Regulation (GDPR), Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act (DPA). We are considered a 'Data Controller' and are responsible for processing personal information in a lawful way.

Below is our privacy notice which explains how and why we process data, as well as the legal bases for doing so. If you’d like more information about our Data Protection Policy which details how we ensure compliance at CakeDrop, please email us: hello@cakedrop.london

1. What personal data is being collected and why?

  1. While using our service, we may ask you to provide us with certain personal information so we can provide our services to you, including your name, email address, telephone number, home address, date of birth, employer, work address, employment start date and dietary requirements. We collect this personal information for the purpose of providing our service to you, identifying and communicating with you, responding to your requests/inquiries, and fulfilling your orders. 

  2. While using our website, we may collect information about your usage of the website for the purpose of improving our service to you and others. This is done with your consent when you accept Cookies. 

  3. When you sign up to receive email communications from us, we collect, with your consent, information that includes your name, email address, and employer. This personal information is collected for the purpose of serving you the requested emails and ensuring that they are personal and relevant. You can unsubscribe at any time from these communications. 

  4. When using our HubSpot live chat function, you are able to chat to us anonymously without providing your name or contact information. You are also able to provide your name, email address and any other information you think is relevant so that we may contact you with further information about our service. You can unsubscribe at any time from these communications.

  5. If you are sending treats to other individuals on an ad hoc basis, we collect their names and addresses from you. We may also collect information about their dietary requirements and employer. We collect this personal information from you for the purpose of providing our service. You are responsible for collecting and sharing this information with us in a lawful way. If you’d prefer these individuals submit their own personal information directly to us so that we can obtain their consent, we can arrange this via a secure data collection link. 

  6. If you are using our automated corporate gifting solution, you will be required to provide personal information about your gift recipients so that we can provide this service to you. This information will include the recipients’ name, home address, date of birth, employer, department, employment address, employment start date and dietary requirements. We collect this personal information from you directly or via an integration to your HR system for the purpose of providing our service. You will enter into a Data Processing Agreement with CakeDrop during onboarding for this service. Under this Agreement, you are the Data Controller and CakeDrop acts as a Data Processor.

2. What is the legal basis for processing activities? 

1. If you are using our service, then the following legal bases apply:

GDPR Article 6 (1) (b) ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’

PECR citation 22(3) ‘A person may send or instigate the sending of electronic mail for the purposes of direct marketing where -

(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b) the direct marketing is in respect of that person’s similar products and services only; and

(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.’

2. If you are using our website and have accepted cookies, then the following legal basis applies:

GDPR Article 6 (1) (a) ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’

3. If you have signed up to receive emails from us, then the following legal bases apply:

GDPR Article 6 (1) (a) ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’

PECR citation 22(3) ‘A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—

(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b) the direct marketing is in respect of that person’s similar products and services only; and

(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.’

4. If you are using our live chat function, then the following legal bases apply:

GDPR Article 6 (1) (b) ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’

PECR citation 22(3) ‘A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—

(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b) the direct marketing is in respect of that person’s similar products and services only; and

(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.’

5. If you are sending treats to other individuals then the following basis applies:

GDPR Article 6 (1) (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of the personal data’

6. If you are using our automated corporate gifting solution, you will enter into a Data Processing Agreement with CakeDrop during onboarding that complies with the General Data Protection Regulation (GDPR). Please refer to this Agreement. 

3. Who will the personal data be shared with?

Your personal data may be shared with the following categories of recipients in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws:

  1. Service Providers: We may share your personal data with trusted service providers who assist us in delivering and improving our services. These service providers may include, but are not limited to, payment processors, hosting providers, Google Analytics, and customer support services.

  2. Legal Requirements: We may disclose your personal data to comply with applicable laws, regulations, legal processes, or government requests. We may also share information to protect our rights, privacy, safety, or property, or that of our users or third parties.

  3. Business Transfers: In the event of a change in ownership, merger, acquisition, or sale of assets, your personal data may be transferred as part of the transaction. We will notify you of such a transfer and any choices you may have.

  4. Aggregated or De-identified Data: We may share aggregated or de-identified data with third parties for various purposes, including statistical analysis, research, and marketing. This data does not identify you personally.

We take appropriate due diligence measures to ensure that these third parties adhere to GDPR data protection standards and practices, including Risk Assessments. Your personal data is only shared with third parties to the extent necessary to fulfil the purposes described in this Privacy Policy while maintaining your data protection rights as stipulated by applicable laws.

4. How long will personal data be retained?

1. If you use our service, your data is kept for as long as is necessary for us to provide our services to you. You have the right to object to the processing of your data for these purposes and are free to opt out of direct marketing at any time.

2. If you have used our website and accepted cookies, your data is kept only for as long as we have your consent. You are free to delete Cookies at any time.

3. If you have signed up to receive emails from us, your data is kept only for as long as we have your consent. You are free to unsubscribe from emails at any time and request your right to erasure.

4. If you are sending treats to other individuals, ad hoc or via our automated gifting solution, their data is kept for as long as is necessary for us to provide our services to you. You have the right to object to the processing of this data for these purposes and individuals are free to request their right to erasure.

5. Accessing your personal data

We acknowledge your right to access your personal information. You may access, update, correct or withdraw the personal information you provide to us by emailing a request to hello@cakedrop.london.

6. Cookies

Cookies are small files that are stored on your computer or phone. They help us understand how you are using our website and save you time by remembering your details and tailoring your browsing experience. When you use our website and accept cookies, you accept the usage we make of cookies, an acceptance which lasts 1 year.

Our website is built on Shopify, which deploys some cookies by default (more information can be found here). We have cookies from the security plugins we use to improve security on login and during the registration process, and to control the sessions. We also use cookies from security, performance and DDoS protection systems. In addition, we use cookies and scripts from external sources, such as Klaviyo (our email provider), Google Analytics and Google Ads. Certain services, like LinkedIn, may not store cookies but run scripts to track browsing information.

We commit to keeping cookies to a bare minimum, and you can set up your browser to turn off cookies by default. This could make parts of our website not work properly during your session, but you can reach out to us with any difficulty you may encounter.

7. Changes to our privacy policy

We reserve the right to update or change our Privacy Policy at any time so you may wish to check this Privacy Policy periodically. Your continued use of the Service after we post any modifications to the Privacy Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Privacy Policy. If we make any material changes to this Privacy Policy, we will notify you either through the email address you have provided, or by placing a prominent notice on our website.