Your privacy choices
The short version: we don't sell or share your personal information for cross-context behavioral advertising. Here's what you can still control.
Last updated: 2026-05-17
Quick summary
- We do not sell or share your personal information for cross-context behavioral advertising, as those terms are defined in the California Consumer Privacy Act (CCPA/CPRA).
- We honor the Global Privacy Control (GPC) signal your browser sends as a valid opt-out request — see globalprivacycontrol.org for how to enable it.
- You can still exercise other rights — access, delete, correct, port, limit, or appeal — by emailing privacy@cakepicnictour.com.
1. The "Do Not Sell or Share" choice
Under the CCPA/CPRA and similar laws in Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Tennessee, Delaware, Minnesota, New Hampshire, New Jersey, Indiana, Iowa, and Maryland, you have the right to opt out of the sale or sharing of your personal information.
Cake Picnic does not engage in either practice. We do not sell personal information to data brokers, list brokers, or advertising networks. We do not engage in cross-context behavioral advertising (the kind of tracking where one site shows you ads based on what you did on another site).
Because we do not sell or share, there is no "opt out" toggle to flip — the opt-out is already the default state. If you want this confirmed in writing for your records, email privacy@cakepicnictour.com and we will send a signed confirmation.
2. Global Privacy Control (GPC)
We treat a GPC signal from your browser as a valid opt-out request under the CCPA and equivalent state laws. When we detect GPC, we:
- Confirm we are not selling or sharing your data (still true).
- Suppress any non-essential analytics or advertising cookies, regardless of consent banner state.
- Treat the signal as an opt-out of targeted advertising for any state law that recognizes it (CO, CT, NJ, OR, TX, MT, DE, etc.).
You do not need to send us a separate request when GPC is on — your browser is doing it automatically on every page load.
3. Other privacy rights you can exercise
Depending on where you live, you may have additional rights under CCPA/CPRA, GDPR, UK GDPR, or one of the 14 US state privacy laws now in effect. These include:
- Right to know / access — get a copy of the personal information we hold about you.
- Right to delete — ask us to delete your personal information (subject to legal retention exceptions like tax records).
- Right to correct — fix inaccurate personal information.
- Right to portability — receive your personal information in a portable, machine-readable format.
- Right to limit use of sensitive information — restrict our use of any sensitive personal information beyond what is necessary to provide the service (we collect very little of this in the first place).
- Right to appeal — if we deny your request, you can appeal by replying with the subject line "Privacy request — appeal" within 60 days of our denial.
- Right to non-discrimination — we will not deny you services, charge you more, or provide a lower quality experience because you exercised a privacy right.
4. How to submit a request
You can submit a privacy request two ways. Both go to the same 2-person Google Group (privacy@cakepicnictour.com) and receive the same SLA.
Option A — Use the form below
This is the easiest path. Fill it in and we will email you a confirmation receipt with your request type and our response window.
Option B — Email us directly
Email privacy@cakepicnictour.com with:
- The email address (and shipping address, if relevant) you used to interact with us.
- The state or country you reside in.
- A description of your request (access / delete / correct / port / limit / opt out / appeal).
We will acknowledge your request within 10 business days and respond within the timeframe required by your jurisdiction's law (30 days for most US state laws, 45 days for California with one 45-day extension permitted, 30 days for GDPR / UK GDPR).
You may also designate an authorized agent to make a request on your behalf. We will ask the agent to provide signed written permission from you, and we will verify your identity directly before fulfilling the request.
5. Identity verification
To protect against fraudulent privacy requests, we verify your identity before fulfilling sensitive requests. Verification is matched to the risk of the request — low-risk requests (general access) need only confirmation from the email address on file, while higher-risk requests (deletion, portability) may require additional confirmation.
If you are unable to verify your identity, we will respond explaining what additional information is needed or, if we cannot verify, why we had to deny the request.
6. What we do with these requests
Privacy requests are logged in our internal Privacy Requests Log with the date, jurisdiction, request type, and resolution. We retain that log for 24 months as evidence of compliance with state and federal privacy laws. The log itself is not shared with any third party except, if compelled, a data protection regulator.
7. EU and UK residents
Under GDPR Article 27 and its UK GDPR equivalent, we have appointed an EU Representative and a UK Representative who can receive communications from supervisory authorities and data subjects in those regions. Once the appointment is finalized (in progress as of May 17, 2026), their contact details will appear in Section 1.5 of our Privacy Policy.
8. Questions about this page
If anything here is unclear, or if you have a privacy question that isn't a formal request, email privacy@cakepicnictour.com and a real person will get back to you.
For the full picture of what we collect, why, and who we share it with, see our Privacy Policy.