Legal

Privacy Policy

Last updated: 2 May 2026

Cascara Coffee Co. ("Cascara," "we," "us") operates cascara.cafe and the Cascara cellar service. We are a Philippine company based in BGC, Taguig. This policy explains what data we collect, why, how we use it, and the rights you have under the Data Privacy Act of 2012 (Republic Act 10173).

If anything here is unclear, email privacy@cascara.cafe.

1. What we collect

We collect only what we need to run the service:

  • Account. Email address and password (hashed — we never see it in plain text).
  • Palate data. Your answers to the 11-question calibration, your Palate Kite, the beans you rate, the brews you log, and the deltas the algorithm computes from those.
  • Submissions. Beans, roasters, tasting notes, comments, and corrections you contribute to the catalog.
  • Subscription & orders. If you join Drop or buy a bag, we record the order and a shipping address. Payment card data is handled by our processor (PayMongo) — Cascara never stores it.
  • Operational.Standard server logs (IP, user agent, timestamp), error reports (Sentry), privacy-safe pageview analytics (Vercel Web Analytics — no cookies, no cross-site tracking), and product-funnel analytics (PostHog — pageviews and Cascara-defined events such as "calibration started," "question answered," "signup gate shown." Session replay and form-field capture are off; we do not share PostHog data with third parties).

2. How we use it

  • To run the service: log you in, render your kite, recommend beans, fulfill orders.
  • To improve the algorithm: aggregate, de-identified palate signal trains the recommender.
  • To communicate: transactional email (account, orders), and — only if you opt in — product updates.
  • To prevent abuse: rate limiting, spam filtering, fraud checks on payments.

We do not sell your data. We do not share it with advertisers. We do not use it to train third-party AI models.

3. Catalog contributions

Beans, roasters, notes, and comments you submit to the public catalog are credited to your account and visible to other members and to anonymous visitors (for the public surfaces: /roasters and the public marketplace once enabled). Provenance tiers (cascara_verified / community_verified / pending) govern how catalog data is displayed and trusted; see Terms for the licensing model.

4. Who else touches your data

Sub-processors, scoped to what they need:

  • Supabase — database, auth, file storage.
  • Vercel — hosting + analytics.
  • Resend — transactional email delivery.
  • Sentry — error tracking.
  • PostHog — product analytics & funnel tracking (US region; session replay disabled).
  • PayMongo — payment processing (when subscriptions go live).
  • Shopify / 3PL — order fulfilment for physical bags (when shipping goes live).

Each processor is bound by a data-processing agreement and may store data outside the Philippines. We use only providers with comparable privacy commitments.

5. Retention

Account and palate data live as long as your account does. If you delete your account, we erase personal identifiers within 30 days; aggregated, de-identified palate signal may persist in the trained algorithm. Order records are retained for ten (10) years per Philippine tax and accounting law.

6. Your rights

Under the Data Privacy Act, you have the right to:

  • Be informed about processing.
  • Access your data.
  • Correct inaccurate data.
  • Erase or block processing (subject to legal-retention exceptions).
  • Object to processing (e.g., marketing emails).
  • Data portability — export your kite, ratings, and brews.
  • File a complaint with the National Privacy Commission (privacy.gov.ph).

To exercise any of these, email privacy@cascara.cafe. We respond within 15 business days.

7. Security

Passwords are hashed (Supabase Auth, bcrypt). All traffic is TLS-encrypted. Database access is row-level-secured per member. Backups are encrypted at rest. We disclose breaches affecting Philippine residents to the National Privacy Commission within 72 hours of confirmation, per RA 10173.

8. Children

Cascara is for adults. We do not knowingly collect data from anyone under 18. If you believe a minor has signed up, email us and we will delete the account.

9. Changes

When we change this policy in a material way, we notify members by email and update the "Last updated" date above. Continued use after notice constitutes acceptance.

10. Contact

Cascara Coffee Co.
BGC, Taguig, Philippines
Data Protection Officer: privacy@cascara.cafe