Effective date: 1 June 2026 · Last updated: 13 June 2026
This Privacy Policy explains how RoastConsole ("we", "us", "our") handles your information when you use RoastConsole Mobile — the iPhone and iPad application. RoastConsole Mobile is a companion app for coffee roasting businesses. It requires a RoastConsole Cloud subscription and provides mobile access to your existing cloud account. Questions? Contact us at privacy@roastconsole.com.
Operator: RoastConsole · Website: roastconsole.com · Privacy contact: privacy@roastconsole.com. The only personal data we collect and control is your email address, used for authentication. All business data you access through the app — orders, customers, tasks, inventory — belongs to you and your organisation. We act as a data processor for that data, storing and serving it back to you on your behalf. EEA and UK users who require a Data Processing Agreement (DPA) may contact privacy@roastconsole.com.
We collect your email address when you create an account. Authentication is handled by AWS Cognito using the Secure Remote Password (SRP) protocol. Your password is never transmitted in plaintext — only cryptographic proofs are sent. Your authentication tokens (JWT) are stored in the iOS Keychain and cleared when you sign out.
All business data — orders, customers, tasks, inventory records, roast profiles — is owned by you and your organisation. The app reads from and writes to the RoastConsole Cloud backend via authenticated HTTPS. Nothing is stored locally beyond your credentials. When the device is offline, pending writes are temporarily held in device storage and flushed automatically when connectivity returns; this queue is cleared after a successful sync or sign-out.
If you grant location permission, your device’s location is used locally to assist with delivery route optimisation via Apple Maps. Location data is never sent to our backend or stored. You can revoke location permission at any time in iOS Settings.
If you grant camera permission, the camera is used solely for QR code and barcode scanning. No images or video are captured, stored, or transmitted.
If you grant notification permission, your device’s push notification token is registered with our backend to deliver order updates, task alerts, and operational notifications. It is never used for advertising or shared with third parties. You can revoke notification permission at any time in iOS Settings → Notifications.
Your tab bar layout, date format preference, currency, and weight unit are stored locally on your device and never leave your device.
The app includes Firebase Crashlytics. When the app crashes, Crashlytics automatically collects a report containing device model, iOS version, app version, and a stack trace. This does not include your name, email, or any business data. Firebase Analytics and advertising features are explicitly disabled. To opt out of crash reporting, contact privacy@roastconsole.com.
We do not store or transmit your location; record, store, or transmit camera images or video; use advertising networks, tracking SDKs, or behavioural analytics; run background location tracking or background sync; collect data when the app is not in use; or sell your personal data — ever.
Account authentication (email) — Performance of a contract (Art. 6(1)(b)).
Business data storage and sync — Performance of a contract; we act as processor (Art. 6(1)(b)).
Push notification token — Consent (Art. 6(1)(a)), granted via system prompt, revocable in iOS Settings.
Precise location — Consent (Art. 6(1)(a)), granted via system prompt, revocable in iOS Settings.
Crash reporting — Legitimate interests (Art. 6(1)(f)), maintaining a stable and reliable product.
UK GDPR: UK users have the same rights as EEA users under the UK GDPR and Data Protection Act 2018.
Brazil (LGPD): Processing is based on execution of a contract (Art. 7, V), consent (Art. 7, I) for location and notifications, and legitimate interest (Art. 7, IX) for crash reporting.
Canada (PIPEDA / Québec Law 25): We collect personal information only with knowledge and consent. Québec residents may request data portability or deletion at privacy@roastconsole.com.
Australia (Privacy Act 1988): We handle personal information in accordance with the Australian Privacy Principles.
California (CCPA/CPRA): You have the right to know what we collect, request deletion, correct inaccurate data, and opt out of sale or sharing of personal information. We do not sell personal information.
Other US states: We respect similar rights under Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), and other applicable state privacy laws.
Authentication tokens are stored in the iOS Keychain (AES-256, OS-managed; requires device unlock). App preferences and the offline action queue are stored on-device only and cleared after sync or sign-out. Your business data is stored on our backend (AWS us-east-1) with HTTPS in transit and AES-256 at rest. Your account email is managed by AWS Cognito (us-east-1) via SRP — your password is never transmitted. Push notification tokens are stored on our backend with HTTPS and AES-256 at rest. Crash reports are retained by Google Firebase Crashlytics for 90 days. All data transmitted between the app and our backend uses HTTPS/TLS 1.2 or higher.
Our backend and authentication infrastructure are hosted in the United States (AWS us-east-1). EEA and UK users: transfers to the United States are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission and their UK equivalent (International Data Transfer Agreement). All other users: by using the app you acknowledge that your data is processed in the United States under the safeguards described in Section 5.
AWS Cognito — account authentication (USA).
AWS SNS — push notification delivery (USA).
Apple Maps — on-device delivery route navigation (USA).
Google Firebase / Crashlytics — crash reporting only; analytics and ads disabled (USA).
We do not use Google Analytics, Facebook SDK, advertising networks, or behavioural tracking.
Depending on your location, you may have the right to access personal data we hold about you; correct inaccurate data; delete your account and associated data; port your data in a structured format; restrict or object to certain processing; and withdraw consent for location or notifications via iOS Settings at any time. To submit a request, email privacy@roastconsole.com with subject line “Privacy Request”. Include your name, account email, and the right you wish to exercise. We respond within 30 days. EEA and UK users may also lodge a complaint with their local supervisory authority (e.g. the ICO for UK users).
Account email and identity — retained while your account is active; deleted within 30 days of a deletion request.
Business data — retained while your account is active; deleted within 30 days of a deletion request.
Auth tokens — cleared from device on sign-out.
Offline action queue — cleared after successful sync or sign-out.
Push notification token — deleted within 30 days of account deletion.
Crash reports — 90 days (Firebase default).
To close your account and request data deletion, email privacy@roastconsole.com.
In the event of a breach likely to risk your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR/UK GDPR requirement) and notify you directly if the risk to you is high.
This app is designed for coffee roasting businesses and staff. It is not directed at children under 13. We do not knowingly collect information from anyone under 13. Contact privacy@roastconsole.com if you believe we have done so.
We do not use your data for automated decision-making or profiling that produces legal or significant effects on you.
This policy is governed by the laws of the State of [YOUR STATE], United States, except where superseded by mandatory local law (GDPR, UK GDPR, LGPD, etc.).
We will update the “Last updated” date when this policy changes. For material changes we will notify you via the app or email. Continued use after changes are posted constitutes acceptance.
Email: privacy@roastconsole.com · Website: roastconsole.com