Privacy Policy

Last updated: May 2026

Bean Bard ("we", "us", "our") is committed to protecting your personal data. This policy explains what we collect, why we collect it, how we use it, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).

Who we are

Bean Bard is the data controller for personal data collected through this website. If you have any questions about this policy or how we handle your data, contact us at brew@beanbard.com.

What data we collect

When you place an order

• Name and email address
• Delivery address
• Payment information — processed and stored by Stripe. We never see or store your full card details.
• Order history (items, quantities, amounts paid)

When you create an account

• Email address
• Name (if you choose to add it)
• Authentication data — managed by Supabase. Passwords are hashed and never stored in plain text.

When you browse the site

• We do not use tracking cookies or third-party analytics. No data is shared with advertising networks.

Why we collect it and our legal basis

• To fulfil your order (contract performance) — we need your name, email, and delivery address to process and ship your order, and to send you an order confirmation.
• To manage your account (contract performance) — your email and authentication data are needed to provide account access and order history.
• To comply with legal obligations — we retain transaction records as required by HMRC and applicable financial regulations.
• Legitimate interests — we may use your order history to improve our products and service. We will never use this for profiling or automated decision-making.

How we share your data

We do not sell your data. We share it only with the third-party services necessary to operate the store:

• Stripe — payment processing. Stripe is PCI-DSS compliant. See Stripe's Privacy Policy.
• Supabase — database and authentication. Data is stored on servers in the EU. See Supabase's Privacy Policy.
• Resend — transactional email (order confirmations and account emails). See Resend's Privacy Policy.
• Vercel — website hosting. See Vercel's Privacy Policy.

How long we keep your data

• Order records — retained for 7 years to comply with HMRC requirements.
• Account data — retained for as long as your account is active. You can request deletion at any time.
• Email communications — retained for up to 2 years.

Your rights

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — ask us to delete your data, subject to legal retention obligations.
• Restriction — ask us to limit how we use your data.
• Portability — receive your data in a structured, machine-readable format.
• Object — object to processing based on legitimate interests.

To exercise any of these rights, email brew@beanbard.com. We will respond within 30 days.

Cookies

We use only essential cookies required for authentication (session management). We do not use advertising, tracking, or analytics cookies. No cookie consent banner is required for essential cookies under UK law.

Security

We take reasonable technical and organisational measures to protect your data, including encrypted connections (HTTPS), hashed passwords, and row-level security on our database so each user can only access their own data.

Changes to this policy

We may update this policy from time to time. The "last updated" date at the top will reflect any changes. Continued use of the site after changes constitutes acceptance of the updated policy.

Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). We would, however, appreciate the chance to address your concerns first — please contact us at brew@beanbard.com.