🔒 This privacy policy is GDPR & HIPAA compliant and regularly updated to protect your rights

Privacy Policy

Effective Date: January 15th, 2025
Coffee Insights ("we", "our", or "us") is committed to protecting your privacy and ensuring full compliance with international data protection laws. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our mobile application ("App"), in strict compliance with the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and other applicable privacy laws worldwide.

1. Data Controller

The data controller responsible for your personal information is:

Sebastian Cochinescu - Independent App Publisher
Bd. Ion Mihalache 166, Bucharest, Romania
Data Protection Officer:
GDPR Compliance:

We comply with all applicable EU data protection regulations.

2. Data We Collect

Account Information

  • Name and email address from Apple ID or Google Account when using third-party authentication
  • Unique user identifier for account management
  • Authentication tokens (encrypted and securely stored)
  • Account creation and last login timestamps

Photo and Image Data

  • Coffee photos uploaded for AI analysis
  • Image metadata including timestamps, device information, and image properties
  • Processed image data for coffee characteristic analysis (temporarily stored)
  • Historical photo records for user's coffee analysis history

Device and Technical Data

  • Device model, operating system version, and app version
  • IP address (anonymized after 30 days for GDPR compliance)
  • Device language and timezone settings
  • Crash reports and error logs (anonymized)
  • App performance metrics and usage statistics

Location Data (Optional)

  • Approximate location for coffee shop recommendations (only with explicit consent)
  • Location data is never stored permanently and is used only for session-based features

Advertising and Tracking Data

  • Advertising identifiers (IDFA/GAID) only with explicit consent via ATT framework
  • Marketing engagement data (email opens, app store interactions)
  • Attribution data for advertising campaign effectiveness

Health-Related Data (HIPAA Consideration)

Important: While coffee analysis is primarily informational, any dietary or wellness-related insights are treated with strict confidentiality in accordance with HIPAA privacy principles.

4. How We Use Your Data

Core App Functionality

  • AI-powered coffee analysis and quality assessment
  • Photo storage and analysis history management
  • User account creation, authentication, and profile management
  • Personalized coffee insights and recommendations

Service Improvement

  • App performance monitoring and optimization
  • Bug detection, error tracking, and technical support
  • Feature development and user experience enhancement
  • A/B testing for improved functionality

Communication and Marketing

  • Service notifications and important updates
  • Marketing communications (with explicit consent)
  • Customer support and user assistance
  • Promotional campaigns and special offers

Legal and Security

  • Fraud prevention and security monitoring
  • Compliance with legal obligations and regulations
  • Protection of our rights and interests
  • Response to legal requests and court orders

5. Data Sharing

We never sell your personal data. Data sharing is limited to essential service providers and occurs only under strict contractual obligations.

Service Providers (Data Processors)

  • Cloud Infrastructure: Google Cloud Platform, AWS (data hosting and processing)
  • AI Processing: OpenAI Vision Models (coffee analysis - images processed securely and not retained)
  • Analytics: Google Analytics, Firebase Analytics (anonymized usage data only)
  • Authentication: Apple Sign-In, Google OAuth (secure identity verification)
  • Push Notifications: Firebase Cloud Messaging, Apple Push Notification Service

Legal Requirements

  • Law enforcement agencies (when legally required)
  • Regulatory authorities (for compliance purposes)
  • Courts and legal proceedings (under judicial order)
  • Emergency services (to protect health and safety)

Business Transfers

  • In case of merger, acquisition, or sale of assets, users will be notified in advance
  • Data protection standards will be maintained during any business transition

All data sharing arrangements include: Data Processing Agreements (DPAs), strict security requirements, purpose limitation clauses, and regular compliance audits.

6. Data Retention

Account Data

  • Active accounts: Retained while account is active and for 30 days after deletion request
  • Inactive accounts: Automatically deleted after 3 years of inactivity
  • Authentication tokens: Expire automatically after 90 days

Photo and Analysis Data

  • User photos: Retained until manually deleted by user or account closure
  • Coffee analyses: Stored with photos for user history access
  • Temporary AI processing: Images deleted within 24 hours after analysis

Technical and Analytics Data

  • Device logs: Retained for 90 days for debugging purposes
  • Anonymized analytics: Retained for 26 months (Google Analytics default)
  • Crash reports: Retained for 1 year for app stability improvements

Legal and Compliance Data

  • Legal requests: Retained as required by law (typically 5-7 years)
  • Audit logs: Retained for 3 years for security monitoring
  • GDPR requests: Documentation retained for 3 years

Automated Deletion: We use automated systems to ensure data is deleted according to these retention periods. You can request immediate deletion of your data at any time.

7. Your GDPR Rights

Access Rights (Article 15)

  • Request a copy of all personal data we hold about you
  • Receive information about how your data is processed
  • Learn about data sharing and retention periods

Rectification Rights (Article 16)

  • Correct inaccurate or incomplete personal data
  • Update your account information and preferences
  • Modify consent settings and privacy choices

Erasure Rights - "Right to be Forgotten" (Article 17)

  • Request complete deletion of your account and all associated data
  • Remove specific photos or fortune records
  • Withdraw consent and delete related processing activities

Data Portability (Article 20)

  • Export your data in a machine-readable format
  • Transfer your data to another service provider
  • Receive structured data exports within 30 days

Objection Rights (Article 21)

  • Object to processing based on legitimate interests
  • Opt out of direct marketing and profiling
  • Stop automated decision-making processes

Exercise Your Rights: Submit requests via . We respond within 30 days (extendable to 90 days for complex requests). All requests are free of charge.

8. User Controls and Choices

In-App Controls

  • Photo Management: Delete individual photos or your entire history
  • Account Settings: Update personal information and preferences
  • Privacy Settings: Control data sharing and consent preferences
  • Notification Settings: Manage push notifications and communications

Device-Level Controls

  • Location Services: Disable location access in device settings
  • Camera Permissions: Revoke photo access permissions
  • Tracking Prevention: Use iOS App Tracking Transparency or Android privacy settings
  • Advertising: Reset advertising ID or opt out of personalized ads

Communication Preferences

  • Unsubscribe from marketing emails via email footer links
  • Disable push notifications in app or device settings
  • Opt out of promotional communications
  • Control frequency of app notifications

9. Data Security

Technical Safeguards

  • Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
  • Access Controls: Multi-factor authentication and role-based access
  • Network Security: Firewalls, intrusion detection, and VPN access
  • Data Anonymization: Automatic anonymization of analytics data

Organizational Measures

  • Regular security training for all personnel
  • Background checks for employees with data access
  • Incident response procedures and security monitoring
  • Regular security audits and penetration testing

Industry Standards

  • ISO 27001 information security management compliance
  • SOC 2 Type II audited cloud infrastructure
  • GDPR technical and organizational measures (Article 32)
  • Regular third-party security assessments

Security Limitations: While we implement industry-leading security measures, no system is 100% secure. We continuously monitor and improve our security posture.

10. International Data Transfers

Transfer Mechanisms

  • EU Adequacy Decisions: Transfers to countries with adequate protection levels
  • Standard Contractual Clauses: EU-approved data transfer agreements
  • Binding Corporate Rules: For multinational service providers
  • Certification Schemes: Industry-recognized privacy certifications

Data Localization

  • EU user data primarily stored in EU data centers
  • Backup data may be stored in adequacy-approved countries
  • AI processing may occur in secure US facilities under strict contracts
  • Data subject rights remain enforceable regardless of processing location

Safeguards and Guarantees

  • Contractual obligations to maintain EU-level protection
  • Regular compliance audits of international processors
  • Immediate suspension of transfers if protection levels are compromised
  • Notification to users of any significant transfer arrangement changes

11. Children's Privacy

Age Restrictions

  • Minimum Age: 16 years in the EU, 13 years in other jurisdictions
  • Age Verification: Account creation includes age confirmation
  • Parental Consent: Required for users under applicable age limits

Special Protections

  • Enhanced privacy settings for young users
  • Restricted data collection and profiling
  • No behavioral advertising to minors
  • Regular compliance reviews for child safety

Parental Rights

  • Right to access their child's data
  • Right to request deletion of child's account
  • Right to withdraw consent at any time
  • Priority customer support for family-related concerns

Underage Discovery: If we discover a user is under the required age without proper consent, we will immediately delete their account and data.

15. Policy Changes

Notification Process

  • Significant Changes: 30-day advance notice via email and in-app notification
  • Minor Updates: Notification through app updates and website posting
  • Emergency Changes: Immediate notification for security or legal reasons

User Rights During Changes

  • Right to review changes before they take effect
  • Right to withdraw consent if you disagree with changes
  • Right to export your data before policy changes
  • Right to delete your account if changes are unacceptable

Change Documentation

  • Version history maintained for transparency
  • Summary of changes provided with each update
  • Legal basis documented for any new processing activities
  • Regular comprehensive policy reviews every 12 months

16. Contact Information

Data Protection Contacts

Data Protection Officer:

GDPR Compliance:

Security Issues:

General Support:

Supervisory Authority

  • Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
  • Website: www.dataprotection.ro
  • EU Citizens: You may also lodge complaints with your local data protection authority

Response Times: GDPR requests within 30 days | Security issues within 24 hours | General support within 48 hours

12. Cookies & Tracking Technologies

Types of Cookies We Use

Cookie Consent Management

Cookie Control: You can manage cookie preferences in your device settings or through our in-app cookie preferences center.

13. Third-Party Services

Service Provider Details

Data Processing Agreements

14. Data Breach Procedures

Our Commitment

User Rights During a Breach

Security Incident Reporting:
Emergency: