Privacy Policy
Effective Date: April 15, 2026 Last Updated: April 15, 2026
This Privacy Policy explains how BrewCard ("the Service"), operated by Ivan Surin ("I," "me," "my"), collects, uses, stores, and protects your information when you use brewcard.app.
I take privacy seriously. BrewCard is designed to work without user accounts, and I collect only the minimum information needed to operate the Service.
1. Information I Collect
1.1 Information You Provide
Recipe data. When you create and share a recipe using server-stored sharing, the following data may be saved:
- Brew method, dose, water amount, temperature, and brew time
- Grinder name, grind setting, and dial position
- Bean name, roaster, origin, process type, roast level, and roast date
- Tasting notes and rating
- Card theme selection
- "Brewed by" name (optional, user-entered)
All of these fields are optional. You control what information you include in your recipe.
Email address. If you choose to sign up for updates, your email address is collected through the email subscription form. This is entirely voluntary.
1.2 Information Collected Automatically
Privacy-friendly analytics data. BrewCard uses Simple Analytics to measure overall usage of the Service in a privacy-friendly way. Based on Simple Analytics' published documentation, this analytics setup does not use cookies, does not use local storage for tracking, does not store visitors' IP addresses, and does not track you across websites.
The analytics information available to me is limited to aggregate website metrics such as:
- Page views and visits
- Referrers
- Device type, browser, viewport, and language
- Country-level location derived in a privacy-friendly way
- Basic event and page metadata reported by the analytics script
IP address for security. Your IP address is temporarily processed for rate limiting on API endpoints to help prevent abuse. I do not intentionally store those IP addresses with your recipe data or email signups.
2. How I Use Your Information
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Recipe data | Store and display shared recipes, show on public feed, generate social preview images | Legitimate interest (operating the Service) |
| Email address | Send product updates and newsletters when available | Consent (you opt in by submitting your email) |
| Aggregate analytics data | Understand usage patterns and improve the Service | Legitimate interest (improving the Service) |
| IP address | Rate limiting and abuse prevention | Legitimate interest (security) |
I will never:
- Sell your personal information to third parties.
- Use your email address for purposes unrelated to BrewCard communications.
- Combine your email address with your recipe data for profiling.
- Use BrewCard analytics to track you across other websites.
3. Email Communications
I collect email addresses for future feature updates and newsletters. If I send those communications:
- Every email will contain a one-click unsubscribe link where required by applicable law.
- You can also request removal from the mailing list at any time by emailing me at iv.d.surin@gmail.com.
- I will honor unsubscribe requests within a reasonable period and in accordance with applicable law.
4. How I Share Your Information
I do not sell, rent, or trade your personal information. Your data is shared only with service providers that help me operate BrewCard:
| Provider | Role | Data Shared | Privacy / Terms |
|---|---|---|---|
| Vercel | Hosting, CDN, app delivery, cached OG images | Website requests, cached assets, infrastructure logs | vercel.com/legal/privacy-policy |
| Upstash | Database (Redis) | Recipe data, email addresses | upstash.com/trust/privacy.html |
| Simple Analytics | Privacy-friendly website analytics | Aggregate visit and page analytics described above | simpleanalytics.com/privacy-policy |
| Font delivery through Next.js-hosted assets at build time | Minimal build-time provider access only | policies.google.com/privacy | |
| Stripe | Donation processing | Payment info collected by Stripe directly, not by me | stripe.com/privacy |
5. Data Retention
| Data | Retention Period |
|---|---|
| Server-stored recipes | Retained until deleted or until BrewCard changes its storage policy |
| URL-encoded recipes | Not stored on my servers; exists only in the URL you share |
| Email addresses | Retained until you unsubscribe or request removal |
| Aggregate analytics data | Retained by Simple Analytics under its service retention practices |
| OG preview images | Cached on Vercel's CDN for up to 1 year |
6. Data Security
I implement the following security measures:
- HTTPS encryption on all connections
- Content Security Policy (CSP) headers to reduce script injection risk
- Rate limiting on API endpoints to help prevent abuse
- X-Frame-Options headers to prevent clickjacking
- Permissions-Policy headers disabling access to camera, microphone, and geolocation
- Referrer-Policy set to
strict-origin-when-cross-origin
No method of transmission or storage is perfectly secure, so I cannot guarantee absolute security.
7. Your Rights
7.1 Rights Under GDPR (EEA Residents)
If you are located in the European Economic Area, you may have the right to:
- Request access to the personal data I hold about you
- Request correction of inaccurate data
- Request deletion of your personal data
- Request restriction of processing
- Object to processing based on legitimate interests
- Withdraw consent for email communications at any time
- Lodge a complaint with your local data protection authority
7.2 Rights Under CCPA / CPRA (California Residents)
If you are a California resident, you may have the right to:
- Know what personal information I collect, use, and disclose
- Request deletion of your personal information
- Request correction of inaccurate personal information
- Receive equal service and price even if you exercise your privacy rights
I do not sell personal information and do not use personal information for cross-context behavioral advertising.
7.3 Exercising Your Rights
To exercise these rights, please contact me at iv.d.surin@gmail.com.
For recipe data, BrewCard does not use accounts, so I may not be able to verify ownership of a specific recipe beyond the information you provide.
For email removal, please email me from the address you want removed.
8. International Data Transfers
BrewCard is delivered through infrastructure providers that may process data in multiple countries, including the United States. Recipe and email data may therefore be processed outside your home jurisdiction.
Simple Analytics states that its business and analytics processing are based in the Netherlands / European Union. Its own handling of analytics data is governed by its privacy policy and terms.
Where required, I rely on the safeguards offered by my service providers for international transfers.
9. Children's Privacy
BrewCard is not directed at children under 13, and I do not knowingly collect personal information from children under 13. If I learn that a child under 13 has provided personal information, I will delete it promptly.
If you believe a child has provided personal information to BrewCard, contact me at iv.d.surin@gmail.com.
10. Publicly Shared Recipes
When you share a recipe using server-stored sharing:
- Anyone with the link can view that recipe card
- Sufficiently complete recipes may appear on the public recipe feed
- The "Brewed by" name, if you include one, is visible on the shared card
- Social preview images are generated from your recipe data and may be cached publicly
Do not include personal or sensitive information in recipe content you do not want to be public.
11. Cookies and Similar Technologies
BrewCard does not use analytics cookies. Simple Analytics states that it does not use cookies or similar storage for analytics tracking.
12. Changes to This Policy
I may update this Privacy Policy from time to time. When I do, I will revise the "Last Updated" date at the top of this page.
Your continued use of the Service after changes are posted constitutes your acknowledgement of the revised policy.
13. Contact
If you have any questions about this Privacy Policy or want to exercise your privacy rights, please contact:
Ivan Surin
iv.d.surin@gmail.com