Privacy Policy
Last updated: 24.01.2026
1. Who we are (Controller)
The controller responsible for data processing under the GDPR (and other applicable data protection laws) is:
2. Scope of this Privacy Policy
This Privacy Policy applies to:
- the Coffeelist mobile application ("App"), and
- the Coffeelist website ("Website").
It explains what personal data we process, why we process it, and what rights you have.
App stores / distribution: When you download or use the App via the Apple App Store or Google Play Store, the respective store provider may process personal data independently (e.g., for distribution, security, and store-related analytics). This processing is governed by the store provider's privacy policy:
3. What Coffeelist does
Coffeelist helps groups manage shared consumption lists (e.g., coffee/consumables) without paper lists or manual spreadsheets. Users can create or join groups, admins can create products, and the group can track consumption and balances.
Important: Any "balance", "debt", or "money" shown in the App is an internal counter used for tracking within a group. No real payments are processed in the App, and there are currently no in-app purchases.
4. Data we process (App)
Depending on how you use the App, we may process the following categories of data:
- Email address (for account creation and login)
- User ID (Firebase UID)
- Group information (e.g., group name, membership, admin role)
- Products created in groups
- Consumption entries (e.g., who consumed what/when)
- Balance/debt counter and related records (group-internal tracking)
- Push notification tokens / device instance identifiers (for delivering push notifications)
- Basic technical data necessary for providing the service (e.g., timestamps, system status needed to run the App)
- If you use QR features, the App may access your camera to scan QR codes. We do not store your camera images. Camera access is used only for the scanning function.
5. Why we process data (Purposes) and legal bases (GDPR)
We process personal data for the following purposes:
- Providing the App and core features (account, groups, syncing, consumption tracking)
Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
- Operating and securing the service (e.g., preventing misuse, maintaining stability)
Legal basis: legitimate interests (Art. 6(1)(f) GDPR)
- Sending service-related emails (e.g., password reset emails via Firebase Authentication)
Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
- Push notifications (if enabled by you)
If you enable push notifications, we process a device token/instance identifier to deliver notifications to your device. The legal basis is your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time by disabling notifications in your device settings. Disabling notifications does not affect the core functionality of the App.
6. Firebase / Google as a service provider
We use Google Firebase (Google Ireland Limited for users in the EEA/UK; Google LLC may process data as a sub-processor) to provide core App functions.
More information about Google's data processing and privacy can be found here:
Firebase services used include:
a) Firebase Authentication (Login)
We use Firebase Authentication to manage user accounts and login. This includes processing your email address and assigning a unique user ID (Firebase UID). Firebase Authentication also supports password reset emails (service emails).
b) Firebase Cloud Firestore (Database + real-time sync)
We use Cloud Firestore to store and synchronize App data in real time, such as:
- user profile references (linked to Firebase UID),
- group data and membership,
- products,
- consumption entries,
- group-internal balance/debt counters.
c) Firebase Cloud Functions (server-side logic)
We use Cloud Functions to run automated checks and tasks, for example:
- checkDebtLimit: checks whether a group's debt limit is exceeded after balance changes
- checkAnomaly: detects unusual consumption patterns
- checkPayday: daily check for payday rules (e.g., Monday or the 1st day of the month)
- cleanupUserData: deletes user-related data after account deletion
These functions operate on data stored in Firestore and support the App's core features and data integrity. They do not make automated decisions with legal or similarly significant effects within the meaning of Art. 22 GDPR. For example, anomaly detection is used to identify unusual patterns for integrity/safety purposes and does not result in binding decisions about a user.
d) Firebase Cloud Messaging (Push notifications)
If push notifications are enabled, we use Firebase Cloud Messaging (FCM). For this, Firebase processes a device token/instance identifier to deliver notifications to your device.
7. No analytics / no tracking
We currently do not use Firebase Analytics or other tracking/analytics tools in the App.
8. Sharing of data
We do not sell your personal data.
We may share data only when necessary:
- With service providers (e.g., Firebase/Google) to operate the App
- Within your groups: other group members may see group-related information and records depending on your group's setup (e.g., consumption entries, product lists, balances). This is the core purpose of the App.
We may disclose data if required by law or to protect our rights and security.
9. International data transfers
Firebase is a service by Google. Depending on your location and Google's processing structure, personal data may be processed in countries outside your country (including outside the EEA). Where required, transfers are safeguarded by appropriate legal mechanisms (e.g., standard contractual clauses).
10. Data retention
We keep personal data only for as long as necessary to provide the service and for the purposes described in this Privacy Policy. In general:
- Account and app data is stored for as long as your account is active and until you delete it or request account deletion (unless we are legally required to retain certain data).
- Technical data (e.g., push notification delivery tokens) is retained as needed for the notification feature and may be refreshed or removed automatically.
If you request account deletion, we delete or anonymize personal data associated with your account within a reasonable period, unless retention is required by law or necessary to establish, exercise, or defend legal claims.
11. Account deletion
You can request deletion of your account at any time. After deletion, we will delete or anonymize personal data associated with your account, unless we are legally required to keep certain data. For group integrity, certain group records (e.g., consumption entries and group data) may remain after account deletion, but will no longer be linked to your account. If a group is deleted, the related group data is deleted as well.
Account deletion request page:
https://coffeelist.jutio.org/delete-account
12. Website processing (coffeelist.jutio.org)
- Hosting: The Website is hosted on Cloudflare (Cloudflare Workers). In this context, Cloudflare may process technical data (including server log data) to deliver and secure the Website.
- Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
- Cookies / tracking: Our Website does not use marketing cookies or analytics tracking tools at this time.
- Server logs: Like most websites, Cloudflare may process basic server log data (e.g., IP address, date and time of the request, requested page, referrer URL, and user agent) to deliver the Website and ensure security.
- Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
- Website: https://coffeelist.jutio.org
13. Security
We use reasonable technical and organizational measures to protect your data. However, no system can guarantee 100% security.
14. Your rights (GDPR)
If you are in the EEA/UK (and in many other jurisdictions), you may have the right to:
- Access your personal data
- Rectify incorrect data
- Delete your data
- Restrict processing
- Data portability
- Object to processing based on legitimate interests
- Withdraw consent (where processing is based on consent)
To exercise your rights, contact us using the details in Section 1.
15. Supervisory authority
You also have the right to lodge a complaint with a data protection supervisory authority in your country of residence or the place of the alleged infringement.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top shows when changes were made.