Legal Documents:
- Legal Hub
- Terms of Service
- Privacy & Cookie Policy
- Sub-Processors
- Cookie & Tracking Policy
Privacy & Cookie Policy
What did I just click on — and how does it affect me?
The website you came from believes, like we do, that customers should control their digital footprint. They are making transparency a pillar of their digital strategy while maintaining security and compliance with the GDPR, CCPA, PIPEDA, and other data protection laws.
Bread & Butter is a first-party data platform. We do not use third-party cookies or pixel-based cross-site tracking. Any data collected about your visit to a Bread & Butter customer’s website is collected on that customer’s behalf — they are the data controller and their privacy policy governs how they use it. Bread & Butter acts as a data processor and does not use visitor data for its own advertising or resell it to anyone.
If your organisation would like to harness the power of first-party and zero-party data strategies, learn more at breadbutter.io.
1. Scope and Who This Policy Applies To
This Privacy & Cookie Policy (“Policy”) describes how Bread & Butter IO Inc. (“Bread & Butter,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information in connection with the Bread & Butter Platform and our own business activities.
This Policy applies to:
- Customer administrators and account holders who create and manage a Bread & Butter account
- Visitors to breadbutter.io and other Bread & Butter-operated websites
- End users and website visitors whose data is processed through the Platform on behalf of our Customers
This Policy does not cover data from which individual persons cannot be identified, or data processed using pseudonyms where re-identification is not possible. Where we process personal data on behalf of a Customer, we act as a data processor and the Customer is the data controller. In those cases, the Customer’s own privacy policy governs the purposes and legal basis for processing.
The Bread & Butter Platform is intended for business use. It is not directed at children under the age of 16. See Section 11 for our Children’s Privacy statement.
2. Privacy Officer and Responsibilities
Bread & Butter has designated a Privacy Officer to oversee its information security programme, including its compliance with the GDPR, PIPEDA, Quebec Law 25, and applicable US state privacy laws. The Privacy Officer reviews and approves any material changes to this Policy and our data practices.
To contact our Privacy Officer for any privacy-related concern, data subject request, or complaint:
- Email: support@breadbutter.io — Subject line: “Privacy Officer Request”
- Company: Bread & Butter IO Inc., Province of British Columbia, Canada
Bread & Butter maintains, monitors, tests, and upgrades its information security policies, practices, and systems to protect the personal data it collects and processes. Personnel receive training on data protection obligations as applicable to their roles.
3. Personal Data We Collect
The data we collect depends on how you interact with Bread & Butter and which products and features are in use.
3.1 Account and Administrator Data
- Name and contact data: First and last name, email address, postal address, phone number, company name, job title
- Credentials: Passwords, password hints, and similar security information used for authentication — for local login only. Credentials are never stored or accessed for Identity Provider (social login) authentication
- Demographic data: Preferred language and regional settings
- Device and configuration data: Operating system, browser, IP address, device identifiers, and regional/language settings
- Billing data: Name, company address, and payment instrument details — processed directly by Stripe. Bread & Butter does not store raw card data
3.2 Website Visitor Data (Processed on Behalf of Customers)
When a Customer installs the Bread & Butter tracking code or WordPress Plugin on their website, the Platform collects the following data about their website visitors:
- Pages visited, time on page, scroll depth, navigation path, and session duration
- Session identifiers stored in browser Local Storage (see Section 9 — not HTTP cookies)
- Device type, browser, operating system, and screen resolution
- Approximate geographic location derived from IP address (see Section 9.4 — not precise geolocation)
- Referral source, UTM parameters, and campaign attribution data
- Form interaction events (field focus, completion, submission, abandonment)
- Identity information (name, email address) only when a visitor actively submits a form or authenticates via social login — never inferred automatically from anonymous browsing
3.3 Enrichment Data
Once a visitor identifies themselves (by submitting a form or social login), the Platform uses AI agents and third-party data providers to enrich their profile with publicly available professional information, including job title, company, LinkedIn profile data, company size, and industry. This enrichment data is licensed to the Customer and governed by the EULA.
3.4 Usage and Performance Data
- Product use data: Features used, pages visited within the Platform, and actions taken
- Error and performance data: Crash reports, error logs, and performance metrics collected via Sentry. These may include software/hardware details at time of error. This data is used solely to diagnose problems and improve the Platform
3.5 Support Data
When you contact Bread & Butter for support, we collect your name, email address, and the content of your communications, including details about the hardware, software, or account condition relevant to your inquiry. Support interactions are handled through Help Scout. Phone or chat sessions with our team may be monitored and recorded where permitted by law.
3.6 Communications
We collect the content of messages you send us, including feedback, product reviews, questions, and survey responses. We may contact you from time to time regarding product updates, new features, or other relevant information by email or in-product notifications.
All data transported between Bread & Butter products and services is transmitted using HTTPS (TLS 1.2 or higher).
4. How We Use Personal Data
4.1 To Deliver and Operate the Platform
- Registering accounts, authenticating users, and managing subscriptions
- Operating lead tracking, scoring, enrichment, and nurture features on behalf of Customers
- Processing payments through Stripe
- Delivering customer support
4.2 To Improve and Secure the Platform
- Monitoring application errors and performance
- Aggregated and anonymised usage analytics to improve product features
- Detecting and preventing fraud, abuse, spam, and security incidents
- Maintaining appropriate business and financial records
4.3 To Market Our Own Services
- Sending product updates and promotional communications to Customers who have opted in
- Conducting outbound sales outreach to business prospects (B2B only)
- Running advertising campaigns using hashed identifiers
4.4 Legal Basis for Processing (GDPR)
For individuals in the European Economic Area, our processing is based on the following legal grounds:
| Legal Basis | When We Rely on It |
|---|---|
| Contract (Art. 6(1)(b)) | Delivering the Platform, managing your account, processing payments |
| Legitimate Interests (Art. 6(1)(f)) | Platform security, fraud prevention, product improvement, B2B marketing (interests balanced against individual rights) |
| Consent (Art. 6(1)(a)) | Marketing communications, cookie/tracking consent where required |
| Legal Obligation (Art. 6(1)(c)) | Tax records, regulatory compliance, responding to lawful government requests |
5. How We Share Personal Data
5.1 Sub-Processors
We share personal data with third-party service providers (“sub-processors”) who process data on our behalf under written data processing agreements. Sub-processors may only use personal data for the purposes for which they have been engaged and must abide by our data privacy and security requirements. Our complete sub-processor list — including the categories of data, locations, and applicable transfer mechanisms — is published at BB-Subprocessors-v2026.html.
5.2 No Sale of Personal Data
Bread & Butter does not sell, rent, or trade personal data to third parties. We do not disclose personal data to third parties for purposes that are materially different from what it was originally collected for. Should this change in the future, we will provide individuals with the opportunity to opt-out.
5.3 No Cross-Customer Data Sharing
Data collected on behalf of one Customer is never disclosed to, combined with, or made accessible to any other Customer. Each Customer’s data is logically isolated within the Platform.
5.4 Affiliates and Subsidiaries
We may share personal data among Bread & Butter-controlled affiliates and subsidiaries for the purposes described in this Policy, subject to equivalent data protection obligations.
5.5 Business Transfers
Personal data held by Bread & Butter may be transferred to a successor entity in the event of a merger, acquisition, or sale of assets. We will notify affected individuals and, where required, supervisory authorities, prior to any such transfer.
5.6 Legal Disclosure
We may disclose personal data when we have a good-faith belief that doing so is necessary to:
- Comply with applicable law or respond to valid legal process, including from law enforcement or government agencies
- Protect our customers from spam, fraud, or attempts to defraud users of our products, or to help prevent loss of life or serious injury
- Operate and maintain the security of our products, including to prevent or stop an attack on our systems or networks
- Protect the rights or property of Bread & Butter, including enforcing the terms governing use of our services
Please be aware that Bread & Butter may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Bread & Butter is liable for appropriate onward transfers of personal data to third parties.
6. International Data Transfers
Bread & Butter is incorporated in Canada. Canada benefits from an adequacy decision from the European Commission for commercial organisations subject to PIPEDA, meaning that transfers of personal data from the EEA to Bread & Butter in Canada are lawful without requiring additional safeguards.
Personal data may be stored and processed in Canada, the United States, or in any other country where Bread & Butter or its sub-processors maintain facilities. The primary storage location is in Canada and/or the United States, often with backup to another region for redundancy and performance. Where we transfer personal data outside Canada or the EEA, we ensure appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to the United States and other third countries
- Adequacy Decisions where the destination country has been recognised as adequate by the European Commission (e.g., Israel, EU member states)
- EU–US Data Privacy Framework (DPF) where applicable for certified US recipients
For transfers from Switzerland, we apply equivalent safeguards consistent with Swiss data protection law. Details of the transfer mechanism for each sub-processor are on our Sub-Processors page.
7. Where We Store and Process Personal Data
The Bread & Butter Platform is hosted on Microsoft Azure (United States) with MongoDB Atlas as the primary database. Data is stored and processed as needed to operate efficiently, improve performance, and maintain redundancy in case of outage. We take steps to ensure that all data we collect under this Policy is processed in accordance with its provisions and applicable law, regardless of where the data is located.
8. Data Retention
We retain personal data for as long as necessary to provide our products, fulfil the transactions you have requested, or for other essential purposes such as complying with legal obligations, resolving disputes, and enforcing our agreements. Retention periods are determined by:
- Operational necessity: How long is the data needed to operate and improve the Platform and maintain security?
- Customer expectation: Where customers store or maintain data with the expectation we will retain it until they remove it (e.g., lead records), we retain it until they actively delete it or applicable retention policy settings are reached
- Customer consent: If a Customer has provided consent for a longer retention period, we retain data accordingly
- Legal obligation: Mandatory retention laws, government orders, or litigation holds
Specific retention periods:
- Active account data: Retained for the duration of your subscription and for 90 days following account termination
- Customer visitor and lead data: Default maximum 24 months from collection; configurable by the Customer
- Payment and billing records: Seven (7) years as required by Canadian tax and accounting regulations
- Support communications: Three (3) years from the date of last interaction
- Anonymised/aggregated data: May be retained indefinitely (cannot be used to identify individuals)
9. Cookies, Local Storage & Tracking Technologies
Unlike most analytics and marketing tools, Bread & Butter does not set third-party HTTP cookies. Visitor journey data is persisted using the browser’s Local Storage API — a different mechanism that is scoped to the Customer’s domain, not transmitted automatically with requests, and not shared across sites.
9.1 Cookies We Use
First-party session cookie (WordPress Plugin only): When the Bread & Butter WordPress Plugin is active, a single standard WordPress first-party session cookie may be set on the Customer’s domain to maintain session state. This cookie is scoped to the Customer’s own domain, does not track the visitor across other websites, and expires when the browser session ends.
No third-party cookies: Bread & Butter does not set or read third-party cookies and does not participate in cross-site tracking networks.
Identity provider cookies: When a visitor authenticates using a social login option (Google, Microsoft, LinkedIn, Apple, etc.), the identity provider — not Bread & Butter — may set its own cookies as part of the OAuth flow. These are governed by each provider’s privacy policy.
Analytics and preferences: On breadbutter.io, we use cookies to store preferences and settings, maintain sign-in sessions, and gather usage statistics (e.g., counting unique visitors). Where cookies are used for analytics, they are first-party and do not track users across external sites.
9.2 What We Store in Browser Local Storage
| Key | Purpose | Data Stored | Duration |
|---|---|---|---|
bb_visitor_id |
Anonymous visitor session identifier — links page views across a visit and across return visits on the same device/browser | Randomly generated pseudonymous ID (no name, email, or directly identifying data) | Persistent until cleared |
bb_journey |
Hashed summary of the visitor’s page journey for AI scoring continuity across sessions | Hashed page path references and session metadata | Persistent until cleared |
bb_consent |
Records the visitor’s consent decision when the Bread & Butter cookie consent tool is enabled on the Customer’s site | Consent status (accepted/declined), timestamp, and consent tool version | Persistent until cleared |
bb_utm |
Preserves UTM campaign attribution from the visitor’s initial landing URL | UTM source, medium, campaign, term, and content values | Session or until next UTM-tagged visit |
bb_identity |
Stores confirmed visitor identity after active identification | Name and email address — only populated after the visitor submits a form or social login | Persistent until cleared |
9.3 Server-Side Tracking (WordPress Plugin)
When the WordPress Plugin is installed, visitor page requests are intercepted at the web server level before the page renders in the browser. This means tracking is not affected by ad-blockers, Apple’s Intelligent Tracking Prevention (ITP), or other browser privacy restrictions. The visitor’s IP address and request headers are processed server-side to derive approximate geographic location (via MaxMind GeoIP2) and to generate a pseudonymous device-level identifier. Raw IP addresses are not stored indefinitely.
9.4 IP-Based Location
Visitor location displayed in the Platform is estimated from IP address using MaxMind GeoIP2. This is an approximation of the visitor’s general geographic region — not precise geolocation. Results may be affected by VPNs, corporate proxy servers, or shared network infrastructure. Bread & Butter does not perform GPS-level or device-level location tracking.
9.5 Cookie Consent Tool
Bread & Butter provides an optional built-in cookie consent and notice tool, available free to all Customers. When enabled, the tool displays a consent banner to website visitors and records: consent status, UTC timestamp, approximate IP-derived location, and device/browser information. Consent records are owned by the Customer. See Section 9.9 of the EULA for full details and limitations.
9.6 How to Clear Local Storage
- Chrome / Edge: Settings → Privacy and security → Clear browsing data → “Site data”
- Safari: Settings → Privacy → Manage Website Data → remove the relevant domain
- Firefox: Settings → Privacy & Security → Cookies and Site Data → Clear Data
Clearing Local Storage will reset the visitor’s session identifier. A new anonymous identifier will be generated on the next visit, and the visitor will not be linked to their prior session history.
10. Security of Personal Data
Bread & Butter is committed to protecting the security of your personal data. We use a variety of security technologies and procedures including:
- Encryption in transit: HTTPS (TLS 1.2+) for all data transmissions
- Encryption at rest for stored personal data
- Role-based access controls and principle of least privilege
- Application error monitoring and infrastructure monitoring
- Controlled-access server environments on Microsoft Azure
No method of data transmission or storage is 100% secure. In the event of a personal data breach, we will notify affected individuals and, where required, the relevant supervisory authority within the legally required timeframe.
11. Children’s Privacy
The Platform is designed for business use and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will delete it promptly. If you believe a child has provided personal data to us, contact us at support@breadbutter.io.
12. Health Information — HIPAA
Bread & Butter is a B2B marketing intelligence platform. It is not designed, certified, or intended for use with Protected Health Information (PHI) as defined under the US Health Insurance Portability and Accountability Act (HIPAA). Bread & Butter is not a HIPAA covered entity or business associate and does not execute Business Associate Agreements (BAAs). Customers in the healthcare sector must not use the Platform to collect, store, or process PHI. Doing so constitutes a breach of the EULA and is solely the Customer’s liability.
13. AI and Machine Learning
Bread & Butter uses AI and machine learning models to power features including lead scoring, profile enrichment, nurture message generation, and prospect research. These models process Customer Data (lead profiles, behavioural signals, enrichment inputs) on behalf of the relevant Customer and subject to the EULA.
Bread & Butter does not use any Google Workspace data — or any Customer Data — to develop, improve, or train generalised AI/ML models for use outside the specific Customer account for which the data was collected.
A list of current AI model providers used in the Platform is published on our Sub-Processors page.
14. Canadian Privacy Law
Bread & Butter is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and, for individuals in Quebec, the Act Respecting the Protection of Personal Information in the Private Sector (Law 25). We have designated a Privacy Officer responsible for PIPEDA compliance (see Section 2).
To access, correct, or inquire about personal information we hold about you, contact our Privacy Officer at support@breadbutter.io. You also have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
15. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights. To exercise any right, contact us at support@breadbutter.io. We will respond within the legally required timeframe (generally 30 days, or sooner where required).
| Right | What It Means | Jurisdiction |
|---|---|---|
| Access | Request a copy of the personal data we hold about you | GDPR, PIPEDA, CCPA/CPRA |
| Rectification / Correction | Request correction of inaccurate or incomplete personal data | GDPR, PIPEDA, CCPA/CPRA |
| Erasure / Deletion | Request deletion of your personal data (subject to legal retention obligations). Data deletion requests: support@breadbutter.io | GDPR, CCPA/CPRA |
| Restriction of Processing | Request that we limit how we process your data in certain circumstances | GDPR |
| Data Portability | Receive your personal data in a structured, machine-readable format | GDPR |
| Objection | Object to processing based on legitimate interests or for direct marketing | GDPR |
| Withdraw Consent | Where processing is consent-based, you may withdraw it at any time. This does not affect the lawfulness of prior processing. To disable your account, contact support@breadbutter.io | GDPR, PIPEDA, Quebec Law 25 |
| Opt-Out of Sale / Sharing | We do not sell or share personal data for cross-context behavioural advertising. No opt-out is required, but you may confirm by contacting us | CCPA/CPRA |
| Non-Discrimination | We will not discriminate against you for exercising your privacy rights | CCPA/CPRA |
| Post-Mortem Instructions | As applicable under French law, you may send specific instructions regarding the use of your personal data after your death | French law |
| Lodge a Complaint | File a complaint with your national data protection authority. EU supervisory authorities: ec.europa.eu. Canada: priv.gc.ca | GDPR, PIPEDA |
If your personal data was collected by a Bread & Butter Customer’s website (not directly by Bread & Butter), please direct your rights request to that Customer. Bread & Butter processes that data on the Customer’s behalf as a data processor and will assist the Customer in responding to verified requests.
16. Changes to This Policy
We will update this Policy when necessary to reflect customer feedback, changes in our products, or changes in applicable law. When we post changes, we will revise the “Last Updated” date at the top of this page. If there are material changes to how we use personal data, we will notify you by prominently posting a notice before the changes take effect or by directly sending you a notification. We encourage you to periodically review this Policy.
17. Enforcement, Disputes, and How to Contact Us
For any privacy concerns, technical or support questions, data subject access requests, or to request limitation of use and disclosure of your personal information, please contact us:
- Email: support@breadbutter.io
- Data Deletion Requests: support@breadbutter.io — Subject line: “Data Deletion Request”
- Company: Bread & Butter IO Inc., Province of British Columbia, Canada
- Website: breadbutter.io
If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority in your jurisdiction. In the EU, you can find a list of supervisory authorities at ec.europa.eu. In Canada, complaints may be directed to the Office of the Privacy Commissioner at priv.gc.ca.
