Privacy Policy

Last updated: 20 March 2026

Coffee Palazzo (the “Service”) is operated by Do Your Bit Limited (“we”, “us”, “our”), a company registered in England and Wales. This Privacy Policy explains how we collect, use, store and share your personal data when you use our website at coffeepalazzo.com.

We respect your privacy and are committed to protecting your personal data. This policy complies with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA), as applicable.

1. Data Controller

Do Your Bit Limited is the data controller responsible for your personal data.
Contact: hello@coffeepalazzo.com

2. What Data We Collect

2.1 Account Data

When you create an account, we collect your email address, password (stored as a cryptographic hash), and display name (if provided). If you sign in with Google OAuth, we receive your name, email address and profile picture from Google. We do not receive or store your Google password.

2.2 Taste Profile Data

During onboarding and ongoing use, we collect your flavour preferences, preferred brew methods, coffees you’ve previously enjoyed, and country (used to show locally available products).

2.3 Coffee Journal Data

When you log coffees in your journal, we store the coffee name, origin and roaster, brew method used, your ratings, tasting notes you write, and the date of each entry.

2.4 Subscription & Payment Data

If you subscribe to Premium, payments are processed by Stripe. We store your Stripe customer ID and subscription ID, subscription status and plan type, and billing dates. We do not store your credit/debit card number, CVV, or full card details.

2.5 Usage & Analytics Data

We use PostHog for product analytics including pages visited, features used, onboarding progress, recommendation interactions, device type, browser, approximate location (city-level), and session duration.

2.6 Communications Data

We use Resend to send emails. We store your email address, delivery status, and communication preferences.

2.7 AI-Processed Data

We use Anthropic’s Claude API to generate personalised recommendation explanations. Your anonymised taste profile and journal data is sent to Anthropic’s API. We do not send your name, email, or other directly identifying information to the AI. Anthropic does not use API data to train their models.

2.8 Technical Data

We automatically collect IP address, browser type and version, operating system, referring URL, and access timestamps for security and service stability.

3. How We Use Your Data

Purpose	Legal Basis (UK/EU GDPR)
Provide the Service	Performance of contract
Process payments via Stripe	Performance of contract
AI-powered recommendations	Legitimate interest
Transactional emails	Performance of contract
Marketing emails (weekly digest)	Consent (opt-in)
Product analytics	Legitimate interest
Fraud prevention & security	Legitimate interest
Legal compliance	Legal obligation

4. Data Sharing

We share personal data only with service providers acting as data processors on our behalf:

Provider	Purpose	Data Shared
Supabase (US)	Database & auth	Account, taste profile, journal
Stripe (US)	Payments	Email, customer ID, payment events
PostHog (US/EU)	Analytics	Anonymised usage data
Anthropic (US)	AI recommendations	Anonymised taste & journal data
Resend (US)	Email delivery	Email address, message content
Google (US)	OAuth (if used)	Email, name, profile picture

We do not sell your personal data. We do not share your data with advertisers.

5. International Data Transfers

Some service providers are US-based. We rely on Standard Contractual Clauses (SCCs), appropriate transfer mechanisms, and adequacy decisions where applicable.

6. Data Retention

Data Type	Retention Period
Account data	Until account deletion
Taste profile & journal	Until account deletion
Payment records	7 years (UK legal requirement)
Analytics data	24 months, then anonymised
Technical logs	90 days
Email delivery logs	12 months

7. Your Rights

UK and EU Residents

Under the UK GDPR and EU GDPR, you have the right to access, rectify, erase, restrict processing, data portability, object to processing, and withdraw consent. Email hello@coffeepalazzo.com to exercise these rights. See our Data Rights page for full details.

California Residents (CCPA)

Under the CCPA you have the right to know, delete, opt out of sale (we do not sell data), and non-discrimination. Email hello@coffeepalazzo.com to exercise these rights.

8. Cookies

We use cookies and similar technologies. For full details, see our Cookie Policy.

9. Children’s Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16.

10. Security

We implement appropriate measures including encryption in transit (TLS/HTTPS), encryption at rest, row-level database security, secure password hashing, and regular security reviews.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by prominent notice on the Service.

12. Contact Us

Do Your Bit Limited
Email: hello@coffeepalazzo.com
Website: coffeepalazzo.com