Privacy Policy
1. Controller
Tegrovio — Dominik Palzer
Sterntalerweg 65
40235 Düsseldorf, Germany
E-Mail: hello@brewmind.app
2. BrewMind App — Overview
The BrewMind app for iOS requires registration with an e-mail address and password. Data is stored both locally on your device (SQLite) and in the cloud (Supabase, EU region) and synchronised accordingly.
No advertising identifiers (IDFA) are collected and no usage data is passed to third parties. Location data is not requested. All Bluetooth and speech-processing functions run exclusively on your device.
Legal basis for processing: Art. 6(1)(b) GDPR (performance of a contract).
3. Account and Authentication
Use of the app requires a user account. The following data is processed in this context:
- Registration data: E-mail address and password. The password is hashed server-side and is never transmitted or stored in plain text.
- Profile fields: Display name, founding-member status, date of beta join.
- Session tokens: Stored exclusively in the iOS Keychain on your device (via expo-secure-store) — not in the cloud.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
4. Locally Stored Data
All user data is stored primarily in a local SQLite database on your device. The app works offline; cloud synchronisation takes place additionally once a connection is available.
- Espresso parameters (dose, yield, time, temperature, pressure, ratings, notes)
- Machines, grinders, beans, roasters, manufacturers, recipes, brew methods, scales
- Calibration data and grind correlations
- App settings and preferences (always stored locally only, never synchronised)
- CSV export available at any time (data sovereignty with the user)
- When no internet connection is available the app operates offline; synchronisation resumes automatically once connected
5. Cloud Synchronisation (Supabase)
When signed in, the following data is synchronised with the cloud server and stored in the EU region of Supabase (Supabase Inc., 444 De Haro Street, San Francisco, CA 94107, USA). Supabase acts as a data processor pursuant to Art. 28 GDPR; a Data Processing Agreement is in place. See Section 13 for details.
- Equipment: Machines, grinders, beans, roasters, manufacturers, recipes, brew methods, scales
- Shot data: Brew parameters (dose, yield, time, temperature, pressure, ratio, flow rate, rating, notes)
- Shot telemetry: Time-series measurements (weight, flow rate, temperature, pressure) captured during the brew
- Taste feedback: Ratings, problem tags, recommendations
- Grind correlations: Adjustments between consecutive shots
- Catalogue customisations: Catalogue entries modified by the user
Synchronisation serves the purpose of data backup and cross-device access. Data is transmitted encrypted (TLS) and stored within the EU.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract — synchronisation is a core function of the app).
6. Multi-Device Sync and Device Management
To resolve conflicts during cross-device synchronisation, a random device ID (UUID) is generated for each app installation. The following is stored: user ID, device UUID, and the timestamp of last activity.
- A maximum of 10 active devices can be registered per account
- If the limit is exceeded, the oldest device is removed automatically
- Devices that have not been used for more than 90 days are not counted toward the active device limit
- All data is unambiguously linked to the respective account via the user ID
Legal basis: Art. 6(1)(b) GDPR.
7. Bluetooth (BLE)
- Optional connection to coffee scales (e.g. Acaia Lunar)
- Exclusively local Bluetooth communication — no data is forwarded via the internet
- iOS permission: “Bluetooth”
8. Speech Recognition
- Optional voice control via Apple On-Device Speech Recognition
- Voice data is processed exclusively on the device
- No audio data leaves the device
- iOS permissions: “Speech Recognition” and “Microphone”
9. Data Analysis and Product Improvement
The operator may analyse data stored in the cloud in order to develop the app, fix bugs, and improve the user experience. This includes in particular the evaluation of brew parameters, feedback data, and usage patterns.
In addition, the operator may access individual users’ data in response to support requests in order to diagnose technical problems.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in product improvement and bug fixing).
10. No Advertising Tracking, No Third-Party Analytics
- No Advertising Identifier (IDFA), no advertising tracking
- No third-party analytics services (no Google Analytics, no Mixpanel, or similar)
- No third-party crash-reporting services
- No location access — explicitly disabled
- No access to contacts, camera, or photos
- No sharing of data with third parties for advertising purposes
11. Data Security
- Row Level Security (RLS): Enforced at database level to ensure users can only access their own data.
- TLS encryption: All data transfers between the app and the cloud are encrypted.
- Password hashing: Passwords are stored server-side as hashes; plain text is never transmitted or persisted.
- iOS Keychain: Authentication tokens are stored locally in the iOS Keychain (expo-secure-store) and are not held in the cloud.
- EU data storage: All personal data is stored in the EU region of Supabase.
12. Data Deletion and Account Deletion
Uninstalling the app removes all local data. Signed-in users can delete their account directly within the app. Upon account deletion, all server-side data is permanently and cascadingly deleted:
- User profile and authentication data (e-mail, password hash)
- All equipment data (machines, grinders, beans, roasters, manufacturers, recipes, etc.)
- All shot data and telemetry data
- All feedback data and taste ratings
- All device registrations
Deletion is carried out via a server-side Edge Function (delete-account) that ensures an atomic and complete clean-up. It is immediate and irreversible.
The right to erasure under Art. 17 GDPR can be exercised at any time, either directly in the app or by e-mail to hello@brewmind.app.
13. Data Processing Agreement
The following processor is used for cloud infrastructure:
Supabase Inc.
444 De Haro Street, Suite 200, San Francisco, CA 94107, USA
Role: Database hosting (PostgreSQL), authentication, Edge Functions
Data storage location: EU region
Privacy policy: supabase.com/privacy
A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR has been concluded with Supabase Inc. Supabase Inc. is certified under the EU-US Data Privacy Framework, thereby ensuring an adequate level of data protection for transfers to the USA; data storage itself takes place within the EU.
14. Website — Hosting
This website is hosted via GitHub Pages (GitHub Inc., 88 Colin P Kelly Jr St, San Francisco, CA 94107, USA, a subsidiary of Microsoft Corporation). When you visit this website, GitHub automatically stores information in server log files transmitted by your browser. This includes in particular:
- IP address of the requesting device
- Date and time of the request
- URL of the page requested
- Referrer URL (previously visited page)
- Browser and operating system used
This data is collected on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically flawless presentation and security of the website. The data is processed by GitHub. For further details please refer to GitHub’s Privacy Statement.
GitHub Inc. is certified under the EU-US Data Privacy Framework, thereby ensuring an adequate level of data protection.
15. Website — No Cookies
This website uses no cookies and no tracking. No analytics or marketing tools are employed.
16. Website — No Data Collection by the Operator
This website currently contains no forms, newsletter sign-ups, or other input mechanisms. Beyond the hosting described in Section 14, the operator collects no personal data.
17. Website — Fonts (Self-Hosted)
This website uses the “Inter” typeface. Font files are served locally from this server. No connection to external servers (such as Google Fonts) is made.
18. Website — External Links
This website contains links to external websites (e.g. GitHub). Clicking these links will redirect you to the respective external site. The respective provider is responsible for data processing on those external sites.
19. SSL/TLS Encryption
For security reasons this website uses SSL/TLS encryption. You can recognise an encrypted connection by the address bar changing from “http://” to “https://” and by the padlock icon in your browser bar.
20. Your Rights
You have the right at any time to:
- Obtain information about the personal data stored about you (Art. 15 GDPR)
- Request the rectification of inaccurate data (Art. 16 GDPR)
- Request the erasure of your data (Art. 17 GDPR)
- Request the restriction of processing (Art. 18 GDPR)
- Request data portability (Art. 20 GDPR)
- Object to processing (Art. 21 GDPR)
- Lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise your rights, please contact hello@brewmind.app. The competent supervisory authority is the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (www.ldi.nrw.de).
21. Changes
This Privacy Policy is currently valid (as of April 2026). As the app or website evolves, or due to changes in legal requirements, an update to this policy may become necessary. Material changes will be communicated to users with an active account by e-mail.