Introduction
PCIM Solutions Pty Ltd (ABN 64 156 234 089), trading as BiziBakes ("BiziBakes", "we", "us", "our") operates a software-as-a-service platform that enables cake decorators and small baking businesses to build, host, and manage websites and online ordering (the "Platform").
This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the Platform. It applies to:
- Business Users - cake decorators and baking businesses who subscribe to the Platform ("Subscribers"); and
- End Customers - individuals who visit Subscriber websites, place orders, submit enquiry forms, or otherwise interact with Subscriber sites hosted on the Platform ("End Customers").
We are bound by the Australian Privacy Principles ("APPs") contained in the Privacy Act 1988 (Cth) (the "Privacy Act"). Where applicable under the EU General Data Protection Regulation ("GDPR") or the UK General Data Protection Regulation ("UK GDPR"), we also comply with those regulations as described in this Policy.
Our Role in Handling Personal Information
We are the data controller (or, under the GDPR/UK GDPR, the "controller") for personal information we collect directly from Subscribers in connection with account registration, billing, and Platform administration.
When Subscribers use the Platform to collect personal information from their End Customers (for example, through order forms, enquiry forms, file uploads, or newsletter sign-ups), BiziBakes acts as a data processor (or, under the GDPR/UK GDPR, a "processor") on behalf of the Subscriber. The Subscriber is the data controller for that information and is responsible for ensuring their own compliance with applicable privacy laws, including obtaining all necessary consents from End Customers for the collection, use, and disclosure of their personal information.
The Platform operates a multi-tenant architecture. Each Subscriber's data is logically separated. BiziBakes does not control, direct, or supervise Subscribers' businesses, products, food safety practices, tax compliance, or consumer law obligations. Each Subscriber operates independently and is solely responsible for their own legal compliance.
Subscribers are solely responsible for ensuring they have obtained all necessary consents and have established a valid legal basis for collecting personal information from their End Customers through their Subscriber Websites. BiziBakes does not verify whether Subscribers have obtained appropriate consents or established valid legal bases and accepts no liability for any failure by a Subscriber to do so.
Information We Collect
When you register for an account or subscribe to the Platform, we may collect:
- Name, email address, and contact details
- Business name and ABN (where provided)
- Account credentials (passwords are stored in hashed form only)
- Billing information (processed via Stripe; we do not store full payment card details)
- Stripe Connect account identifiers
- Platform usage data and preferences
- Communications with our support team
End Customers may provide personal information to Subscriber websites hosted on our Platform. This information is collected by the Subscriber (as data controller) and may include:
- Name, email address, phone number, and delivery address
- Order details and preferences
- File uploads (such as cake inspiration images)
- Messages submitted through enquiry or contact forms
- Newsletter subscription preferences
BiziBakes processes this information on behalf of the Subscriber as part of the Platform's infrastructure.
When you access the Platform or Subscriber websites, we may automatically collect:
- IP address and approximate geolocation
- Browser type, device type, and operating system
- Pages visited, referral URLs, and session duration
- Technical logs for security, rate limiting, and performance monitoring
Lawful Bases for Processing
Where the GDPR or UK GDPR applies to our processing of personal data, we rely on the following lawful bases:
- Contract - processing necessary for the performance of our contract with you (including providing the Platform, managing your account, and processing billing)
- Legitimate interests - processing necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights (including Platform security, fraud prevention, product improvement, and analytics using anonymised data)
- Legal obligation - processing necessary to comply with a legal obligation to which we are subject (including tax, accounting, and regulatory requirements)
- Consent - where you have given specific consent for a particular processing activity (including marketing communications and optional analytics). Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal
Where we process personal data as a processor on behalf of Subscribers, the Subscriber is responsible for establishing and documenting the applicable lawful basis for its own processing of End Customer data.
Cookies and Tracking Technologies
We use cookies and similar technologies for the following purposes:
- Essential cookies - required for authentication, session management, and security (including rate limiting via Redis)
- Functional cookies - to remember preferences and improve user experience
- Analytics cookies - to understand how the Platform is used and to improve our services
BiziBakes does not use advertising tracking pixels by default. Subscribers may enable additional tracking or analytics on their own websites. BiziBakes is not responsible for cookies or tracking technologies implemented by Subscribers or third-party services integrated by Subscribers.
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect Platform functionality. Where required by applicable law (including the GDPR and UK GDPR), we will obtain your consent before placing non-essential cookies.
How We Use Personal Information
We use personal information for the following purposes:
- Providing, maintaining, and improving the Platform
- Processing subscriptions and billing via Stripe
- Facilitating Stripe Connect integrations for Subscribers
- Hosting Subscriber websites and delivering content via CDN
- Storing and delivering uploaded images and files
- Providing AI-assisted website content generation features
- Sending transactional emails (such as order confirmations) via third-party email providers
- Providing customer support
- Monitoring security, preventing fraud, and enforcing our Terms of Service
- Complying with legal obligations
- Generating anonymised and aggregated data for product improvement and analytics
Direct Marketing and Opt-Out Rights
We may use your contact information to send you communications about Platform updates, new features, and service-related announcements. We will not send you unsolicited marketing communications without your consent.
You may opt out of receiving marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Updating your communication preferences in your account dashboard
- Contacting us using the details in Section 22
Opting out of marketing communications does not affect transactional or service-related communications necessary for the operation of your account.
AI-Generated Content
The Platform includes AI-assisted content generation features. When Subscribers use these features:
- Input data (such as business descriptions and preferences) may be processed by third-party AI service providers to generate website content
- We do not use Subscriber or End Customer personal information to train AI models
- AI-generated content may contain inaccuracies or errors. Subscribers are solely responsible for reviewing, editing, and approving all AI-generated content before publication
- BiziBakes does not guarantee the originality of AI-generated content and accepts no liability for any intellectual property infringement arising from its use
- BiziBakes does not retain AI prompt history and has no obligation to store or make available any record of AI-generated content inputs or outputs
Third-Party Service Providers
We share personal information with the following categories of third-party service providers who process data on our behalf:
- Stripe - payment processing and Stripe Connect (Stripe's own privacy policy applies to payment data handled by Stripe)
- Supabase - database hosting (hosted PostgreSQL)
- Vercel - website hosting and CDN delivery
- Postmark (and/or other email service providers) - transactional and newsletter email delivery
- Redis-based services - rate limiting and caching
- AI service providers - content generation features
Each third-party provider is bound by their own privacy policies and, where applicable, data processing agreements. We take reasonable steps to ensure they handle personal information in accordance with applicable privacy laws, including (where required) entering into Standard Contractual Clauses or equivalent safeguards for international transfers.
Stripe and Payment Data
BiziBakes does not process payments directly. All payment processing is handled by Stripe.
Subscription fees are processed through Stripe. We receive limited billing information from Stripe (such as the last four digits of a payment card and transaction status) but do not store full card details.
Subscribers who enable online ordering connect their own Stripe accounts via Stripe Connect. When End Customers make payments on Subscriber websites, the payment relationship is directly between the End Customer and the Subscriber (via the Subscriber's Stripe account). BiziBakes is not the merchant of record and does not have access to full payment card details for these transactions.
Stripe's privacy policy (available at stripe.com/privacy) governs the handling of payment information by Stripe.
File Uploads and Image Storage
The Platform allows Subscribers and End Customers to upload files, including images. Uploaded files are:
- Stored securely using cloud infrastructure providers
- Delivered via CDN for performance optimisation
- Subject to our acceptable use policies
Subscribers are responsible for ensuring they have appropriate rights and consents for any content uploaded to the Platform, including content uploaded by their End Customers (such as cake inspiration images). BiziBakes does not routinely monitor uploaded content but reserves the right to remove content that violates our Terms of Service or applicable law.
Data Storage and International Transfers
Personal information collected through the Platform is stored using cloud infrastructure providers whose servers may be located outside Australia, including in the United States and other jurisdictions.
Our primary service providers and their typical hosting locations include:
- Supabase - cloud-hosted PostgreSQL (servers may be located in the US or other regions)
- Vercel - global edge network and hosting
- Stripe - global infrastructure
Where personal information is transferred outside Australia, we take reasonable steps to ensure it is handled in accordance with the APPs. By using the Platform, you acknowledge that your personal information may be transferred to and processed in jurisdictions outside Australia.
Where personal data is transferred from the European Economic Area ("EEA") or the United Kingdom to a country that has not been recognised as providing an adequate level of data protection, we implement appropriate safeguards to protect that data, including:
- Standard Contractual Clauses ("SCCs") approved by the European Commission
- The International Data Transfer Agreement or Addendum approved by the UK Information Commissioner's Office, where applicable
- Any other transfer mechanism recognised under the GDPR or UK GDPR as providing appropriate safeguards
You may request a copy of the relevant transfer safeguards by contacting us using the details in Section 22.
Data Retention
We retain personal information for as long as necessary to provide the Platform and fulfil the purposes described in this Policy, or as required by law. Specifically:
- Subscriber account information is retained for the duration of the subscription and for a reasonable period thereafter for legal and administrative purposes
- End Customer data collected through Subscriber websites is retained in accordance with the Subscriber's instructions and our Terms of Service
- Upon termination of a Subscriber's account, we will delete or de-identify Subscriber data and associated End Customer data within 90 days, unless retention is required by law or for the resolution of disputes
- Subscribers are responsible for exporting any data they require prior to account termination
- Anonymised and aggregated data that cannot be used to identify individuals may be retained indefinitely for analytics and product improvement
Security Measures
We implement reasonable technical and organisational measures to protect personal information, including:
- Encryption of data in transit (TLS/SSL)
- Hashed password storage
- Role-based access controls
- Rate limiting to prevent abuse
- Regular security monitoring
- Use of reputable cloud infrastructure providers with their own security certifications
No method of electronic transmission or storage is completely secure. While we strive to protect personal information, we cannot guarantee absolute security.
Data Breach Notification
In the event of a data breach that is likely to result in serious harm to individuals whose personal information is affected, BiziBakes will:
- Take reasonable steps to contain the breach and mitigate any resulting harm
- Assess whether the breach is likely to result in serious harm to affected individuals
- Where required under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act), notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable
- Where required under the GDPR, notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms
- Where required under the UK GDPR, notify the UK Information Commissioner's Office in accordance with UK requirements
- Where BiziBakes is acting as data processor on behalf of a Subscriber, notify the affected Subscriber without undue delay so that the Subscriber can fulfil its own notification obligations
Your Rights Under the Australian Privacy Act
Under the Privacy Act, you have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate, incomplete, or out-of-date personal information
- Request deletion of your personal information (subject to legal retention requirements)
- Withdraw consent where processing is based on consent
- Opt out of receiving direct marketing communications
To exercise any of these rights, please contact us using the details in Section 22.
End Customers: If you are an End Customer of a Subscriber website and wish to access, correct, or delete your personal information, you should contact the Subscriber directly in the first instance. The Subscriber is the data controller for your information. If you are unable to resolve your request with the Subscriber, you may contact us and we will assist where reasonably practicable.
Your Rights Under the GDPR and UK GDPR
If you are located in the EEA or the United Kingdom, you have the following additional rights under the GDPR or UK GDPR (as applicable) in respect of personal data for which BiziBakes is the controller:
- Right of access - the right to obtain confirmation of whether we process your personal data and to request a copy of that data
- Right to rectification - the right to request correction of inaccurate or incomplete personal data
- Right to erasure - the right to request deletion of your personal data in certain circumstances
- Right to restriction of processing - the right to request that we restrict the processing of your personal data in certain circumstances
- Right to data portability - the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller
- Right to object - the right to object to processing based on legitimate interests or for direct marketing purposes
- Right to withdraw consent - where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal
- Right to lodge a complaint - the right to lodge a complaint with a supervisory authority. For EEA residents, this is the data protection authority in your member state. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk
To exercise any of these rights, please contact us using the details in Section 22. We will respond to valid requests within one month, or within such extended period as permitted by applicable law.
Where BiziBakes processes personal data as a processor on behalf of a Subscriber, EEA and UK data subjects should direct rights requests to the relevant Subscriber in the first instance.
US State Privacy Rights
If you are a resident of a US state that provides specific privacy rights (such as California, Virginia, Colorado, Connecticut, or other states with comprehensive privacy legislation), you may have additional rights under applicable state law, including the right to know what personal information is collected, the right to request deletion, and the right to opt out of certain data sharing or processing activities.
BiziBakes does not sell personal information within the meaning of applicable US state privacy laws. To exercise any rights available to you under applicable US state privacy laws, please contact us using the details in Section 22.
Complaints
If you believe we have breached the APPs, the GDPR, the UK GDPR, or otherwise mishandled your personal information, you may lodge a complaint with us using the contact details in Section 22.
We will acknowledge your complaint within 7 business days and aim to resolve it within 30 business days. If you are not satisfied with our response, you may lodge a complaint with:
- The Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au (for Australian privacy matters)
- The relevant data protection authority in your EEA member state (for GDPR matters)
- The UK Information Commissioner's Office (ICO) at ico.org.uk (for UK GDPR matters)
Children's Privacy
The Platform is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without appropriate parental or guardian consent, we will take steps to delete that information.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, technology, or legal requirements. We will notify Subscribers of material changes by email or through the Platform. The updated policy will be effective from the date of publication. Continued use of the Platform after changes are published constitutes acceptance of the updated policy.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our handling of personal information, please contact us:
- PCIM Solutions Pty Ltd
- ABN 64 156 234 089
- Trading as BiziBakes
- Email: privacy@bizibakes.com
- Address: PO Box 667, Winston Hills NSW 2153 Australia
For GDPR and UK GDPR enquiries, you may also contact us at the email address above, marked for the attention of our privacy team.