Privacy Policy

Last updated: 4 June 2026

This policy explains how TeamTreat handles personal data when you use our website (teamtreat.co.uk) and the TeamTreat platform. It is written to comply with the UK GDPR and the Data Protection Act 2018.

1. Who we are

TeamTreat Ltd ("TeamTreat", "we", "us") is the data controller for personal data processed through this website and the TeamTreat platform. Where your employer uses TeamTreat to send celebrations to you, your employer is the controller of the employee data they upload and TeamTreat acts as their processor.

Contact us at hello@teamtreat.co.uk for general questions, or privacy@teamtreat.co.uk for privacy requests.

2. Personal data we collect

  • Account data: name, work email, company name, role, authentication identifiers and login timestamps.
  • Employee data uploaded by your company: name, work email, birthday, work anniversary, dietary requirements, office or home delivery address.
  • Order & billing data: selected bakery, delivery dates, order items and notes, invoices, payment status. Card details are collected and held by Stripe — we never see or store them.
  • Bakery partner data: business name, contact email and phone, address, capacity and pricing configuration.
  • Support & contact data: messages you send via the contact form, email or chat.
  • Usage & security data: IP address, device and browser information, audit log of significant account events, and a local device identifier used to detect suspicious sign-ins.
  • Cookies and similar storage: see our Cookie Policy for the full list.

3. Why we process it and our legal basis

  • To deliver the service you've signed up for, including taking orders, sending them to the correct bakery and confirming delivery — performance of a contract.
  • To send service emails such as order confirmations, receipts and account notifications — performance of a contract.
  • To take payment and meet accounting and tax obligations — legal obligation.
  • To secure the platform and prevent abuse, fraud and unauthorised access — legitimate interests.
  • To improve the platform based on aggregated usage — legitimate interests.
  • Optional cookies (functional / analytics) — your consent, which you can withdraw at any time via the "Manage cookie preferences" button on the Cookie Policy.

4. Who we share data with

We share the minimum data needed with the partner bakery fulfilling each order (recipient name, delivery address, dietary notes and delivery date). We also use trusted processors to host the platform, send email and take payments. All processors act on our instructions under a written data processing agreement.

| Processor | Purpose | Data shared | Location | Safeguard |
|---|---|---|---|---|
| Supabase (hosting, database, auth, storage) | Application database, authentication and file storage | Account, employee, order and billing records | EU (Ireland) | DPA in place; data hosted in the EU |
| Cloudflare | Edge hosting, DNS and DDoS protection | IP address, request metadata | Global edge | UK IDTA / EU SCCs |
| Stripe Payments UK, Ltd. | Card payments, invoicing and fraud prevention | Billing contact, payment method, transaction history | UK / EU / US | UK IDTA / EU SCCs |
| Resend | Transactional email delivery (order confirmations, receipts, invites) | Recipient email, message content, delivery metadata | US | UK IDTA / EU SCCs |
| Partner bakeries | Fulfilling each cake order | Recipient name, delivery address, dietary notes, delivery date | United Kingdom | Contractual data sharing terms |
| Google Fonts | Serving web fonts (loaded only with your Functional cookie consent) | IP address | US | UK IDTA / EU SCCs |

We may also disclose personal data where we are required to by law, to enforce our terms, or to protect the rights, safety or property of TeamTreat, our customers or the public.

5. International transfers

Some processors listed above are located outside the UK. Where this happens we rely on appropriate safeguards such as the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or transfers to countries the UK considers adequate.

6. Retention

  • Account & employee records: kept while the account is active. Removed within 30 days of account deletion, except where we need to keep them for a legal obligation.
  • Orders, invoices and receipts: kept for 7 years to meet UK tax and accounting obligations.
  • Audit and security logs: up to 24 months.
  • Support messages: up to 3 years after the last interaction.
  • Marketing suppression list: kept indefinitely so we continue to honour your opt-out.

7. How we keep data secure

Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted to a small number of authorised staff, protected by multi-factor authentication. Row-level security policies in our database ensure each company can only see its own data. We log significant security events and review them for suspicious activity.

8. Your rights

Under UK GDPR you have the right to:

  • access a copy of the personal data we hold about you;
  • have inaccurate data corrected;
  • ask us to delete your data ("right to be forgotten");
  • restrict or object to certain processing;
  • receive your data in a portable format;
  • withdraw consent for any processing based on consent.

If your data was uploaded by your employer, please contact them first — they control the data and we will help them respond. Otherwise, email privacy@teamtreat.co.uk and we'll respond within one month.

You can also complain to the UK Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.

9. Children

TeamTreat is a workplace service and is not directed at children under 16. We do not knowingly collect data about children. If you believe a child's data has been uploaded in error, contact us and we will remove it.

10. Automated decision-making

We do not use personal data to make solely automated decisions that produce legal or similarly significant effects.

11. Changes to this policy

We'll post any material changes on this page and update the "Last updated" date above. Where the change is significant we'll also notify account owners by email.