Privacy Policy
Last updated: 20 March 2026
Coffee Palazzo (the “Service”) is operated by Do Your Bit Limited (“we”, “us”, “our”), a company registered in England and Wales. This Privacy Policy explains how we collect, use, store and share your personal data when you use our website at coffeepalazzo.com.
We respect your privacy and are committed to protecting your personal data. This policy complies with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA), as applicable.
1. Data Controller
Do Your Bit Limited is the data controller responsible for your personal data.
Contact: hello@coffeepalazzo.com
2. What Data We Collect
2.1 Account Data
When you create an account, we collect your email address, password (stored as a cryptographic hash), and display name (if provided). If you sign in with Google OAuth, we receive your name, email address and profile picture from Google. We do not receive or store your Google password.
2.2 Taste Profile Data
During onboarding and ongoing use, we collect your flavour preferences, preferred brew methods, coffees you’ve previously enjoyed, and country (used to show locally available products).
2.3 Coffee Journal Data
When you log coffees in your journal, we store the coffee name, origin and roaster, brew method used, your ratings, tasting notes you write, and the date of each entry.
2.4 Subscription & Payment Data
If you subscribe to Premium, payments are processed by Stripe. We store your Stripe customer ID and subscription ID, subscription status and plan type, and billing dates. We do not store your credit/debit card number, CVV, or full card details.
2.5 Usage & Analytics Data
We use PostHog for product analytics, including pages visited, features used, onboarding progress, recommendation interactions, device type, browser, approximate location (city-level), and session duration.
2.6 Communications Data
We use Resend to send emails. We store your email address, delivery status, and communication preferences.
2.7 AI-Processed Data
We use Anthropic’s Claude API to generate personalised recommendation explanations. Your anonymised taste profile and journal data is sent to Anthropic’s API. We do not send your name, email, or other directly identifying information to the AI. Anthropic does not use API data to train their models.
2.8 Technical Data
We automatically collect IP address, browser type and version, operating system, referring URL, and access timestamps for security and service stability.
3. How We Use Your Data
| Purpose | Legal Basis (UK/EU GDPR) |
|---|---|
| Provide the Service | Performance of contract |
| Process payments via Stripe | Performance of contract |
| AI-powered recommendations | Legitimate interest |
| Transactional emails | Performance of contract |
| Marketing emails (weekly digest) | Consent (opt-in) |
| Product analytics | Legitimate interest |
| Fraud prevention & security | Legitimate interest |
| Legal compliance | Legal obligation |
4. Data Sharing
We share personal data only with service providers acting as data processors on our behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (US) | Database & auth | Account, taste profile, journal |
| Stripe (US) | Payments | Email, customer ID, payment events |
| PostHog (US/EU) | Analytics | Anonymised usage data |
| Anthropic (US) | AI recommendations | Anonymised taste & journal data |
| Resend (US) | Email delivery | Email address, message content |
| Google (US) | OAuth (if used) | Email, name, profile picture |
We do not sell your personal data. We do not share your data with advertisers.
5. International Data Transfers
Some service providers are US-based. We rely on Standard Contractual Clauses (SCCs), appropriate transfer mechanisms, and adequacy decisions where applicable.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion |
| Taste profile & journal | Until account deletion |
| Payment records | 7 years (UK legal requirement) |
| Analytics data | 24 months, then anonymised |
| Technical logs | 90 days |
| Email delivery logs | 12 months |
7. Your Rights
UK and EU Residents
Under the UK GDPR and EU GDPR, you have the right to access, rectify and erase your personal data, to restrict processing, to data portability, to object to processing, and to withdraw consent. Email hello@coffeepalazzo.com to exercise these rights. See our Data Rights page for full details.
California Residents (CCPA)
Under the CCPA, you have the right to know, to delete, to opt out of sale (we do not sell data), and to non-discrimination. Email hello@coffeepalazzo.com to exercise these rights.
8. Cookies
We use cookies and similar technologies. For full details, see our Cookie Policy.
9. Children’s Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16.
10. Security
We implement appropriate measures including encryption in transit (TLS/HTTPS), encryption at rest, row-level database security, secure password hashing, and regular security reviews.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by prominent notice on the Service.
12. Contact Us
Do Your Bit Limited
Email: hello@coffeepalazzo.com
Website: coffeepalazzo.com