Privacy & data — SourDoughies

Summary

SourDoughies runs this website as a bakery brochure and ordering hub (menu, locations, gallery, contact). There is no public “user account” on the site: visitors browse the same pages everyone sees. We do not sell data and we do not build marketing profiles on anonymous visitors.

When we show photos that originally appeared on our public Facebook Page, our server requests that Page’s posts and image references through the Meta Graph API (with a Page access token). We do not use Meta’s oEmbed API for that workflow—oEmbed is a separate product for “embed this URL” HTML, not how we ingest images for review and display on sourdoughies.com.

Like any website on the internet, our servers and security tools may automatically see technical signals (for example IP address, browser type, rough request timing) so we can deliver pages, measure aggregate traffic, and spot abuse or overload (rate limits, firewall rules, and similar protections). That is operational infrastructure—not a plan to “collect dossiers” on individuals.

What this site processes

Operational analytics (aggregate traffic). On most public pages, the site sends a small request to our own API with the page path you viewed, an anonymous session identifier stored in your browser’s sessionStorage for that visit, optional referrer, and time on page. Our server may store those fields together with IP address and browser user-agent so we can count visits, see which pages are popular, and investigate spikes or errors. We do not use this to identify shoppers by name, and we do not ask visitors to log in with Facebook on the public menu pages.
Security & abuse protection. Along with rate limiting and normal web-server behavior, we may log or block suspicious traffic to keep the site fast and safe. That can involve the same kinds of technical metadata (IP, user-agent, timestamps) described above.
Security & forms. Our API may set a short-lived, technical cookie used to protect against cross-site request forgery (CSRF) on requests that need it.
Contact you choose to send. If you email or call us using the details on the Contact page, we receive whatever you send us through that channel.
Staff admin accounts. Separate admin pages use password-protected accounts for bakery staff only; those credentials are not used for casual browsing of the public menu.

Facebook / Meta (Page content)

We operate a Meta developer application so our server can read posts and images from our public SourDoughies Facebook Page through the Meta Graph API (for example listing Page posts and fields such as image URLs and captions). That supports our admin workflow to review content and optionally show approved bakery photos on this website (backgrounds, gallery, or similar). We do not use Facebook Login on the public menu pages to collect visitors’ Facebook profiles.

This image workflow does not rely on Meta oEmbed Read. oEmbed is used when an app wants Meta’s official “embed HTML” for a public post or Page URL; our ingestion path is Graph API access to our own Page’s content, scoped to what we need to operate the site.

Meta’s own privacy practices apply when you use Facebook; see Meta’s Privacy Policy.

Third-party sites & embeds

Pages may link to DoorDash, Square Online ordering, Shopify, or social networks. When you leave our site or interact with their widgets, those companies process data under their own policies.

Retention

Analytics and security logs are kept only as long as needed for operations, troubleshooting, and aggregate reporting, then removed or rolled up according to our internal practices.

Children

This bakery website is not directed at children under 13, and we do not knowingly collect personal information from children.

Questions

For privacy questions, contact us at Hailey@sourdoughies.com or use the phone number on our Contact page.

Data deletion requests

See our dedicated Data deletion policy for how to request removal and what we can do by scenario (visitors, messages you sent us, synced Page media, and Meta tools).