Privacy Policy
Coffee Language — Educational App for Turkish Coffee Cup Reading
1. Introduction and Important Information
Dinkel AI & MEDIA TECH GmbH (hereinafter "Company", "we", "us", "our") respects your privacy and is committed to protecting your personal data in accordance with European Union and Austrian law.
This Privacy Policy ("Policy") describes:
- What data we collect
- How we use it
- How we protect it
- Your rights regarding your data
This Policy applies to the iOS application Coffee Language distributed via the Apple App Store.
2. Data Controller Information
Legal Entity:
- Name: Dinkel AI & MEDIA TECH GmbH
- Type: Gesellschaft mit beschränkter Haftung (GmbH)
- Country of Registration: Austria
- Jurisdiction: European Union
Contact Information:
- Website: https://dinkel.it.com/fincan.html
- Email for privacy questions: partners@sonaya.ai
- Support email: support@sonaya.ai
Regulator:
- Austrian Data Protection Authority (DSB): https://www.dsb.gv.at/
3. What Data We Collect
3.1. Data You Provide to Us
Authorization Data (Optional)
If you choose to sign in with Apple ID:
| Data | Source | Purpose | Legal Basis |
|---|---|---|---|
| Apple User ID | Sign in with Apple | User identification, subscription binding | Consent (Art. 6(1)(a) GDPR) |
| Email address (if shared) | Apple ID | User contact, account recovery | Consent (Art. 6(1)(a) GDPR) |
| Profile name (if available) | Apple ID | Display in app | Consent (Art. 6(1)(a) GDPR) |
Important: Sign in with Apple is optional. You can use the app anonymously with Device ID / Persistent Device ID (stored in iOS Keychain).
Data You Actively Upload
| Data | Description | Purpose | Storage |
|---|---|---|---|
| Cup photographs (3 photos) | Photos of coffee cup sediment from different angles | Analysis by our AI practice engine (see Section 7) to generate an educational interpretation | Original full-resolution photos are deleted immediately after analysis (max 24 hours) |
| Practice history record | Your optional question, the generated interpretation text, and a small low-resolution thumbnail of the analysed cup | Show your practice history inside the app | Stored until you delete the record or delete your account |
| Text question (optional) | Question or thought you share | Context for AI interpretation | Stored in history until account deletion |
3.2. Educational Progress Data (Stored Locally)
The following data is stored locally on your device (AsyncStorage) and is not transmitted to our servers unless you choose to sign in:
| Data | Description | Purpose |
|---|---|---|
| Completed lessons | Which lessons you have finished | Track course progress |
| XP (experience points) | Points earned from completing lessons and practice | Gamified learning progress |
| Level and title | Your current level (e.g. "Interpreter", "Master") | Motivation and achievement tracking |
| Streaks | Consecutive days of activity | Engagement tracking |
| Quiz results | Scores from lesson quizzes | Learning assessment |
If you sign in with Apple ID, this progress data may be synced to our server to enable cross-device access and backup.
3.3. Technical Data Collected Automatically
| Data | Purpose | Legal Basis | Storage |
|---|---|---|---|
| Device ID / Persistent Device ID | Subscription binding, fraud protection, stable identity after reinstall (iOS Keychain) | Legitimate Interest (Art. 6(1)(f) GDPR) | Until account deletion |
| IP address | Region for pricing, security | Legitimate Interest (Art. 6(1)(f) GDPR) | 30 days in logs |
| Device type, OS version | Bug debugging, compatibility | Legitimate Interest (Art. 6(1)(f) GDPR) | Anonymous, 12 months |
| App version | Bug debugging, support | Legitimate Interest (Art. 6(1)(f) GDPR) | Anonymous, 12 months |
Our legitimate interest in collecting technical data is to ensure the security, stability, and proper functioning of the App, prevent fraud, and provide customer support. You have the right to object to processing based on legitimate interest (see Section 5).
3.4. Payment Data
3.5. Community Data (User-Generated Content)
Coffee Language includes an optional educational community feature where signed-in users can share text posts about their practice, comment, and like other members' contributions. Participation is entirely voluntary; the courses, symbol library, and AI practice work without ever posting or reading community content.
| Data | Description | Purpose | Legal Basis |
|---|---|---|---|
| Public wall name (pseudonym) | A display name of 2–20 characters that you choose. This is not your real name — your Apple ID name is never shown publicly. | Public attribution of your posts and comments within the community | Performance of a contract (Art. 6(1)(b) GDPR) |
| Posts | Text you publish (up to 2,000 characters), plus its language | Display in the educational community | Performance of a contract (Art. 6(1)(b) GDPR) |
| Comments | Text replies to posts, plus their language | Community discussion | Performance of a contract (Art. 6(1)(b) GDPR) |
| Likes | Which posts and comments you liked | Community interaction | Performance of a contract (Art. 6(1)(b) GDPR) |
3.6. Push Notification Tokens
If you enable notifications, we collect a push notification token to deliver messages. This applies to signed-in users only.
| Data | Description | Purpose | Legal Basis |
|---|---|---|---|
| Push token (FCM / APNs) | A device-specific token issued by Apple Push Notification service and Firebase Cloud Messaging | Deliver notifications: the "cup of the day" educational exercise, the evening interpretation reveal, and replies to your posts | Consent (Art. 6(1)(a) GDPR) |
| Device platform & interface language | iOS/Android and your app language at registration | Deliver notifications in the correct language and format | Consent (Art. 6(1)(a) GDPR) |
You grant notification permission through the iOS system prompt and can withdraw it at any time in iOS Settings → Notifications, or by signing out. When you sign out or revoke permission, the token is removed from our servers; invalid tokens are also removed automatically.
3.7. Data We DO NOT Collect
- ❌ Photos of your face or personal photos (except coffee cup photos)
- ❌ Real-time location (only region by IP)
- ❌ Contacts from your phone
- ❌ Health information
4. Third Parties and Data Transfer
4.1. OpenAI, Inc.
Purpose: Image analysis (GPT Vision) and interpretation text generation.
Data transferred: Coffee cup photographs (3), optional question text, anonymized identifier.
Storage country: USA. Transfer safeguard: EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs). We have a Data Processing Agreement (DPA) with OpenAI. Privacy Policy: https://openai.com/policies/privacy-policy/
4.2. RevenueCat, Inc.
Purpose: Subscription management and payment validation for iOS.
Storage country: USA. Transfer safeguard: EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs). We have a Data Processing Agreement (DPA) with RevenueCat. Privacy Policy: https://www.revenuecat.com/privacy
4.3. Apple, Inc.
Purpose: In-app purchases, Sign in with Apple. Payment data is processed by Apple (PCI-DSS). Apple acts as an independent data controller for payment processing.
4.4. DigitalOcean, LLC (Content Delivery)
Purpose: Hosting and delivery of educational video content (course lesson videos) via CDN (Content Delivery Network).
Data involved: No personal user data is collected or processed. Video files are static content served over HTTPS. Standard web server logs (IP address, request timestamp) may be generated by the CDN infrastructure.
Storage country: USA / EU (nearest CDN edge). Privacy Policy: https://www.digitalocean.com/legal/privacy-policy
4.5. TikTok (ByteDance Ltd.) — Conversion Tracking
Purpose: Measuring the effectiveness of advertising campaigns on TikTok. The TikTok Business SDK tracks anonymized conversion events (e.g. purchase completed, content viewed, registration).
Data transferred: Anonymized event data (event type, timestamp, purchase amount/currency). No personal identifiers, photos, or content data is shared with TikTok.
Storage country: USA / Singapore. Transfer safeguard: Standard Contractual Clauses (SCCs). Privacy Policy: https://www.tiktok.com/legal/privacy-policy
You can limit ad tracking in iOS Settings → Privacy & Security → Tracking.
4.6. Infrastructure (e.g. Railway / AWS)
Purpose: App backend hosting. Database: PostgreSQL with encryption at rest. Transfer safeguard: Standard Contractual Clauses (SCCs) and Data Processing Agreement (DPA) for transfers to the USA.
4.7. Firebase (Google Ireland Limited / Google LLC)
Purpose: (1) Firebase Analytics — aggregated product and conversion analytics (e.g. lesson completed, purchase completed, paywall viewed) to understand feature usage and improve the App; (2) Firebase Cloud Messaging (FCM) — technical delivery of push notifications.
Data processed: Pseudonymous app-instance identifier, in-app event data, your app language, your account identifier (when signed in), and — for messaging — your push token. We do not send your coffee cup photos, community posts, or comment content to Firebase.
Storage country: USA. Transfer safeguard: EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs). We have a Data Processing Agreement (DPA) with Google. Privacy Policy: https://firebase.google.com/support/privacy
4.8. OpenAI, Inc. — Content Moderation
Purpose: Automated pre-screening of community posts and comments for safety (detecting profanity, spam, solicitation, personal data, and crisis content) and machine translation to assist human moderators. This is in addition to OpenAI's role in the AI practice feature described in Section 4.1.
Data transferred: The text of the post or comment being submitted. No account identifiers beyond what is necessary are transmitted.
Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR — Digital Services Act) and our legitimate interest in a safe community and in meeting App Store safety requirements (Art. 6(1)(f) GDPR). Storage country: USA. Transfer safeguard: EU-US Data Privacy Framework and SCCs; DPA in place. Privacy Policy: https://openai.com/policies/privacy-policy/
4A. Community Content, Moderation and Safety
To keep the educational community safe and to comply with the EU Digital Services Act (DSA) and Apple App Store requirements, we process the following data when you use the community (available to users 18+).
| Data | Purpose | Legal Basis | Storage |
|---|---|---|---|
| Automated moderation result (verdict, reason category, machine translation) attached to a post/comment | Pre-screen user content before it becomes public; assist human review | Legal obligation (Art. 6(1)(c) GDPR, DSA) and legitimate interest in a safe community (Art. 6(1)(f) GDPR) | With the content; removed when the content is removed |
| Reports you submit (content reference, reason, your identifier or a device key) | Allow members to flag content; enable us to act on illegal or objectionable content | Legitimate interest and legal obligation (Art. 6(1)(f), 6(1)(c) GDPR) | Retained for accountability (see below); personal identifiers removed on account deletion |
| Blocks (which members you blocked) | Hide content from members you have blocked | Legitimate interest (Art. 6(1)(f) GDPR) | Until you remove the block or delete your account |
| Age confirmation (timestamp that you confirmed you are 18+) | Restrict community posting to adults | Legitimate interest and legal obligation to protect minors (Art. 6(1)(f), 6(1)(c) GDPR) | Until account deletion |
| Moderation log (statement of reasons for moderation decisions) | Accountability and transparency of moderation decisions | Legal obligation (Art. 6(1)(c) GDPR — DSA Art. 17) | Retained for the accountability period even after the underlying content or account is removed |
Automated Content Moderation
The text of every post and comment is processed by automated means (OpenAI moderation technology and an AI text classifier) before it is published, to detect illegal or prohibited content (e.g. hate, harassment, sexual content, self-harm, spam, solicitation, personal data). Content that is not cleared automatically is held for human review. This automated processing supports a moderation decision and does not produce legal effects on you comparable to automated individual decision-making under Art. 22 GDPR; you can always contact us at partners@sonaya.ai to have a decision reviewed by a person and to obtain the statement of reasons for any decision affecting your content (DSA Art. 17).
Your controls: You can delete your own posts and comments at any time; report any post or comment; and block another member. All community content is published under your chosen public wall name, never your real name.
5. Your Rights Under GDPR
You have the right to: Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Data portability (Art. 20), Object (Art. 21).
How to exercise: Email partners@sonaya.ai (subject: "GDPR request – Coffee Language") or use in-app Settings → Account / Privacy where available. We respond within 30 days.
Complaint: Austrian Data Protection Authority (DSB): https://www.dsb.gv.at/, dsb@dsb.gv.at, +43 1 521 52-0.
6. Data Security and Retention
Security: Encryption in transit (HTTPS/TLS 1.3), encryption at rest (AES-256).
Retention: User/account data until deletion; AI practice history (question, interpretation text, thumbnail) until you delete the record or delete your account; original cup photos max 24 hours; educational progress until app deletion or account deletion; community posts and comments until you delete them or delete your account; moderation logs (statements of reasons) retained for accountability under the DSA even after the content or account is removed; push tokens until you sign out, revoke notification permission, or delete your account; payment receipts 7 years (Austrian tax law); IP logs 30 days.
7. AI Usage
Coffee Language uses artificial intelligence in two ways, both under our control as data controller:
- AI practice engine. When you use the AI practice feature, our own backend service receives your cup photographs and optional question and uses OpenAI (GPT Vision) as a sub-processor to generate a text interpretation based on the traditional Turkish coffee cup reading heritage. Each interpretation is generated for that session; we do not use your data for profiling or to train our own models. This is a cultural and educational experience, not a predictive or diagnostic service.
- Content moderation. Community posts and comments are automatically pre-screened for safety using OpenAI moderation and classification, and may be machine-translated to assist human moderators (see Sections 4.8 and 4A).
The educational courses and symbol library content are created by human instructors and do not involve AI generation.
8. Children and Age
App Store rating: 12+ (as assigned by the App Store based on the presence of a moderated user community). Coffee Language is intended for a general teenage and adult audience and is not directed at young children.
Users under 14 (the age of digital consent in Austria under GDPR) must have verifiable parental or legal guardian consent before using the App. Parents and guardians are responsible for monitoring their children's use of the App. If we become aware that we have collected personal data from a child under 14 without such consent, or that a minor has posted in the community, we will take steps to remove that data and content promptly.
9. Analytics and Tracking
We do not use cookies in the Coffee Language app. We use local storage (AsyncStorage) for app settings and educational progress, and a device/persistent identifier for subscription and access control.
We use Firebase Analytics (Google, Section 4.7) to collect aggregated product and conversion analytics, and the TikTok Business SDK (Section 4.5) to measure advertising conversions. On iOS, any tracking that relies on the device advertising identifier (IDFA) or cross-app attribution is only performed after you grant permission through Apple's App Tracking Transparency (ATT) prompt; if you decline, such tracking is not performed. You can review or change this at any time in iOS Settings → Privacy & Security → Tracking.
10. Policy Changes
We may update this Policy. The "Last Updated" date will be revised. For material changes that affect your rights or how we process your personal data, we will notify you in the app and request your explicit consent before applying the changes. Minor clarifications or formatting updates do not require renewed consent.
11. Contact
Privacy: partners@sonaya.ai — Support: support@sonaya.ai
Thank you for using Coffee Language.
Privacy Policy as of July 3, 2026