Privacy Policy

Last updated: March 2026

What we collect

Bakio is designed to collect only the minimum data necessary to provide the service. We store:

  • Email address — for account login and optional updates (if you opted in)
  • OAuth provider ID — to link your Google, Apple, or Facebook login
  • Display name (optional) — shown on your reviews if you choose to set one
  • Reviews and ratings — the content you submit about coffees
  • Submissions — price reports, coffee listings, and vendor suggestions you contribute

We do not collect or store: passwords (handled by our auth provider), location history, browsing behavior, payment information, or any other unnecessary personal data.

How we use your data

  • To authenticate your identity and maintain your session
  • To display your reviews and contributions alongside your chosen display name
  • To send you updates about new cities and features (only if you opted in during signup)
  • To improve the platform based on aggregate, anonymized usage patterns

Data processing

Your data is stored and processed by Supabase (our database and authentication provider) on secure servers. We use row-level security policies to ensure users can only access and modify their own data. Passwords are never stored directly — authentication is handled entirely by Supabase Auth, which uses industry-standard bcrypt hashing.

Cookies

Bakio uses essential cookies to maintain your login session. We do not use tracking cookies or third-party advertising cookies. Google Maps, used on city pages, may set its own cookies as described in Google's privacy policy. If you choose to accept analytics cookies, we may use basic, anonymized analytics to understand how the platform is used.

Your rights (GDPR)

You have the right to:

  • Access your personal data at any time through your profile page
  • Correct your display name and email through your profile settings
  • Delete your account and all associated data through the account deletion option in your profile
  • Export your data — contact us and we will provide your data in a portable format
  • Withdraw consent for marketing emails at any time

When you delete your account, all your personal data, reviews, and submissions are permanently removed from our systems. This action cannot be undone.

Legal basis for processing (GDPR)

We process your personal data on the following legal bases:

  • Contract performance — to provide the Bakio service when you create an account
  • Legitimate interest — to improve the platform, prevent abuse, and maintain data quality
  • Consent — for marketing emails (only if you opted in; withdrawable at any time)

Data retention

We retain your personal data for as long as your account is active. Reviews and ratings are displayed publicly under your chosen display name. When you delete your account, all personal data is permanently removed within 30 days. Anonymized, aggregated data (such as average ratings) may be retained after account deletion.

Third-party services

  • Supabase — database, authentication, and storage (EU-hosted)
  • Vercel — hosting and content delivery
  • Google Maps — interactive maps on city pages (Google may collect usage data subject to Google's Privacy Policy)
  • Google / Apple / Facebook — OAuth login providers (only if you choose to log in with them)

We do not sell or share your personal data with any third parties for advertising purposes.

International transfers

Your data may be processed in the EU and the United States. Where data is transferred outside the EU/EEA, we ensure adequate protection through Standard Contractual Clauses or equivalent safeguards as required by GDPR.

Changes to this policy

We may update this privacy policy from time to time. Material changes will be communicated to registered users by email or through a notice on the platform.

Contact

For privacy-related questions or to exercise your data rights, contact us at privacy@bakio.co.
