Version 1.0
Privacy Policy
Last updated: 22 May 2026
This Privacy Policy explains how Cakester AB ("Cakester", "we", "us") handles personal data. It covers visitors to our website, the people at our customer organisations who use Cakester (account users), and the employees whose details a customer enters into the platform.
If you are an employee whose workplace uses Cakester to organise celebrations, please also read the section "Employee data we process for our customers" below – and note that your employer, not Cakester, decides what data is entered and why.
1. Who we are
Cakester AB is a company incorporated in Sweden, with its registered office at [Registered Address], Sweden. For any privacy question or to exercise your rights, contact us at legal@cakester.io.
2. The two roles we play
Data protection law distinguishes between a controller (who decides why and how data is processed) and a processor (who processes it on someone's instructions). Cakester acts in both roles, depending on the data:
- Controller – for our website, our marketing, and the accounts of the people who administer Cakester at a customer organisation. We decide how that data is used.
- Processor – for the employee personal data a customer enters to organise celebrations (names, dates, dietary requirements). The customer is the controller; we process it only on their instructions, under our Data Processing Agreement.
3. Personal data we collect, and why
3.1 Website visitors
| Data | Purpose | Lawful basis |
|---|---|---|
| Usage and device data (pages viewed, approximate location, analytics events) | Operate, secure, and improve the site | Legitimate interests (Art. 6(1)(f)) |
| Information you submit (e.g. waitlist or contact forms) | Respond to you | Legitimate interests / steps prior to a contract (Art. 6(1)(b), (f)) |
3.2 Account users (customer administrators)
| Data | Purpose | Lawful basis |
|---|---|---|
| Name, work email, login credentials (via our authentication provider) | Provide and secure the service, authenticate you | Performance of a contract (Art. 6(1)(b)) |
| Company details (name, address, organisation number, billing contact) | Account administration, billing, compliance | Performance of a contract; legal obligation (Art. 6(1)(b), (c)) |
| Support communications | Provide support | Legitimate interests (Art. 6(1)(f)) |
3.3 Employee data we process for our customers
When a customer uses Cakester, their HR or office administrators enter employee details so we can organise celebrations and deliveries. As processor, we handle this strictly on the customer's instructions. The categories are set out in Schedule A of the DPA and include name, preferred name, pronouns, work email, employment details, date of birth, employment dates, and – where the customer chooses – dietary requirements and allergies (which may be special-category data).
The lawful basis for this processing is the customer's responsibility as controller. If you are an employee, direct any request about this data to your employer; we will assist them in responding.
4. How we share data
We share personal data with the Sub-processors listed on our Sub-processors page – for hosting, email, analytics, authentication, error monitoring, and order fulfilment (bakeries and couriers). Each is bound by a contract requiring appropriate protection. We do not sell personal data.
We may also disclose data where required by law, or to protect our rights, safety, or property, or those of others.
5. International transfers
Our application database is hosted within the European Union (Sweden). Some supporting providers are established outside the EEA; where personal data is transferred to them, we rely on appropriate safeguards – EU Standard Contractual Clauses and/or the EU-US Data Privacy Framework. See the Sub-processors page for each provider's location and safeguard.
6. How long we keep data
- Account and customer data: for the duration of the customer relationship, then deleted or returned as set out in the DPA, except where law requires longer retention (e.g. accounting records under the Swedish Bookkeeping Act).
- Employee data processed for customers: retained per the customer's instructions and the DPA; deleted on request (within 5 business days for a specific person) or on termination (within 30 days), subject to legal retention.
- Website analytics: retained only as long as needed for the purposes above.
7. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, or object to processing of your personal data, and to data portability. Where we rely on consent, you may withdraw it at any time.
- If we are the controller (website, account data), contact legal@cakester.io and we will respond within the statutory timeframe.
- If your data is employee data we process for your employer, contact your employer (the controller); we will support them in fulfilling your request.
You also have the right to lodge a complaint with a supervisory authority. In Sweden this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), imy.se.
8. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, role-based access controls, audit logging, and regular security testing. See DPA Clause 8 for detail.
9. Cookies and analytics
We use a small number of cookies and similar technologies to operate the site and understand usage through our analytics provider (PostHog, EU region). You can control cookies through your browser settings.
10. Changes to this policy
We may update this policy from time to time. We will post the updated version here with a new "Last updated" date and, where changes are material, provide additional notice.
11. Contact
Cakester AB – [Registered Address], Sweden
Email: legal@cakester.io