Baristica

Privacy Policy

Last updated: 2 May 2026

This Privacy Policy describes how Baristica (“we,” “us,” or “our”) collects, uses, shares, and protects information when you use the Baristica mobile application (“App”), related web properties we operate (such as our administrator tools, if applicable), and related services (collectively, the “Services”).

By using the Services, you acknowledge this Policy. If you do not agree, please do not use the Services.


1. Who we are

Data controller: Baristica (operator of the Baristica App).

Contact (general & privacy): support@baristica.app

For EU/UK privacy requests, you may use the same contact address and include “GDPR Request” in the subject line where helpful.


2. Scope

This Policy applies to personal data we process through the Services as described here. It does not govern third-party websites, payment providers, or app stores, which have their own policies.


3. Information we collect

We collect information you provide, information generated when you use the App, and limited technical data needed to run the Services.

3.1 Account and authentication (Supabase)

When you create or access an account we process:

  • Email address and password (passwords are hashed and stored by our authentication provider; we do not store your raw password in readable form).
  • Session / access tokens issued by our provider, which may be stored locally on your device (for example in encrypted or secure storage and/or local app storage) so you can stay signed in.
  • Optional identifiers you provide at sign-up such as full name and username (may be stored as part of your authentication profile metadata).

We use Supabase for authentication and backend data storage as described in Section 6.

3.2 Profile and preferences

Depending on your choices, your profile may include:

  • Display name fields such as full name and username
  • Birthday (if you choose to provide it)
  • City or location context you enter
  • Profile picture / avatar if you upload one (stored as a file URL reference in our systems)
  • Recipe and coffee preferences expressed through content you save, such as brewing records (method such as V60, Aeropress, or similar, grind, notes, ratings, titles, and related fields) and catalogue interactions (for example products you view or order)

We also maintain gamification and engagement data associated with your account where those features are enabled, such as experience points, quiz points, purchase-based points, streak counts, and dates such as last active (exact field names may evolve with the product).

3.3 Orders and fulfilment

When you place an order we collect data needed to fulfil it, which may include:

  • Name, phone number, and delivery or pickup address
  • Order items, amounts, grind or product options, and order status history
  • Payment status and transaction references returned by our payment provider (we do not store full payment card numbers on our servers as described in Section 5)

3.4 Quiz and educational features

If you use quiz or challenge features we process quiz participation data, including responses, scores, session timing, and rewards (such as points), as stored in our database for the operation of those features and any leaderboards we offer.

3.5 AI assistant (if enabled)

If the AI assistant feature is available and you use it, we process the messages and prompts you submit and related interaction records needed to provide responses, maintain safety, and improve the feature. Depending on configuration, short reports or logs of usage may be retained in our systems for operational and quality purposes. Do not submit health information, payment card details, or other sensitive categories of data in free-text fields.

3.6 Push notifications

If you opt in to push notifications we register an Expo push token with your account. This token is a messaging address used to deliver notifications through Expo’s push infrastructure; it is not equivalent to a hardware device serial number, but it is a persistent identifier for notification delivery on your installation until you reinstall the app, clear app data, or we rotate tokens.

We may use the token to send order updates, service messages, and optional marketing or news notifications according to your settings and platform permissions.

3.7 In-app messaging and notifications centre

We store in-app notifications (titles, bodies, and related metadata) linked to your account when we deliver them through the App.

3.8 Support and communications

If you contact us, we process your contact details and message content to respond.

3.9 Technical and security data

To operate, secure, and improve the Services we may process:

  • IP address and approximate network / device information typical of client–server requests
  • Device and OS type as reported by the client environment (for compatibility and diagnostics)
  • App configuration and update channel information (for example over-the-air configuration used to manage supported client behaviour)
  • Error and diagnostic messages emitted by the app in development or when not stripped; in production builds we configure tooling to reduce routine console output, while errors and warnings may still be emitted for debugging

Analytics: We do not integrate third-party advertising or product-analytics SDKs (such as Firebase Analytics, Mixpanel, or PostHog) in the App based on our current codebase. If we add analytics in the future, we will update this Policy and, where required, obtain consent.


4. How we use information

We use personal data to:

  • Create and secure accounts; authenticate users
  • Provide catalogue, ordering, payments handoff, fulfilment, and customer support
  • Operate optional features (quiz, brew records, leaderboard, AI assistant, news)
  • Send push and in-app notifications consistent with your preferences
  • Detect, prevent, and address fraud, abuse, and security issues
  • Comply with law, tax, and accounting obligations
  • Improve reliability and user experience of the Services

We do not sell your personal information in the conventional sense of exchanging it for money. We use service providers (processors) to host data and deliver features as described below.


5. Payments

For online payments (where available), transactions may be processed by our payment partner (E-point or another provider we disclose at checkout). Payment data you enter is handled under that provider’s terms and privacy notice. We typically receive confirmation of payment, transaction references, and amounts needed to complete your order and meet legal record-keeping obligations.


6. Sharing and processors

We share data with service providers strictly as needed:

Category | Examples of processing
Backend & auth | Supabase (database, authentication, file storage for assets such as avatars)
Mobile platform | Expo (notifications, build/update tooling)
Payments | E-point or other disclosed payment processors
Infrastructure | Hosting, email delivery, and telecommunications providers underlying the above

These providers may store or process data in the EU, the UK, the US, or other countries depending on their architecture. Where required, we use appropriate safeguards such as Standard Contractual Clauses or other lawful transfer tools.

We may disclose information if required by law, lawful request, or to protect rights, safety, and security.


7. Legal bases (EEA / UK / Switzerland)

Where GDPR or similar laws apply, we rely on one or more of the following:

  • Contract — to provide the Services you request (account, orders, features)
  • Legitimate interests — to secure the Services, fix bugs, analyse aggregate usage in internal tools, and communicate service messages (balanced against your rights)
  • Consent — where required (for example certain optional notifications or marketing); you may withdraw consent at any time
  • Legal obligation — bookkeeping, tax, and regulatory compliance

8. Retention

We keep information as long as your account is active and for a reasonable period afterwards to resolve disputes, enforce agreements, and comply with law. Certain order and tax records may be retained longer where required. Tokens and logs may be rotated or deleted according to operational policies.


9. Security

We implement administrative, technical, and organisational measures appropriate to the risk, including transport encryption (HTTPS) for client–server traffic where TLS is used, authenticated access to backend resources, and reliance on our providers’ security programmes. No method of storage or transmission is perfectly secure.


10. Your rights and choices

Depending on your location you may have rights to access, rectify, delete, restrict, object, or port certain data, and to withdraw consent where processing is consent-based.

  • Account deletion: Where available, use in-app Delete account (or equivalent). Some records may be retained where the law requires.
  • Marketing / push: Use in-app settings and your device settings to manage push categories and permissions.
  • Requests: Email support@baristica.app. We may need to verify your identity before fulfilling requests.

10.1 California (CCPA / CPRA)

If you are a California resident, you may have rights to know, delete, and correct personal information, and to opt out of certain sharing. We do not “sell” or “share” personal information for cross-context behavioural advertising as currently implemented. To submit a request, email us with “California Privacy Request” in the subject.

10.2 Children

The Services are not directed at children under 13 (or higher age where local law requires). If you believe we have collected data from a child, contact us and we will take appropriate steps.


11. International transfers

If you access the Services from outside the country where our providers process data, your information may be transferred across borders as described in Section 6.


12. Changes

We may update this Policy from time to time. We will post the updated version and revise the Last updated date. If changes are material, we will provide additional notice where appropriate (for example an in-app notice).


13. Contact

Questions about this Policy: support@baristica.app

Where applicable, you may also lodge a complaint with your local supervisory authority.