Privacy Policy
Last updated: May 16, 2026
1. Data Controller
Granino (“we”, “us”, “our”) is the controller of your personal data. If you have questions about this policy or want to exercise your rights, contact us at [email protected].
2. Data We Collect
We collect personal data only when it is necessary for the service:
- Account & profile: email address, username, first name, last name, and avatar image (when you create an account or sign in via Google).
- Tasting feedback: coffee-bean ratings, tasting notes, and optional location information you enter when logging a tasting.
- Saved items: coffee beans you bookmark.
- Newsletter subscription: email address when you subscribe; we also store whether and when you unsubscribed.
- Usage data: with your consent, we collect aggregated analytics on pages visited and navigation patterns (see §7 Analytics).
- Technical logs: with your consent, error reports and performance traces via Sentry (see §10 Diagnostics).
3. Legal Bases (GDPR Art. 6)
| Processing activity | Legal basis |
|---|---|
| Account authentication & profile storage | Contract (Art. 6(1)(b)) |
| Tasting feedback & saved items | Contract (Art. 6(1)(b)) |
| Newsletter subscription & sending | Consent (Art. 6(1)(a)) |
| Analytics cookies, Umami Analytics, Vercel Analytics & Google Analytics | Consent (Art. 6(1)(a)) |
| Maps & location autocomplete (Mapbox) | Consent (Art. 6(1)(a)) |
| Error tracking & performance monitoring (Sentry) | Consent (Art. 6(1)(a)) |
| Umami Analytics and Vercel Analytics (cookieless, aggregated) | Consent (Art. 6(1)(a)) |
4. Processors & Third-Party Services
We use the following sub-processors:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (AWS eu-west-1) |
| Vercel | Web hosting, edge CDN, Vercel Analytics (analytics consent required) | Global (EU available) |
| Umami | Cookieless traffic analytics (analytics consent required) | Cloud or self-hosted analytics environment |
| Resend | Transactional & newsletter email sending | US (SCCs in place) |
| Mapbox | Interactive maps & address autocomplete (functional consent required) | US (SCCs in place) |
| Sentry | Error monitoring & performance (diagnostics consent required) | US (SCCs in place) |
| Google Analytics | Traffic analytics (analytics consent required) | US (SCCs in place) |
SCCs = Standard Contractual Clauses (EU Commission Implementing Decision 2021/914). Transfers to the US are covered by SCCs and, where applicable, the UK International Data Transfer Addendum.
5. Retention Periods
- Account data: retained for as long as your account is active. Deleted within 30 days of account deletion.
- Tasting feedback & saves: deleted when you delete your account.
- Newsletter subscriptions: retained until you unsubscribe. Unsubscribed records are kept for 1 year to prevent accidental re-subscription, then purged.
- Analytics data: Umami retains aggregated analytics per the configured Umami workspace retention policy. Vercel retains aggregated analytics per their data retention policy. Google Analytics data is retained for 14 months by default.
- Error reports (Sentry): retained for 90 days.
6. Your Rights
Under GDPR (Chapter III) you have the following rights. To exercise them, email [email protected] or use the self-service controls in your profile.
- Access (Art. 15): download a copy of your data via the “Export my data” button in your profile.
- Rectification (Art. 16): edit your profile details in the profile settings.
- Erasure (Art. 17): delete your account via the “Delete my account” button in your profile, or email us.
- Restriction (Art. 18): email us to request restricted processing.
- Portability (Art. 20): use the data export to receive your data in a machine-readable JSON format.
- Objection (Art. 21): you can object to processing based on legitimate interest; email us to do so.
- Withdraw consent: change your cookie preferences at any time using the “Cookie settings” link in the footer, or unsubscribe from the newsletter using the link in any email we send you.
- Lodge a complaint: you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence. In the Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
7. Cookies & Analytics
We categorise cookies as follows. You can manage your preferences at any time via the “Cookie settings” link in the footer.
| Category | Cookie name(s) | Purpose | Expiry | Consent required |
|---|---|---|---|---|
| Essential | granino_consent | Stores your cookie consent preferences | 1 year | No |
| Essential | sb-* (Supabase) | Authentication session tokens | Session / 1 week | No |
| Analytics | _ga, _ga_* | Google Analytics — distinguishes users and sessions | 2 years / session | Yes |
| Analytics | (none — cookieless) | Umami Analytics and Vercel Analytics — aggregated, IP not stored | N/A | Yes |
| Maps & Location | Mapbox-* / local storage | Interactive map tiles & address autocomplete | Session | Yes |
| Diagnostics | sentry-* / local storage | Error & performance monitoring | Session | Yes |
Umami Analytics and Vercel Analytics do not use cookies and do not track individual users. They provide aggregated page-view statistics and custom events only after you grant analytics consent.
8. Authentication & OAuth
You can create an account with an email and password, or sign in via Google OAuth (“Sign in with Google”). When you use Google OAuth, Google shares your name and email address with us; we do not receive your Google password. Session tokens are managed by Supabase Auth and stored in cookies scoped to granino.coffee.
9. Browser Geolocation
On the Cafés list, individual shop pages, and the map view, we ask your browser for your current location so we can show how far each shop is from you and let you sort by distance. Your coordinates are processed entirely in your browser — they are never sent to our servers, never stored, and never shared with any third party. This is a browser-level permission separate from cookie consent: granting or refusing it does not affect the rest of the site. You can deny the permission when prompted or revoke it later from your browser settings; if you do, distance information simply will not appear.
10. Diagnostics (Sentry)
With your consent (Diagnostics category), we send error reports and performance traces to Sentry. We configure Sentry with sendDefaultPii: false, which means your IP address and email are never included in reports. Stack traces may include application state; we do not intentionally include personal data. Session Replay (if enabled) is configured to mask all text and block all media.
11. Newsletter
When you subscribe to the newsletter, we store your email address and send emails via Resend. Each email contains an unsubscribe link. You may also unsubscribe at any time by emailing [email protected].
12. Security
We use HTTPS for all data in transit, and Supabase provides encryption at rest. Authentication tokens are rotated regularly. Avatar images are stored in a private Supabase Storage bucket with signed URLs. No method of data transmission over the Internet is 100% secure.
13. Children
Granino is not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have done so, contact [email protected].
14. Changes to This Policy
We may update this policy to reflect changes in our practices or applicable law. We will update the “Last updated” date at the top and, for material changes, notify registered users by email. Continued use of the service after changes constitutes acceptance of the updated policy.