1. Summary
Cafe Brewly is a SaaS café management platform — QR menu, order flow, kitchen and cashier views, plus an AI assistant called Çırak that reads your café’s own sales data. To run the service we process account, café, order, and usage data. We do not sell personal data and we do not use your café’s data for advertising.
2. Data we collect
We collect only what’s needed to run the service:
- Account: email, name, optional phone (used for staff OTP login), user role and branch access.
- Café/organisation: name, logo, address, phone, tax information, and other settings you provide.
- Operational: orders, products, prices, and other business records you enter.
- Payment: payment method type (cash/card) per transaction — card numbers are never stored.
- Customer feedback: optional ratings, comments, and (if provided) contact email.
- Newsletter (opt-in): customer emails you collect for marketing.
- AI conversations: messages exchanged with Çırak and the sales data summaries used to answer them.
- Usage data: anonymised events for product analytics via PostHog.
- Diagnostics: crash and error reports via Sentry.
- Session: short-lived authentication cookies via Supabase SSR.
3. How we use your data
Your data powers the core service and keeps it healthy:
- Run the platform — orders, menus, role-based access, AI answers.
- Maintain your account, café and staff identities.
- Detect errors, prevent abuse (rate-limiting) and improve performance.
- Send transactional and (opted-in) newsletter emails.
- Comply with legal obligations.
4. Legal bases (GDPR)
Performance of a contract (Art. 6(1)(b)), legitimate interests in security and improvement (Art. 6(1)(f)), consent for newsletter and analytics where required (Art. 6(1)(a)), and legal obligations (Art. 6(1)(c)).
5. Who we share data with
Sub-processors act under our instructions — we do not sell personal data:
- Supabase — authentication, database and file storage (email, name, phone, all app data, session tokens).
- Google (Gemini API) — powers Çırak’s AI answers (questions you send + the relevant sales summary).
- Upstash (Redis) — rate-limiting to prevent abuse (hashed user ID + counters; no content stored).
- PostHog — product analytics (anonymous user ID, page views, feature events).
- Sentry — crash reporting (error stack traces, contextual user ID, device/browser info).
- Resend — transactional email (recipient address, name, email content).
- Vercel — hosting and Edge runtime (request logs, IP address temporarily, runtime metadata).
6. Çırak (AI assistant) and your café data
When you ask Çırak a question, we send your message plus a relevant summary of your café’s own sales data to Google’s Gemini API to generate an answer. Çırak does not use your data for model training, does not share it with other cafés, and is not used to profile your customers. Çırak’s answers are informational — they do not replace professional financial, legal, or business advice.
7. Data retention
How long different data lives:
- Account and café data: kept while your account is active.
- Orders and operational data: kept while your account is active (subject to applicable accounting/tax retention).
- AI conversations: kept while your account is active for context and feature improvement.
- Analytics and diagnostics: retained per provider defaults.
- Session cookies: short-lived and rotated on sign-out.
8. International transfers
Most providers (Supabase, Google, Upstash, PostHog, Sentry, Resend, Vercel) process data outside Turkey, including the United States and the EU. Transfers rely on appropriate safeguards (Standard Contractual Clauses) and, where required, your explicit consent.
9. Your rights and account deletion
Under GDPR/KVKK you may request access, correction, deletion, restriction, portability, and objection. The in-app account deletion UI is in progress; in the meantime, contact mustafa@mustafaevleksiz.com and we will delete your account and associated data within 30 days.
10. Cookies
Cafe Brewly uses short-lived authentication cookies (Supabase SSR) required for sign-in to work. We do not use third-party advertising or cross-site tracking cookies.
11. Security
We use industry-standard measures — encryption in transit, role-based access controls, rate-limiting on sensitive endpoints. No method is 100% secure; we cannot guarantee absolute security.
12. Changes
We may update this policy; material changes will be notified in-app or by updating this page’s date.
13. Contact
Mustafa Evleksiz — mustafa@mustafaevleksiz.com.