the place
THE PLACECAFÉ & CAKES

Privacy Policy

Anna Bunetska The Place

Last updated: 14 November 2025

This Privacy Policy explains how we collect and use your personal data when you use our website theplacecake.com, especially when you order cakes from us.

We try to keep this simple and clear, but this document is also meant to match EU/GDPR rules.

1. Who is responsible for your data?

The data controller (the one who decides what happens with your data) is:

  • Business name: Anna Bunetska The Place
  • Brand name: the place
  • Address: Zamenhofa 5/1, 31-025 Kraków, Poland
  • NIP: 6772477225
  • REGON: 521906243
  • Email: the.place.kontakt@gmail.com
  • Phone: +48 664 709 333

If you have any questions about privacy, contact us at: the.place.kontakt@gmail.com

2. What data we collect and when

2.1. When you place an order on the website

We collect:

  • Name
  • Email address
  • Phone number
  • Order details (cake type, size, flavor, decoration, etc.)
  • Pickup date and time
  • Technical payment status (paid / failed, payment ID from Stripe)

We do not see or store your full card numbers or CVV – this goes through Stripe.

2.2. When you contact us (email, phone, Instagram)

We may collect:

  • Name or nickname
  • Email address or phone number
  • Content of your message
  • Order ID (if you give it)

2.3. When you sign up for newsletter/marketing

If you tick the box for marketing, we collect:

  • Email address
  • Info about the fact you agreed to marketing
  • Date/time of your consent

2.4. When you visit the website (technical data)

Our systems and/or our hosting/analytics providers may collect basic technical data, such as:

  • IP address (often shortened/aggregated)
  • Browser type and version
  • Device type
  • Operating system
  • Date and time of visit
  • Pages viewed

We use this only for basic statistics and security, not for building detailed profiles or doing creepy tracking.

3. For what purposes and on what legal basis we process data

We process your data mainly under GDPR Article 6(1)(b), (c), (f) and (a).

3.1. To handle your order (contract) – Art. 6(1)(b) GDPR

We use your data to:

  • Accept and confirm your order
  • Prepare the cake
  • Contact you if we need to clarify something
  • Let you pick up the cake at the right time

Legal basis: performance of a contract – we can't make and hand over your cake without this data.

3.2. To handle payments – Art. 6(1)(b) and (f) GDPR

We send some data (order value, currency, basic customer info) to Stripe, our payment provider, to:

  • Process your payment
  • Confirm whether it was successful or not
  • Prevent fraud and misuse

Legal basis: contract + our legitimate interest in safe payments and fraud prevention.

3.3. To issue invoices and keep accounting – Art. 6(1)(c) GDPR

We have legal duties under Polish law (e.g. tax and accounting rules). We may need:

  • Your name
  • In some cases, company details (if you ask for an invoice)

Legal basis: legal obligation – we must store some data for accounting and tax purposes for a certain number of years.

3.4. To plan our work using Google Calendar – Art. 6(1)(b) and (f) GDPR

We save order information in an internal Google Calendar used by our staff. This usually includes:

  • Your name
  • Pickup date and time
  • Short note about the order (e.g. type of cake)

Legal basis: contract + our legitimate interest in organizing work and making sure your cake is ready on time.

3.5. To handle complaints and problems – Art. 6(1)(b) and (f) GDPR

If you complain about an order, we use your data to:

  • Check what happened
  • Contact you and solve the problem
  • Possibly offer a discount for the next order

Legal basis: contract + our legitimate interest in customer support and defending our claims.

3.6. For newsletter/marketing – Art. 6(1)(a) GDPR

If you explicitly agree (e.g. by ticking a checkbox), we use your email to:

  • Send news about the place
  • Send promotions, discounts and special offers

Legal basis: your consent. You can withdraw consent at any time (see Section 8).

3.7. For statistics and security – Art. 6(1)(f) GDPR

Technical data about website visits may be used for:

  • Basic statistics (how many people visit, which pages they view)
  • Improving the website
  • Protecting against attacks and abuse

Legal basis: our legitimate interest in keeping the website working and improving it.

4. Who we share data with

We share your data only with providers who help us run the business. We choose them carefully.

We may share data with:

  • Stripe, Inc. – to process online payments.
  • Google LLC – for email (if using Gmail/Workspace) and for internal Google Calendar where we store order info.
  • Vercel – for hosting the website.
  • [Email sending provider, e.g. Resend/Postmark] – for sending order confirmation emails and other necessary messages.

These providers process data on our behalf (as processors) and follow GDPR rules. Some data may be transferred outside the EU (e.g. to the USA), but only with appropriate safeguards (e.g. standard contractual clauses, data centers in the EU where possible).

We do not sell your data to third parties.

5. How long we keep your data

We keep personal data only as long as necessary for the purposes described above.

Roughly:

  • Order data – for the time needed to process the order and then for the period required by Polish tax/accounting law (usually up to 5–6 years from the end of the year in which the transaction took place).
  • Google Calendar entries – for as long as needed for planning and evidence; we may keep basic order entries for similar periods as accounting data.
  • Complaint-related data – for the time needed to handle the complaint and for the time we may need to defend against potential legal claims (usually a few years).
  • Newsletter/marketing data – until you withdraw consent (unsubscribe) or we decide to stop sending marketing.
  • Technical logs/statistics – for a reasonable period needed for security and analysis (e.g. several months), then they may be anonymized or deleted.

If the law requires us to keep something longer, we will do so. When we no longer need data, we delete it or anonymize it.

6. Cookies and similar technologies

Our website may use cookies or similar technologies to:

  • Make the site work correctly (e.g. remembering language or cart contents)
  • Provide basic statistics on website usage (if we use analytics tools)

We do not use cookies to profile you for aggressive marketing or sell your data.

Details on cookies (types, storage time, how to manage them) will be described in a separate Cookie Policy or in a cookie banner, if needed.

7. Is providing data mandatory?

You don't have to give us your data. But:

  • If you do not provide the data needed for an order (name, email, phone, pickup date/time, payment), we cannot accept and fulfill the order.
  • For marketing/newsletter, you decide freely. Not giving consent has no impact on your ability to order cakes.

8. Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access: you can ask us what data we have about you and get a copy.
  • Right to rectification: you can ask us to correct your data if it is not accurate or complete.
  • Right to erasure ("right to be forgotten"): you can ask us to delete your data in some cases (e.g. when we no longer need it or you withdraw consent), unless the law requires us to keep it (e.g. accounting).
  • Right to restriction of processing: you can ask us to limit how we use your data in certain situations.
  • Right to data portability: you can ask us to send your data to you or another controller in a structured, commonly used format, where technically possible.
  • Right to object: you can object to processing based on our legitimate interest, or processing for direct marketing (newsletter).
  • Right to withdraw consent: if we process data based on consent (newsletter/marketing), you can withdraw this consent at any time. It will not affect processing done before withdrawal.

To use these rights, contact us at: the.place.kontakt@gmail.com

9. Right to complain to a supervisory authority

If you think we are processing your data in a way that breaks GDPR, you have the right to lodge a complaint with the supervisory authority.

In Poland this is:

  • Prezes Urzędu Ochrony Danych Osobowych (PUODO)
  • ul. Stawki 2
  • 00-193 Warszawa
  • Website: https://uodo.gov.pl

We would appreciate if you contact us first so we can try to resolve the issue together.

10. Security of your data

We take reasonable technical and organizational measures to protect your data, including:

  • Secure connections (HTTPS)
  • Limiting access to data only to staff who need it
  • Using trusted providers (Stripe, Google, hosting, email) with good security practices
  • Regular software updates

No system is 100% perfect, but we do what we can to reduce risks.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example when we add new features or when the law changes.

The current version will always be available on this page.

We will show the date of last update at the top.

If the changes are significant, we may also inform you by email or via a notice on the website.

12. Contact

For all questions about privacy, data protection, or this Privacy Policy, contact us at:

Address: Zamenhofa 5/1, 31-025 Kraków, Poland