Privacy Policy
Tea Cellar is a personal tea inventory and brewing journal. We collect the minimum data needed to deliver the service: your email address, a hashed password, and the tea records you choose to create. We do not sell your data, do not run ads, and do not profile you across other apps or websites.
Effective date: 25.4.2026
Who we are
The data controller ("we", "us") under Article 4(7) GDPR is:
- Filip Bury
- Světova 523/1, 180 00 Praha 8 – Libeň, Czech Republic
- IČO: 06363342
- Email: f.bury@email.cz
We have not appointed a Data Protection Officer; the processing we carry out does not meet any of the mandatory-DPO triggers in Article 37(1) GDPR. For any privacy-related request, write to the email above and we will respond within 30 days.
What we collect
Account data
- Your email address (used as your login identifier and for service-related email such as address verification).
- A salted, one-way hash of your password, computed with the Argon2id algorithm. We never see or store the plaintext password.
- Whether your email has been verified, and when.
Content you create
- Tea records (name, type, origin, cultivar, harvest year and season, producer, vendor, weights, notes, and any images you attach).
- Brewing sessions (leaf weight, water volume and temperature, infusion times, ratings, notes).
- Inventory events (weight adjustments, brewing deductions).
- Your shopping list and notification preferences.
Photos you submit for label scanning
When you scan a tea label, the image bytes are sent to our server and immediately forwarded to OpenAI for content moderation and metadata extraction. The image itself is not stored on our servers. It lives only in memory for the duration of the request. OpenAI's handling of the image is governed by their own privacy policy.
Technical data
- Authentication tokens (short-lived access tokens and rotated refresh tokens, stored by the app on your device in secure storage and by us in our database as one-way hashes).
- Basic request logs (IP address, user agent, timestamp) retained briefly for debugging and abuse prevention.
We do not collect advertising identifiers, precise location, contact lists, microphone audio, or any biometric data.
Why we collect it and our legal basis
For every category of data we process, the table below names the purpose and the Article 6 GDPR legal basis we rely on. Where we rely on legitimate interests (Art. 6(1)(f)), we have performed a balancing test; you can request a summary of it at the contact address above.
| Data | Purpose | Legal basis |
|---|---|---|
| Email address and password hash | Creating and operating your account; sending you the one-time email-verification link; authenticating you on each login. | Performance of the contract you enter into when you create an account — Art. 6(1)(b) GDPR. Without this data the Service cannot be provided. |
| Tea records, brewing sessions, notes, and other user content | Storing and displaying back to you the content you create — this is the Service itself. | Performance of the contract — Art. 6(1)(b) GDPR. |
| Photos of tea labels | Extracting structured metadata (tea name, type, origin, producer, etc.) so the app can pre-fill a new tea record, and screening the image for illegal or policy-violating content before it leaves our servers. The image is sent to OpenAI in the United States for this purpose and is not retained by us afterwards. | Performance of the contract for the extraction itself — Art. 6(1)(b) GDPR. The pre-upload content moderation is additionally grounded in our legitimate interest in not forwarding illegal content to third parties — Art. 6(1)(f) GDPR. |
| Server logs (IP address, user agent, timestamp, request path) | Debugging; enforcing rate limits; detecting and blocking abuse, brute-force login attempts, and AI-quota abuse. | Legitimate interest in keeping the Service available and secure — Art. 6(1)(f) GDPR. We have weighed this against your reasonable expectations and consider it proportionate; logs are kept briefly (see retention below) and never shared with advertising or analytics networks. |
| Push notification preferences | Sending the reminders you asked for (low stock, shopping list, daily brewing reminder). | Your consent, given by enabling each category in the app's Settings — Art. 6(1)(a) GDPR. You can withdraw consent at any time by toggling the switches off; withdrawal does not affect the lawfulness of processing done before withdrawal. |
| Aggregated accuracy metrics for the AI extraction pipeline | Monitoring and improving label-scan quality. | Legitimate interest in operating and improving the Service — Art. 6(1)(f) GDPR. Metrics are aggregated and do not identify you; we do not use your images or tea records to train third-party AI models. |
Recipients and sub-processors
We do not sell your personal data, do not share it with advertising or analytics networks, and do not disclose it to any third party except the processors listed below. Each one acts only on our documented instructions under a data processing agreement (Article 28 GDPR).
| Processor | Role | Data | Location |
|---|---|---|---|
| Railway (Railway Corp.) | Application hosting, managed PostgreSQL database, Redis cache, backups | Everything stored server-side: account, content, logs, token hashes | European Union (Frankfurt region) |
| OpenAI (OpenAI, L.L.C.) | Ephemeral content moderation and metadata extraction for label scans | The label image bytes and the text prompts we send. No account identity is attached. | United States |
| Resend (Resend Inc.) | Transactional email delivery (verification link, password reset link, future account notices) | Your email address and the message body | United States |
| Sentry (Functional Software, Inc. d/b/a Sentry) | Crash and error reporting so we can detect and fix bugs that affect real users | Stack traces, error messages, the URL path that triggered the error, your account's user ID (UUID), device model and OS version, and app version. We do not forward your email address, request bodies, authentication tokens, or any tea/brewing content. Authorization headers and cookies are stripped before transmission. | United States |
| Expo (650 Industries, Inc.) | Push-notification relay (forwards our pushes to Apple APNs and Google FCM) | Your device's Expo push token, the notification title and body, and a small JSON payload for in-app routing. No account email or content is attached. | United States |
| Apple (Apple Inc., APNs) | Push-notification delivery to iOS devices | Your device's APNs token (held by Apple, not us) and the notification title and body | United States |
| Google (Google LLC, Firebase Cloud Messaging) | Push-notification delivery to Android devices | Your device's FCM token (held by Google, not us) and the notification title and body | United States |
The push-notification chain (Expo → APNs / FCM) only carries the title, body, and a small routing payload. Your email address, your teas and brewing sessions, and the AI-extracted metadata never leave our server in a notification payload — the push is a "knock on the door" that prompts you to open the app and read the information locally.
We do not currently use any image / blob storage provider such as Cloudflare R2 or Amazon S3. If that changes — for example if we later let you save tea photos long-term — we will update this list and the effective date before the feature ships.
International transfers
Your primary application data – account record, tea collection, brew sessions, photo metadata, logs – is stored on Railway infrastructure located in the European Union (Frankfurt) and never leaves the EEA in the ordinary course of operations. The remaining processors listed above (OpenAI, Resend, Sentry, Expo, Apple APNs, Google FCM) are located in the United States, so the limited categories of data we route to them constitute a transfer outside the EEA. Transfers rely on a combination of the following safeguards, as applicable to each recipient:
- EU–US Data Privacy Framework (DPF). OpenAI is self-certified under the DPF; transfers to OpenAI therefore benefit from the European Commission's adequacy decision of 10 July 2023 (Commission Implementing Decision (EU) 2023/1795).
- Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, together with supplementary technical measures (TLS in transit, access controls), for any processor that is not DPF-certified at the time of transfer.
You can request a copy of the relevant transfer safeguards at the contact address above.
How long we keep data
- Account and content data — for as long as your account exists. When you delete your account (in-app or by written request) the production database records are removed immediately.
- Encrypted backup snapshots — up to 30 days after account deletion. Our hosting provider retains rolling encrypted backups of the database for disaster recovery. Records of deleted accounts roll out of active backups within that window; we do not actively restore deleted-user data from backups.
- Refresh tokens — hashed in our database until expiry (30 days of inactivity) or until you log out of that device.
- Email verification tokens — hashed for up to 24 hours, then expired and purged.
- Server request logs — up to 30 days from generation, then rotated out.
Your rights under GDPR
If you are in the EEA, the UK, or Switzerland, you have the following rights in respect of your personal data. Rights can be exercised at any time, free of charge, by writing to the contact address above; we will respond within one month (extendable by two further months for complex requests, with notice).
- Right of access (Art. 15) — you can ask for a copy of the personal data we hold about you and the information in this policy specific to you.
- Right to rectification (Art. 16) — you can ask us to correct inaccurate or incomplete data. Most fields are directly editable in the app.
- Right to erasure / "right to be forgotten" (Art. 17) — you can delete your account yourself in-app via Settings → Delete Account, which wipes your data from the production database immediately. Backup snapshots roll out within 30 days (see retention above).
- Right to restriction of processing (Art. 18) — you can ask us to pause processing in certain circumstances (e.g. while you contest the accuracy of your data).
- Right to data portability (Art. 20) — you can download a machine-readable JSON export of your account (profile, teas, brew sessions, inventory history, shopping list, notification preferences) at any time via the authenticated endpoint GET /auth/export. If you need assistance exercising this right, email us at the address above and we will deliver the export within 30 days.
- Right to object (Art. 21) — you can object to any processing we base on legitimate interests, in which case we will stop unless we demonstrate compelling legitimate grounds that override your interests.
- Right not to be subject to automated decision-making (Art. 22) — we do not make any decisions with legal or similarly significant effects about you through purely automated means.
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent (push notifications), you can withdraw it at any time in the app's Settings without affecting the lawfulness of prior processing.
If you cannot sign in to use the in-app deletion flow, email f.bury@email.cz from the address you registered with; we will verify mailbox ownership and delete the account within 30 days.
Right to lodge a complaint
If you believe our processing of your personal data infringes GDPR, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement.
In the Czech Republic, the competent supervisory authority is:
- Úřad pro ochranu osobních údajů (Office for Personal Data Protection)
- Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
- Website: www.uoou.cz
- Email: posta@uoou.cz
We would appreciate the chance to address your concern first, so please consider contacting us before (or in parallel with) a formal complaint.
Cookies, tracking, and analytics
The Tea Cellar mobile app does not use cookies, web beacons, SDK-based analytics, advertising identifiers, session replay, fingerprinting, or any other tracking technology. It does not implement Apple's App Tracking Transparency prompt because there is nothing to prompt about.
This website (the one you are reading) is a static set of HTML and CSS files. It serves no cookies, runs no analytics, embeds no third-party scripts, and loads no external fonts or images. The one inline script on this page simply fills in the current year in the footer.
Children and minimum age
Tea Cellar is intended for users aged 16 and over and is not directed at children. We apply a uniform 16-year minimum across all jurisdictions — this is above the Czech implementation of Art. 8 GDPR (which sets the digital-consent age at 15) and matches or exceeds the floor in every other EEA Member State, so we do not operate any parental-consent flow.
We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe a user under 16 has created an account, please contact us at the address above and we will close the account and delete the associated data without undue delay.
Security
Passwords are hashed with Argon2id. Tokens are stored hashed. All traffic between the app and our servers is encrypted in transit (HTTPS / TLS 1.2+). We do not claim that any system is perfectly secure, but we try.
Changes
If we materially change this policy, we will update the effective date and, for substantive changes, notify signed-in users via the app on next launch. Your continued use after the change constitutes acceptance of the updated policy.
Contact
Questions, requests, or complaints: f.bury@email.cz.