iCoffee Privacy Policy

1. Account & Authentication Data

What we collect:

• Email address
• Password (encrypted and managed by Firebase Authentication)
• Firebase User ID (UID)
• Google account profile information (if you sign in with Google): name, email, profile picture
• Apple ID–related information (if you sign in with Apple): as provided by Apple (e.g. email, name)
• Account creation date and last login timestamp
• Authentication method used (Google Sign-In, Sign in with Apple, or email/password)

Why we collect it:

• To create and maintain your user account
• To authenticate and secure your access to the Service
• To enable you to sign in across multiple devices
• To recover your account if you forget your password
• To communicate important account-related information

Legal basis (GDPR): Performance of contract and legitimate interests

2. Profile and Preferences Data

What we collect:

• Display name
• Username (unique @handle for display and account identification)
• Bio/profile description
• Profile photo (optional)
• Language and locale settings
• Unit preferences (metric/imperial)
• Taste preferences and flavor profiles
• Preferred brewing methods
• Preferred coffee equipment

Why we collect it:

• To personalize your experience within the app
• To provide relevant recommendations and brewing guidance
• To customize the interface to your language and unit preferences
• To improve AI-generated suggestions based on your preferences
• To display your profile information within the app
• Optional: to show your @username as the contributor when you contribute a coffee bean to our catalog (controlled by your in-app privacy preference)

Legal basis (GDPR): Performance of contract and legitimate interests

3. Brew Logs, Beans, Equipment, and Related Content

What we collect:

• Brew measurements (coffee dose, water amount, time, temperature, etc.)
• Brew ratings and scores
• Tasting notes and flavor descriptions
• Flavor tags and categories
• Coffee bean details (origin, roast date, roaster, variety, processing method, price, etc.)
• Bean ratings and reviews
• Equipment details (coffee makers, grinders, kettles, scales, etc.)
• Equipment specifications and settings
• Favorite brewing methods, beans, and equipment
• Achievement data and progress tracking
• Brewing streak data
• Brew photos (optional)
• Timestamps for all entries

Why we collect it:

• To track and display your brewing history
• To synchronize your data across multiple devices
• To generate personalized insights and statistics
• To provide AI-powered recommendations based on your brewing patterns
• To help you improve your coffee brewing skills over time
• To enable you to reference past brews and replicate successful recipes

Legal basis (GDPR): Performance of contract and legitimate interests

4. App Activity and Analytics Data

What we collect:

• App usage events across the following categories (representative examples; as the app evolves, new events may be added within these categories): Brewing (brew_logged, brew_log_edit, brew_log_delete, brew_guided_start, first_brew_completed); Library (bean_added, bean_detail_viewed, method_favorited, method_browsed, equipment_added, gear_detail_viewed); Authentication (auth_login, auth_signup, auth_logout); AI & Scanner (ai_barista_session_started, ai_request, scanner_opened, off_lookup_hit, off_lookup_miss); Engagement (onboarding_completed, search, settings_update, streak_milestone, mastery_level_up, rating_prompt_shown); Monetization (paywall_shown, paywall_dismissed, purchase_started, purchase_completed, purchase_failed); Screen views (automatic tracking for all major app screens, e.g. dashboard, brew_log, bean_library)
• User properties for aggregate cohort analysis. These are set on your device and sent to Firebase Analytics to enable segmentation (e.g., "how do Plus subscribers use the app differently from Lite users?"). Values are bucketed ranges, not raw counts: subscription_tier, account_type (guest or registered), app_language, platform; has_brewed, brew_count (bucketed: "0", "1-5", "6-20", "21-50", "50+"), bean_count, gear_count, method_count; streak_length (bucketed), mastery_level, achievement_count (bucketed); has_used_scanner, has_used_ai_barista, favorite_method, signup_source, onboarding_completed
• Search queries within the app (query length, not the query text)
• AI interaction events (requests made, features used)
• Feature engagement and navigation patterns
• Session duration and frequency
• Device information: device model, manufacturer, operating system version, screen resolution
• Android Advertising ID (GAID): A resettable, pseudonymous device identifier provided by Google Play Services, used by Firebase Analytics and RevenueCat to associate analytics events across sessions and attribute app installs. If you opt out of ad personalization or reset your Advertising ID in your device settings, we receive a string of zeros instead of the identifier. This ID is not used to serve or target advertisements.
• App version and build number
• Language and region settings
• Network information: IP address (coarse/approximate), connection type (WiFi/cellular), ISP metadata
• Installation and update events

Why we collect it:

• To understand which features are most valuable to users
• To improve app performance and user experience
• To identify and fix bugs and technical issues
• To analyze user engagement and retention
• To make data-driven product development decisions
• To optimize the app for different devices and OS versions

Third-party service: Firebase Analytics

Legal basis (GDPR): Legitimate interests

5. Crash Reports and Diagnostic Data

What we collect:

• Stack traces and error logs
• Device state at time of crash (memory usage, battery level, storage)
• App state and screen information
• Crash keys (custom metadata attached to each crash report to aid diagnosis): user_id (your Firebase UID — enables us to locate a specific user's crash report when they contact support), subscription_tier, account_type (guest or registered), app_version, current_screen, locale
• Non-fatal errors: Logged programmatically when the app encounters a recoverable error (e.g., an AI service failure or a purchase processing error) without a full crash. These help us detect and fix degraded experiences before they become crashes.
• Breadcrumbs: A trail of recent user actions (e.g., screen navigations) leading up to a crash, recorded automatically to help us reproduce and diagnose the issue. Breadcrumbs do not contain the content of your data (e.g., brew details), only navigation actions.
• Operating system version and device model
• Crash timestamp and frequency

Why we collect it:

• To diagnose and fix app crashes and stability issues
• To identify and resolve non-fatal errors before they escalate to crashes
• To improve app reliability and performance
• To prioritize bug fixes based on crash severity and frequency
• To ensure compatibility across different devices and OS versions
• To provide effective support when users report issues (crash keys enable us to locate the relevant report)

Third-party service: Firebase Crashlytics

Legal basis (GDPR): Legitimate interests

6. AI Interactions and Prompts

What we collect:

• Text prompts and chat messages you send to the AI assistant
• Brew context provided to the AI (your current brew parameters, preferences)
• Coffee bean and equipment context shared with the AI
• User manual URLs you submit for AI processing
• Location information you voluntarily provide in prompts or through precise GPS coordinates (e.g., "Find specialty coffee near me") to ground AI searches for nearby shops
• AI-generated responses and recommendations provided to you
• Conversation history for context continuity

Why we collect it:

• To generate personalized brewing guidance and recommendations
• To provide AI-powered features and conversational assistance
• To improve the quality and relevance of AI responses over time
• To maintain conversation context for better user experience

Third-party services:

• Google AI (Gemini): Primary AI provider. All AI features use Gemini by default.
• Groq (groq.com): Automatic fallback provider used when Gemini is temporarily unavailable. When a fallback occurs, the same interaction data described above (your message, conversation context, and user context) may be sent to Groq instead. Groq uses open-source large language models (e.g., Llama-family models) to generate responses. See Groq's Privacy Policy.

Important notes:

• Your AI interactions are sent to Google Gemini (or Groq as fallback) to generate responses
• We do not use your AI conversations to train our own models
• Conversation data is stored to maintain context within your session
• Google and Groq may use interactions to improve their AI services according to their own policies

Legal basis (GDPR): Performance of contract and legitimate interests

7. URL Safety Checks

What we collect:

• URLs you submit for manual extraction or safety verification
• Timestamps of URL submissions

Why we collect it:

• To protect you from malicious or unsafe websites
• To verify the safety of user manual links before processing
• To prevent phishing, malware, and other security threats

Third-party service: VirusTotal

Important notes:

• URLs are sent to VirusTotal only when you explicitly request a safety check or manual extraction
• VirusTotal may retain URLs according to their own policies
• Safety checks are performed in real-time and not stored by us long-term

Legal basis (GDPR): Legitimate interests and consent

8. Media Uploads

What we collect:

• Brew photos you choose to upload
• Bean or coffee label photos you capture or select (e.g. for the in-app scanner): used for AI-powered label reading and product matching, and stored so you can view them in your bean library
• Photo metadata (timestamp, file size, image dimensions)
• Optional: EXIF data if present in the image

Why we collect it:

• To allow you to visually document your brews
• To enhance your brew logging experience
• To sync photos across your devices
• To provide scanner features: label photos are sent to Google AI (Gemini) for text extraction and may be matched against our product catalog or external product databases. If a barcode is detected and not found in our internal catalog, the barcode may be submitted to Open Food Facts (world.openfoodfacts.org), a public food product database, to retrieve product information; processed images are stored so you can see them in the app
• To potentially enable future photo-based features

Storage: Firebase Cloud Storage (brew photos under brew-images; bean/label photos under bean-images, per your account).

Legal basis (GDPR): Performance of contract

9. Product Web Search and Bean Enrichment

What we collect:

• Coffee bean product names and roaster names that you save to your library
• Search queries constructed from your bean data (roaster + product name) and sent to Google Search via our backend proxy
• Cached search results stored in our Firestore database (product_search_cache collection) with a 30-day TTL
• Your monthly enrichment usage count, stored in the user_quotas Firestore collection as a rolling 30-day window

Why we collect it:

• To automatically look up official product descriptions, tasting notes, and photos for beans in your library
• To provide richer, more accurate bean information without requiring manual entry
• To enforce fair-use quotas for this feature based on your subscription tier (Lite: 5 enrichments/month; Plus: 20/month; Premium: unlimited)
• To cache results so that the same product search is not repeated unnecessarily

Third-party service: Google Search (via our Google Cloud Functions backend proxy). Product names and roaster names are sent to Google Search to find official product pages. We do not send your personal account data or brew history as part of these searches.

Important notes:

• Web enrichment runs automatically in the background when you save a new bean (subject to your monthly quota)
• You can see enriched information (official photos, descriptions) in your bean detail view
• Cache hits do not count against your monthly quota
• If your quota is reached, the bean is saved without enrichment until the next monthly window

Legal basis (GDPR): Performance of contract and legitimate interests

10. Device Permissions

To provide functionality, the app may request various device permissions including but not limited to:

• Camera: To take photos of your brews and to scan coffee bean labels (for AI-powered label reading and product matching)
• Storage/Photos: To save and access brew and bean photos
• Precise location access (GPS): To find specialty coffee shops nearby using the "Find Cafes Near Me" feature (when you use that feature)
• Internet Access: To sync data, access AI features, barcode/product lookups, and communicate with our servers

Note: You can manage these permissions in your device settings. Denying permissions may limit certain app features. As the app evolves, additional permissions may be requested to support new features.

11. Local Data and Offline Storage

What we store locally:

• Cached copies of your Firestore data for offline access
• Temporary session data (e.g. AI Barista conversation history for session continuity, stored only on your device)
• App preferences and settings

Why we store it locally:

• To enable offline functionality when you don't have internet access
• To improve app performance and reduce loading times
• To preserve your work in case of connectivity issues
• Native plugins (like Camera and Geolocation) may use temporary local storage for processing captured media or location data before cloud synchronization or display.

Important notes:

• Local data is cleared when you sign out of the app
• Local data is deleted when you uninstall the app
• Guest mode (anonymous) data is stored in Firebase under an anonymous identifier assigned by Firebase Authentication. It cannot be accessed from another device or recovered after signing out or uninstalling the app, because it is not linked to a persistent user account you can sign in to elsewhere

12. Subscription & Payment Processing

What we collect:

• Subscription tier status (Lite, Plus, or Premium)
• Billing period (monthly or annual)
• Trial status and trial start date (if applicable)
• Transaction identifiers managed by the payment provider (not raw payment data)
• App User ID linked to your subscription entitlements
• Usage quota counters: Daily AI message counts (stored locally and in Firestore) and monthly bean web enrichment counts (stored in the user_quotas Firestore collection, rolling 30-day window) — used to enforce per-tier limits

What we do NOT collect:

• Credit card numbers, CVVs, or billing addresses
• Bank account details
• Payment method specifics (handled entirely by the store or payment processor)

Why we collect it:

• To determine which features and limits apply to your account
• To verify your subscription status and entitlements
• To support purchase restoration across devices
• To provide customer support for billing-related inquiries

Third-party services:

• RevenueCat: Receipt validation, entitlement management, and subscription lifecycle tracking. RevenueCat receives your App User ID and purchase receipts from Apple/Google/Stripe to verify entitlements. See RevenueCat's Privacy Policy.
• Stripe (Web Billing): Processes web-based subscription payments via RevenueCat Web Billing. Stripe handles all payment card data directly; we never see or store your card details. See Stripe's Privacy Policy.
• Apple App Store / Google Play Store: Processes native in-app purchases. Payment information is managed entirely by Apple/Google; we only receive transaction confirmation and entitlement status.

Refund policy:

• iOS/Android purchases: Refunds handled via Apple App Store or Google Play Store refund processes.
• Web (Stripe) purchases: Refund requests can be submitted via email within 14 days of purchase.

Legal basis (GDPR): Performance of contract and legal obligation

13. User Feedback

What we collect:

• Text feedback submitted through in-app rating prompts (when you choose "Not really" and provide feedback)
• Associated metadata: user ID, trigger context, platform, subscription tier, timestamp

Why we collect it:

• To understand what can be improved in the app
• To prioritize feature development and bug fixes based on user feedback

Storage: Firebase Firestore (feedback collection). Feedback is not publicly visible.

Legal basis (GDPR): Legitimate interests

Guest Mode

• Data storage: Brew logs, beans, and equipment are stored in Firebase but not associated with a user account
• No account association: Your data is not linked to any account identifier and cannot be accessed after uninstalling
• No cross-device sync: Data cannot be synchronized or accessed from other devices
• Analytics: Anonymous usage data and crash reports are still sent to Firebase Analytics and Crashlytics
• Data deletion: All data is lost when you uninstall the app or clear app data - it cannot be recovered
• Limitations: No account recovery, no cross-device access, limited AI features

Registered Accounts

• Data storage: Data is stored in Firebase Firestore and synchronized across all your devices
• Cloud backup: Your data is backed up and accessible from any device you sign in to
• Account-based features: Access to synchronization, AI assistance, cloud storage, and all account-specific features
• Account management: Ability to delete specific entries or your entire account
• Recovery: Can recover your account and data if you lose access to a device

Core Functionality

1. Account Management: Create, maintain, and secure your user account
2. Data Synchronization: Sync your brew logs, beans, and equipment across devices
3. Brew Logging: Track, store, and display your brewing history and statistics
4. Equipment Library: Maintain your personal collection of coffee equipment and beans
5. Achievements: Track progress, milestones, and brewing streaks
6. Personalization: Customize the app experience based on your preferences and settings
7. Subscription Management: Determine which features and usage limits apply to your account based on your subscription tier; enforce daily and monthly usage quotas

AI-Powered Features

8. Brewing Guidance: Provide personalized brewing recommendations via AI
9. Conversational Assistance: Answer your coffee-related questions through AI chat
10. Recipe Suggestions: Generate brew recipes based on your preferences and equipment
11. Contextual Help: Provide relevant assistance based on your current brewing context

Service Improvement

12. Analytics: Understand feature usage patterns and user engagement
13. Performance Optimization: Monitor and improve app speed and reliability
14. Bug Fixes: Diagnose and resolve crashes and technical issues
15. Feature Development: Make data-driven decisions about new features and improvements
16. Quality Assurance: Test and validate app functionality across different devices

Security and Safety

17. URL Verification: Protect users from malicious links via VirusTotal checks
18. Fraud Prevention: Detect and prevent abuse of the Service
19. Account Security: Monitor for suspicious activity and unauthorized access

Communication

20. Service Updates: Notify you of important changes to the app or policies
21. Feature Announcements: Inform you about new features and improvements
22. Support: Respond to your inquiries and support requests

Future Features (When Implemented)

23. Social Features: Enable content sharing and community interactions (when available)
24. Advanced Analytics: Provide detailed brewing insights and trends
25. Advanced Subscription Analytics: Provide detailed usage insights per subscription tier

Google (Firebase & Google AI)

We use Google's infrastructure and services for core app functionality:

Services used:

• Firebase Authentication: Account creation, sign-in, and user management
• Cloud Firestore: Database for storing and syncing your brew logs, beans, equipment, and profile data
• Firebase Cloud Storage: Storage for brew photos and media uploads
• Firebase Analytics: App usage analytics and user engagement tracking
• Firebase Crashlytics: Crash reporting and stability diagnostics
• Google AI (Gemini): AI-powered features, recommendations, and conversational assistance

Data shared with Google:

• Account and authentication data
• All user-generated content (brews, beans, equipment, photos)
• App usage and analytics events
• Crash reports and diagnostic data
• AI prompts and conversation data

Governance:

Data shared with Google is governed by the Google Privacy Policy and Google Cloud Terms of Service.

Data location:

Your data is stored on Google Cloud infrastructure, which may be located in data centers around the world. Google employs appropriate safeguards for international data transfers.

Retention:

• Firebase Authentication retains account data as long as your account is active
• Firestore and Cloud Storage retain your data until you delete it or delete your account
• Firebase Analytics retains event data for up to 14 months by default
• Firebase Crashlytics retains crash data for up to 90 days
• Google AI may retain interaction data according to Google's policies

Important: These retention periods are controlled by Google and may change without notice to us. For the most current information, please refer to Google's privacy documentation.

Groq (AI Fallback)

Service: Large language model inference, used as an automatic fallback when Google AI (Gemini) is temporarily unavailable.

When data is shared: Only when an AI request fails to complete via Gemini and is automatically retried via Groq.

Data shared: The same AI interaction data sent to Gemini (your message, conversation context, and user context block including brew and bean data). No additional data is sent.

Governance: Groq's data handling is governed by their Privacy Policy and Terms of Service.

Note: You will not see a difference in the app when Groq handles a request. The response is presented the same way as a Gemini-generated response.

Open Food Facts

Service: Public food product database used for barcode lookup when a scanned barcode is not found in our internal catalog.

When data is shared: Only when you scan a barcode and the product is not found in our internal catalog (621 products). The lookup is a read-only query to the Open Food Facts public API.

Data shared: The barcode (EAN/UPC number) scanned. No personal data or account information is shared with Open Food Facts.

Governance: Open Food Facts is a non-profit open database. Barcode queries are public API calls; see Open Food Facts' terms of use.

VirusTotal

Service: URL safety analysis and malware scanning

When data is shared: Only when you explicitly submit a URL for safety checking or manual extraction

Data shared:

• URLs you submit for analysis
• Timestamp of submission

Governance: VirusTotal's data handling is governed by their Terms of Service and Privacy Policy.

Note: VirusTotal is owned by Google/Chronicle but operates as a separate service with its own policies. Their data retention practices may change without notice to us.

RevenueCat (Subscription Management)

Service: Subscription entitlement management, receipt validation, and billing coordination across platforms (iOS, Android, Web).

Data shared: App User ID, purchase receipts (forwarded from Apple/Google/Stripe), subscription status queries, platform type.

Governance: RevenueCat's data handling is governed by their Privacy Policy and Terms of Service.

Note: RevenueCat acts as an intermediary between your device and the payment provider. They validate receipts and manage entitlements but do not process credit card payments directly.

Stripe (Web Billing)

Service: Web-based subscription payment processing via RevenueCat Web Billing.

When data is shared: Only when you subscribe or manage billing through the web version of the app.

Data shared: Payment card details are submitted directly to Stripe (we never see or store them). Stripe shares transaction status and subscription confirmation with RevenueCat.

Governance: Stripe's data handling is governed by their Privacy Policy and Terms of Service.

Future Third-Party Services

As we add new features, we may integrate additional third-party services such as:

• Social Media Integration (Future): Optional integration with social platforms for content sharing. You will be able to control what data is shared.
• Analytics and Marketing Tools (Future): Additional analytics platforms for advanced insights. Marketing platforms for feature announcements (with your consent).

When new services are added, this Privacy Policy will be updated to reflect those integrations.

Data Storage

Cloud Storage:

• Primary storage: Google Cloud Firestore and Firebase Cloud Storage (including brew-images and bean-images per your account)
• Geographic location: Data centers operated by Google globally
• Redundancy: Google maintains multiple copies for reliability and disaster recovery

Local Storage:

• Device cache: Temporary copies stored on your device for offline access
• Session data: Stored locally during active app sessions
• Cleared upon sign-out or app uninstall

Security Measures

We implement industry-standard security measures to protect your data:

Transmission Security: All data transmitted over HTTPS/TLS encryption. Secure WebSocket connections for real-time features. Certificate pinning for added protection.

Storage Security: Firebase security rules restrict access to your data. Data encrypted at rest by Google Cloud. Access controls limit who can view or modify data.

Authentication Security: Passwords hashed using industry-standard algorithms (bcrypt via Firebase). Support for strong password requirements. Google Sign-In and Sign in with Apple use OAuth 2.0 for secure authentication. Session tokens expire and require re-authentication.

Application Security: Regular security audits and vulnerability assessments. Dependency scanning and updates. Code reviews and security best practices.

Important Disclaimer: While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

Data Retention

We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy.

• Active Accounts: Account data retained as long as your account is active. Brew logs, beans, equipment, photos, and profile data retained until you delete them or your account.
• Deleted Content: Individual entries (e.g. a single brew log or bean) are permanently deleted from Firestore immediately upon your action in the app. Full account deletion removes all associated data immediately — see the How to delete your account and data section for the complete list of what is deleted.
• Analytics and Logs: Firebase Analytics event data retained for up to 14 months. Crashlytics reports retained for up to 90 days. Server logs retained as required for security and operational purposes.
• Aggregated Data: Anonymized, aggregated analytics may be retained indefinitely for service improvement. Cannot be linked back to individual users.
• Legal Obligations: We may retain certain data longer if required by law, regulation, legal process, or to protect our legal rights.
• Backup Systems: Deleted data may persist temporarily in backup systems before permanent deletion. Backups are cycled according to standard retention schedules.

In-App Controls

• Profile Management: Update your display name, username, bio, and preferences at any time. Change your email address (requires re-authentication). Upload or change your profile photo. Adjust unit settings and language preferences.
• Content Management: Edit or delete individual brew logs, coffee bean entries, equipment entries, photos. Manage favorites and preferences.
• Account Management: You can delete your account and data in the app (see How to delete your account and data below). Sign out from any device.

How to delete your account and data

iCoffee (and the developer named on your store listing) let you request account deletion and deletion of your associated data. You can do this from inside the app; there is no separate web form. If you cannot use the app (for example, you no longer have the device), you can contact us by email (see below).

Steps to request account and data deletion (in the app)

1. Open the iCoffee app and sign in to your account.
2. Go to the Profile tab (bottom navigation).
3. Open My Profile.
4. Scroll to Delete Account and follow the on-screen steps to confirm.
5. After you confirm, your account and associated data are deleted immediately as described below.

What we delete

When you delete your account, we delete the following data from our systems immediately upon your confirmation:

• Firebase Authentication credentials — your sign-in account and session tokens are removed immediately.
• Your profile — display name, @username (the handle is released and made available again), bio, profile photo, language and unit preferences, taste preferences, and all other account settings.
• Your brew logs — your complete brewing history, ratings, tasting notes, flavor tags, and brew parameters.
• Your bean library — all coffee beans you added, including bean details, ratings, and associated photos.
• Your custom brewing methods — any methods you created or customized.
• Your favorited brewing methods — the list of method IDs you marked as favorites.
• Your equipment library — all coffee gear you registered.
• Your achievement progress — all achievement and milestone records.
• Your subscription order records — order history stored in our database.
• Your feedback submissions — any feedback you submitted via the in-app rating prompt.
• Your usage quota records — daily AI message counts and monthly enrichment usage counters.
• Your uploaded media — all photos stored in Firebase Cloud Storage, including brew photos, bean photos, profile photos, and feedback screenshots.
• Your local app data — app preferences, offline brew queue, AI chat session history, and other data cached locally on your device.

What we keep (and for how long)

• Analytics and crash data: Events and crash reports already sent to Firebase Analytics and Crashlytics are subject to those services' retention (e.g. up to 14 months for Analytics, up to 90 days for Crashlytics). We cannot delete them from Google's systems; they are not linked to your account after deletion.
• RevenueCat subscription history: Upon account deletion, we submit a deletion request to RevenueCat to remove your subscriber record. RevenueCat may retain certain transaction records as required for financial compliance and record-keeping obligations. For further enquiries regarding RevenueCat's data retention, you may contact RevenueCat directly.
• Shared product search cache: Our product search cache stores results by product fingerprint (roaster name + product name), not by user identity. These anonymous cache entries are not linked to your account and expire automatically after 30 days.
• Anonymized or aggregated data: We may retain non-identifying, aggregated statistics that cannot be linked back to you.
• Backups: Deleted data may remain in backup systems for a short period before being overwritten; we do not use backups to restore your account or personal data.
• Legal obligations: We may keep certain data longer where required by law (e.g. legal hold, regulatory request).

Timeline

• Account and all associated data: deleted immediately when you confirm the deletion in the app. The process typically completes within seconds to a few minutes depending on the volume of your data. It is not scheduled for a later date.
• Backup copies: purged in line with our backup cycle (within 30 days at most).
• Third-party systems (Firebase Analytics, Crashlytics, RevenueCat): subject to those services' own retention schedules as described above.

Deleting only some data (without deleting your account)

You can delete individual items in the app (e.g. a brew log, a bean, a piece of equipment) from the relevant screens. That does not delete your account; only Delete Account in My Profile removes your account and all associated data as described above. For requests to delete specific data that you cannot remove in the app, contact us at the email below.

If you cannot use the app

Contact us at icoffee.yourapp@gmail.com with "Account deletion" or "Data deletion" in the subject line and the email or username of the account. We will process the request in line with this policy.

Device-Level Controls

• Permissions: Manage app permissions (camera, storage, etc.) in your device settings. Revoke permissions at any time (may limit functionality).
• Analytics (Limited): Some platforms allow you to limit ad tracking or analytics. iOS: Settings → Privacy → Analytics & Improvements. Android: Settings → Google → Ads → Opt out of Ads Personalization. Note: These platform-level controls may not fully disable analytics, as Firebase requires certain data for core functionality.

Data Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

Exercising Your Rights

To exercise any of these rights:

1. Email us at: icoffee.yourapp@gmail.com
2. Include "GDPR Request" in the subject line
3. Clearly specify which right you wish to exercise
4. Provide sufficient information to verify your identity
5. We will respond within 30 days

We do not charge fees for most requests, but may charge a reasonable fee for excessive, repetitive, or manifestly unfounded requests.

Age Restrictions

The Service is not directed to children under 13 years of age (or under 16 in the EEA). We do not knowingly collect personal information from children under these ages. We comply with the US Children's Online Privacy Protection Act (COPPA) and the EU General Data Protection Regulation (GDPR) as they apply to children.

Parental Controls

If you are a parent or guardian and believe your child has provided personal information to us:

• Contact us immediately at: icoffee.yourapp@gmail.com
• We will delete the child's account and data promptly
• Provide the account email or username for faster processing

School or Educational Use

If the Service is used in an educational setting with users under 13/16, the school or educational institution is responsible for obtaining appropriate parental consent and complying with applicable laws (such as COPPA in the US or GDPR in the EU).

Data Processing Locations

Primary Infrastructure: Your data is processed and stored on Google Cloud infrastructure, which operates data centers globally including locations in:

• European Union (EU)
• United States
• Asia-Pacific regions
• Other global locations

Controller Location: iCoffee operates from the Netherlands and is subject to Dutch and EU data protection laws.

Safeguards for International Transfers

When your data is transferred outside the EEA, we rely on the following safeguards:

• Google Cloud: Google complies with the EU-U.S. Data Privacy Framework, employs Standard Contractual Clauses (SCCs) approved by the European Commission, and maintains robust security and privacy practices.
• Other Providers: We select third-party service providers that represent they implement appropriate safeguards for international data transfers. We require contractual commitments from providers regarding data protection, though we cannot control their actual practices. Third-party providers are responsible for their own compliance with applicable data protection laws.

Additional Regional Notes

The Service is available in Brazilian Portuguese, Simplified Chinese, and Traditional Chinese. If you are located in Brazil, your data processing may be subject to the Lei Geral de Proteção de Dados (LGPD). If you are located in mainland China, your data processing may be subject to the Personal Information Protection Law (PIPL). We encourage users in these regions to contact us at icoffee.yourapp@gmail.com for information about how your data is handled under local law. Where required by applicable local law, additional disclosures or consent mechanisms may apply.

Your Rights Regarding International Transfers

You have the right to:

• Request information about where your data is stored and processed
• Request information about the safeguards Google Cloud implements for international transfers
• Contact us at icoffee.yourapp@gmail.com for more information

Website (icoffeeapp.com)

Our website does not use tracking or analytics cookies.

Our website does not use tracking or analytics cookies.

The website may use minimal essential cookies only for:

• Basic website functionality
• Remembering user preferences (if applicable)

No third-party tracking:

• We do not use Google Analytics on the website
• We do not use advertising or marketing cookies
• We do not track you across websites

Types of cookies (if any):

Essential Cookies Only:

• Required for basic website functionality
• Examples: session management, security tokens

Mobile App Analytics

Firebase Analytics is used exclusively within the mobile app (not on the website) to:

• Understand how users interact with app features
• Monitor app performance and stability
• Improve the user experience

Settings:

• Granular location and device data collection: Enabled (mobile app only)
• Google Signals: Disabled
• Data collection follows the practices described in the "App Activity and Analytics Data" section above

No Cookie Banner Required

Since our website does not use tracking or analytics cookies, no cookie consent banner is required or displayed.

Browser Settings

Most browsers allow you to control cookies through settings. You can:

• Block or delete cookies at any time
• Set preferences for cookie acceptance

Note: Blocking essential cookies may prevent the website from functioning properly.

Mobile App Data

The mobile app does not use traditional web cookies. However, the app does use:

• Firebase Analytics SDK for app usage tracking (see "App Activity and Analytics Data" section)
• Local storage for offline functionality
• Session tokens for authentication

These are covered in detail in the main sections of this Privacy Policy above.

AI-Powered Recommendations

The Service uses AI (Google Gemini) to provide:

• Brewing recommendations based on your preferences and history
• Personalized guidance and tips
• Conversational assistance and answers to questions

Important clarifications:

• No automated decisions with legal or significant effects: The AI does not make decisions that legally or significantly affect you
• Purely advisory: All AI recommendations are suggestions only; you are in full control
• No automated account actions: We do not use AI to automatically ban, restrict, or suspend accounts
• Human oversight: Critical decisions are made by humans, not automated systems

Profiling for Personalization

We use your brewing history and preferences to:

• Suggest brewing methods you might enjoy
• Recommend equipment or beans
• Customize the app experience to your taste

Legal Basis: These personalization features are processed as necessary for the performance of our contract with you (providing the Service you signed up for).

Important Notes:

• Personalization is a core feature of the Service and cannot be individually disabled
• All recommendations are advisory; you maintain full control over your brewing decisions
• You may opt out of personalization entirely by deleting your account and discontinuing use of the Service

No High-Risk Automated Decision-Making

We do not use automated decision-making for:

• Credit scoring or financial decisions
• Employment or hiring decisions
• Access to services or benefits
• Legal or judicial decisions
• Law enforcement or surveillance

Planned Features

• Social and Sharing Features: Enable content sharing and community interactions. Data collected may include shared brew logs, public profiles, comments, likes, follows. You will control what you share publicly vs. keep private.
• Advanced Analytics and Insights: Provide deeper insights into your brewing performance using aggregated brewing trends and statistical comparisons. We will make reasonable efforts to anonymize and aggregate community data.
• Third-Party Integrations: Potential integrations with coffee roaster databases, equipment manufacturers, smart coffee devices, and recipe platforms. Data sharing only with your explicit consent; you can connect or disconnect integrations at any time.

Notification of Changes

When new features are introduced, this Privacy Policy will be updated to reflect new data practices. We may provide notice of significant changes through in-app notifications, email, or website announcements where feasible. The "Last updated" date will always reflect the most recent version. Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

Notification of Changes

Material Changes: For significant changes to our data collection, use, or sharing practices, we will make reasonable efforts to notify users through in-app notification, email to registered users, or prominent notice on our website. The "Last updated" date at the top of this policy will always reflect the most recent version.

Minor Changes: Non-material changes (such as clarifications, formatting updates, or corrections) may be made by updating this Privacy Policy without separate notification.

Your Responsibility

It is your responsibility to review this Privacy Policy periodically, check the "Last updated" date for recent changes, and contact us if you have questions. If you disagree with updated Privacy Policy, you may delete your account and discontinue use of the Service. Continued use after changes constitutes acceptance of the updated policy.

Your California Rights

• Right to Know: What personal information we collect, categories of sources, business or commercial purposes for collection, and categories of third parties with whom we share information.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions (legal compliance, fraud prevention).
• Right to Opt-Out: We do not sell personal information, so opt-out is not applicable. We do not share personal information for cross-context behavioral advertising.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information in ways that trigger this right.
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

How to Exercise California Rights

Email us at icoffee.yourapp@gmail.com with subject line "California Privacy Request". Specify which right you wish to exercise and provide verification information. Response time: Within 45 days (may extend by 45 days if needed). You may designate an authorized agent to make requests on your behalf; agent must provide proof of authorization and we may require you to verify your identity directly.

Privacy Inquiries

Email: icoffee.yourapp@gmail.com

Website: icoffeeapp.com

Response Times: General inquiries: 5-10 business days. GDPR requests: Within 30 days. CCPA requests: Within 45 days.

Data Protection Authority

Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)

EU: You may also contact your local data protection authority in your EU member state.