Privacy policy.

The information we collect, why we collect it, how we protect it, and how to ask us to delete it.

Last updated: May 17, 2026

Effective date: May 17, 2026

This Privacy Policy explains how elisasunga LLC, a California limited liability company doing business as Cake Picnic ("Cake Picnic", "we", "us", "our"), collects, uses, shares, and protects personal information when you visit cakepicnictour.com or shop.cakepicnictour.com (together, the "Site"), buy our cookbook or merchandise, RSVP to or attend a Cake Picnic event, subscribe to our newsletter, or otherwise interact with us.

If you are a California, EU, UK, or other jurisdiction-protected resident, additional rights apply to you — see Your privacy rights below.

1. Who we are

  • Legal entity: elisasunga LLC (a California limited liability company), doing business as Cake Picnic
  • Mailing address: 2261 Market Street STE 33549, San Francisco, CA 94114
  • Privacy contact: privacy@cakepicnictour.com
  • General contact: support@cakepicnictour.com
  • Phone: (831) 246-7598

We are the controller (as that term is used in GDPR and UK GDPR, and the equivalent term under other laws) of personal information collected through the Site. We do not have an EU or UK Representative at this time; EEA and UK residents may contact us directly at privacy@cakepicnictour.com.

2. What information we collect

a. Information you give us directly

  • Contact details — name, email address, phone number, mailing/shipping address.
  • Order information — the products you ordered, order total, shipping selection, and gift-message text (if any).
  • Payment information — handled by Stripe. We never see or store your full card number, CVC, or bank credentials. We receive a tokenized reference and the last four digits of your payment method.
  • Event RSVP information — name, email, city, and any responses you give to event-specific questions (e.g., what cake you're bringing).
  • Communications — anything you send to our support inboxes, the contact form, voicemail, or in reply to our emails.
  • Newsletter subscription — email address, optional first name, and the source (which page or form you subscribed from).
  • Volunteer, partnership, or press inquiry information — anything you submit when applying to volunteer, propose a partnership, or request press coverage.

b. Information we collect automatically

  • Device and connection data — IP address, user-agent string, browser type and version, operating system, device type, language preference, referring URL.
  • Usage data — pages viewed, links clicked, time on page, scroll depth, search queries on the Site.
  • Cookies and similar technologies — see Section 5 for the full disclosure.

c. Information from third parties

  • Stripe — confirmation that a payment cleared, last four digits, card brand, billing zip.
  • Klaviyo — newsletter subscriber engagement events (opens, clicks).
  • Resend — transactional email delivery and bounce events.
  • Squarespace Commerce — event ticket purchases, attendee names, and emails (used when ticketing flows are served from the cakepicnictour.com root).
  • Social platforms — if you tag us or message us on Instagram, TikTok, or other platforms, we see what those platforms make visible.

We do not purchase personal information from data brokers.

3. How we use your information

For each purpose below, we identify the legal basis under EU/UK GDPR. If you are outside the EEA, UK, or Switzerland, only the purpose applies to you.

  • Fulfill your order — charge payment, ship products, send confirmations. Legal basis: contract.
  • Provide customer support — respond to questions, process returns. Legal basis: contract + legitimate interest.
  • Send transactional email — order confirmations, shipping updates, event reminders. Legal basis: contract.
  • Send marketing email — newsletter, new product launches, event invites. Legal basis: consent. You opt in and can withdraw any time.
  • Operate and improve the Site — analytics, error monitoring, performance. Legal basis: legitimate interest; consent for non-essential cookies in the EEA/UK.
  • Prevent fraud and abuse — detect fake orders, chargeback defense, block scrapers. Legal basis: legitimate interest + legal obligation.
  • Comply with law — tax records, subpoenas, regulator requests. Legal basis: legal obligation.
  • Plan and run events — build attendee rosters, contact volunteers. Legal basis: contract (if you bought a ticket) or consent (if you volunteered/RSVP'd).
  • Communicate with sponsors, press, partners — send press kits, sponsor decks, contract drafts. Legal basis: legitimate interest or contract.

We do not sell your personal information for money. We do not share it for cross-context behavioral advertising. See Section 9 for what this means under California law.

4. Who we share it with

We share personal information only with the service providers we need to run the business. Each provider is contractually required to use the information only for the service they provide to us.

  • Stripe, Inc. (United States) — payment processing.
  • Squarespace, Inc. (United States) — website hosting for cakepicnictour.com, event ticketing, cookbook microsite.
  • Vercel, Inc. (United States, with edge locations worldwide) — storefront hosting for shop.cakepicnictour.com, edge CDN, analytics, performance monitoring.
  • Resend (Resend, Inc.) (United States) — transactional email and our newsletter audience of record.
  • Klaviyo, Inc. (United States) — email marketing (secondary list-of-record), engagement analytics.
  • Google LLC (Google Analytics 4) (United States, with EU regional processing for EEA traffic) — site analytics, traffic attribution.
  • Gorgias, Inc. (United States and France) — customer support helpdesk.
  • Quo (Quo Communications, Inc.) (United States) — business phone, voicemail, call recording where disclosed.
  • Mercury (Mercury Technologies, Inc.) (United States) — banking. Only sees your information if you pay us by ACH or wire.
  • Shipping carriers (USPS, UPS, FedEx, DHL, Royal Mail, others) — to deliver your order.

We may also share information:

  • With legal advisors and accountants under confidentiality obligations.
  • With law enforcement or regulators in response to a valid legal process, or where we believe disclosure is necessary to prevent harm or comply with the law.
  • In connection with a business transaction — e.g., a sale of assets, merger, financing, or conversion to a Delaware C-Corporation. We'll notify you of any change in controller via email if you're a subscriber or active customer.

5. Cookies and similar tracking technologies

We use cookies and similar technologies (pixels, local storage, SDKs) for the purposes below.

  • Strictly necessary — make the Site work (cart contents, checkout state, fraud prevention, language preference). Cannot be disabled.
  • Performance and analytics — Google Analytics 4 and Vercel Speed Insights. Help us understand how the Site is used. Opt-in for EEA/UK visitors via cookie banner when active; opt-out via Section 9 otherwise.
  • Functional — remember preferences, language, recent products. Optional.
  • Marketing — email engagement tracking via Klaviyo and Resend pixels, only inside our own emails (not on the Site). Disable by unsubscribing.

We do not use cookies for cross-context behavioral advertising (retargeting). We do not sell information collected by cookies. We do not currently display a cookie-consent banner on the Site; we honor your browser-level Global Privacy Control (GPC) signal as a valid opt-out request (see Section 9.d).

You can also block or delete cookies in your browser settings — note that strictly-necessary cookies will be reset on each visit, and the Site may not work properly without them.

6. International data transfers

Cake Picnic is based in the United States. Most of our processors store and process information in the United States.

If you are in the EEA, UK, or Switzerland, your personal information will be transferred to and stored in the United States, which the European Commission and the UK have determined does not provide an "adequate" level of data protection by default. We rely on the following safeguards:

  • EU–US Data Privacy Framework (DPF) — for transfers to DPF-certified processors: Google LLC, Stripe Inc., Vercel Inc., Resend Inc., Klaviyo Inc., and Squarespace Inc.
  • Standard Contractual Clauses (SCCs) — for transfers to non-DPF-certified processors. Gorgias, Inc. is the only listed processor that relies solely on SCCs (EU 2021/914 + UK Addendum).
  • UK International Data Transfer Addendum (UK IDTA) — for transfers from the UK, in addition to the UK Extension to the DPF where the processor is certified.
  • Swiss-US Data Privacy Framework — for transfers from Switzerland, where the processor is certified; otherwise Swiss FDPIC standard contractual clauses apply.

You can request a copy of the relevant transfer mechanism by emailing privacy@cakepicnictour.com.

7. How long we keep your information

  • Order records (name, address, what you ordered, payment receipts) — at least 7 years from order date (US federal and California tax law).
  • Customer support emails and chat transcripts — 3 years from last interaction.
  • Newsletter subscribers (active) — until you unsubscribe, plus 90 days.
  • Unsubscribed contacts (suppression list) — indefinitely, only to prevent re-mailing you. Suppression entries hold only your email address and the date you unsubscribed.
  • Event attendee records — 3 years from event date.
  • Volunteer applications (not selected) — 1 year from submission.
  • Press, sponsor, partner inquiries — 3 years from last interaction.
  • Site analytics (GA4) — 14 months at the event-level; aggregated reports retained indefinitely.
  • Server logs (IP, request path) — 90 days.
  • Phone call recordings (when disclosed) — 30 days, then deleted unless flagged for a specific dispute.

When retention expires, we delete or aggregate the information. Where deletion is impractical (e.g., backups), we isolate the information and prevent further processing until the backup cycle overwrites it.

8. How we protect your information

  • All data in transit is encrypted with TLS 1.2 or higher.
  • Payment data is processed by Stripe; we never store full card numbers, CVCs, or banking credentials on our systems.
  • Administrative access to our systems requires multi-factor authentication.
  • Access is least-privilege — staff get the access required for their role and no more.
  • We maintain an incident response process. If a breach affects you, we will notify you within the timeframes required by applicable law (72 hours under GDPR; "without unreasonable delay" under most US state laws).

No system is perfectly secure. We cannot guarantee absolute security and you transmit information at your own risk. If you suspect your account has been compromised, email privacy@cakepicnictour.com immediately.

9. Your privacy rights

a. Rights for everyone

  • Email us at any time at privacy@cakepicnictour.com.
  • Unsubscribe from marketing emails — use the link at the bottom of any newsletter, or email us.
  • Ask us to update inaccurate information.

b. EEA, UK, and Switzerland residents (GDPR / UK GDPR / FADP)

You have the right to:

  • Access the personal information we hold about you.
  • Rectify inaccurate or incomplete information.
  • Erase your information (subject to legal retention requirements).
  • Restrict processing while a request is being resolved.
  • Portability — receive your information in a structured, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Lodge a complaint with your local data protection authority — for UK residents, the Information Commissioner's Office (ico.org.uk); for Swiss residents, the FDPIC (edoeb.admin.ch).

c. California residents (CCPA / CPRA)

You have the right to:

  • Know what categories of personal information we have collected, the sources, the business purposes, and the third parties we have disclosed it to.
  • Access the specific pieces of personal information we hold.
  • Delete your personal information, subject to exceptions (e.g., we have to keep your order records for tax purposes).
  • Correct inaccurate personal information.
  • Opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of, but you can confirm this in writing. See Your Privacy Choices for the full opt-out walkthrough and how we honor GPC.
  • Limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to provide the service (see Section 11).
  • Non-discrimination — we will not deny you service, charge you a different price, or provide a different level of service because you exercised your rights.

Notice at Collection. Categories of personal information we collect:

  • Identifiers (name, email, address, phone) — from you and from the payment processor; used for order fulfillment, support, and marketing. Not sold or shared. Retained per Section 7.
  • Commercial information (orders, returns) — from you and Squarespace; used to fulfill orders and for accounting. Not sold or shared. Retained 7 years.
  • Internet activity (browsing, clicks) — automatic; used for analytics and fraud prevention. Not sold or shared. Retained 14 months in GA4.
  • Approximate geolocation (from IP) — automatic; used for analytics and fraud prevention. Not sold or shared. Retained 14 months.
  • Audio / electronic information (support calls) — from you; used for customer support. Not sold or shared. Recordings retained 30 days.
  • Inferences (preferences, marketing segments) — derived; used for marketing. Not sold or shared. Retained until you unsubscribe.

We do not collect: biometric information, precise geolocation, racial/ethnic origin, religious beliefs, mental/physical health diagnoses, sexual orientation, immigration status, union membership, genetic data, or contents of non-marketing mail/email/SMS.

d. Global Privacy Control (GPC)

We honor the Global Privacy Control (GPC) browser signal as a valid opt-out request under the CCPA and equivalent state laws. If your browser sends a GPC signal, we will treat that as a request to opt out of any sale/share of personal information and to opt out of non-essential analytics, even though we do not sell or share for cross-context advertising. Learn more at globalprivacycontrol.org.

e. Authorized agents

You may designate an authorized agent to exercise your rights on your behalf. We will ask for written proof of authorization and may verify your identity directly. Send the request to privacy@cakepicnictour.com.

f. Other US state residents (VA, CO, CT, UT, TX, OR, NV, DE, IA, NH, NJ, TN, MN, MT)

You have rights similar to California residents under your state's privacy law: the right to access, correct, delete, opt out of sale and targeted advertising, and (in most states) appeal a denied request. Use the same contact: privacy@cakepicnictour.com.

g. How to exercise your rights

The fastest path is the web form at /policies/privacy-choices — it covers identity verification and routes directly to our privacy team. You can also email privacy@cakepicnictour.com with the subject line "Privacy request". Either way, include:

  • Your full name
  • The email address you used with us
  • A description of your request (access / delete / correct / opt out / portability / other)
  • The jurisdiction you're claiming rights under (if applicable)

We will:

  • Acknowledge your request within 10 business days (CCPA) or 5 business days (some state laws).
  • Verify your identity through a confirmation email or, if needed, additional verification questions.
  • Respond within 30 days (GDPR) or 45 days (CCPA) — we may extend by an additional 45 days if the request is complex, with notice to you.

You may also appeal a denied request by replying with the subject line "Privacy request — appeal". We respond to appeals within 60 days.

10. Children's privacy

The Site is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us information, email privacy@cakepicnictour.com and we will delete it.

For California residents under 16: we do not sell or share personal information about anyone under 16 without affirmative opt-in consent.

11. Sensitive personal information

We do not intentionally collect any of the following categories of "sensitive personal information" defined under California law:

  • Social Security, driver's license, state ID, or passport numbers
  • Account log-in credentials with access to a financial account
  • Precise geolocation
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership
  • Contents of mail, email, and text messages where we are not the intended recipient
  • Genetic data
  • Biometric information used to identify you
  • Health information
  • Sex life or sexual orientation information

We do not use any inadvertently collected sensitive personal information for any purpose other than to provide the service you requested or comply with the law.

12. Automated decision-making

We do not use automated decision-making (including profiling) that produces legal or similarly significant effects on you, within the meaning of GDPR Article 22 or comparable US state laws. Our marketing segments and analytics models inform human decisions; they do not make automated decisions that affect your rights or access to our products.

13. Marketing communications

Email. You opt in to our newsletter by submitting your email on the Site or at an event. Every newsletter has an unsubscribe link at the bottom. You can also email privacy@cakepicnictour.com with "unsubscribe" in the subject line. Unsubscribe requests are honored within 10 business days, typically immediately.

We never sell your email address. We never use your email for advertising on other platforms.

SMS. We do not currently send marketing SMS. Transactional SMS (e.g., delivery updates from a shipping carrier) is sent by the carrier, not by us.

Phone. Our business line (831-246-7598) is for inbound support, press, and sponsor calls. We do not place outbound marketing calls. Where calls are recorded for quality or training, you will be notified at the start of the call (California two-party consent).

14. Third-party links

The Site may link to third-party websites, social platforms, or merchant pages (e.g., Chronicle Books, Amazon, Bookshop.org for cookbook purchases). Those sites have their own privacy policies. We are not responsible for their practices.

15. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. If we make a material change (one that meaningfully reduces your rights or expands our use of your information), we will:

  • Email active newsletter subscribers and recent customers at least 30 days before the change takes effect.
  • Post a banner on the Site for at least 30 days.

Continued use of the Site after the change takes effect means you accept the updated policy.

16. Contact us