
Privacy policy — Cafe Brewly

Last updated: May 30, 2026

This policy explains what Cafe Brewly collects, why, and your choices. Operated by Mustafa Evleksiz — contact mustafa@mustafaevleksiz.com.

1. Summary

Cafe Brewly is a SaaS café management platform — QR menu, order flow, kitchen and cashier views, plus an AI assistant called Çırak that reads your café's own sales data. To run the service we process account, café, order, and usage data. We do not sell personal data and we do not use your café's data for advertising.

2. Data we collect

We collect only what's needed to run the service:

  • Account: email, name, optional phone (used for staff OTP login), user role and branch access.
  • Café/organisation: name, logo, address, phone, tax information, and other settings you provide.
  • Operational: orders, products, prices, and other business records you enter.
  • Payment: payment method type (cash/card) per transaction — card numbers are never stored.
  • Customer feedback: optional ratings, comments, and (if provided) contact email.
  • Newsletter (opt-in): customer emails you collect for marketing.
  • AI conversations: messages exchanged with Çırak and the sales data summaries used to answer them.
  • Usage data: anonymised events for product analytics via PostHog.
  • Diagnostics: crash and error reports via Sentry.
  • Session: short-lived authentication cookies via Supabase SSR.

3. How we use your data

Your data powers the core service and keeps it healthy:

  • Run the platform — orders, menus, role-based access, AI answers.
  • Maintain your account, café and staff identities.
  • Detect errors, prevent abuse (rate-limiting) and improve performance.
  • Send transactional and (opted-in) newsletter emails.
  • Comply with legal obligations.

4. Legal bases (GDPR)

We rely on performance of a contract (Art. 6(1)(b)), legitimate interests in security and improvement (Art. 6(1)(f)), consent for newsletter and analytics where required (Art. 6(1)(a)), and legal obligations (Art. 6(1)(c)).

5. Who we share data with

Sub-processors act under our instructions — we do not sell personal data:

  • Supabase — authentication, database and file storage (email, name, phone, all app data, session tokens).
  • Google (Gemini API) — powers Çırak's AI answers (questions you send + the relevant sales summary).
  • Upstash (Redis) — rate-limiting to prevent abuse (hashed user ID + counters; no content stored).
  • PostHog — product analytics (anonymous user ID, page views, feature events).
  • Sentry — crash reporting (error stack traces, contextual user ID, device/browser info).
  • Resend — transactional email (recipient address, name, email content).
  • Vercel — hosting and Edge runtime (request logs, IP address temporarily, runtime metadata).

6. Çırak (AI assistant) and your café data

When you ask Çırak a question, we send your message plus a relevant summary of your café's own sales data to Google's Gemini API to generate an answer. Çırak does not use your data for model training, does not share it with other cafés, and is not used to profile your customers. Çırak's answers are informational — they do not replace professional financial, legal, or business advice.

7. Data retention

How long different data lives:

  • Account and café data: kept while your account is active.
  • Orders and operational data: kept while your account is active (subject to applicable accounting/tax retention).
  • AI conversations: kept while your account is active for context and feature improvement.
  • Analytics and diagnostics: retained per provider defaults.
  • Session cookies: short-lived and rotated on sign-out.

8. International transfers

Most providers (Supabase, Google, Upstash, PostHog, Sentry, Resend, Vercel) process data outside Turkey, including the United States and the EU. Transfers rely on appropriate safeguards (Standard Contractual Clauses) and, where required, your explicit consent.

9. Your rights and account deletion

Under GDPR/KVKK you may request access, correction, deletion, restriction, portability, and objection. The in-app account deletion UI is in progress; in the meantime, contact mustafa@mustafaevleksiz.com and we will delete your account and associated data within 30 days.

10. Cookies

Cafe Brewly uses short-lived authentication cookies (Supabase SSR) required for sign-in to work. We do not use third-party advertising or cross-site tracking cookies.

11. Security

We use industry-standard measures — encryption in transit, role-based access controls, rate-limiting on sensitive endpoints. No method is 100% secure; we cannot guarantee absolute security.

12. Changes

We may update this policy; we will give notice of material changes in-app or by updating this page's date.

13. Contact

Mustafa Evleksiz — mustafa@mustafaevleksiz.com.
