Privacy Policy
Last updated: February 27, 2026
1. Introduction
BrewFlow ("we," "us," or "our") operates a brewery operations management platform at brewflow.app (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service.
We are committed to protecting your privacy. By using BrewFlow, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name and email address. If you are invited to join a brewery team, the inviting user provides your email address.
2.2 Brewery & Operational Data
You provide brewery details (name, timezone), vessel configurations, recipes, batch records, measurements, and deviation logs. This data is stored to provide the Service and belongs to you.
2.3 Payment Information
Payments are processed by Stripe. We do not receive, store, or have access to your full credit card number. Stripe provides us with a tokenized reference, card brand, last four digits, and expiration date for display purposes only. See Stripe's Privacy Policy for details on how Stripe handles your payment data.
2.4 Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, actions taken (activity log), timestamps, and referring URLs.
2.5 Device & Log Data
Our servers automatically record information sent by your browser, including IP address, browser type and version, operating system, device type, and language preferences.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process transactions and send billing-related communications
- Send transactional emails (sign-in links, team invitations, subscription confirmations)
- Monitor and analyze usage trends to improve user experience
- Detect, prevent, and address technical issues and abuse
- Comply with legal obligations
We do not sell your personal information to third parties. We do not use your brewery operational data (recipes, batches, measurements) for any purpose other than providing the Service to you.
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:
- Contract Performance: Processing necessary to provide the Service you have subscribed to, including account creation, data storage, email delivery, and payment processing.
- Legitimate Interest: Processing for our legitimate business interests, such as improving the Service, ensuring security, and preventing fraud, where these interests are not overridden by your data protection rights.
- Consent: Where we rely on your consent (e.g., for optional analytics cookies), you may withdraw consent at any time.
- Legal Obligation: Processing necessary to comply with applicable laws, regulations, or legal proceedings.
5. Sub-processors
We use the following third-party services to operate BrewFlow. Each sub-processor only receives the minimum data necessary for its function:
| Sub-processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Email, billing details | USA |
| Resend | Transactional email delivery | Email address, email content | USA |
| Vercel | Application hosting & CDN | Request data, IP address | USA |
| Neon | PostgreSQL database hosting | All application data | USA |
6. Data Retention
We retain your personal information as follows:
- Account data: Retained for the duration of your account. Upon account deletion, personal information is purged within 30 days. Anonymized usage data may be retained indefinitely for analytics.
- Brewery operational data: Retained for the duration of the brewery account. Upon brewery deletion, all associated data (vessels, recipes, batches, measurements, deviations) is permanently deleted within 30 days.
- Payment records: Retained for 7 years to comply with tax and accounting obligations.
- Server logs: Automatically deleted after 90 days.
7. Data Security
We implement industry-standard security measures to protect your data, including encryption in transit (TLS 1.2+), encryption at rest for database storage, secure authentication via magic link email tokens (no passwords stored), role-based access control within brewery teams, and multi-tenant data isolation ensuring each brewery can only access its own data.
While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
8. International Data Transfers
BrewFlow is operated from the United States. If you access the Service from the EEA, UK, or Canada, your data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Addendum where applicable, and contractual data protection commitments with all sub-processors.
9. Children's Privacy
BrewFlow is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child under 16, please contact us immediately and we will promptly delete it.
10. Your Rights Under CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) and its amendments (CPRA) provide you with specific rights:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, completing a transaction).
- Right to Opt-Out of Sale: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
Categories of Personal Information Collected: Identifiers (name, email, IP address), commercial information (subscription and billing records), internet activity (usage data, log data), and professional information (brewery name, role within brewery).
To exercise your rights, email us at privacy@brewflow.app. We will verify your identity before processing requests and respond within 45 days.
11. Your Rights Under GDPR (EEA Residents)
If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Data Portability: Receive your personal data in a structured, machine-readable format (JSON or CSV).
- Restriction: Request restriction of processing under certain circumstances.
- Object: Object to processing based on legitimate interests.
- Withdraw Consent: Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Data Controller: BrewFlow is the data controller for personal data processed through the Service. To exercise your rights, contact us at privacy@brewflow.app. We will respond within 30 days.
You have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.
12. Your Rights Under UK Data Protection Act 2018
If you are located in the United Kingdom, you have rights equivalent to those outlined in Section 11 above under the UK GDPR and Data Protection Act 2018. You may lodge complaints with the Information Commissioner's Office (ICO) at ico.org.uk.
13. Your Rights Under PIPEDA (Canadian Residents)
If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation provide you with the following rights:
- Consent: We obtain your meaningful consent for the collection, use, and disclosure of personal information. You may withdraw consent at any time, subject to legal or contractual restrictions.
- Access: You may request access to your personal information held by us.
- Correction: You may challenge the accuracy and completeness of your personal information and have it amended as appropriate.
- Complaint: You may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date and, where required by law, by sending you an email notification. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:
Email: privacy@brewflow.app
For data protection inquiries from the EEA or UK, you may also write to our data protection contact at the email address above. We aim to respond to all legitimate requests within 30 days.
See also our Terms of Service, Cookie Policy, and Acceptable Use Policy.