Privacy Policy
Effective Date: March 27, 2026
Last Updated: March 27, 2026
This Privacy Policy explains how BrewCard ("the Service"), operated by Ivan Surin ("I," "me," "my"), collects, uses, stores, and protects your information when you use brewcard.app.
I take your privacy seriously. BrewCard is designed to work without user accounts, and I collect only the minimum data necessary to operate the Service.
1. Information I Collect
1.1 Information You Provide
Recipe data. When you create and share a recipe using server-stored sharing, the following data is saved:
- Brew method, dose, water amount, temperature, and brew time
- Grinder name, grind setting, and dial position
- Bean name, roaster, origin, process type, roast level, and roast date
- Tasting notes and rating
- Card theme selection
- "Brewed by" name (optional, user-entered)
All of these fields are optional. You control what information you include in your recipe.
Email address. If you choose to sign up for updates, your email address is collected through the email subscription form. This is entirely voluntary.
1.2 Information Collected Automatically
Analytics data. I use Vercel Analytics and Vercel Speed Insights to understand how the Service is used and to monitor performance. These services may collect:
- Pages visited and interactions
- Browser type and version
- Device type and screen size
- Operating system
- Approximate geographic location (country/region level)
- Web performance metrics (page load times, core web vitals)
IP address. Your IP address is temporarily processed for rate limiting on API endpoints (to prevent abuse). IP addresses are not stored persistently or linked to your recipe data or email.
1.3 Information Stored on Your Device
Local storage. BrewCard stores a single flag (brewcard_email_dismissed) in your browser's local storage to remember if you've dismissed the email signup prompt. This data never leaves your device. See the Cookie Policy for details.
2. How I Use Your Information
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Recipe data | Store and display shared recipes, show on public feed, generate social preview images | Legitimate interest (operating the Service) |
| Email address | Send feature updates and newsletters when available | Consent (you opt in by submitting your email) |
| Analytics data | Understand usage patterns, improve performance | Legitimate interest (improving the Service) |
| IP address | Rate limiting to prevent abuse | Legitimate interest (security) |
| Local storage flag | Remember your email prompt dismissal preference | Legitimate interest (user experience) |
I will never:
- Sell your personal information to third parties.
- Use your email address for purposes other than BrewCard communications.
- Combine your email address with your recipe data.
- Create user profiles or track you across other websites.
3. Email Communications
I currently collect email addresses for future feature updates and newsletters. At this time, no emails are being sent. When I begin sending communications:
- Every email will contain a one-click unsubscribe link, as required by CAN-SPAM (US) and GDPR (EU).
- You can also request removal from the mailing list at any time by emailing me at iv.d.surin@gmail.com.
- I will honor unsubscribe requests within 10 business days.
4. How I Share Your Information
I do not sell, rent, or trade your personal information. Your data is shared only with the following service providers, solely for the purpose of operating the Service:
| Provider | Role | Data Shared | Privacy Policy |
|---|---|---|---|
| Vercel | Hosting, CDN, analytics | Analytics data, cached OG images | vercel.com/legal/privacy-policy |
| Upstash | Database (Redis) | Recipe data, email addresses | upstash.com/trust/privacy.html |
| | Font delivery | Font requests (at build time; minimal runtime exposure) | policies.google.com/privacy |
| Stripe | Donation processing | Payment info (collected by Stripe directly, not by me) | stripe.com/privacy |
5. Data Retention
| Data | Retention Period |
|---|---|
| Server-stored recipes | 90 days from creation, then automatically deleted |
| URL-encoded recipes | Not stored on my servers; exists only in the URL you share |
| Email addresses | Retained until you request removal |
| Analytics data | Subject to Vercel's retention policy |
| Local storage flag | Persists in your browser until you clear your browser data |
| OG preview images | Cached on Vercel's CDN for up to 1 year |
6. Data Security
I implement the following security measures:
- HTTPS encryption on all connections.
- Content Security Policy (CSP) headers to prevent cross-site scripting.
- Rate limiting on API endpoints to prevent abuse.
- X-Frame-Options headers to prevent clickjacking.
- Permissions-Policy headers disabling access to camera, microphone, and geolocation.
- Referrer-Policy set to strict-origin-when-cross-origin.
While I take reasonable precautions to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. I cannot guarantee absolute security.
7. Your Rights
7.1 Rights Under GDPR (EEA Residents)
If you are located in the European Economic Area, you have the following rights:
- Right of access — request a copy of the personal data I hold about you.
- Right to rectification — request correction of inaccurate data.
- Right to erasure — request deletion of your personal data.
- Right to restrict processing — request that I limit how I use your data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interest (including analytics).
- Right to withdraw consent — withdraw your consent for email communications at any time.
- Right to lodge a complaint — file a complaint with your local data protection authority.
7.2 Rights Under CCPA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know — request what personal information I collect, use, and disclose.
- Right to delete — request deletion of your personal information.
- Right to non-discrimination — I will not discriminate against you for exercising your privacy rights.
I do not sell personal information. I do not use personal information for cross-context behavioral advertising.
7.3 Exercising Your Rights
To exercise any of the above rights, please contact me at iv.d.surin@gmail.com. I will respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA).
For recipe data: since BrewCard does not use accounts, I cannot verify ownership of specific recipes. Recipes are automatically deleted after 90 days.
For email removal: please email me from the address you wish to have removed, and I will delete it promptly.
8. International Data Transfers
BrewCard is hosted on Vercel's global infrastructure, and recipe/email data is stored on Upstash's servers. Your data may be transferred to and processed in the United States or other countries. By using the Service, you acknowledge this transfer.
For EEA residents: where data is transferred outside the EEA, I rely on the service providers' Standard Contractual Clauses (SCCs) or other appropriate safeguards as required by GDPR.
9. Children's Privacy
BrewCard is not directed at children under the age of 13. I do not knowingly collect personal information from children under 13. If I become aware that a child under 13 has provided me with personal information (such as an email address), I will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided personal information to BrewCard, please contact me at iv.d.surin@gmail.com.
10. Publicly Shared Recipes
When you share a recipe using server-stored sharing, please be aware that:
- Your recipe is accessible to anyone with the link.
- Sufficiently complete recipes may appear on the public recipe feed.
- The "Brewed by" name, if you choose to provide one, is visible on the shared card.
- Social preview (Open Graph) images are generated from your recipe data and publicly cached.
Do not include personal or sensitive information in your recipe details that you do not wish to be publicly visible.
11. Cookies and Similar Technologies
BrewCard uses cookies and local storage. For detailed information, please see the Cookie Policy.
12. Changes to This Policy
I may update this Privacy Policy from time to time. When I do, I will revise the "Last Updated" date at the top of this page. For significant changes, I will make reasonable efforts to provide notice (such as a banner on the site).
Your continued use of the Service after changes are posted constitutes your acknowledgement of the revised policy.
13. Contact
If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact:
Ivan Surin iv.d.surin@gmail.com