Last updated: 21 May 2026 · Applies to thedessertdetective.com
Summary: We collect only what we need to run The Dessert Detective. We never sell your data. You can delete your account and all associated data at any time. We store data in the UK/EU on Supabase (hosted on AWS EU). If you have questions, email us at [email protected].
The Dessert Detective ("we", "us", "our") is the operator of thedessertdetective.com – a UK dessert shop discovery platform. For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller.
Contact: [email protected]
We are not currently registered with the ICO as we fall below the fee threshold, but we comply fully with UK GDPR obligations.
We only collect personal data that is necessary for the service. Here is a complete breakdown:
| Data | Why we collect it | Legal basis |
|---|---|---|
| Email address | Account login and communications | Contract (account registration) |
| Username | Display name on your account | Contract |
| Name | Personalise your experience | Contract |
| City / Country | Show relevant local content | Contract |
| Phone number | Optional – account recovery only | Legitimate interests |
| Password (hashed) | Authenticate you securely – never stored in plain text | Contract |
| Marketing preferences | To send or withhold marketing emails | Consent |
| Favourite shops | Show you saved venues | Contract |
| Submitted events | Display events you created | Contract |
| Last login timestamp | Security – inactive account detection | Legitimate interests |
| Data | Why we collect it | Legal basis |
|---|---|---|
| Business name | Display on the directory | Contract |
| Contact name | Account management communications | Contract |
| Email address | Account login and business communications | Contract |
| Phone number | Account verification and support | Contract |
| Password (hashed) | Authenticate you securely | Contract |
| Messages sent to us | Customer support communications | Contract |
| Promotion requests | Process paid promotions | Contract |
| Data | Why we collect it | Legal basis |
|---|---|---|
| Email leads (newsletter) | Send dessert updates if opted in | Consent |
| Shop suggestions | Improve the directory | Legitimate interests |
| Shop claims | Verify business ownership | Contract |
| Reactions (likes on shops) | Community features – not linked to your identity if not logged in | Legitimate interests |
| PWA install/prompt events | Understand how people use the app – no personal identifiers | Legitimate interests |
| Google Analytics data | Understand site usage via anonymised analytics | Legitimate interests |
| Location data (GPS) | Show dessert shops near your current position – only processed in your browser, never stored on our servers | Consent (browser permission) |
All personal data is stored on Supabase, hosted on Amazon Web Services (AWS) in the EU-West region. This keeps your data within the UK GDPR adequacy framework.
Our website is hosted on Netlify (US company with EU Standard Contractual Clauses in place). Static pages and CDN-cached content do not contain personal data.
Email notifications are sent via Resend (US company, SCCs in place). Emails are not stored permanently – they are sent and discarded.
Analytics are processed by Google Analytics 4 with IP anonymisation enabled. We do not use Google Analytics for advertising targeting.
| Data type | Retention period |
|---|---|
| User account data | Until you delete your account, or 3 years of inactivity |
| Business account data | Until you delete your account, or 3 years of inactivity |
| Favourites | Until you delete them or your account |
| Events | Until you delete them or your account |
| Messages to us | 2 years from the date sent |
| Email newsletter leads | Until you unsubscribe |
| Reactions / likes | 90 days if not linked to an account; indefinitely if linked |
| Shop suggestions / claims | 2 years |
| PWA analytics events | 12 months |
| Google Analytics data | 14 months (GA4 default, configured by us) |
We do not sell, rent or trade your personal data to any third party, ever.
We share data with the following processors only to the extent necessary to run the service:
We may disclose data if required to do so by law, court order, or a regulatory authority. We would notify you of any such request unless legally prohibited from doing so.
We use the following cookies and local storage mechanisms:
| Name / Type | Purpose | Duration |
|---|---|---|
| dd_user (localStorage) | Keeps you logged in to your account | Session (1 hour) |
| dd_biz_account (localStorage) | Keeps you logged in to your business account | 30 days |
| dd_shops_v3 (sessionStorage) | Caches shop data for faster browsing – no personal data | 5 minutes / tab close |
| dd_pwa_dismissed (localStorage) | Remembers if you dismissed the install prompt | 7 days |
| _ga, _ga_* (cookies) | Google Analytics – anonymised usage data | 14 months |
We do not use advertising cookies, tracking pixels or third-party remarketing tools.
You have the following rights regarding your personal data. To exercise any of them, email us at [email protected] or use the options in your account settings.
| Right | What it means | How to exercise it |
|---|---|---|
| Right of access | Request a copy of all data we hold about you | Email us – we respond within 30 days |
| Right to rectification | Correct inaccurate data | Edit in your account settings, or email us |
| Right to erasure ("right to be forgotten") | Delete your account and all personal data | Delete Account button in your account settings, or email us |
| Right to restrict processing | Ask us to pause processing your data | Email us |
| Right to data portability | Receive your data in a machine-readable format | Email us – we will provide a JSON export |
| Right to object | Object to processing based on legitimate interests | Email us |
| Right to withdraw consent | Withdraw marketing consent at any time | Account settings → Preferences, or email us |
We aim to respond to all requests within 30 calendar days. If a request is particularly complex, we may extend this by up to a further two months – we will inform you if this is the case.
We will only send you marketing emails if you have explicitly opted in (either at registration or in your account settings). You can withdraw consent at any time:
Withdrawing marketing consent does not affect transactional emails (e.g. password resets, account confirmations) which we send on the basis of contract performance.
You can delete your account at any time from your Account page. When you delete your account:
Deletion is irreversible. We cannot recover your account after deletion is processed.
The Dessert Detective is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
We may update this privacy notice from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We will notify registered users by email for significant changes.
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113
We would always appreciate the opportunity to address your concern directly before you contact the ICO – please email us first at [email protected].