Corner Loaf — Privacy Policy
Effective date: 2026-05-22
Last updated: 2026-05-22
This Privacy Policy explains how HMB Software LLC, a Florida limited liability company ("HMB Software," "we," "us," "our"), collects, uses, shares, and protects information when you use Corner Loaf — our marketplace web app, iOS app, and Android app (collectively, the "Service").
By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, do not use the Service.
1. Who we are
HMB Software is the data controller (under EU/UK GDPR) and the business (under the California Consumer Privacy Act) for personal information collected through Corner Loaf.
For privacy-related requests, contact privacy@cornerloaf.com.
2. Information we collect
2.1 Information you give us
| Category | Examples | Source |
|---|---|---|
| Account identity | First name, last name, email, optional phone, optional date of birth | You provide when creating an account |
| Customer addresses | One or more U.S. street addresses (for pickup and delivery) | You add in the address book |
| Onboarding location | A coarse latitude/longitude derived from a street address or device location | You provide during onboarding so Discover can rank Bakers by distance |
| Baker profile | Business name, kitchen description, biographical text, year started, hero photo, item photos, allergens-handled tags, cancellation policy, cottage-food self-attestation | Bakers provide during onboarding and ongoing operation |
| Order and message content | Item descriptions, special instructions, attachments to custom requests, messages between Customer and Baker | You provide when ordering or messaging |
| Reviews and replies | Star rating, free-text review, optional Baker reply | You write |
| Payment information (Bakers only) | Card details for the Baker Subscription | Provided to Stripe — we receive only a Stripe customer ID and metadata (subscription status, plan, current period end, last-4 of card) |
2.2 Information collected automatically
| Category | Examples | Source |
|---|---|---|
| Device and app info | Device model, OS version, app version, IP address, language | The web/iOS/Android app on use |
| Push notification tokens | Apple Push Notification service (APNs) token, Firebase Cloud Messaging (FCM) token | The iOS/Android app on first push permission grant |
| Server logs | Request paths, response codes, timestamps, IP addresses, user agents | Our back-end services |
| Session data | OAuth/OIDC tokens issued by our identity provider (Keycloak) | Set when you sign in |
2.3 Information from third parties
| Category | Source |
|---|---|
| Authentication events (sign-in, sign-out, email verification) | Keycloak (our identity provider) |
| Subscription billing events (created, renewed, canceled, payment failed) | Stripe |
| Email delivery events (delivered, bounced, complaint) | Postmark |
2.4 What we do not collect
- We do not collect or process payment information for Orders. Customers pay Bakers directly at handoff; no card numbers, bank-account numbers, or peer-to-peer transfer credentials pass through the Service.
- We do not use any device-level advertising identifier (IDFA, GAID) for advertising.
- We do not track you across other apps or websites.
- We do not run third-party advertising or behavioral-advertising SDKs.
- We do not sell or rent personal information.
- We do not collect background location. We collect a one-time coarse latitude/longitude during onboarding only; we do not track movement.
3. How we use information
We use the information described above to:
- Operate the Service — create your account, authenticate you, place reservations, route Custom Order Requests, send order-status notifications, display reviews, deliver baker hero/item photos.
- Communicate transactionally — send Order updates, Custom Order Request responses, baker-subscription receipts and renewal notices, restock alerts to Customers who favorited an item, and security/account messages.
- Improve and secure the Service — diagnose errors, monitor abuse, prevent fraud and unauthorized access, enforce our Terms of Service.
- Comply with legal obligations — respond to lawful requests, defend legal claims, comply with tax and financial-reporting requirements applicable to the Baker Subscription.
We do not use your information to build advertising profiles, train AI models, or make automated decisions that significantly affect you.
4. Legal bases (EU/UK/EEA users)
Although the Service is United-States-only and not directed to users outside the U.S., this section is provided to be forward-compatible if a non-U.S. user happens to access the Service.
| Purpose | Lawful basis under GDPR |
|---|---|
| Creating and operating your account; fulfilling Orders | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails and push notifications | Performance of a contract (Art. 6(1)(b)) |
| Fraud prevention, abuse monitoring, securing the Service | Legitimate interests (Art. 6(1)(f)) |
| Complying with tax, accounting, or other legal obligations | Legal obligation (Art. 6(1)(c)) |
| Future analytics or marketing (none currently) | Consent (Art. 6(1)(a)) — we will request it before any such processing |
5. How we share information
We do not sell or rent personal information. We share it only in the limited circumstances below.
5.1 Sub-processors
We rely on the following service providers, which receive only the information they need to perform their function:
| Sub-processor | Purpose | Information shared | Location | Privacy link |
|---|---|---|---|---|
| Keycloak (self-hosted) | Identity & access management | Email, password hash, OIDC profile, MFA enrollment, login events | DigitalOcean U.S. data center | Self-hosted by HMB Software |
| Stripe, Inc. | Baker Subscription billing | Email, first/last name, card details (entered by Baker directly into Stripe), subscription state, billing events | United States | stripe.com/privacy |
| Postmark (Wildbit, LLC) | Transactional email | Email, message subject and body | United States | postmarkapp.com/eu-privacy |
| DigitalOcean, LLC | Application hosting and image storage (Spaces) | All server-side data | United States | digitalocean.com/legal/privacy-policy |
| Apple, Inc. (APNs) | iOS push notifications | APNs device token, notification payload | United States | apple.com/privacy |
| Google LLC (Firebase Cloud Messaging) | Android push notifications | FCM device token, notification payload | United States | policies.google.com/privacy |
Each sub-processor is bound by a written data-processing agreement (or equivalent obligation) limiting use of personal information to the services they provide to us.
5.2 Between Bakers and Customers
To fulfill Orders, Customers and Bakers see each other's information as follows:
- The Customer sees the Baker's business name, kitchen description, photos, pickup address (after a confirmed Order), and direct phone number (after a confirmed Order, if the Baker has provided one).
- The Baker sees the Customer's "First L." display name, the delivery address (if a delivery Order), and any contact preferences the Customer set on the Order.
Beyond what is necessary to fulfill an Order, neither Bakers nor Customers can browse other users' personal information.
5.3 Reviews and replies
Reviews and replies are public on the Baker's storefront. The reviewer is identified by their "First L." display name. Do not include information in a review that you do not want to be public.
5.4 Legal disclosures
We may disclose information if required by law, regulation, legal process, or government request, or to defend our legal rights or those of our users. Where lawful and reasonable, we will notify you before disclosing.
5.5 Business transfers
If HMB Software is acquired, merged, or has assets transferred, your information may be transferred as part of that transaction. The recipient will be bound by this Privacy Policy or a successor of equivalent protection.
6. Retention and deletion
6.1 Active accounts
We retain your information for as long as your account is active.
6.2 Soft-tombstone deletion
When you delete your account in-app, we perform a soft tombstone:
- Personally identifying fields (name, email, phone, date of birth) are anonymized — your name becomes "Deleted User" and your email is replaced with a non-routable address.
- Your favorites are hard-deleted.
- Your account is disabled at our identity provider.
- Your past Orders, reviews, and messages remain on the Service in their anonymized form so other users' transaction history is preserved (for example, a Baker can still see their order history with "Deleted User").
6.3 Legal hold and hard-delete
After your account is anonymized, we retain the anonymized tombstone only as long as needed to satisfy tax, fraud-prevention, and dispute-resolution obligations, after which we hard-delete the underlying records.
- Users who have held a Baker Subscription: we retain subscription and transaction records for seven (7) years to meet tax and financial-reporting requirements, then hard-delete them.
- Users who never held a Baker Subscription: we hard-delete the anonymized tombstone promptly and without undue delay once it is no longer needed to resolve any open dispute or prevent fraud.
6.4 Refusal to delete while in-flight
We will not process a deletion request while you have in-flight Orders or an active Baker Subscription. You must complete or cancel those first. See Terms of Service §10.
6.5 Server logs
Server logs and security telemetry are retained for up to 90 days for operational and abuse-prevention purposes, then deleted.
6.6 Stripe and other sub-processors
Sub-processors retain information per their own privacy policies and applicable law. For example, Stripe retains records of payment transactions for tax and audit purposes.
7. Security
We use industry-standard technical and organizational measures, including:
- TLS 1.2+ for all network traffic between clients and our servers.
- At-rest encryption of our managed PostgreSQL database (DigitalOcean managed cluster).
- OAuth 2.0 / OIDC for authentication, with optional MFA.
- Bcrypt password hashing within Keycloak.
- Least-privilege access for HMB Software personnel; production credentials are scoped and rotated.
- Soft-tombstone deletion that disables the upstream identity record so a leaked session token can't refresh against a deleted account.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at privacy@cornerloaf.com.
8. Your rights
You have the following rights regarding your personal information.
8.1 Everyone
- Access: Request a copy of the personal information we hold about you.
- Correction: Update inaccurate or incomplete personal information (most fields can be edited in You → Edit profile).
- Deletion: Delete your account in-app (You → Delete account) or by emailing privacy@cornerloaf.com.
- Portability: Request an export of your account data in a machine-readable format. Note: a self-service export endpoint is on our roadmap; until it ships, send a request to privacy@cornerloaf.com.
- Withdraw consent: Where we rely on consent, you may withdraw it at any time.
We aim to respond within 30 days of receiving a verified request.
8.2 California residents (CCPA / CPRA)
California residents have these additional rights:
- Right to know the categories and specific pieces of personal information we have collected about them.
- Right to delete personal information, subject to the exceptions above (in-flight Orders, active Subscription, tax/legal retention).
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" of personal information — we do not sell or share personal information as those terms are defined in the CCPA/CPRA, and there is no "Do Not Sell or Share My Personal Information" link because none is required.
- Right to non-discrimination for exercising these rights.
To exercise California rights, email privacy@cornerloaf.com with the subject "CCPA REQUEST."
8.3 EU/UK/EEA residents (GDPR / UK GDPR)
In addition to the rights above:
- Restrict processing in certain circumstances.
- Object to processing based on our legitimate interests.
- Lodge a complaint with your local supervisory authority (for example, the list of EU data protection authorities).
EU/EEA residents should note that the Service is U.S.-only and your personal information will be processed in the United States.
8.4 No automated decision-making
We do not make decisions affecting you solely on the basis of automated processing.
9. Children's privacy
Corner Loaf is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If we learn that we have collected information from a child under 13, we will delete it promptly. If you are a parent or guardian and believe your child has provided information to us, contact privacy@cornerloaf.com.
Users between 13 and the age of majority must have a parent or guardian's permission to use the Service.
10. Cookies and similar technologies (web only)
The Corner Loaf web app uses cookies and similar storage technologies for:
- Authentication and session management (essential — required for sign-in to work).
- Preference persistence (language, cart state).
We do not use third-party advertising or analytics cookies. We do not currently display a cookie banner because all cookies are strictly necessary; if we later add non-essential cookies, we will request consent in the manner required by law.
The Corner Loaf iOS and Android apps do not use cookies; they use the OS keychain/keystore for session tokens.
11. International transfers
Personal information is stored in the United States. If you access the Service from outside the United States, you understand and consent to the transfer of your personal information to the United States.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make a material change, we will:
- update the "Last updated" date at the top of this document;
- post the new version at our website; and
- where the change materially expands the categories of information collected or the purposes of processing, notify you via email or in-app notification before the change takes effect.
Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
13. Apple App Store Privacy Nutrition Label mapping
When submitting to the App Store, we declare the following Data Categories. This section is informational for App Store reviewers and our own audit trail.
| Data type | Linked to user identity? | Used for tracking? | Purpose |
|---|---|---|---|
| Contact Info — Email | Yes | No | App Functionality, Account Management |
| Contact Info — Phone (optional) | Yes | No | App Functionality (baker reach-out at pickup) |
| Contact Info — Name | Yes | No | App Functionality |
| Contact Info — Physical Address | Yes | No | App Functionality (pickup / delivery) |
| Identifiers — User ID | Yes | No | App Functionality |
| Location — Coarse Location | Yes | No | App Functionality (Discover ranking) |
| User Content — Photos | Yes | No | App Functionality (item & baker hero photos) |
| User Content — Other (reviews, item descriptions, messages) | Yes | No | App Functionality |
| Purchases — Subscription status (Bakers) | Yes | No | App Functionality |
| Diagnostics — Crash data | No | No | App Functionality |
Tracking: No. ATT prompt required: No.
14. Contact
- Privacy requests: privacy@cornerloaf.com
- General support: support@cornerloaf.com
- Mailing address: [To be inserted — HMB Software LLC's published mailing address (e.g., P.O. box or virtual-office address) pending setup. Until then, you can reach us at the email addresses above.]