Privacy Policy

Ovenbloom (“we”, “us”, “our”) operates ovenbloom.com. We respect your privacy and are committed to protecting your personal data. This policy explains what we collect, how we use it, and your rights.

Account information: name, email address, password (hashed and salted — we never store plaintext passwords), store name, and state.

Payment information: processed entirely by Stripe. We never see, access, or store your credit card numbers.

Order data: customer names, email addresses, phone numbers (when SMS opt-in is provided), order details, and pickup dates.

Store data: product listings, prices, images, inventory counts, discount codes, and store settings.

Usage data: pages visited and features used, collected through PostHog analytics.

Communication data: SMS subscriber phone numbers, managed through Twilio.

Device data: IP address and browser type, used for security and rate limiting.

• To provide and maintain the Ovenbloom platform
• To process payments through Stripe and Stripe Connect
• To send order confirmations and status updates via email (Resend)
• To send SMS notifications and drop announcements (Twilio)
• To analyze platform usage and improve features (PostHog)
• To prevent fraud and enforce rate limits (Upstash Redis)
• To comply with legal obligations

We use the following services to operate Ovenbloom. Each handles your data according to their own privacy policy:

• Stripe — payment processing
• Supabase — database and authentication
• Twilio — SMS messaging
• Resend — transactional email
• PostHog — product analytics
• Upstash — rate limiting
• Vercel — hosting

• Active accounts: data retained while your account is active.
• Closed accounts: data deleted within 90 days of account closure.
• Order records: retained for 7 years for tax compliance purposes.
• SMS subscriber data: retained until the subscriber unsubscribes.

• Access: you can request a copy of your data at any time.
• Correction: you can update your information in Settings.
• Deletion: you can request full account deletion by contacting us.
• SMS opt-out: reply STOP to any SMS message to unsubscribe instantly.

To exercise any of these rights, email us at hello@ovenbloom.com.

• All data transmitted over HTTPS/TLS encryption
• Passwords hashed via Supabase Auth (bcrypt)
• Payment data handled entirely by Stripe (PCI DSS Level 1 compliant)
• API routes protected by rate limiting and JWT authentication
• Input sanitization on all user-submitted data

We comply with the Florida Information Protection Act. In the event of a data breach affecting your personal information, we will notify affected individuals and the Florida Attorney General within 30 days of discovery.

Our services are not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this privacy policy from time to time. When we do, we will notify you via email and update the effective date at the top of this page. Continued use of Ovenbloom after changes constitutes acceptance of the updated policy.

Email: hello@ovenbloom.com
Location: Trinity, Florida, United States