iCoffee Privacy Policy

1. Account & Authentication Data

What we collect:

• Email address
• Password (encrypted and managed by Firebase Authentication)
• Firebase User ID (UID)
• Google account profile information (if you sign in with Google): name, email, profile picture
• Account creation date and last login timestamp
• Authentication method used (Google Sign-In or email/password)

Why we collect it:

• To create and maintain your user account
• To authenticate and secure your access to the Service
• To enable you to sign in across multiple devices
• To recover your account if you forget your password
• To communicate important account-related information

Legal basis (GDPR): Legal basis (GDPR): Performance of contract and legitimate interests

2. Profile and Preferences Data

What we collect:

• Display name
• Username
• Bio/profile description
• Profile photo (optional)
• Language and locale settings
• Unit preferences (metric/imperial)
• Taste preferences and flavor profiles
• Preferred brewing methods
• Preferred coffee equipment

Why we collect it:

• To personalize your experience within the app
• To provide relevant recommendations and brewing guidance
• To customize the interface to your language and unit preferences
• To improve AI-generated suggestions based on your preferences
• To display your profile information within the app

Legal basis (GDPR): Legal basis (GDPR): Performance of contract and legitimate interests

3. Brew Logs, Beans, Equipment, and Related Content

What we collect:

• Brew measurements (coffee dose, water amount, time, temperature, etc.)
• Brew ratings and scores
• Tasting notes and flavor descriptions
• Flavor tags and categories
• Coffee bean details (origin, roast date, roaster, variety, processing method, price, etc.)
• Bean ratings and reviews
• Equipment details (coffee makers, grinders, kettles, scales, etc.)
• Equipment specifications and settings
• Favorite brewing methods, beans, and equipment
• Achievement data and progress tracking
• Brewing streak data
• Brew photos (optional)
• Timestamps for all entries

Why we collect it:

• To track and display your brewing history
• To synchronize your data across multiple devices
• To generate personalized insights and statistics
• To provide AI-powered recommendations based on your brewing patterns
• To help you improve your coffee brewing skills over time
• To enable you to reference past brews and replicate successful recipes

Legal basis (GDPR): Legal basis (GDPR): Performance of contract and legitimate interests

4. App Activity and Analytics Data

What we collect:

• App usage events (e.g., brew_logged, bean_added, method_favorited, equipment_registered, onboarding_completed, feature_viewed)
• Search queries within the app
• AI interaction events (requests made, features used)
• Feature engagement and navigation patterns
• Session duration and frequency
• Device information: device model, manufacturer, operating system version, screen resolution
• App version and build number
• Language and region settings
• Network information: IP address (coarse/approximate), connection type (WiFi/cellular), ISP metadata
• Installation and update events

Why we collect it:

• To understand which features are most valuable to users
• To improve app performance and user experience
• To identify and fix bugs and technical issues
• To analyze user engagement and retention
• To make data-driven product development decisions
• To optimize the app for different devices and OS versions

Third-party service: Third-party service: Firebase Analytics

Legal basis (GDPR): Legal basis (GDPR): Legitimate interests

5. Crash Reports and Diagnostic Data

What we collect:

• Stack traces and error logs
• Device state at time of crash (memory usage, battery level, storage)
• App state and screen information
• User actions leading up to the crash
• Operating system version and device model
• Crash timestamp and frequency

Why we collect it:

• To diagnose and fix app crashes and stability issues
• To improve app reliability and performance
• To prioritize bug fixes based on crash severity and frequency
• To ensure compatibility across different devices and OS versions

Third-party service: Third-party service: Firebase Crashlytics

Legal basis (GDPR): Legal basis (GDPR): Legitimate interests

6. AI Interactions and Prompts

What we collect:

• Text prompts and chat messages you send to the AI assistant
• Brew context provided to the AI (your current brew parameters, preferences)
• Coffee bean and equipment context shared with the AI
• User manual URLs you submit for AI processing
• Location information you voluntarily provide in prompts (e.g., "coffee shops near me")
• AI-generated responses and recommendations provided to you
• Conversation history for context continuity

Why we collect it:

• To generate personalized brewing guidance and recommendations
• To provide AI-powered features and conversational assistance
• To improve the quality and relevance of AI responses over time
• To maintain conversation context for better user experience

Third-party service: Third-party service: Google AI (Gemini)

Important notes:

• Your AI interactions are sent to Google Gemini to generate responses
• We do not use your AI conversations to train our own models
• Conversation data is stored to maintain context within your session
• Google may use interactions to improve their AI services according to their own policies

Legal basis (GDPR): Legal basis (GDPR): Performance of contract and legitimate interests

7. URL Safety Checks

What we collect:

• URLs you submit for manual extraction or safety verification
• Timestamps of URL submissions

Why we collect it:

• To protect you from malicious or unsafe websites
• To verify the safety of user manual links before processing
• To prevent phishing, malware, and other security threats

Third-party service: Third-party service: VirusTotal

Important notes:

• URLs are sent to VirusTotal only when you explicitly request a safety check or manual extraction
• VirusTotal may retain URLs according to their own policies
• Safety checks are performed in real-time and not stored by us long-term

Legal basis (GDPR): Legal basis (GDPR): Legitimate interests and consent

8. Media Uploads

What we collect:

• Brew photos you choose to upload
• Photo metadata (timestamp, file size, image dimensions)
• Optional: EXIF data if present in the image

Why we collect it:

• To allow you to visually document your brews
• To enhance your brew logging experience
• To sync photos across your devices
• To potentially enable future photo-based features

Storage: Storage: Firebase Cloud Storage

Legal basis (GDPR): Legal basis (GDPR): Performance of contract

9. Device Permissions

To provide functionality, the app may request various device permissions including but not limited to:

• Camera: To take photos of your brews for documentation
• Storage/Photos: To save and access brew photos
• Internet Access: To sync data, access AI features, and communicate with our servers

Note: Note: You can manage these permissions in your device settings. Denying permissions may limit certain app features. As the app evolves, additional permissions may be requested to support new features.

10. Local Data and Offline Storage

What we store locally:

• Cached copies of your Firestore data for offline access
• Temporary session data
• App preferences and settings

Why we store it locally:

• To enable offline functionality when you don't have internet access
• To improve app performance and reduce loading times
• To preserve your work in case of connectivity issues

Important notes:

• Local data is cleared when you sign out of the app
• Local data is deleted when you uninstall the app
• Guest mode data is stored ONLY locally and is not synced to the cloud

Guest Mode

• Data storage: Brew logs, beans, and equipment are stored in Firebase but not associated with a user account
• No account association: Your data is not linked to any account identifier and cannot be accessed after uninstalling
• No cross-device sync: Data cannot be synchronized or accessed from other devices
• Analytics: Anonymous usage data and crash reports are still sent to Firebase Analytics and Crashlytics
• Data deletion: All data is lost when you uninstall the app or clear app data - it cannot be recovered
• Limitations: No account recovery, no cross-device access, limited AI features

Registered Accounts

• Data storage: Data is stored in Firebase Firestore and synchronized across all your devices
• Cloud backup: Your data is backed up and accessible from any device you sign in to
• Account-based features: Access to synchronization, AI assistance, cloud storage, and all account-specific features (note: some premium features may require a subscription in the future)
• Account management: Ability to delete specific entries or your entire account
• Recovery: Can recover your account and data if you lose access to a device

Core Functionality

1. Account Management: Create, maintain, and secure your user account
2. Data Synchronization: Sync your brew logs, beans, and equipment across devices
3. Brew Logging: Track, store, and display your brewing history and statistics
4. Equipment Library: Maintain your personal collection of coffee equipment and beans
5. Achievements: Track progress, milestones, and brewing streaks
6. Personalization: Customize the app experience based on your preferences and settings

AI-Powered Features

7. Brewing Guidance: Provide personalized brewing recommendations via AI
8. Conversational Assistance: Answer your coffee-related questions through AI chat
9. Recipe Suggestions: Generate brew recipes based on your preferences and equipment
10. Contextual Help: Provide relevant assistance based on your current brewing context

Service Improvement

11. Analytics: Understand feature usage patterns and user engagement
12. Performance Optimization: Monitor and improve app speed and reliability
13. Bug Fixes: Diagnose and resolve crashes and technical issues
14. Feature Development: Make data-driven decisions about new features and improvements
15. Quality Assurance: Test and validate app functionality across different devices

Security and Safety

16. URL Verification: Protect users from malicious links via VirusTotal checks
17. Fraud Prevention: Detect and prevent abuse of the Service
18. Account Security: Monitor for suspicious activity and unauthorized access

Communication

19. Service Updates: Notify you of important changes to the app or policies
20. Feature Announcements: Inform you about new features and improvements
21. Support: Respond to your inquiries and support requests

Future Features (When Implemented)

22. Payment Processing: Handle subscriptions and in-app purchases
23. Social Features: Enable content sharing and community interactions (when available)
24. Advanced Analytics: Provide detailed brewing insights and trends

Google (Firebase & Google AI)

We use Google's infrastructure and services for core app functionality:

Services used:

• Firebase Authentication: Account creation, sign-in, and user management
• Cloud Firestore: Database for storing and syncing your brew logs, beans, equipment, and profile data
• Firebase Cloud Storage: Storage for brew photos and media uploads
• Firebase Analytics: App usage analytics and user engagement tracking
• Firebase Crashlytics: Crash reporting and stability diagnostics
• Google AI (Gemini): AI-powered features, recommendations, and conversational assistance

Data shared with Google:

• Account and authentication data
• All user-generated content (brews, beans, equipment, photos)
• App usage and analytics events
• Crash reports and diagnostic data
• AI prompts and conversation data

Governance:

Data shared with Google is governed by the Google Privacy Policy common.and Google Cloud Terms of Service.

Data location:

Your data is stored on Google Cloud infrastructure, which may be located in data centers around the world. Google employs appropriate safeguards for international data transfers.

Retention:

• Firebase Authentication retains account data as long as your account is active
• Firestore and Cloud Storage retain your data until you delete it or delete your account
• Firebase Analytics retains event data for up to 14 months by default
• Firebase Crashlytics retains crash data for up to 90 days
• Google AI may retain interaction data according to Google's policies

Important: Important: These retention periods are controlled by Google and may change without notice to us. For the most current information, please refer to Google's privacy documentation.

VirusTotal

Service: Service: URL safety analysis and malware scanning

When data is shared: When data is shared: Only when you explicitly submit a URL for safety checking or manual extraction

Data shared: Data shared: URL submitted, timestamp

Governance: VirusTotal's data handling is governed by their Terms of Service common.and Privacy Policy.

Note: Note: VirusTotal is owned by Google/Chronicle but operates as a separate service with its own policies. Their data retention practices may change without notice to us.

Future Third-Party Services

As we add new features, we may integrate additional third-party services such as:

• Payment Processors (Future): Stripe, RevenueCat, or Apple/Google payment systems for subscription management. Only payment and billing information necessary to process transactions will be shared.
• Social Media Integration (Future): Optional integration with social platforms for content sharing. You will be able to control what data is shared.
• Analytics and Marketing Tools (Future): Additional analytics platforms for advanced insights. Marketing platforms for feature announcements (with your consent).

When new services are added, this Privacy Policy will be updated to reflect those integrations.

Data Storage

Cloud Storage:

• Primary storage: Google Cloud Firestore and Firebase Cloud Storage
• Geographic location: Data centers operated by Google globally
• Redundancy: Google maintains multiple copies for reliability and disaster recovery

Local Storage:

• Device cache: Temporary copies stored on your device for offline access
• Session data: Stored locally during active app sessions
• Cleared upon sign-out or app uninstall

Security Measures

We implement industry-standard security measures to protect your data:

Transmission Security: Transmission Security: All data transmitted over HTTPS/TLS encryption. Secure WebSocket connections for real-time features. Certificate pinning for added protection.

Storage Security: Storage Security: Firebase security rules restrict access to your data. Data encrypted at rest by Google Cloud. Access controls limit who can view or modify data.

Authentication Security: Authentication Security: Passwords hashed using industry-standard algorithms (bcrypt via Firebase). Support for strong password requirements. Google Sign-In uses OAuth 2.0. Session tokens expire and require re-authentication.

Application Security: Application Security: Regular security audits, dependency scanning, code reviews, and security best practices.

Important Disclaimer: Important Disclaimer: While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

Data Retention

We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy.

• Active Accounts: Account data retained as long as your account is active. Brew logs, beans, equipment, photos, and profile data retained until you delete them or your account.
• Deleted Content: Individual entries permanently deleted from Firestore within a reasonable timeframe. Account and associated Firestore data deleted within 30 days. Firebase Authentication account deleted immediately upon request.
• Analytics and Logs: Firebase Analytics event data retained for up to 14 months. Crashlytics reports retained for up to 90 days. Server logs retained as required for security and operational purposes.
• Aggregated Data: Anonymized, aggregated analytics may be retained indefinitely for service improvement. Cannot be linked back to individual users.
• Legal Obligations: We may retain certain data longer if required by law, regulation, legal process, or to protect our legal rights.
• Backup Systems: Deleted data may persist temporarily in backup systems before permanent deletion. Backups are cycled according to standard retention schedules.

In-App Controls

• Profile Management: Update your display name, username, bio, preferences, email, photo, unit settings, and language.
• Content Management: Edit or delete brew logs, beans, equipment, photos, and favorites.
• Account Management: Delete your account from My Profile → Delete Account. Sign out from any device.

Device-Level Controls

• Permissions: Manage app permissions (camera, storage, etc.) in device settings.
• Analytics (Limited): Some platforms allow limiting ad tracking/analytics (e.g., iOS Settings → Privacy → Analytics & Improvements). Platform controls may not fully disable analytics required for core functionality.

Data Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:

1. Right to Access: Request a copy of your personal data via email. Response within 30 days.
2. Right to Rectification: Correct inaccurate data in-app or request correction via email.
3. Right to Erasure ("Right to be Forgotten"): Request deletion of your data via in-app "Delete Account" or email. Deleted within 30 days unless legally required to retain.
4. Right to Restriction of Processing: Request limits on how we use your data via email.
5. Right to Data Portability: Request your data in a portable format (JSON/CSV) via email. Response within 30 days.
6. Right to Object: Object to processing based on legitimate interests (e.g., direct marketing) via email.
7. Right to Withdraw Consent: Withdraw consent at any time by deleting account or using provided opt-out mechanisms.
8. Right to Lodge a Complaint: Complain to a data protection authority (e.g., Dutch DPA: {{dutchDpaLink}}). autoriteitpersoonsgegevens.nl

Exercising Your Rights

To exercise any of these rights:

1. Email us at: icoffee.yourapp@gmail.com
2. Include "GDPR Request" in the subject line
3. Clearly specify which right you wish to exercise
4. Provide sufficient information to verify your identity

We will respond within 30 days. We do not charge fees for most requests.

Age Restrictions

The Service is not directed to children under 13 years of age (or under 16 in the EEA). We do not knowingly collect personal information from children under these ages.

Parental Controls

If you are a parent or guardian and believe your child has provided personal information to us:

• Contact us immediately at: icoffee.yourapp@gmail.com
• We will delete the child's account and data promptly
• Provide the account email or username for faster processing

School or Educational Use

If the Service is used in an educational setting with users under 13/16, the school or educational institution is responsible for obtaining appropriate parental consent and complying with applicable laws.

Data Processing Locations

Primary Infrastructure: Primary Infrastructure: Your data is processed and stored on Google Cloud infrastructure, which operates data centers globally (EU, US, Asia-Pacific, etc.).

Controller Location: Controller Location: iCoffee operates from the Netherlands and is subject to Dutch and EU data protection laws.

Safeguards for International Transfers

When your data is transferred outside the EEA, we rely on safeguards:

• Google Cloud: Complies with EU-U.S. Data Privacy Framework, employs Standard Contractual Clauses (SCCs), and maintains robust security practices.
• Other Providers: Selected providers must represent they implement appropriate safeguards. We require contractual commitments regarding data protection.

Your Rights Regarding International Transfers

You have the right to request information about storage locations and safeguards. Contact us at icoffee.yourapp@gmail.com.

Website (icoffeeapp.com)

Our website does not use tracking or analytics cookies. Our website does not use tracking or analytics cookies. The website may use minimal essential cookies only for basic functionality. No third-party tracking (no Google Analytics, no ad cookies).

No Cookie Banner Required: No Cookie Banner Required: Since we don't use tracking cookies, no consent banner is displayed.

Mobile App Analytics

Firebase Analytics Firebase Analytics is used exclusively within the mobile app (not website) to understand usage, monitor performance, and improve experience.

Settings: Settings: Granular location/device collection enabled (app only). Google Signals disabled.

Mobile App Data: Mobile App Data: The app does not use traditional cookies but uses Firebase Analytics SDK, local storage for offline use, and session tokens.

AI-Powered Recommendations

The Service uses AI (Google Gemini) to provide recommendations and guidance.

No automated decisions with legal effects: No automated decisions with legal effects: AI does not make legally significant decisions.

Purely advisory: Purely advisory: All recommendations are suggestions; you are in control.

Human oversight: Human oversight: Critical decisions are made by humans.

Profiling for Personalization

We use your history to customize the experience. Legal basis: Performance of contract.

No High-Risk Automated Decision-Making: No High-Risk Automated Decision-Making: We do not use automated decision-making for credit scoring, hiring, legal decisions, etc.

Planned Future Features

1. Subscription and Payment Processing: Billing info collected by providers (Stripe/RevenueCat). Rights: view history, cancel, refund.
2. Social and Sharing Features: Shared logs, profiles, comments. Visibility controlled by you. Rights: privacy settings, delete content, block users.
3. Advanced Analytics: Aggregated trends. Data anonymized where possible.
4. Third-Party Integrations: Potential integrations with roasters/equipment. Data shared only with explicit consent. Control: connect/disconnect at any time.

Notification of Changes

When new features are introduced, this policy will be updated. Notice provided for significant changes. Continued use implies acceptance.

Notification of Changes

Material Changes: Material Changes: Notice via in-app, email, or website. "Last updated" date reflects recent version.

Minor Changes: Minor Changes: Updated without separate notification.

Your Responsibility

Review periodically. Contact if questions. Continued use constitutes acceptance. If you disagree, you may delete your account.

Your Rights

• Right to Know: Categories of info collected, sources, purposes, sharing.
• Right to Delete: Request deletion (subject to exceptions).
• Right to Opt-Out: Not applicable as we do not sell info.
• Right to Correct: Request correction of inaccurate info.
• Right to Non-Discrimination: No discrimination for exercising rights.

Exercise Rights

Email icoffee.yourapp@gmail.com with subject "California Privacy Request". Response within 45 days.

Privacy Inquiries

Email: Email: icoffee.yourapp@gmail.com

Website: icoffeeapp.com

Response Times: Response Times: Gen. inquiries 5-10 days. GDPR 30 days. CCPA 45 days.

Data Protection Authority

Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

EU: EU: Contact your local DPA.