Privacy Policy

Version 2026-05-28· Effective May 28, 2026

This Privacy Policy explains how Craftbevia ("we," "us," "our") collects, uses, shares, and protects information when you use the Craftbevia website and related services (the "Service"). The Service is intended for adults age 21 or older. We collect as little personal information as possible — only what we need to run the Service.

Craftbevia is the data controller for personal information processed through the Service. For questions or to exercise your privacy rights, email craftbevia@gmail.com.

Account information: your email address, a display name, and the version of the Terms and Privacy Policy you accepted at signup. Passwords are securely processed and stored by our authentication provider, Supabase. Craftbevia does not directly access or store plaintext passwords.

Optional profile information: short bio, city, state/province, social handles, avatar image, and notification preferences. All of these are optional and you can edit or remove them from your account settings.

User-generated content: reviews, ratings, comments, favorites, brewery visits, and any photos you upload. Reviews, ratings, comments, profile display names, and uploaded content may be visible to other users of the Service.

Brewery-owner claim information: if you submit a brewery claim we collect your first and last name, contact email, phone number, role, optional Instagram handle, and the brewery you are claiming. The IP address and user agent of the submission are logged for fraud prevention and are automatically deleted from the claim record after 90 days.

Usage information: if you accept analytics, Google Analytics records pages viewed, on-page interactions, approximate location (derived from a truncated IP), device/browser type, and timestamps. Google Analytics is configured to reduce IP precision where supported and to disable advertising features, advertising signals, and ad personalization.

Server logs: our hosting provider records standard request logs (IP address, user agent, timestamps) for security and operational purposes; these are retained on a rolling short-term basis.

Cookies and similar technologies: see Section 6.

We do not collect: real name (beyond an optional display name), date of birth, phone number, gender, or street address from regular user accounts. Brewery-claim submitters are the exception above.

We use the information we collect to (a) operate and improve the Service; (b) authenticate you and maintain your session; (c) personalize your experience; (d) send transactional emails about your account, claims, and security; (e) send marketing email only if you separately opt in; (f) measure aggregate usage if you accept analytics; (g) prevent fraud and abuse; and (h) comply with legal obligations.

Where the EU/UK GDPR applies, we rely on (a) contract for providing the Service to you; (b) legitimate interests for security, fraud prevention, and product improvement; (c) consent for analytics/marketing cookies and for marketing email; and (d) legal obligation where required.

We share personal information only with the service providers below, each of whom processes data on our behalf under contract.

We do not sell personal information, and we do not share it for cross-context behavioral advertising. California residents have the right to opt out of "sale" and "sharing" — we don't do either, so nothing further is required of you.

We may disclose information when required by law, in response to valid legal process, or to protect the rights, safety, or property of Craftbevia, our users, or the public.

Strictly necessary: Supabase authentication cookies and a consent record (stored in both a cookie and your browser's local storage) are required for the Service to function and are set without consent.

Analytics and marketing: Google Analytics and Klaviyo scripts only load after you accept them via the cookie banner. If you decline, no analytics or marketing scripts are injected, and any previously set analytics cookies and local-storage entries are cleared.

Withdrawing consent: the cookie banner appears again if you clear the consent record from your browser, or you can email craftbevia@gmail.com and we will reset your consent state. Withdrawing consent does not affect the Service's core functionality.

We keep personal information for as long as your account is active. When you delete your account we remove your profile, reviews, favorites, visits, and related records from our active databases. Encrypted database backups, security/abuse logs, and records we are required to keep by law may persist for up to 90 days after deletion before they are overwritten or purged.

Depending on where you live, you may have the right to (a) access the personal information we hold about you; (b) correct inaccurate information; (c) delete your information; (d) export your information in a portable format; (e) restrict or object to certain processing; (f) withdraw consent where processing is based on consent; and (g) opt out of "sale" or "sharing" of personal information (we do neither). California residents also have the right to limit the use of "sensitive personal information" — we do not use any data for purposes that would trigger this right.

You can edit your profile and delete your account at any time from your account settings. For other requests, email craftbevia@gmail.com. We will respond within the timelines required by applicable law and will not discriminate against you for exercising these rights.

Our service providers may process information in the United States or other countries. Where required, we rely on appropriate transfer mechanisms such as the EU Standard Contractual Clauses and equivalent UK addenda.

The Service is for adults 21 and older. We do not knowingly collect personal information from anyone under 21, and in particular do not knowingly collect information from children under 13 (in line with COPPA). If you believe a person under 21 has provided us with personal information, contact us and we will delete it.

We use industry-standard administrative, technical, and physical safeguards including TLS in transit, encryption at rest by our infrastructure providers, database row-level security, and access controls. We also minimize the personal data we collect in the first place, so a breach exposes as little as possible. No system is perfectly secure, and we cannot guarantee absolute security.

We may update this Policy from time to time. When we make material changes we will revise the version number above and notify you in-app or by email. For material changes that affect how we process your personal information, we will ask you to accept the updated Policy before you continue to use the Service.

Questions, requests, or complaints? Email craftbevia@gmail.com. EEA/UK users also have the right to lodge a complaint with their local data protection authority.