← BrewIQ

Privacy Policy

Effective 23 April 2026 · Last updated 20 May 2026

This policy explains what personal data BrewIQ collects, why we collect it, who it’s shared with, and the choices you have. It covers the BrewIQ mobile app, the brew-iq.app website, and the services that power them. We’ve written it in plain English. Where we use technical or legal terms, we define them.

BrewIQ is a coffee companion. To make useful recommendations, we learn from the brews you log. That means your data is the product’s engine, and we take looking after it seriously.

Contents

  1. Who we are
  2. Data we collect
  3. How we use your data and why it’s lawful
  4. Voice recordings and transcripts
  5. AI and how it works in the app
  6. Cross-user machine learning — your choice
  7. Sharing and sub-processors
  8. International data transfers
  9. Retention and deletion
  10. Your rights by country
  11. Security and DPIA
  12. Children
  13. Changes to this policy
  14. Contact and complaints

1. Who we are

BrewIQ (“BrewIQ”, “we”, “us”) is the data controller for the personal data described in this policy.

Trading name: BrewIQ
Operator: MAY APPS LTD
Correspondence address: 19 Calshot House, London N1 9AT
Company number: 17180702
ICO registration: ZC134169
Privacy contact: info@brew-iq.app

Where BrewIQ is available. BrewIQ is available on the Apple App Store and Google Play in the United Kingdom, United States, Canada, Australia, New Zealand, Singapore, Mexico, Brazil, Japan, and India. The current list of supported countries is shown on each platform’s storefront and may change over time. BrewIQ may also be temporarily available in other regions for closed-testing purposes via Apple TestFlight or Google Play internal testing, but is not actively marketed there.

BrewIQ is not currently offered in the European Economic Area (EEA) or Switzerland, and we do not actively target or market the app to individuals in those regions. If you are an EEA or Swiss resident who has accessed BrewIQ, this policy still describes how we handle your data and you retain the rights set out in Section 10.

Data Protection Officer. We have not appointed a DPO. Our processing does not meet the thresholds in Article 37 UK GDPR that would require one (we are not a public authority, our core activity is not large-scale systematic monitoring, and we do not process special-category data at scale). For jurisdictions that require a designated privacy contact (Singapore PDPA, Brazil LGPD, Quebec Law 25), the BrewIQ privacy contact named above acts in that capacity and can be reached at info@brew-iq.app.

EU representative. Because BrewIQ is not currently offered in the EEA, we have not appointed an Article 27 EU representative. Before any EEA launch we will appoint one and update this section with their name and contact address.

2. Data we collect

We only collect what we need to run BrewIQ, improve your recommendations, and keep the service secure. In practice, that falls into the categories below.

Account and profile

  • Email address and authentication state (via Supabase Auth).
  • Display name, avatar, unit preference (metric/imperial).
  • Self-declared experience level and preferred brew method.
  • Consent choices (data sharing for model training, marketing emails) and the timestamp you recorded them.

Brew data

  • Brew method, dose, grind setting, water temperature, brew time, yield, pressure, pre-infusion time.
  • Your equipment (grinders, espresso machines, brewing devices, kettles, scales) and your current beans (origin, roast date, process, variety).
  • Taste outcome and scores you give a brew (overall, acidity, sweetness, body, bitterness, aftertaste, free-text notes, descriptors you tick).
  • Optional environment at brew time: ambient temperature, humidity, altitude.
  • Your water profile (source type, TDS, hardness, pH — either entered manually or looked up from your postcode area).
  • Notes you type and transcripts of what you say while logging a brew.
  • Photos you choose to scan for bean-bag OCR, and the text we extract from them. Photos are not retained once the extraction completes.
  • Recommendations we generate for you, and whether you followed them and how the resulting brew scored.

Device and technical data

  • App version, operating system and platform (iOS, Android, web), device model, language and time zone.
  • Server-side logs generated by our edge functions for debugging and abuse prevention (IP address, error traces, rate-limit counters). These are short-lived.

Product analytics and usage data

We collect data about how you use BrewIQ so we can understand what’s working, fix what isn’t, and prioritise what to build next. This includes:

  • Sessions: when you open the app, how long you stay, and which days and times you’re active.
  • Screen views and navigation paths (for example, which onboarding steps people complete and which they drop out of).
  • Feature usage — e.g. voice brew logging, bean scanner, taste feedback, recommendations you saw and whether you acted on them.
  • Interaction counts such as brews logged, beans added, recommendations viewed, ratings given, and similar in-app events.
  • Performance and stability signals: load times, API errors, crashes, and the app version and device where they occurred.
  • A stable pseudonymous identifier for your account so we can stitch these events together and tell “one returning user” apart from “a new one”.

Where we work with a product-analytics vendor, we configure it to minimise what it collects (no cross-site advertising identifiers, no third-party ad trackers, IP truncation where the vendor supports it). Analytics events are tied to your BrewIQ account identifier, not resold or cross-linked with other services. We’ll list the current vendor in Section 7 and update it as it changes.

Derived and computed data

  • Vector embeddings — numerical representations of your brews and beans used for similarity search. These are generated from the data you already provided.
  • Rolling averages per brew method (your “default profile”). These only include data you confirmed or logged — assumed placeholders never feed into them.
  • Model features and predictions derived from your brew data (e.g. inferred taste preferences, palate profile, extraction tendency) used to make the recommendations you see.

What we do not collect

  • Audio recordings. Only the text transcript is stored. Audio is discarded as soon as Whisper returns the transcript.
  • Third-party advertising IDs (such as Apple IDFA or Google AAID) and cross-app behavioural ad trackers. BrewIQ doesn’t run advertising.
  • Precise GPS location. Water lookup uses your postcode area only, and only if you provide one.
  • Contacts, photo library, or data from other apps beyond the single photo you hand to the bean scanner.
  • Payment details. The app is currently free. If that changes, a payment provider will handle card data and we’ll update this policy.
  • Special category data as defined by UK GDPR (health, biometrics, etc.). Please don’t put this in brew notes.

Data we receive from other sources

Most of your data comes from you directly. We also receive a small amount of data from other places to enrich what you log:

  • UK water-utility data — when you enter a postcode for water-hardness lookup, we match it against publicly published water-utility data to suggest a hardness band. The postcode itself is not permanently stored; only the derived water profile is.
  • Public manufacturer data — equipment guidelines (grind ranges, temperature recommendations) are scraped from manufacturer websites and support documents. That’s public product information, not your personal data, but it’s worth being transparent that it feeds your recommendations.
  • Planned product-analytics vendor (once live) — will receive the session, screen-view, and feature-usage events described above.

3. How we use your data and why it’s lawful

Under UK GDPR we need a lawful basis for every use of your personal data. Here is what we do and the basis we rely on.

  • Run the app for you. Authenticating you, saving your brews, generating your personal recommendations (which requires running BrewIQ’s own models on your data), and showing your history. Lawful basis: performance of a contract with you (the Terms).
  • Keep the service safe and reliable. Rate limiting, fraud and abuse prevention, security monitoring, debugging, backups. Lawful basis: legitimate interests in keeping the service working, balanced against your privacy.
  • Understand how BrewIQ is used. Product analytics, feature usage, session timing, stability and performance monitoring, funnel analysis, and A/B testing of new features. Lawful basis: legitimate interests in understanding and improving the product. Where local law requires consent to non-essential analytics cookies or device identifiers, we ask for it first.
  • Train, evaluate, and improve BrewIQ’s models and features — now and in the future. Your brew data (parameters, taste outcomes, transcripts, notes, equipment and bean records, interactions with recommendations, and derived features) is used to train, fine-tune, benchmark, test, debug, and evaluate the models and systems that power BrewIQ — including rule engines, similarity search, clustering, embeddings, regression and classification models, language-model prompts, voice understanding, palate inference, and any future model, product, or feature that BrewIQ develops. This work happens inside BrewIQ’s own systems. Lawful basis: legitimate interests in improving the Service for the benefit of users, with the safeguards described in Section 6. You can object at any time (see Section 10).
  • Research, experiment, and develop new BrewIQ products. Using your data (or pseudonymised derivatives of it) to run experiments, A/B tests, quality reviews, evaluation sets, and internal research that informs what we build next inside BrewIQ. Lawful basis: legitimate interests. If a new product means a materially different use of your personal data, we’ll describe it here first and, where required, ask for fresh consent.
  • Pool data across users to make everyone’s recommendations better. Only where you have turned on “Share anonymised brew data” in Profile → Privacy & consent. Lawful basis: your consent (see Section 6). You can withdraw that consent at any time.
  • Talk to you. Product updates, safety notices, and replies when you contact us. Service messages rely on legitimate interests; anything marketing-flavoured only goes out if you turned on marketing emails in your profile.
  • Comply with law. Responding to valid legal requests and keeping records where we must. Lawful basis: legal obligation.

We do not sell your personal data. We may sell or license aggregated, anonymised insights derived from the user base — data that cannot identify you and cannot be reverse-engineered to do so. We do not profile you for third-party advertising. We do not run behavioural ad trackers inside the app or on this website.

4. Voice recordings and transcripts

When you hold down to speak, audio is captured on your device, streamed to OpenAI’s Whisper API for transcription, and then discarded. The audio is not written to persistent storage on our side at any point. Only the transcript text is stored, attached to the brew you were logging, and it is deleted when that brew log is deleted. Our arrangement with OpenAI is that your audio is not used to train their models.

5. AI and how it works in the app

The first time you use a feature that sends data to a third-party AI provider, BrewIQ asks for your explicit permission and records the timestamp of your choice. You can change your mind later from Profile → Privacy & consent.

There are three AI touches on your data during normal use:

  • Transcription — OpenAI Whisper turns your spoken brew notes into text.
  • Brew Buddy — Anthropic Claude extracts structured parameters from that transcript (dose, grind, temperature, time, and similar fields) and asks one clarifying question if something essential is missing.
  • Bean-bag scanning — when you point your camera at a bag, we send the image to Anthropic Claude (vision) to read the label and pull out the bean name, origin, process, and roast date. The image is not written to persistent storage and is discarded once the extraction returns.

For these calls we send only what’s needed: your current brew context and a few recent brews for continuity. We do not send your email address, account identifier, or any free-text field that isn’t needed for the task. Our contracts with OpenAI and Anthropic bar them from using your data to train their own models.

AI transparency. In line with the EU AI Act transparency rules that take effect in August 2026, any text BrewIQ surfaces to you that was generated by an AI model (for example, an extracted brew summary or a recommendation narrative) is labelled as AI-generated in the app. The voice interface makes clear that you are interacting with an automated assistant, not a human.

6. Machine learning and how BrewIQ learns from your data

Recommendations are the core of BrewIQ, and recommendations come from models. Those models are only useful if they learn from real brews. This section explains how we use your data for machine learning, the safeguards around it, and the choices you have.

A. Your data, to serve you

Your brew logs, taste ratings, transcripts, notes, equipment and bean records, water profile, environment data, embeddings, and the recommendations you received and acted on all feed into how BrewIQ generates suggestions for youspecifically. This runs inside our systems on the lawful basis of performance of a contract — you asked us to recommend coffee settings, and learning from your own brews is how the Service actually does that.

B. Your data, to train and develop BrewIQ’s models

We also use data from across the user base to train, evaluate, benchmark, fine-tune, test, debug, and improve BrewIQ’s recommendation engine and related machine-learning systems. That scope deliberately covers the models and techniques we use today and the ones we build in future — including rule engines, similarity search, clustering, embeddings, regression and classification models (such as XGBoost), language-model prompts and small fine-tunes, voice understanding, palate inference, and any future model, feature, or product BrewIQ develops that serves the same purpose of giving users better coffee suggestions. Lawful basis: legitimate interests in improving the Service for the benefit of current and future users, balanced against your privacy. The safeguards we apply are:

  • Training happens inside BrewIQ’s own systems. Your personal data is not handed to third parties so they can train their own models.
  • We minimise what each training task uses. Most tasks only need brew parameters, taste outcomes, equipment, and derived features — not your email, name, transcript text, or free-text notes.
  • Where a training or evaluation task does need free-text fields (for example, to improve voice understanding or prompt quality), access is limited to named engineers, logged, and the data is used only for that task.
  • Trained models do not memorise and regurgitate individual rows. Outputs are aggregate patterns (e.g. “V60 brewers with this bean tend to dial in around X”), never another user’s record.
  • Evaluation and experimentation — A/B tests, offline evals, quality reviews, red-teaming — is covered by this section and subject to the same safeguards.
  • You can object to this use at any time under Article 21 UK GDPR — email info@brew-iq.app and we’ll exclude your data from future training cycles and document it in your account.

C. Cross-user signals that affect what other users see

Separately from training our models, BrewIQ also pools brew-level signals across users so that the recommendation a given user sees right now can be informed by what worked for similar users. This is a direct cross-user effect, and we treat it as consent-based. It is off by default and only runs for users who have turned on “Share anonymised brew data” under Profile → Privacy & consent. When enabled:

  • Only anonymised brew parameters, taste outcomes, and vector embeddings are considered — never your name, email, transcript text, notes, or any free-text field that could identify you.
  • Queries to the cross-user pool explicitly exclude your own account from the results returned to you, and return only aggregate parameter medians — not other users’ row-level records.
  • You can withdraw consent at any time. From that moment your data stops contributing to new pooled results; aggregates already computed cannot be un-aggregated.

D. What we won’t do without asking first

  • Use your data to train a third party’s foundation model.
  • Sell your data, or rent it to advertisers or brokers.
  • Make legally significant automated decisions about you. BrewIQ recommendations aren’t that — they’re suggestions about coffee — but if this ever changes, Article 22 UK GDPR rights kick in.

If at some point we want to train a model in a way that is materially different from the above — for example, fine-tuning a large language model on individual brew logs, sharing training data with a partner, or using brew data for something other than improving BrewIQ — we will ask for fresh, specific consent before doing so.

7. Sharing and sub-processors

We do not sell your personal data. Aggregated, anonymised insights derived from the user base (described below) may be sold or licensed to partners — these cannot identify you and cannot be reverse-engineered to do so. We share personal data only with the service providers we rely on to run BrewIQ, each under a written data processing agreement. The current live sub-processors are:

  • Supabase — hosted PostgreSQL database, authentication, file storage, and edge functions. Our primary database region is the European Union (Frankfurt, AWS eu-central-1). Data is held on AWS infrastructure operated by Supabase.
  • OpenAI — Whisper speech-to-text transcription.
  • Anthropic — Claude, the language model behind Brew Buddy and bean-bag scanning.
  • Expo (EAS) — mobile app builds and over-the-air update delivery.
  • Apple App Store and Google Play — app distribution and platform-level services (crash reports limited to the OS default).
  • Vercel — hosting for the brew-iq.app marketing website.

The following categories of sub-processor are planned but not yet live. We’ll update this section with specific vendor names and the data involved before they begin processing your personal data, and we’ll notify you in-app if the change is material:

  • Product analytics provider — to collect the sessions, screen views, feature-usage events, and stability signals described in Section 2.
  • Crash and performance monitoring — beyond what the operating system reports by default.
  • Machine-learning worker — a dedicated environment where models are trained and evaluated on anonymised and minimised brew data.
  • Scraper worker — processes public manufacturer data for equipment guidelines, not personal data.
  • Transactional email provider — for account emails, data-export deliveries, and marketing emails if you opted in.

Aggregated and anonymised insights. We may share aggregated or anonymised statistics and insights derived from the user base (for example, “x% of AeroPress users grind in this range” or category-level trends in taste outcomes) with partners such as coffee roasters, equipment manufacturers, researchers, or the press. These insights do not identify you and cannot be reverse-engineered to identify you. We do not share personal data in this way.

We may also share data where strictly necessary to comply with law, enforce our Terms, or protect the rights, safety, or property of BrewIQ or others. If BrewIQ is ever acquired or merges with another company, your data may transfer — but this policy (or one at least as protective) will continue to apply, and we’ll tell you beforehand.

8. International data transfers

Some of our sub-processors are based in the United States (notably OpenAI, Anthropic, and Vercel). When your personal data is transferred out of the UK or EEA, we rely on safeguards recognised by UK GDPR. Specifically:

  • Anthropic and Vercel self-certify under the EU-US Data Privacy Framework (DPF) and its UK Extension, which the UK government recognises as providing an adequate level of protection.
  • OpenAI is not DPF-certified at the time of writing. For OpenAI, we rely on the EU Standard Contractual Clauses as amended by the UK International Data Transfer Addendum.
  • Supabase hosts our primary database in the EU (Frankfurt). For users outside the UK and EU, this means your data is transferred to the EU when you use the Service. For any onward transfers Supabase relies on SCCs with the UK Addendum.

We monitor these vendors’ transfer statuses and update this section if anything changes. A copy of the relevant safeguards is available on request to info@brew-iq.app.

9. Retention and deletion

  • While your account is active: we keep your data for as long as the account exists, so the app works.
  • Inactive accounts: if you don’t sign in for 24 months we’ll email you to check whether you still want the account. If there’s no response within 30 days, we’ll delete it under the same process as a voluntary deletion.
  • Brew sessions (transient state): cleared automatically after 7 days.
  • Deletion: when you delete your account from Profile → Account → Delete account (or from brew-iq.app/delete-account), your account is deactivated immediately — you’re signed out and we stop all processing (no recommendations, no emails, no analytics). After 30 days your personal data is permanently erased: profile, water profile, equipment, beans, recommendations, sessions, and method preferences are deleted; brew logs are anonymised by stripping the link to your identity and may be retained as anonymous training data to improve recommendations for all users. You can cancel deletion within the 30-day window by emailing info@brew-iq.app. Encrypted backups may retain pre-deletion records for up to 60 days before being overwritten on rotation.
  • Legal minimums: we may retain a small amount of data longer where law requires (for example, records related to a legal claim or required by tax or corporate law). We hold no more than necessary and we don’t keep it for any other purpose.
  • Aggregated and anonymised data: data that can no longer be tied back to you (for example, aggregate medians used to improve the model) may be retained indefinitely.

10. Your rights

Under UK GDPR (and the EU GDPR, if you’re in the EEA) you have the following rights. We will act on valid requests within one month.

  • Access: get a copy of the personal data we hold about you. The app has a Request export button under Profile → Privacy & consent.
  • Rectification: correct anything that’s wrong — most of this you can do directly in the app.
  • Erasure: have your data deleted (“right to be forgotten”).
  • Restriction: ask us to stop using your data for a period while something is resolved.
  • Portability: receive your brew data in a machine-readable format so you can take it elsewhere.
  • Object: object to uses that rely on legitimate interests.
  • Withdraw consent: where we rely on consent (cross-user ML, marketing emails), you can withdraw it at any time without affecting earlier lawful processing.
  • Not be subject to solely automated decisions with legal or similarly significant effects (Article 22 UK GDPR). BrewIQ’s recommendations don’t have that kind of effect — they’re suggestions about coffee that you can ignore, override, or adjust at any time in the app. Where a recommendation is generated automatically as part of delivering the Service you asked for, that falls within the Article 22(2)(a) exception (processing necessary for a contract), with human-override built into every screen.

To exercise any of these, email info@brew-iq.app from the address on your account, or use the in-app controls in Profile.

US state privacy rights (California, Virginia, and others)

BrewIQ is a UK business and does not currently meet the thresholds in the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act, or other US state consumer-privacy laws that require a standalone compliance programme. We do not “sell” your personal information, and we do not “share” it for cross-context behavioural advertising, as those laws define those terms. If you are a US resident and would like to exercise access, deletion, correction, or opt-out rights on a voluntary basis, email info@brew-iq.app from the address on your account and we’ll treat the request the same way we treat a UK GDPR request.

Other countries where BrewIQ is available

Depending on where you live, you may also have rights under your local data protection law. BrewIQ honours equivalent requests from users in any country where the Service is available.

  • Canada (PIPEDA / Quebec Law 25): rights of access and correction, and to know how your information is used and shared. Our person responsible for the protection of personal information for the purposes of Quebec Law 25 is the privacy contact named in Section 1. Federal regulator: Office of the Privacy Commissioner of Canada (priv.gc.ca). For Quebec users: Commission d’accès à l’information (cai.gouv.qc.ca).
  • Australia (Privacy Act 1988 / Australian Privacy Principles): we are below the AU$3M turnover threshold but comply with the APPs voluntarily. Rights of access and correction. Regulator: Office of the Australian Information Commissioner (oaic.gov.au).
  • New Zealand (Privacy Act 2020): rights of access and correction. Regulator: Office of the Privacy Commissioner (privacy.org.nz).
  • Singapore (PDPA): rights of access and correction. Our Data Protection Officer for the purposes of the PDPA is the privacy contact named in Section 1. Regulator: Personal Data Protection Commission (pdpc.gov.sg).
  • Japan (APPI): rights of disclosure, correction, suspension of use, and deletion. Regulator: Personal Information Protection Commission (ppc.go.jp).
  • Brazil (LGPD): rights of access, correction, anonymisation, blocking, deletion, portability, and information about data sharing. Our Encarregado(data protection officer) for the purposes of the LGPD is the privacy contact named in Section 1. Regulator: Autoridade Nacional de Proteção de Dados — ANPD (gov.br/anpd).
  • Mexico (LFPDPPP): rights of access, rectification, cancellation, and opposition (the “ARCO rights”). Regulator: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales — INAI (inai.org.mx).
  • India (DPDP Act 2023): rights of access to information, correction and erasure, grievance redressal, and nomination. Regulator: Data Protection Board of India (once constituted; refer to MeitY for current guidance).

To exercise any of these, email info@brew-iq.app from the address on your account. If you live in a country not listed here, write anyway — we’ll handle the request the same way we treat a UK GDPR request.

11. Security

We take reasonable and appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS) and at rest (at the infrastructure level).
  • Row-level security on every user table — one user’s credentials cannot read another user’s rows.
  • The cross-user recommendation path is implemented so it returns only aggregate medians and can never leak another user’s identifiable records.
  • Principle of least privilege: admin keys stay on our servers and never reach the mobile app.
  • Short-lived sessions, rate limits on expensive endpoints, and audit logging on sensitive operations.
  • Soft deletion before purge, so an accidental tap is recoverable without compromising a genuine erasure request.

Data Protection Impact Assessment. Because BrewIQ processes voice data, runs automated recommendations, and pools signals across users, we treat this as high-risk processing under Article 35 UK GDPR. We maintain a written DPIA covering these activities and review it when we introduce a materially new use of personal data. A summary is available on request.

No system is perfect. If we become aware of a personal data breach that is likely to create a risk to you, we will notify the UK ICO within 72 hours and tell you directly if the risk is high.

12. Children and the UK Age Appropriate Design Code

BrewIQ is intended for users aged 16 and over. At signup we ask you to confirm you’re at least 16, and the Terms make the minimum age part of the agreement.

Our assessment. BrewIQ is a voice, text, and tap-first coffee-brewing companion that presumes ownership of coffee equipment and an interest in extraction theory. It is not designed for, marketed to, or likely to appeal to children. We have assessed the service as not “likely to be accessed by children” within the meaning of the Information Commissioner’s Age Appropriate Design Code (the Children’s Code). We review that assessment whenever the product direction changes materially.

We apply the Code’s protections anyway.Because an age-gated service can still be accessed by a 16- or 17-year-old, and because the Code sets a good baseline for every user, we align with its standards as follows:

  • Best interests of the child: where a user’s best interests conflict with a commercial interest, the user’s come first.
  • Data Protection Impact Assessment: our DPIA (see Section 11) specifically considers impacts on 16- and 17-year-old users.
  • Age-appropriate application: we apply the same high privacy defaults to every user regardless of age, so a child user receives at least the protections the Code prescribes.
  • Transparency: this policy is written in plain English. Short, plain-language versions of any in-app disclosure (for example the AI-processing prompt) are used.
  • Detrimental use of data: we do not use personal data in ways that research shows are detrimental to children, including behavioural advertising, inferring moods to drive engagement, or gambling-style mechanics.
  • Policies and community standards: we uphold our own Terms and this policy — we don’t promise protections we don’t deliver.
  • Default settings: cross-user data sharing is off by default, marketing emails are off by default, AI processing requires explicit in-app consent on first use.
  • Data minimisation: we only collect what a brew-logging and recommendation service needs (see Section 2). We don’t collect advertising identifiers, precise GPS, contacts, or photo-library contents.
  • Data sharing: we share only with the processors listed in Section 7, under written contracts, and we don’t sell personal data. Cross-user signals that affect other users are consent-gated (Section 6).
  • Geolocation: precise location is never collected. Water lookup uses postcode area only, and only when you type it in.
  • Parental controls: BrewIQ does not currently offer parental-control features because our intended user is 16+. If we ever lower the age threshold we will add them.
  • Profiling: we do not profile users for advertising. We do profile at a technical level to personalise brew recommendations, but those recommendations never have legal or similarly significant effects — they’re coffee suggestions you can ignore.
  • Nudge techniques: we do not use nudges, dark patterns, or infinite-scroll/streak mechanics to push users into weaker privacy choices or excessive use.
  • Connected toys and devices: not applicable — BrewIQ does not pair with children’s connected toys.
  • Online tools: data subject rights (access, correction, deletion, export, consent withdrawal) are available through Profile controls in the app or by email to info@brew-iq.app.

If we find out that someone under 16 has created an account, we’ll delete it. If you believe a child has provided us with their data, email info@brew-iq.app and we’ll act.

13. Changes to this policy

As the product grows, this policy will change. We’ll update the date at the top. If changes are material — new categories of data, new purposes, new sub-processors that meaningfully shift the picture — we’ll notify you inside the app before the changes take effect, so you can decide whether to keep using BrewIQ.

14. Contact and complaints

Privacy questions: info@brew-iq.app. General support: hello@brew-iq.app.

If you’re in the UK and you’re not satisfied with how we’ve handled a privacy matter, you have the right to complain to the Information Commissioner’s Office at ico.org.uk. If you’re in the EEA, you can complain to your local supervisory authority — a full list is maintained by the European Data Protection Board at edpb.europa.eu. We’d always prefer the chance to fix it first.

See also: Terms of Service · Cookie Policy