← Back to Shedful

Privacy Policy

Last updated: April 2025

1. Who we are

Shedful ("we", "us", "our") operates the platform at shedful.app. Shedful is currently operated by an individual based in England. We are the data controller for the personal data we collect from bakers and customers.

When you purchase from a Shedful-powered store, both Shedful and the individual baker may process some of your personal data. This policy explains Shedful's role. The baker is a separate data controller for their own records.

Contact us about privacy matters at: privacy@shedful.app

2. What data we collect

2.1 Baker account and profile data

When you create a Shedful baker account, we collect:

  • Your name
  • Email address
  • Shed name and location (as entered during registration)
  • Password (stored as a secure hash — we never see your plain-text password)

2.2 Baker billing and payment data

If you upgrade to a paid tier, we collect:

  • Your Stripe customer ID and subscription ID (used to manage your subscription)
  • Your Stripe Connect account ID (used to route payments to you)

We do not store your full card details. Payment information is handled directly by Stripe in accordance with their privacy policy (stripe.com/gb/privacy).

2.3 Baker usage and transaction data

We collect data generated by your use of the platform, including:

  • Products, stock levels, and settings you configure
  • Orders placed through your store (items, amounts, timestamps)
  • Analytics data derived from your sales

2.4 Customer purchase data

When a customer buys from a Shedful store, Shedful's platform receives and stores:

  • The items purchased and quantities
  • The total amount paid
  • The date and time of the transaction
  • A reference to the baker's store

Your full card details are handled exclusively by Stripe and are never stored by Shedful.

2.5 Technical data

Our hosting infrastructure (Vercel) may log standard technical data such as IP addresses and browser type for security purposes. We do not use this data to identify or profile you.

3. How we use your data

We use your data to:

  • Provide and operate the Shedful platform
  • Process and confirm payments
  • Provide bakers with a record of sales (visible in their dashboard)
  • Process and manage subscriptions and payments via Stripe
  • Send service-related communications (account notices, billing alerts)
  • Maintain transaction records for financial and legal compliance
  • Investigate and resolve support requests
  • Monitor for security incidents and abuse

We do not use your data for marketing. We do not profile you or serve you advertisements.

Our lawful basis for processing is primarily contractual necessity and, for communications, legitimate interest.

4. Who we share your data with

We share data with the following third parties only to the extent necessary to provide the service:

  • The baker whose store you purchased from — they can see order details in their Shedful dashboard.
  • Supabase— our database and authentication provider. Your data is stored on Supabase's infrastructure. supabase.com/privacy
  • Stripe — payment processing, Connect account management, and subscription billing. stripe.com/gb/privacy
  • Vercel — hosting provider for the Shedful web application. vercel.com/legal/privacy-policy

We do not sell your data. We do not share it with advertisers or unrelated third parties.

5. Your store and customers (bakers)

When a customer purchases from your store, their transaction data (items purchased, amount paid, date) is stored in Shedful's database and is visible to you in your dashboard. All customer data is held and controlled by Shedful — you do not store or independently process any customer personal data outside of the platform.

6. Data retention

Transaction records are retained for 7 years in line with standard financial record-keeping requirements.

Baker account data is retained for as long as your account is active. If you close your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes.

7. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request erasure (subject to legal retention obligations on financial records)
  • Object to processing based on legitimate interest
  • Request restriction of processing
  • Data portability (receive your data in a machine-readable format)
  • Lodge a complaint with the ICO at ico.org.uk

To exercise any of these rights, contact us at privacy@shedful.app. We will respond within one month.

8. Cookies

Shedful uses session cookies to keep you logged in. On customer-facing store pages, we only use cookies that are strictly necessary to complete your purchase. We do not use tracking or advertising cookies. If this changes, we will update this policy and seek consent where required.

9. Security

We take reasonable technical and organisational measures to protect your data, including encrypted connections (HTTPS), hashed passwords, and row-level security on our database. Payment data is handled by Stripe, who are PCI DSS compliant. No system is completely secure and we cannot guarantee absolute security.

10. Changes to this policy

We may update this policy from time to time. We will notify bakers of material changes by email or via the platform. The current version is always available at shedful.app/privacy. For significant changes we will update the "last updated" date prominently.

11. Contact

Privacy queries: privacy@shedful.app

Information Commissioner's Office: ico.org.uk / 0303 123 1113