Privacy Policy — Spirit Library

This Privacy Policy explains how Spirit Library ("we," "our," or "us") collects, uses, shares, and retains information when you use the Spirit Library mobile application (the "App"). It also describes your rights under applicable privacy laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).

Please read this policy carefully. By using the App, you acknowledge you have read and understood it.

1. Who We Are (Data Controller)

For purposes of the GDPR, the data controller is:

Spirit Library
Contact: claudesonnet111@gmail.com
Website: spiritlibrary.app
App Store: apps.apple.com/app/spiritlibrary

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the right to lodge a complaint with your local supervisory authority if you believe we are processing your personal data unlawfully.

2. Data We Collect

We collect only the data necessary to provide the App's features. We do not sell your personal data.

2a. Data You Provide Directly

Data	When collected	Required?
Email address	Account registration	Yes (for sign-in)
Username	Account registration	Yes (unique identifier for your profile)
Display name	Account registration or profile edit	No (defaults to username)
Profile photo	Profile edit (camera or photo library)	No

If you sign in with Google or Apple, we receive only the email address and name that those providers share with us. Apple Sign In may provide a relay email address at your option — we treat relay addresses identically to real ones.

2b. Data Generated by Your Use of the App

Data	What it contains	Where it is stored
Saved cocktails	List of cocktail IDs you have hearted	Your device (local storage) and your cloud profile if you are signed in
Custom lists	List names, descriptions, and the cocktail IDs in each list	Your device and your cloud profile if signed in
Shopping list	Ingredient names, optional cocktail reference	Your device and your cloud profile if signed in
Recently viewed	Up to 20 cocktail IDs, most recent first	Your device and your cloud profile if signed in

2c. Data We Do Not Collect

We do not collect:

Payment or financial information
Precise GPS location (the location permission, if granted, is reserved for a future "find nearby bars" feature and is not currently active)
Contacts (the contacts permission, if granted, is reserved for a future sharing feature and contacts data is never uploaded to our servers)
Health or fitness data
Browsing history outside the App
Advertising identifiers (IDFA), unless you grant App Tracking Transparency permission

2d. Data Collected Automatically

Crash reports and diagnostics — if you grant permission, anonymised crash logs may be sent to our crash-reporting provider to help us fix bugs. No personal data is included in these reports.
Analytics events (future) — if you grant App Tracking Transparency (ATT) permission on iOS, we may collect anonymised product-interaction events (e.g. which features you use most) to improve the App. If you deny ATT, no tracking events are sent.

3. How We Use Your Data

Purpose	Data used	Legal basis (GDPR)
Create and manage your account	Email, username, display name	Performance of a contract (Art. 6(1)(b))
Sync your saved cocktails, lists, and shopping list across devices	Saved cocktails, lists, shopping list, recently viewed	Performance of a contract (Art. 6(1)(b))
Let you sign in with Google or Apple	Email from OAuth provider	Performance of a contract (Art. 6(1)(b))
Display your profile and display name within the App	Username, display name, profile photo	Performance of a contract (Art. 6(1)(b))
Fix bugs and improve stability	Crash reports (anonymised)	Legitimate interests (Art. 6(1)(f))
Improve App features and understand usage patterns (if ATT granted)	Anonymised analytics events	Legitimate interests (Art. 6(1)(f)) / Consent where required
Comply with legal obligations	Any data necessary	Legal obligation (Art. 6(1)(c))

We do not use your data for targeted advertising, profiling, automated decision-making, or sale to third parties.

4. Third-Party Services and Data Sharing

We share data with the following third parties only to the extent necessary to operate the App. We do not sell your data to any third party.

4a. Supabase (Backend and Authentication)

What: Supabase provides our database and authentication infrastructure.
Data shared: Email address, username, display name, saved cocktails, lists, shopping list, recently viewed cocktails.
Location: Supabase, Inc. is headquartered in San Francisco, CA, USA. Data may be stored in AWS data centres (primarily US East). Supabase offers a Data Processing Agreement (DPA) and relies on Standard Contractual Clauses (SCCs) for EEA transfers.
Link: supabase.com/privacy

4b. Google (OAuth Sign-In)

What: If you choose "Sign in with Google," Google authenticates you and shares your email address and name with us.
Link: policies.google.com/privacy

4c. Apple (OAuth Sign-In / App Store)

What: If you choose "Sign in with Apple," Apple authenticates you and shares a verified email address (or relay address) with us. Apple also collects standard App Store analytics.
Link: apple.com/privacy

4d. Instacart (Shopping List Deep Link)

What: Tapping "Buy on Instacart" opens the Instacart app or website with ingredient names pre-filled in the search bar. This is a URL deep link — we do not transmit your account information, device ID, or any personal data to Instacart.
Link: instacart.com/privacy

4e. Legal Disclosures

We may disclose your data if required by law, court order, or to protect the rights, safety, or property of Spirit Library, its users, or the public.

5. Data Retention

Data	Retention period
Account data (email, username, display name)	Retained until you delete your account
Profile data (saved cocktails, lists, shopping list, recently viewed)	Retained until you delete your account
Profile photo	Deleted within 30 days of account deletion
Local device data	Retained until you uninstall the App or clear App storage
Crash reports	Retained for 90 days, then automatically deleted
Analytics events (if applicable)	Retained in aggregated, anonymised form for up to 24 months

When you delete your account, we delete your profile and all associated data within 30 days.

6. Data Security

Encryption in transit: All communication between the App and our backend uses TLS 1.2 or higher.
Encryption at rest: Data at rest is encrypted using AES-256.
Row-Level Security: Database policies ensure each user can only read and write their own profile row.
Authentication tokens: Session tokens are stored in the iOS Keychain and Android Keystore — hardware-backed secure storage encrypted by the device passcode. They are never logged or transmitted to third parties.

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at claudesonnet111@gmail.com.

7. Your Rights

7a. Rights Under GDPR (EEA, UK, Switzerland)

Right	What it means
Access (Art. 15)	Request a copy of all personal data we hold about you
Rectification (Art. 16)	Correct inaccurate or incomplete data
Erasure (Art. 17)	Request deletion of your personal data ("right to be forgotten")
Restriction (Art. 18)	Ask us to pause processing your data while a dispute is resolved
Portability (Art. 20)	Receive your data in a structured, machine-readable format (JSON)
Objection (Art. 21)	Object to processing based on legitimate interests
Withdraw consent	Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at claudesonnet111@gmail.com. We will respond within 30 days (extendable to 90 days for complex requests, with notice).

You also have the right to lodge a complaint with your local data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

7b. Rights Under CCPA/CPRA (California Residents)

Right	What it means
Right to Know	Know what personal information we collect, use, disclose, and sell
Right to Delete	Request deletion of your personal information
Right to Correct	Request correction of inaccurate personal information
Right to Opt Out of Sale/Sharing	We do not sell or share personal information for cross-context behavioural advertising — this right is not applicable
Right to Non-Discrimination	We will not discriminate against you for exercising any of these rights

To submit a CCPA/CPRA request, email claudesonnet111@gmail.com with the subject line "California Privacy Request." We will respond within 45 days (extendable to 90 days with notice).

8. Children's Privacy

The App is not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, contact us at claudesonnet111@gmail.com and we will delete it promptly.

9. International Data Transfers

Spirit Library is operated from the United States. If you are located in the EEA, UK, or Switzerland, your data is transferred to and processed in the United States. We rely on the EU Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) as the lawful transfer mechanism for these transfers.

10. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Display an in-app notice on next launch for significant changes.

Continued use of the App after the effective date of a revised policy constitutes your acceptance of the changes.

11. Contact Us

For privacy questions, access requests, or deletion requests:

claudesonnet111@gmail.com

Response time: within 30 days for GDPR requests · within 45 days for CCPA requests

Home Terms of Use Delete My Data Support