Last Updated: 02/12/25
1) Who We Are (Data Controller)
Lorna’s Bakes (“we”, “us”, “our”).
Website: https://lornasbakes.web-space.ie
Registered address: 38 Brews Hill, Navan, Co Meath, Ireland
Company number: 676784
If you have questions about this notice or wish to exercise your data protection rights, please contact us using the contact form provided.
You also have the right to lodge a complaint with the Irish Data Protection Commission (DPC): https://www.dataprotection.ie
2) Principles We Follow
We process personal data in line with GDPR principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.
We review the data we hold to ensure that it is accurate and that it is removed when no longer needed.
3) What We Collect, Why, and Our Lawful Bases
a) Shopping & Account Data (WooCommerce)
What we collect:
- Name
- Billing & shipping address
- Phone number
- Order contents
- Order notes
- Payment method (no card numbers stored by us)
- IP address & device info (fraud prevention / security)
- Account login details (if you choose to create an account)
Why:
To process and deliver your orders, handle customer support, maintain your account, and prevent fraud.
Lawful bases:
- Contract performance — Art. 6(1)(b)
- Legal obligations for accounting/tax — Art. 6(1)(c)
- Legitimate interests in fraud prevention & security — Art. 6(1)(f)
b) Payments
We do not store full card details.
Payment processors (e.g., Stripe) receive payment info directly and may perform fraud checks.
Lawful bases: Contract performance; legitimate interests in fraud prevention; legal obligations.
Processor: Stripe (see their privacy policy).
c) Customer Support & Communications
What we collect:
- Emails and messages
- Contact-form submissions
- Returns information
- IP address and browser/device information (fraud and spam prevention)
Lawful bases:
- Contract performance
- Legitimate interests in responding to enquiries & preventing abuse — Art. 6(1)(f)
- Consent, where applicable (e.g., optional marketing)
d) Marketing (Email/SMS)
What:
- Email address
- Name
- Purchase history (for segmentation and relevant offers)
- Marketing preferences
Lawful basis:
Consent — Art. 6(1)(a).
You may withdraw consent anytime by using the unsubscribe link or contacting us.
e) Analytics (Google Analytics 4)
What:
Pseudonymous usage data, including:
- Pages viewed
- Events (e.g., button clicks)
- Browser/device type
For EU users, IP addresses are not stored (GA4 drops them before logging).
We use Consent Mode to respect your cookie choices.
Lawful basis: Consent — Art. 6(1)(a).
Processor: Google LLC.
f) Advertising & Retargeting (Meta Pixel)
What:
If you consent to marketing cookies, the Meta Pixel may process:
- Pixel ID
- Cookies
- Page views
- Button clicks
- Purchase events
- IP address via standard HTTP headers
Lawful basis: Consent — Art. 6(1)(a).
Processor: Meta Platforms Ireland Ltd.
g) Comments (if enabled)
What:
- Data submitted in the comment form
- IP address & browser user agent (spam detection)
- If using Gravatar: a hashed version of your email to retrieve your avatar
h) Children’s Data
Our website is not directed at children under 16.
We do not knowingly collect personal data from minors.
If you believe a child has submitted data, contact us and we will delete it.
4) Cookies & Tracking
We use the following types of cookies:
- Strictly necessary cookies — needed for cart, checkout, login, and security. These do not require consent.
- Analytics cookies (GA4) — only loaded with your consent.
- Marketing cookies (Meta Pixel) — only loaded with your consent.
You can change or withdraw consent at any time via the Cookie Settings link in our footer.
5) International Data Transfers
Some of our providers (e.g., Google, Meta, Stripe) may transfer data to the USA or other countries.
To protect your data, we rely on:
- EU Standard Contractual Clauses (SCCs)
- Vendor security measures
- Additional supplementary measures where appropriate
There is a small risk that non-EU authorities may access transferred data under local laws. We assess these risks in line with Schrems II.
6) How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Orders & invoices | 6 years (legal requirement) |
| Customer accounts | Deleted or anonymised after 24 months of inactivity |
| Support enquiries | 12 months after closure |
| Marketing data | Until you unsubscribe or 24 months of inactivity |
| IP addresses from forms | 12 months |
| Comments | Indefinitely (to recognise future comments) |
Retention may be extended if required for legal claims or to comply with legal obligations.
7) Your Rights (GDPR)
You have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion
- Restrict processing
- Object to processing
- Data portability
- Withdraw consent at any time
- Lodge a complaint with the DPC
To exercise any rights, email hello@lornasbakes.com.
8) Security
We use industry-standard technical and organisational measures, including:
- TLS (HTTPS) encryption
- Access controls
- Data minimisation
- Monitoring for unusual activity
If a data breach occurs and poses a high risk to your rights, we will notify you and the DPC in line with GDPR requirements.
9) Automated Decision-Making & Profiling
We do not make decisions that have legal or significant effects based solely on automated processing.
If you consent to marketing cookies, analytics and advertising tools may be used to create audience segments or personalise ads. This profiling does not produce significant or legal effects.
10) Embedded Content from Other Websites
Embedded content (e.g., YouTube videos, Instagram posts) behaves as if you visited the source website.
These sites may collect data, use cookies, or track interactions.
You should refer to their privacy policies.
11) Changes to This Policy
We may update this policy occasionally.
When changes are significant, we will update the date above and may notify you by email or via the website.