GrindSize

Privacy Policy

1. Responsible Party

The responsible party for data processing on this website is:

Philip Brembeck
Frankfurter Ring 30
80807 München
Germany
Email: co@ffee.app

Data Protection Contact: Philip Brembeck (no separate DPO)

2. Overview of Data Processing

GrindSize is a coffee brewing tracker that helps you log and optimize your brewing sessions. We process your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable European data protection laws. This policy explains what data we collect, why, and how you can exercise your rights.

3. Data We Collect

3.1 Authentication Data (OAuth)

When you sign in using OAuth providers, we collect:

  • Email address (if available)
  • First and last name
  • Profile picture
  • OAuth provider ID

Legal basis: Contract performance (Art. 6(1)(b) GDPR) – necessary to provide login functionality

3.2 Brew Session Data

When you create brew sessions, we store:

  • Coffee dose and yield
  • Brewing time and method
  • Grind size and grinder model
  • Coffee variety, roastery, and roast date
  • Rating and taste profile (acidity, bitterness, sweetness, body, aftertaste)
  • Optional notes
  • Timestamp of creation

Legal basis: Contract performance (Art. 6(1)(b) GDPR) – necessary to provide the service

3.3 Grinder & Usage Data

We track your grinder preferences and usage data to improve your experience:

  • Grinder preferences based on your activity
  • Session data (login sessions, retained for 30 days)

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) – to improve service and user experience

3.4 Invite System Data

  • Email allowlist
  • Invite codes and usage status

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) – to manage access to the service

4. How We Use Your Data

  • Authenticate and manage your account
  • Store and display your brew sessions
  • Provide personalized grinder recommendations (profiling for service improvement)
  • Generate statistics and insights about your brewing habits
  • Improve service functionality and user experience

No automated decisions with legal or similarly significant effects are made.

5. Data Storage and Security

All user data is stored on servers physically located in Germany (exact data center depends on provider). We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse.

  • PostgreSQL database with encrypted connections
  • Authentication via secure OAuth 2.0 flows
  • Kubernetes cluster hosted in Germany (IONOS & Lima-City)
  • Server logs containing IP addresses are retained for security and troubleshooting

TLS certificates are managed via Let's Encrypt.

6. Data Retention

  • Authentication sessions: 30 days
  • Brew session data: Until account deletion or user request
  • Account data: Until account deletion
  • Server logs: Retained for security and troubleshooting (maximum 30 days)

7. Third-Party Services and Transfers

We use the following third-party services, which may involve transfers outside the EU:

7.1 GitHub OAuth

GitHub provides authentication services. We only process the minimal data needed (email, name, profile picture, provider ID). Data may be transferred to the U.S. under Standard Contractual Clauses (SCCs). See GitHub Privacy Policy.

7.2 Strava OAuth

Strava provides authentication services. We only process first name, last name, profile picture, and provider ID. Data may be transferred to the U.S. under SCCs. See Strava Privacy Policy.

7.3 Google OAuth

Google provides authentication services. We only process email address, first name, last name, profile picture, and provider ID. Data may be transferred to the U.S. under SCCs. See Google Privacy Policy.

7.4 Cloudflare

Cloudflare provides DNS and email forwarding. Some data (IP addresses) may be processed outside the EU under SCCs. We do not use Cloudflare proxy services or analytics.

8. Cookies and Similar Technologies

  • Session Cookie: Essential for authentication (NextAuth.js)
  • Theme Preference: Stores dark/light mode preference
  • Invite Token: Temporary cookie for invite code validation (10 minutes)

We may also use **IndexedDB** for storing client-side data (brew sessions, UI state). No third-party cookies are used.

9. Your Rights Under GDPR

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)

You can exercise your rights via email at or using the in-app account deletion button.

10. Right to Lodge a Complaint

If you believe your data is processed unlawfully, you may lodge a complaint with a supervisory authority. In Germany, this is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

11. Data Sharing

We do not sell, trade, or rent your personal data. Sharing is limited to service providers necessary for operation (OAuth providers, Cloudflare for DNS/email) and only to the extent required.

12. Changes to This Privacy Policy

This policy may be updated from time to time. Changes will be posted here with a revision date. We encourage periodic review.

13. Contact

For questions about this privacy policy or your data, contact:

Philip Brembeck
Email: co@ffee.app

Last updated: November 30, 2025