Privacy.
Plain language summary of what we collect, why, and what you can do about it. The legal version is below — we tried not to bury it.
What this document is.
RoasteryHub is operated by RoasteryHub Yazılım A.Ş. ("RoasteryHub", "we"). This policy covers personal data we process when you visit RoasteryHub.io or use the RoasteryHub application as an account holder, staff member, or café portal user.
Where this policy uses "customer data", we mean records you upload about your own café customers (business names, orders, balances). You are the data controller for that information; RoasteryHub processes it on your behalf.
What we collect.
We collect the minimum required to run the service. Specifically:
- Account info — email, hashed password, roastery name, role.
- Usage data — which pages you visit and which actions you take, used to debug and improve the product.
- Customer data you upload — café customers, batches, lots, orders, balances, cupping logs. Stored under your tenant, isolated by row-level security.
- Payment info — handled directly by Stripe. We never see card numbers; we receive only an identifier and subscription status.
- Locale preference — a `locale` cookie storing your TR/EN choice. No tracking pixels.
How we use it.
To run the service — authentication, multi-tenant data scoping, sending operational emails (orders, password resets), and processing payments through Stripe. We use AI features (Anthropic Claude) only on data you explicitly submit to them (e.g. clicking "Generate insight" on a cupping log).
We do not sell personal data. We do not use your customer data to train models. We do not share data with advertisers.
Who we share with.
We use a small set of vetted sub-processors:
- Supabase — managed Postgres + Auth. Stores your account and tenant data.
- Anthropic — provides Claude models for AI features. Inputs are not retained beyond what's necessary to return a response.
- Stripe — payment processing. Sees billing details, which we never access.
- Vercel — hosting and edge compute. Sees request metadata.
Where data lives.
Application data is hosted in the EU region (Frankfurt). We may transfer data to processors located elsewhere; in those cases we rely on Standard Contractual Clauses or equivalent safeguards. Turkey-resident customers are covered under KVKK; we act as veri işleyen (data processor) for customer data.
What you can do.
Under GDPR, KVKK, and equivalent regimes you can:
- Access — request a copy of the personal data we hold about you.
- Correct — ask us to fix anything that's wrong.
- Delete — close your account and we'll remove your account-level data; tenant data is purged within 30 days unless retention is legally required.
- Export — download your data in a machine-readable format at any time.
- Object — to specific processing activities, where applicable.
Updates to this policy.
If we change anything material, we'll notify you by email at least 30 days before the change takes effect. Minor edits (typos, clarifications) are reflected in the "Last updated" date above.
Reach us.
For any privacy question, email contact@emincan.com. We aim to respond within 5 business days.