Privacy Policy

Last updated: April 23, 2026

Who We Are

Kafeo is a digital loyalty platform operated by SCOOPMEDIA OÜ, a private limited company registered in Estonia. SCOOPMEDIA OÜ is the data controller responsible for your personal data processed through Kafeo.

  • Legal entity: SCOOPMEDIA OÜ
  • Registration code: 16546238
  • Registered address: Akadeemia tee 7/1-302b, Mustamäe District, Tallinn, Harju County 10621, Estonia
  • Contact: hello@kafeo.io

Introduction

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital loyalty platform. In this policy, "we", "our", or "us" refers to SCOOPMEDIA OÜ.

Information We Collect

Personal Information

We collect the following personal information:

  • Phone number (for account authentication)
  • Email address (optional)
  • Name (optional)
  • Profile picture (optional)

Usage Information

We automatically collect:

  • Loyalty card activity (stamps collected, rewards redeemed)
  • Location data (when you search for nearby cafés, with your permission)
  • Device information and app usage analytics

How We Use Your Information & Legal Basis

Under GDPR we must have a lawful basis for each use of your data. Here's a breakdown:

  • Provide loyalty services, process stamps and redemptions — legal basis: performance of a contract (Art. 6(1)(b))
  • Send transactional emails (password reset, account updates, subscription notices) — legal basis: performance of a contract
  • Push notifications about loyalty activity — legal basis: consent (you grant this when enabling notifications on your device) (Art. 6(1)(a))
  • Prevent fraud and secure the platform — legal basis: legitimate interest (Art. 6(1)(f)) in protecting our users and business
  • Analytics on our website (Google Analytics via Tag Manager) — legal basis: consent. Only loads after you accept analytics cookies.
  • Error monitoring (Sentry) — legal basis: legitimate interest in keeping the product working reliably
  • Legal obligations (tax records for café subscriptions, responding to lawful requests) — legal basis: legal obligation (Art. 6(1)(c))

Who We Share Data With

We share the minimum data needed with the following categories of recipients:

Cafés you interact with

When you collect a stamp or redeem a reward, the café can see your first name (if provided) and your loyalty card progress with them. They cannot see your phone number, email, password, or your activity at other cafés.

Third-party processors

We use the following service providers to run Kafeo. Each has signed a Data Processing Agreement committing to GDPR-compliant handling of your data:

  • Supabase (EU region) — database and file storage
  • Railway — API hosting (EU region)
  • Vercel — website and dashboard hosting
  • Resend — transactional emails
  • Stripe — café subscription billing (payment details never touch our servers)
  • Sentry — error monitoring and session replay for debugging crashes
  • Google Analytics / Google Tag Manager — anonymized website analytics (only with your consent)
  • Expo / Apple / Google — push notifications to your device
  • Google Maps / Geocoding — showing cafés on a map and converting addresses to coordinates

We never sell your personal data.

International Data Transfers

We store your primary account and loyalty data on servers in the European Union. Some of our processors (notably Sentry, Stripe, Google Analytics, Vercel, Expo) may process data outside the EEA, including in the United States. Where that happens, we rely on the European Commission's Standard Contractual Clauses and/or the EU–US Data Privacy Framework to ensure your data receives an equivalent level of protection.

Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption of data in transit and at rest
  • Regular security audits and updates
  • Limited access to personal data
  • Secure authentication methods

Your Rights (GDPR)

If you are in the EU/EEA, you have the following rights over your personal data:

  • Access — request a copy of the data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure ("right to be forgotten") — request deletion of your data
  • Restriction — limit how we process your data
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — revoke any consent you previously gave (e.g. analytics, notifications)

To exercise any of these rights, email us at hello@kafeo.io. We'll respond within 30 days. You can also delete your account directly from the mobile app.

Right to Lodge a Complaint

If you believe we've handled your data improperly, you have the right to lodge a complaint with your local data protection authority. In Estonia (our supervisory authority), this is:

Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate)
Tatari 39, 10134 Tallinn, Estonia
Phone: +372 627 4135
Email: info@aki.ee
Website: www.aki.ee/en

We'd appreciate the chance to address your concern first — please reach out to us before filing a formal complaint.

Data Retention

We retain your personal information only as long as necessary to provide our services and comply with legal obligations. When you delete your account, we delete your personal data within 30 days.

Cookies

Our website uses cookies in two categories:

  • Essential cookies — required for the site to work (authentication, security, saving your cookie preference). These are always on.
  • Analytics cookies (optional) — loaded via Google Tag Manager to run Google Analytics, only after you click "Accept" on the cookie banner. These help us understand which pages visitors use. IP addresses are anonymized and we do not enable Google's advertising features.

You can change your cookie preference at any time by clicking "Cookie settings" in the footer or by clearing your browser's site data for kafeo.io.

Children's Privacy

Our services are not directed to children under 16. We do not knowingly collect personal information from children under 16.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes via email or app notification.

Contact Us

If you have questions about this Privacy Policy or want to exercise your GDPR rights, contact us at:

SCOOPMEDIA OÜ

Akadeemia tee 7/1-302b, Mustamäe District, Tallinn, Harju County 10621, Estonia

Email: hello@kafeo.io