Privacy Policy
Last updated: May 2026
This policy describes what personal data Tårtly collects, why we process it, and your rights under the General Data Protection Regulation (GDPR).
1. Data Controller
Tårtly AB is the data controller for the processing of your personal data when you use the platform. Email for data protection inquiries: info@tartly.se
2. What Data We Collect
Account data: name, email, optionally phone number and address.
Order data: which cakes you ordered, flavor and add-on choices, pickup date, any message to the patisserie, dietary restrictions you note.
Payment data: card details are handled by Stripe and are never stored in our systems — we receive only a transaction reference.
Usage data: pages you visit, searches, and technical information about your device. We use anonymous aggregate analytics (Vercel Analytics) and error reporting (Sentry, when configured).
Reviews: ratings and comments you submit about patisseries you ordered from.
3. Lawful Basis
Contract (Art. 6(1)(b)): to process your orders, facilitate payments, and deliver the service you requested.
Legitimate interest (Art. 6(1)(f)): to prevent fraud, improve the platform, and deliver customer support.
Consent (Art. 6(1)(a)): for marketing communications, where such are sent — you can withdraw consent at any time.
Legal obligation (Art. 6(1)(c)): to meet Swedish accounting law (Bokföringslagen) record-keeping requirements.
4. Retention
Account data: until the account is deleted, plus 1 year for security and audit purposes.
Order and payment data: 7 years per Swedish accounting law.
Reviews: retained indefinitely. When you request deletion of your account, we keep the rating itself (so the patisserie's aggregate score is not distorted) but remove your identity and the comment text.
Cookies: per each cookie's own lifetime — see section 7.
5. Who We Share Data With
Patisseries: receive only the data needed to prepare and hand over your order — name, contact details, order specification, pickup date.
Stripe (payment), Resend (email delivery), Vercel (operations and hosting), Supabase (database and authentication), Sentry (error reporting): data processors that help us deliver the service. All have GDPR-compliant data processing agreements.
We never sell your data to third parties and do not share it for marketing of other companies' services.
Some data may be stored or processed in third countries within the framework of EU/EEA-approved transfer mechanisms.
6. Your Rights
Under GDPR you have the right to:
• Access the data we hold about you (Art. 15)
• Rectification of inaccurate data (Art. 16)
• Erasure, the "right to be forgotten" (Art. 17)
• Data portability (Art. 20)
• Object to processing (Art. 21)
• Restriction of processing (Art. 18)
You exercise your rights by emailing info@tartly.se.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY — Integritetsskyddsmyndigheten) if you believe we are processing your data unlawfully — imy.se.
7. Cookies and Tracking
We use the following types of cookies:
Necessary cookies: for sign-in, security, and your cart. These do not require consent.
Functional cookies: for your preferences (language, etc.).
Analytics cookies: anonymous visitor statistics via Vercel Analytics, primarily to understand platform performance.
A cookie consent dialog is in development and will launch before commercial launch. For now, you can manage cookies via your browser settings.
8. Security
We use industry-standard security measures: encryption in transit (HTTPS/TLS), access controls and logging, secure authentication via Supabase, and card data handled only by PCI-DSS-certified Stripe — never in our own systems. In the event of a personal data breach that poses a risk to you, we report under GDPR Art. 33 to IMY within 72 hours and notify you if required (Art. 34).
9. Changes to This Policy
We may update this policy. For material changes, we will notify you via email or on the platform. The last updated date is shown above.
10. Contact
For data protection questions or to exercise your rights, contact:
Tårtly AB
Email: info@tartly.se
Supervisory authority: Swedish Authority for Privacy Protection (IMY), imy.se.