Privacy Policy

1. Introduction

MyVibeCoffee (“MyVibeCoffee”, “we”, “our”, or “us”) operates a community platform for Hong Kong specialty coffee enthusiasts. This Privacy Policy describes how we collect, use, disclose, store, and protect personal information when you visit our website, create an account, log check-ins, write tasting notes, organize café team-ups (LFG), or otherwise interact with our services (collectively, the “Service”).

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with how we handle personal information as described here, please do not use the Service. We keep this policy concise and practical so it remains useful to ordinary users; where our practices change materially, we will update the “Last Updated” date and notify users through the Service.

This policy is best read alongside our Terms of Service. Together, they describe the full relationship between you and MyVibeCoffee. The Service is operated from Hong Kong SAR. Where applicable, we make best-effort accommodations for users located in the European Economic Area, the United Kingdom, and other jurisdictions, but the Service is primarily designed for residents of Hong Kong.

2. Information We Collect

We collect personal information in the following categories:

• Account information. When you register, we collect your email address, a display name, an authentication credential (for example, a Google OAuth identifier if you sign in with Google), and an optional profile photo.
• Profile information. Any information you choose to add to your profile, such as your district in Hong Kong, brewing experience level, preferred brewing methods, taste preferences, equipment list, a short personal bio or motto, and Instagram handle.
• User-generated content. Check-ins, structured tasting notes (flavor scores, brew parameters, equipment, beans), photos, comments, posts, reactions, follows, team-up activities, and direct messages between users.
• Usage and device data. Server logs containing your IP address, browser user-agent, request timestamps, and the pages you accessed. We use this for security, abuse prevention, and basic service operation. We may also collect anonymous performance and error telemetry.
• Location data. When you opt to use location-based features such as nearby café team-ups, we use your approximate location, snapped to a 100-metre grid before storage, to protect your precise whereabouts. You may decline browser geolocation prompts at any time without losing access to other features.
• Cookies. Strictly necessary cookies for authentication, security (HMAC-signed share-token cookies), and remembering preferences such as theme and language. We do not use third-party advertising cookies.

3. How We Use Your Information

We use the information described above for the following purposes:

• Service delivery. Operating the platform, creating and maintaining your account, displaying your content to other users, and connecting you with cafés, beans, equipment, and other community members.
• Personalization. Recommending cafés and beans based on your tasting profile and check-in history, suggesting users with similar coffee preferences, and tailoring the home feed to your interests.
• Community features. Enabling check-ins, tasting notes, café team-up coordination, follows, comments, reactions, and direct messages.
• Safety and security. Detecting and preventing abuse, spam, harassment, scraping, fraud, account takeover attempts, and unauthorized access. This includes server-side rate limiting, content moderation, and HMAC verification of authentication cookies.
• Aggregate analytics. Understanding how the Service is used at an aggregate, non-identifying level so we can prioritize improvements.
• Legal compliance and enforcement. Complying with applicable laws, responding to lawful requests, and enforcing our Terms of Service.
• Communications. Sending operational messages such as account confirmations, security alerts, and material updates to this policy. We do not currently send marketing newsletters; if we begin doing so, we will obtain your prior opt-in consent where required by law.

4. Third-Party Processors

We do not sell your personal information. We share limited personal information with service providers (“processors”) only as necessary to operate the Service. Each processor is bound by contract or its published Data Processing Agreement to handle your information consistent with this policy:

• Supabase. Provides our managed PostgreSQL database and authentication infrastructure. Account data, profile data, and user-generated content are stored on Supabase. Hosted in the United States.
• Vercel. Provides our application hosting and global content delivery network (CDN). Server logs (including IP addresses) transit Vercel infrastructure. Hosted across multiple regions including the United States.
• Google. If you sign in with Google OAuth, Google provides authentication. We also use Google Maps APIs to render café locations and place data; queries to those APIs include the relevant address or place identifier.
• Sentry. Provides error and performance monitoring. Error reports may incidentally include limited request metadata. We configure Sentry to scrub personal identifiers where possible. Hosted in the United States and the European Union.
• Upstash. Provides rate-limiting and caching infrastructure. Records IP addresses and route identifiers strictly for the purpose of rate limiting, with short retention.

We may also disclose information when required by law, court order, or other lawful request from a governmental authority, or where disclosure is necessary to protect the rights, property, or safety of MyVibeCoffee, our users, or the public.

5. Data Retention

We retain personal information only for as long as necessary to provide the Service or comply with our legal obligations. Specifically:

• Account information. Retained while your account is active. When you request account deletion, we remove your account and personal profile within 30 days, with limited residual copies in encrypted backups that age out within 90 days.
• User-generated content. Retained while your account is active. After account deletion, public content (such as café reviews) may be retained in anonymized form so that reply threads remain coherent for other users; identifying attribution is removed.
• Server logs. Retained for up to 90 days for security and operational diagnostics, then deleted or aggregated.
• Aggregate analytics. Retained for up to 24 months to support trend analysis. Aggregate analytics do not identify you individually.
• Verification and abuse-prevention records. Retained for up to 12 months to support fraud and abuse investigation, then aggregated or deleted.

6. Your Rights

Subject to applicable law, you have the following rights regarding your personal information:

• Access. Request confirmation of whether we hold personal information about you and a copy of that information.
• Correction. Request that we correct inaccurate or incomplete personal information. Most profile fields can be updated directly through your account settings.
• Deletion. Request that we delete your account and associated personal information (sometimes called the “right to be forgotten”), subject to limited retention for legal and security purposes as described in Section 5.
• Data portability. Request a machine-readable copy of the personal information you have provided to us.
• Objection and restriction. Object to or request restriction of certain processing activities, where permitted by law.
• Withdraw consent. Where we rely on your consent for processing, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Opt out of analytics. You may opt out of optional analytics where applicable through your browser settings or by contacting us.

To exercise any of these rights, please contact us at the email address in Section 11. We aim to respond to verified requests within 30 days. If you are unsatisfied with our response, you may have the right to lodge a complaint with your local data protection authority. In Hong Kong, this is the Office of the Privacy Commissioner for Personal Data (PCPD).

7. International Transfers

MyVibeCoffee is operated from Hong Kong SAR, but several of our processors (notably Supabase and Vercel) host infrastructure in the United States. As a result, your personal information may be transferred to, stored in, and processed in the United States or other jurisdictions outside Hong Kong. The data protection laws in those jurisdictions may differ from those in your home jurisdiction.

Where required by law, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms with our processors to protect your personal information during international transfer. By using the Service, you acknowledge that your information may be transferred to and processed in jurisdictions outside your country of residence for the purposes described in this policy.

8. Cookies and Tracking

We use a small number of cookies and similar technologies to operate the Service. These fall into the following categories:

• Strictly necessary cookies. Authentication session cookies, HMAC-signed share-token cookies for café team-up invites, and security cookies. These are required for the Service to function and cannot be disabled in our application.
• Preference cookies. Local storage entries that remember your theme (light or dark) and similar UI preferences. These are stored in your browser only and are not transmitted to us.
• Analytics. Limited, aggregated usage analytics for service operation. We do not use third-party advertising cookies and we do not share information with advertising networks.

You can manage or delete cookies through your browser settings. Note that disabling necessary cookies will prevent you from signing in or using core features.

9. Children’s Privacy

The Service is not directed at children under the age of 13 (or under the age of 16 in jurisdictions where that higher threshold applies, including parts of the European Economic Area). We do not knowingly collect personal information from children under those ages. If you believe a child has provided personal information to us without appropriate parental consent, please contact us and we will take prompt steps to delete the information.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, the Service, or applicable law. When we make material changes, we will update the “Last Updated” date at the top of this policy and provide notice through the Service, by email, or by other reasonable means. We encourage you to review this policy periodically. Your continued use of the Service after the effective date of an update constitutes acceptance of the revised policy.

11. Contact

If you have any questions, comments, or requests regarding this Privacy Policy or our handling of your personal information, please contact us at support@myvibecoffee.com. We will respond to verified requests within a reasonable time, generally no later than 30 days from receipt.