Privacy Policy

Last updated: Saturday, June 13th

This policy explains what personal data roasted ("we") collects, why, and the rights you have over it under the EU/UK General Data Protection Regulation (GDPR).

1. Who is responsible

The data controller is Hendrik Borchert, Puschkinstraße 2, 15236 Frankfurt (Oder), Germany. For any privacy request, contact us at roasted-privacy@gmx.de.

2. What we collect and why

Email address — to identify your account, verify ownership, and send account emails (verification, password reset). Legal basis: performance of a contract.
Username — shown to the friends you connect with. Legal basis: performance of a contract.
Password — stored only as a salted bcrypt hash; we never see or store your plaintext password.
Caffeine logs (drink name, amount, time) — the core function of the app. Because patterns of caffeine consumption can reveal information about your health, we treat this as special-category data under Art. 9 GDPR and process it only on the basis of your explicit consent, which you give at sign-up and can withdraw at any time by deleting your account.
Timezone — to show your day boundaries correctly.
Friend connections — to provide the friends and leaderboard features. Your data on the leaderboard is visible only to friends you have accepted.
Session cookie — a single strictly-necessary httpOnly cookie to keep you logged in. We use no analytics or advertising cookies.

3. How long we keep it

We keep your data for as long as your account exists. Verification and password-reset tokens expire automatically (24 hours and 1 hour). When you delete your account, all of the above is removed immediately and permanently.

4. Who we share it with

We do not sell your data. It is shared only with the infrastructure providers needed to run the service — our hosting provider (STRATO AG, Berlin, Germany) and our email provider (Resend, resend.com, United States) — acting as processors on our behalf. Sending account emails transfers your email address to the United States; we rely on the provider's Standard Contractual Clauses for that transfer. Other users see only your username and your leaderboard totals, and only if you accept them as a friend.

5. Your rights

You can, at any time:

Access & portability — download all your data as JSON from Settings → Your data & privacy → Export my data.
Erasure — permanently delete your account and all associated data from Settings → Your data & privacy → Delete account.
Rectification — correct your timezone in Settings, or contact us for other changes.
Withdraw consent / object / complain — contact us, or lodge a complaint with your local data-protection authority.

6. Caffeine estimates are not medical advice

roasted is not a medical device. Features such as the "caffeine in your system" estimate, blood-concentration figures, the 400 mg/day reference and the taper planner are approximate, generic calculations for general information and lifestyle purposes only. They are not medical advice, a diagnosis, or a treatment, and must not be relied on for medical decisions. Consult a qualified healthcare professional before changing your caffeine intake — especially during pregnancy or with a heart condition. See our Terms of Use for more.

7. Changes

We may update this policy; material changes will be reflected by the "last updated" date above, and we will ask you to review and accept the update the next time you use roasted.