Effective date: 1 June 2026

Last updated: 27 April 2026

This Privacy Policy explains how Agate International LTD trading as Cosycookie collects, uses, stores, shares, and protects personal data in connection with the Cosycookie website, marketplace, vendor onboarding, customer accounts, orders, reviews, support, and related services.

It is intended to reflect the nature of the business. Cosycookie operates as a multi-vendor marketplace for independent bakers. That means some personal data is used by Cosycookie for platform operation, while some personal data is also used by individual bakers for their own order fulfilment, customer support, legal compliance, and food-safety obligations.

Please read this policy carefully together with our Cookie Policy and any seller-specific privacy information you receive from a baker where relevant.

1. Who we are and how this policy applies

Cosycookie is operated by Agate International LTD trading as Cosycookie. Our registered office is 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ. We can be contacted about privacy matters at info@cosycookie.com.

This policy applies to personal data we handle when you browse the website, create an account, join a mailing list, place an order through an account or as a guest, apply to become a vendor, communicate with us, leave a review, or otherwise interact with the platform.

The website is currently intended for a UK-focused marketplace, but the policy is drafted so that it can support lawful processing where users, service providers, or technology providers are located in other places as well.

2. Roles of Cosycookie, bakers, and service providers

Cosycookie acts as a controller for the personal data it needs for website operation, account management, marketplace administration, customer support, fraud prevention, marketing where permitted, analytics, legal compliance, and vendor onboarding.

Independent bakers normally act as separate controllers for the customer and recipient data they need for their own order acceptance, food preparation, fulfilment, complaint handling, food-safety record-keeping, recall management, and other legal obligations as sellers and food business operators.

Where Cosycookie uses third-party service providers such as hosting providers, analytics providers, payment processors, email providers, cloud tools, identity-verification providers, or support tools, those providers may act as independent controllers for their own regulated functions or as processors acting on our behalf depending on the service and legal context.

3. Personal data we collect

We may collect account and contact information such as names, email addresses, phone numbers, social media handles, billing addresses, delivery addresses, and date of birth where needed for account creation, guest checkout, order administration, fraud prevention, eligibility checks, or vendor onboarding.

We may collect device and usage data such as device type, browser type, operating system, approximate geolocation, IP address, pages viewed, referral data, log data, cookie identifiers, and interaction data so that we can operate, secure, improve, and analyse the website.

We may collect order and marketplace data such as order contents, delivery instructions, collection preferences, payment status, transaction references, customer support correspondence, complaint history, reviews, and information needed to investigate disputes or platform misuse.

For vendors or vendor applicants, we may also collect identity-verification and compliance information such as government-issued ID, proof of UK address, proof of food business registration or equivalent local authority evidence, food hygiene documentation, insurance details, bank account and payout information, and other onboarding or due-diligence records. These records are collected for seller onboarding, fraud prevention, food-safety assurance, and legal compliance, and access should be restricted to staff or service providers who genuinely need that information for those purposes.

We do not intentionally ask ordinary customers to provide special-category personal data through the normal marketplace flow unless it becomes strictly necessary for a specific legal or safety issue. If unusual or sensitive information is submitted to us, we will seek to handle it only where we have a lawful basis to do so.

4. How we collect personal data

We collect information directly from you when you submit forms, create accounts, place orders through an account or as a guest, upload documents, subscribe to marketing communications, contact us, post reviews, or otherwise provide information through the website, email, social media, or support channels.

We also collect data automatically through cookies, server logs, security tools, and analytics tools when you use the website or interact with marketplace features.

In some cases we receive personal data from bakers, payment processors, delivery or support providers, anti-fraud tools, identity-verification providers, and other third parties where this is necessary for marketplace operation, legal compliance, or dispute resolution.

5. Purposes and legal bases for using personal data

We use personal data to provide and administer the marketplace, create and maintain accounts where used, facilitate guest and account-based orders, process or reconcile payments, communicate about transactions, deliver customer support, manage complaints, and monitor service quality. We do this because it is necessary for contract performance or to take steps at your request before entering a contract.

We use personal data for fraud prevention, account security, platform moderation, vendor due diligence, product-safety and recall support, business records, legal compliance, and the protection of customers, bakers, and Cosycookie. We do this because it is necessary to comply with legal obligations or because we have legitimate interests in running a safe and accountable marketplace.

We may use personal data for analytics, service improvement, audience measurement, personalised experiences, direct marketing, and advertising where we have a lawful basis to do so. Depending on the activity, that basis may be your consent, our legitimate interests, or both. You can withdraw consent at any time where consent is the basis relied on.

We do not currently expect to make solely automated decisions that produce legal or similarly significant effects about customers or vendors without meaningful human involvement. If that changes for a particular feature or service, we will update the relevant notices and controls.

6. How we share personal data

We may share customer order and contact information with the relevant baker so that the baker can accept, prepare, fulfil, support, or resolve the order, comply with food-safety obligations, and manage lawful customer service and dispute handling.

We may share personal data with payment processors, email providers, hosting and cloud providers, website analytics providers such as Google Analytics, email marketing providers such as Mailchimp or Hostinger Reach if enabled, customer-support tools, identity-verification or due-diligence providers, professional advisers, insurers, auditors, and competent authorities where reasonably necessary. We do not sell personal data to data brokers, and we do not disclose customer personal data to third parties for their own independent advertising purposes unless a lawful basis and any required consent are in place.

We may also share data if required to investigate fraud, unsafe food reports, allergen incidents, regulatory issues, breaches of platform terms, chargebacks, legal claims, or any issue where disclosure is reasonably necessary to protect rights, safety, or legal compliance.

7. International transfers and data location

Cosycookie expects to use cloud-based services and specialist third-party tools. Some of those providers may process personal data in the United Kingdom, the EEA, or other countries in which they or their sub-processors operate.

Where personal data is transferred outside the United Kingdom and a specific adequacy decision does not apply, we will seek to use appropriate safeguards such as approved contractual clauses, supplementary measures where needed, and proportionate provider due diligence.

Not every technology provider has been finalised at the time this draft is prepared. If our provider stack changes materially, we will update this policy, our internal records, and any necessary cookie or consent disclosures accordingly.

8. Data retention

We retain personal data only for as long as reasonably necessary for the purposes described in this policy, including order administration, refunds, complaints, vendor management, food-safety issues, fraud prevention, accounting, legal compliance, and the defence of claims.

Different categories of data may be kept for different periods. For example, vendor due-diligence records, ID and compliance records, transaction records, payout records, complaint files, and product-safety records may need to be retained for up to 6 years after the relevant order, relationship, or incident, or longer where law, limitation periods, or an active dispute reasonably require this.

When personal data is no longer required, we will delete it, anonymise it, or securely archive it in accordance with legal, regulatory, evidential, or operational needs.

9. Security and access controls

We use reasonable technical and organisational measures to protect personal data against accidental loss, unauthorised access, unlawful use, disclosure, alteration, or destruction. These measures may include access controls, role-based restrictions, supplier due diligence, secure hosting, contract controls, and documented response procedures.

No online environment is completely risk-free. If you use an account, you are also responsible for protecting your own account credentials, devices, and communications. If you believe your account, guest-order details, or personal data has been compromised, please contact us promptly.

10. Marketing, cookies, and advertising

If you subscribe to newsletters, product updates, or marketing messages, we may use your contact details to send those communications in accordance with your preferences and applicable law. You can unsubscribe at any time by using the link in the message or by contacting us.

We use cookies and similar technologies for essential site operation, analytics, functional preferences, and, where enabled and consented to, advertising or remarketing. Please see our Cookie Policy for more detail.

If we enable advertising tools such as Google AdSense or similar services in the future, related tracking or advertising cookies will be used only in line with the consent and transparency requirements that apply at that time. Marketing by email, text, or similar channels will also remain subject to the consent, soft opt-in, opt-out, and transparency rules that apply to the relevant audience and message type.

11. Your rights

Depending on the circumstances and applicable law, you may have rights to request access to your personal data, ask for correction, request deletion, object to processing, restrict processing, request transfer of certain data, and withdraw consent where consent is the lawful basis relied upon.

You may also have the right to complain to the Information Commissioner’s Office if you believe your data has been handled unlawfully. We would appreciate the opportunity to address concerns first where appropriate, but you are not required to contact us before contacting the ICO.

If we need additional information to verify identity or understand the scope of a request, we may ask for it before completing the request. We will aim to respond within the timeframe required by applicable law, which is usually within one month for a valid rights request.

12. Children’s data and age restrictions

Cosycookie is not intended for children to create accounts or independently place orders. We do not knowingly target children under 13, and our marketplace is generally intended for adult customers and adult vendors.

If we become aware that we have collected personal data from a child in circumstances that require deletion or parental action, we will take reasonable steps to address the issue.

13. Third-party links and seller practices

The website may contain links to third-party websites, baker websites, social media pages, payment tools, or courier tracking pages. Those third parties have their own privacy practices and notices. This policy does not govern how those third parties use personal data once you leave our environment.

Individual bakers may also provide their own privacy information where they collect or use personal data for their own separate purposes. Customers should review any seller-specific notices where relevant, especially for direct communications or collection-based arrangements.

14. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in the law, our technology stack, our marketplace model, or our operational practices. The latest version will be published on the website and will apply from the date shown at the top of the policy.

Where material changes are made and the law requires additional notification or consent, we will take the steps that are reasonably required at that time.

Contact details

Agate International LTD trading as Cosycookie

Website: https://www.cosycookie.com

Registered office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

Registered in England and Wales

Company number: 12996873

Customer support: customers@cosycookie.com

General and privacy enquiries: info@cosycookie.com