Your data,
treated like a tab you trust us to close.

01Who we are

The data controller responsible for your personal data is the beerreal team, a small team based in Amsterdam, the Netherlands, who build and operate the beerreal app and website. Full corporate details will be published on our imprint page before public launch. You can reach us for any privacy matter via the privacy / GDPR form.

We're a small team and we don't have a designated Data Protection Officer (DPO) under Article 37 GDPR — our processing doesn't meet the threshold that requires one. Messages sent via the privacy form above reach a real person on the team, not a black hole.

02Scope of this policy

This policy applies to:

• The beerreal mobile application for iOS (and, when released, Android).
• The beerreal website at beerreal.app and any subdomains.
• Communications you have with us by email, social media, or in-app support.

It does not cover third-party venues, services, or websites we link to — they have their own policies, and you should read them.

03What we collect

We try to collect as little as possible. Here's the full list, grouped by category.

Account & identity

• Phone number — verified via SMS one-time code, used to log in and to find you when friends invite you.
• Apple ID / Google account identifier — only the opaque token returned by Sign in with Apple or Google. We do not receive your password.
• Display name, handle, avatar — chosen by you.
• Date of birth — for age verification only. We store your age band, not the date itself, after verification.

Posts & content

• Beer posts (timestamp, optional photo or video, optional caption, optional reaction).
• Auto-detected night sessions, including the venues visited and when.
• Reactions and comments you leave on other people's posts.
• Streaks, badges, records, and personal stats derived from your activity.

Location

• Coarse and precise location when you post a beer or have the live "Where's the Vibe" feature on (you control this in iOS settings).
• The resolved venue (name, type, address) we match your location to using Apple Maps POI data.

Social graph

• Friend connections, group memberships, and crew invites you create or accept.
• If you import contacts, we send hashed phone numbers to find which of your contacts are already on beerreal. We do not store your contact book.

Device & technical

• Device model, OS version, app version, language, timezone.
• An anonymous installation ID for crash and analytics attribution.
• Push notification token issued by Apple Push Notification Service.
• IP address (used briefly for fraud prevention, never stored long-term against your account).

Communications

• Anything you send us by email or in-app support, plus our reply.

04Why & on what legal basis

GDPR (Article 6) requires us to have a lawful basis for every purpose. Here it is, line by line.

05Location data

Location is the heart of the product, so we want to be very clear.

• iOS asks you for permission. You can choose While Using the App, Always, or Never at any time in iOS Settings → Privacy → Location Services → beerreal.
• If you say Never, you can still use beerreal — you'll just have to tag the venue manually when you post.
• Precise coordinates are used only at the moment you post (or while the live presence map is open). They are translated into a venue and then discarded; only the venue is stored against your post.
• We do not silently track you in the background.

06Photos, videos & captions

Photos and videos you post are stored on DigitalOcean Spaces (an S3-compatible object store) located in Frankfurt, Germany (EU). We process them to generate thumbnails and to extract video audio.

• EXIF metadata (including embedded GPS) is stripped on upload.
• Posts are visible only to your accepted friends, unless you mark them public.
• If you delete a post, the underlying media is removed from our active store within 24 hours and from backups within 30 days.

07Friends, contacts & QR invites

You can find friends three ways: by handle, by scanning a QR code, or by importing your iOS contacts.

• Contact import is opt-in. iOS will ask you separately.
• We hash each phone number locally on your device (SHA-256 with a salt) and only send hashes to our server to look for matches.
• Hashes are matched in memory and discarded — we don't store your contacts list.
• If a contact isn't on beerreal, we do not contact them on your behalf and we do not retain their hash.

08Push notifications

Push tokens come from Apple Push Notification Service. We use them to send notifications about activity that involves you (a friend posted, someone reacted, a crew invited you). You can mute any category in app Settings → Notifications, or turn them all off in iOS Settings.

09Analytics & crash reports

We use a small set of privacy-respecting tools to keep the app working. None of them sell data. None of them build advertising profiles on you.

• PostHog (self-hosted, EU region) — product analytics. We attribute events to an anonymous installation ID, not to your phone number.
• Sentry (EU region) — crash reports. Stack traces and device info; we scrub PII from breadcrumbs.
• Apple App Store Connect — aggregate, anonymised install and crash metrics that Apple shares with all developers.

You can opt out of product analytics inside the app at Settings → Privacy → Share usage data. Crash reports remain on, because they're how we know the app is broken — but they contain no profile information.

10Who we share data with

We share personal data only with these categories of recipients:

• Other users — your posts, name, avatar, and live presence are visible to friends you've accepted (or to everyone, if you mark something public).
• Infrastructure providers acting as our processors: DigitalOcean (hosting, EU region), MongoDB Atlas (database, EU region), Cloudflare (CDN, edge cache).
• Communication providers: Twilio (SMS OTP), Apple Push Notification Service.
• Identity providers: Apple, Google — only if you choose to sign in with them.
• Authorities when we receive a binding legal request (court order, DSA Art. 9 order, valid law-enforcement request from a competent EU authority).

We do not sell personal data. We do not share it for cross-context behavioural advertising. We do not use it to train third-party AI models.

11International transfers

We try hard to keep data inside the EU. The following providers may process limited data outside the EU/EEA:

• Apple Push Notification Service (USA) — push token routing. Apple is certified under the EU-US Data Privacy Framework.
• Cloudflare (USA) — CDN. Standard Contractual Clauses (Module 2) plus EU edge routing.
• Twilio (USA) — SMS delivery for one-time codes. Standard Contractual Clauses, EU sub-processors where available.

For any transfer that doesn't rely on the EU-US DPF, we use the European Commission's 2021 Standard Contractual Clauses and have performed a transfer-impact assessment. You can request a copy via the privacy form.

12How long we keep things

13Your rights under GDPR

You have all of the following, free of charge, exercisable at any time:

• Access — get a copy of your data. In-app: Settings → Privacy → Download my data.
• Rectification — correct inaccurate data. Most fields are editable in your profile.
• Erasure — delete your account and your data. See our account deletion page or use Settings → Account → Delete account.
• Restriction — pause processing while we sort out a dispute.
• Portability — get your data in a machine-readable format (JSON).
• Object — to processing based on legitimate interest. We'll stop unless we have an overriding reason.
• Withdraw consent — for the newsletter or any other consent-based processing, at any time. Doesn't affect processing done before withdrawal.
• Lodge a complaint with your supervisory authority. Ours is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), autoriteitpersoonsgegevens.nl. You may also complain to the authority in your country of residence.

To exercise any right that isn't a button in the app, send us a message via the privacy form. We'll respond within 30 days as required by Article 12(3).

14Minors

beerreal is for adults of legal drinking age in their country. Drinking ages we enforce by default:

• Belgium · 16 (beer & wine), 18 (spirits)
• Netherlands · 18 (all alcohol)
• Germany · 16 (beer & wine), 18 (spirits)
• Most other regions · 18+ or 21+

We require all users to be at least 18 to create an account, even where the local drinking age is lower for some beverages. We do not knowingly collect personal data from anyone under 18. If you believe a minor has signed up, message us via the trust & safety form and we'll close the account immediately.

15Security

We protect your data with industry-standard measures: TLS 1.3 in transit, AES-256 at rest, hashed and salted credentials, principle of least privilege for staff access, audit logs, and a vulnerability-disclosure channel via our security form. No system is perfect; if a personal data breach occurs that's likely to risk your rights, we will notify you without undue delay and the supervisory authority within 72 hours, as required by Articles 33–34 GDPR.

16Changes to this policy

When we change this policy in a way that materially affects your rights, we'll notify you in-app and by email (if we have one) at least 14 days before it takes effect. Smaller wording changes are recorded with a new "last revised" date at the top of this page. A full version history is available on request.

17How to reach us