← Back to site

Privacy Policy

Coffee Language — Educational App for Turkish Coffee Cup Reading

Effective Date: March 1, 2026

Last Updated: July 3, 2026

Company: Dinkel AI & MEDIA TECH GmbH

Jurisdiction: European Union (GDPR), Austria

Application: Coffee Language (com.dinkelai.fincan) — iOS, Apple App Store

1. Introduction and Important Information

Dinkel AI & MEDIA TECH GmbH (hereinafter "Company", "we", "us", "our") respects your privacy and is committed to protecting your personal data in accordance with European Union and Austrian law.

This Privacy Policy ("Policy") describes:

IMPORTANT: Coffee Language is an educational application that teaches the tradition of Turkish coffee cup reading (UNESCO Intangible Cultural Heritage, 2013). The App provides structured courses with video lessons, a symbol library, and AI-powered practice where users can photograph their coffee cups and receive AI-generated interpretations. Interpretations are for cultural, educational, and entertainment purposes and are not professional advice, medical diagnosis, legal or financial advice, or fortune-telling.

This Policy applies to the iOS application Coffee Language distributed via the Apple App Store.


2. Data Controller Information

Legal Entity:

Contact Information:

Regulator:


3. What Data We Collect

3.1. Data You Provide to Us

Authorization Data (Optional)

If you choose to sign in with Apple ID:

DataSourcePurposeLegal Basis
Apple User IDSign in with AppleUser identification, subscription bindingConsent (Art. 6(1)(a) GDPR)
Email address (if shared)Apple IDUser contact, account recoveryConsent (Art. 6(1)(a) GDPR)
Profile name (if available)Apple IDDisplay in appConsent (Art. 6(1)(a) GDPR)

Important: Sign in with Apple is optional. You can use the app anonymously with Device ID / Persistent Device ID (stored in iOS Keychain).

Data You Actively Upload

DataDescriptionPurposeStorage
Cup photographs (3 photos)Photos of coffee cup sediment from different anglesAnalysis by our AI practice engine (see Section 7) to generate an educational interpretationOriginal full-resolution photos are deleted immediately after analysis (max 24 hours)
Practice history recordYour optional question, the generated interpretation text, and a small low-resolution thumbnail of the analysed cupShow your practice history inside the appStored until you delete the record or delete your account
Text question (optional)Question or thought you shareContext for AI interpretationStored in history until account deletion

3.2. Educational Progress Data (Stored Locally)

The following data is stored locally on your device (AsyncStorage) and is not transmitted to our servers unless you choose to sign in:

DataDescriptionPurpose
Completed lessonsWhich lessons you have finishedTrack course progress
XP (experience points)Points earned from completing lessons and practiceGamified learning progress
Level and titleYour current level (e.g. "Interpreter", "Master")Motivation and achievement tracking
StreaksConsecutive days of activityEngagement tracking
Quiz resultsScores from lesson quizzesLearning assessment

If you sign in with Apple ID, this progress data may be synced to our server to enable cross-device access and backup.

3.3. Technical Data Collected Automatically

DataPurposeLegal BasisStorage
Device ID / Persistent Device IDSubscription binding, fraud protection, stable identity after reinstall (iOS Keychain)Legitimate Interest (Art. 6(1)(f) GDPR)Until account deletion
IP addressRegion for pricing, securityLegitimate Interest (Art. 6(1)(f) GDPR)30 days in logs
Device type, OS versionBug debugging, compatibilityLegitimate Interest (Art. 6(1)(f) GDPR)Anonymous, 12 months
App versionBug debugging, supportLegitimate Interest (Art. 6(1)(f) GDPR)Anonymous, 12 months

Our legitimate interest in collecting technical data is to ensure the security, stability, and proper functioning of the App, prevent fraud, and provide customer support. You have the right to object to processing based on legitimate interest (see Section 5).

3.4. Payment Data

IMPORTANT: We do NOT process payment data directly. Card numbers, CVV, and other payment details are processed exclusively by Apple (App Store). We only receive transaction status, purchase ID, subscription expiry, and currency via RevenueCat.

3.5. Community Data (User-Generated Content)

Coffee Language includes an optional educational community feature where signed-in users can share text posts about their practice, comment, and like other members' contributions. Participation is entirely voluntary; the courses, symbol library, and AI practice work without ever posting or reading community content.

DataDescriptionPurposeLegal Basis
Public wall name (pseudonym)A display name of 2–20 characters that you choose. This is not your real name — your Apple ID name is never shown publicly.Public attribution of your posts and comments within the communityPerformance of a contract (Art. 6(1)(b) GDPR)
PostsText you publish (up to 2,000 characters), plus its languageDisplay in the educational communityPerformance of a contract (Art. 6(1)(b) GDPR)
CommentsText replies to posts, plus their languageCommunity discussionPerformance of a contract (Art. 6(1)(b) GDPR)
LikesWhich posts and comments you likedCommunity interactionPerformance of a contract (Art. 6(1)(b) GDPR)
IMPORTANT: Community posts and comments are public to other members (including logged-out readers) and are attributed to your chosen public wall name only. Do not include personal data (real name, phone, email, address) in your posts. You can delete your own posts and comments at any time, report content, and block other members (see Section 4A). Members do not upload photos or media to the community — posts are text only.

3.6. Push Notification Tokens

If you enable notifications, we collect a push notification token to deliver messages. This applies to signed-in users only.

DataDescriptionPurposeLegal Basis
Push token (FCM / APNs)A device-specific token issued by Apple Push Notification service and Firebase Cloud MessagingDeliver notifications: the "cup of the day" educational exercise, the evening interpretation reveal, and replies to your postsConsent (Art. 6(1)(a) GDPR)
Device platform & interface languageiOS/Android and your app language at registrationDeliver notifications in the correct language and formatConsent (Art. 6(1)(a) GDPR)

You grant notification permission through the iOS system prompt and can withdraw it at any time in iOS Settings → Notifications, or by signing out. When you sign out or revoke permission, the token is removed from our servers; invalid tokens are also removed automatically.

3.7. Data We DO NOT Collect


4. Third Parties and Data Transfer

4.1. OpenAI, Inc.

Purpose: Image analysis (GPT Vision) and interpretation text generation.

Data transferred: Coffee cup photographs (3), optional question text, anonymized identifier.

Storage country: USA. Transfer safeguard: EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs). We have a Data Processing Agreement (DPA) with OpenAI. Privacy Policy: https://openai.com/policies/privacy-policy/

4.2. RevenueCat, Inc.

Purpose: Subscription management and payment validation for iOS.

Storage country: USA. Transfer safeguard: EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs). We have a Data Processing Agreement (DPA) with RevenueCat. Privacy Policy: https://www.revenuecat.com/privacy

4.3. Apple, Inc.

Purpose: In-app purchases, Sign in with Apple. Payment data is processed by Apple (PCI-DSS). Apple acts as an independent data controller for payment processing.

4.4. DigitalOcean, LLC (Content Delivery)

Purpose: Hosting and delivery of educational video content (course lesson videos) via CDN (Content Delivery Network).

Data involved: No personal user data is collected or processed. Video files are static content served over HTTPS. Standard web server logs (IP address, request timestamp) may be generated by the CDN infrastructure.

Storage country: USA / EU (nearest CDN edge). Privacy Policy: https://www.digitalocean.com/legal/privacy-policy

4.5. TikTok (ByteDance Ltd.) — Conversion Tracking

Purpose: Measuring the effectiveness of advertising campaigns on TikTok. The TikTok Business SDK tracks anonymized conversion events (e.g. purchase completed, content viewed, registration).

Data transferred: Anonymized event data (event type, timestamp, purchase amount/currency). No personal identifiers, photos, or content data is shared with TikTok.

Storage country: USA / Singapore. Transfer safeguard: Standard Contractual Clauses (SCCs). Privacy Policy: https://www.tiktok.com/legal/privacy-policy

You can limit ad tracking in iOS Settings → Privacy & Security → Tracking.

4.6. Infrastructure (e.g. Railway / AWS)

Purpose: App backend hosting. Database: PostgreSQL with encryption at rest. Transfer safeguard: Standard Contractual Clauses (SCCs) and Data Processing Agreement (DPA) for transfers to the USA.

4.7. Firebase (Google Ireland Limited / Google LLC)

Purpose: (1) Firebase Analytics — aggregated product and conversion analytics (e.g. lesson completed, purchase completed, paywall viewed) to understand feature usage and improve the App; (2) Firebase Cloud Messaging (FCM) — technical delivery of push notifications.

Data processed: Pseudonymous app-instance identifier, in-app event data, your app language, your account identifier (when signed in), and — for messaging — your push token. We do not send your coffee cup photos, community posts, or comment content to Firebase.

Storage country: USA. Transfer safeguard: EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs). We have a Data Processing Agreement (DPA) with Google. Privacy Policy: https://firebase.google.com/support/privacy

4.8. OpenAI, Inc. — Content Moderation

Purpose: Automated pre-screening of community posts and comments for safety (detecting profanity, spam, solicitation, personal data, and crisis content) and machine translation to assist human moderators. This is in addition to OpenAI's role in the AI practice feature described in Section 4.1.

Data transferred: The text of the post or comment being submitted. No account identifiers beyond what is necessary are transmitted.

Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR — Digital Services Act) and our legitimate interest in a safe community and in meeting App Store safety requirements (Art. 6(1)(f) GDPR). Storage country: USA. Transfer safeguard: EU-US Data Privacy Framework and SCCs; DPA in place. Privacy Policy: https://openai.com/policies/privacy-policy/


4A. Community Content, Moderation and Safety

To keep the educational community safe and to comply with the EU Digital Services Act (DSA) and Apple App Store requirements, we process the following data when you use the community (available to users 18+).

DataPurposeLegal BasisStorage
Automated moderation result (verdict, reason category, machine translation) attached to a post/commentPre-screen user content before it becomes public; assist human reviewLegal obligation (Art. 6(1)(c) GDPR, DSA) and legitimate interest in a safe community (Art. 6(1)(f) GDPR)With the content; removed when the content is removed
Reports you submit (content reference, reason, your identifier or a device key)Allow members to flag content; enable us to act on illegal or objectionable contentLegitimate interest and legal obligation (Art. 6(1)(f), 6(1)(c) GDPR)Retained for accountability (see below); personal identifiers removed on account deletion
Blocks (which members you blocked)Hide content from members you have blockedLegitimate interest (Art. 6(1)(f) GDPR)Until you remove the block or delete your account
Age confirmation (timestamp that you confirmed you are 18+)Restrict community posting to adultsLegitimate interest and legal obligation to protect minors (Art. 6(1)(f), 6(1)(c) GDPR)Until account deletion
Moderation log (statement of reasons for moderation decisions)Accountability and transparency of moderation decisionsLegal obligation (Art. 6(1)(c) GDPR — DSA Art. 17)Retained for the accountability period even after the underlying content or account is removed

Automated Content Moderation

The text of every post and comment is processed by automated means (OpenAI moderation technology and an AI text classifier) before it is published, to detect illegal or prohibited content (e.g. hate, harassment, sexual content, self-harm, spam, solicitation, personal data). Content that is not cleared automatically is held for human review. This automated processing supports a moderation decision and does not produce legal effects on you comparable to automated individual decision-making under Art. 22 GDPR; you can always contact us at partners@sonaya.ai to have a decision reviewed by a person and to obtain the statement of reasons for any decision affecting your content (DSA Art. 17).

IMPORTANT: As required by the Digital Services Act, records of moderation decisions (statements of reasons) are kept for accountability even after the related content is deleted or an account is closed. These records do not contain your real name; they document that and why a decision was taken. This is a lawful limitation on the right to erasure under Art. 17(3)(b) GDPR.

Your controls: You can delete your own posts and comments at any time; report any post or comment; and block another member. All community content is published under your chosen public wall name, never your real name.


5. Your Rights Under GDPR

You have the right to: Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Data portability (Art. 20), Object (Art. 21).

How to exercise: Email partners@sonaya.ai (subject: "GDPR request – Coffee Language") or use in-app Settings → Account / Privacy where available. We respond within 30 days.

Complaint: Austrian Data Protection Authority (DSB): https://www.dsb.gv.at/, dsb@dsb.gv.at, +43 1 521 52-0.


6. Data Security and Retention

Security: Encryption in transit (HTTPS/TLS 1.3), encryption at rest (AES-256).

Retention: User/account data until deletion; AI practice history (question, interpretation text, thumbnail) until you delete the record or delete your account; original cup photos max 24 hours; educational progress until app deletion or account deletion; community posts and comments until you delete them or delete your account; moderation logs (statements of reasons) retained for accountability under the DSA even after the content or account is removed; push tokens until you sign out, revoke notification permission, or delete your account; payment receipts 7 years (Austrian tax law); IP logs 30 days.


7. AI Usage

Coffee Language uses artificial intelligence in two ways, both under our control as data controller:

The educational courses and symbol library content are created by human instructors and do not involve AI generation.


8. Children and Age

App Store rating: 12+ (as assigned by the App Store based on the presence of a moderated user community). Coffee Language is intended for a general teenage and adult audience and is not directed at young children.

IMPORTANT — Community posting is 18+ only. Publishing posts or comments in the community requires you to be signed in and to confirm that you are at least 18 years old. Members who do not confirm adult age can still use the educational courses, symbol library, and AI practice, but cannot post or comment.

Users under 14 (the age of digital consent in Austria under GDPR) must have verifiable parental or legal guardian consent before using the App. Parents and guardians are responsible for monitoring their children's use of the App. If we become aware that we have collected personal data from a child under 14 without such consent, or that a minor has posted in the community, we will take steps to remove that data and content promptly.


9. Analytics and Tracking

We do not use cookies in the Coffee Language app. We use local storage (AsyncStorage) for app settings and educational progress, and a device/persistent identifier for subscription and access control.

We use Firebase Analytics (Google, Section 4.7) to collect aggregated product and conversion analytics, and the TikTok Business SDK (Section 4.5) to measure advertising conversions. On iOS, any tracking that relies on the device advertising identifier (IDFA) or cross-app attribution is only performed after you grant permission through Apple's App Tracking Transparency (ATT) prompt; if you decline, such tracking is not performed. You can review or change this at any time in iOS Settings → Privacy & Security → Tracking.


10. Policy Changes

We may update this Policy. The "Last Updated" date will be revised. For material changes that affect your rights or how we process your personal data, we will notify you in the app and request your explicit consent before applying the changes. Minor clarifications or formatting updates do not require renewed consent.


11. Contact

Privacy: partners@sonaya.aiSupport: support@sonaya.ai


Thank you for using Coffee Language.

Privacy Policy as of July 3, 2026