Hanko: Coffee Passport Privacy Policy

Effective date: 2026-04-28
Last updated: 2026-04-28

1. Who We Are

Hanko: Coffee Passport (the "App," "Service," "we," "our," or "us") is a coffee-logging and discovery application owned and operated as a sole proprietorship by:

Jericho Francis A. Carlos, trading as Hanko Coffee

Contact: hello@hankocoffee.app

Data requests: https://hankocoffee.app/request

For the purposes of the DPA, the sole proprietor is the Personal Information Controller ("PIC"). For the purposes of the GDPR, the sole proprietor is the "Controller." Where the CCPA/CPRA applies, the sole proprietor is the "Business."

We have designated the sole proprietor as the point of contact for all privacy matters, acting in the role of Data Protection Officer ("DPO") for the DPA until a separate DPO is appointed.

2. Scope

This Policy applies to personal data we collect through:

  • the Hanko: Coffee Passport mobile applications for iOS and Android (together, the "App");
  • the website at hankocoffee.app and its subdomains (the "Website");
  • our back-end application programming interfaces at api.hankocoffee.app (the "API"); and
  • any communications you exchange with us by email, web form, or in-App support channels.

This Policy does not apply to third-party services you access through the App (for example, websites linked from a cafe listing), which are governed by their own privacy notices.

3. Eligibility and Children's Privacy

The Service is strictly for users who are eighteen (18) years of age or older. At registration, you must truthfully declare that you are at least 18. Accounts where the declared age is below 18 are automatically denied.

We do not knowingly collect personal data from anyone under 18. If we discover that we have collected personal data from a person under 18, we will delete that data and terminate the account. If you believe a child under 18 has provided us data, please contact us at hello@hankocoffee.app.

Because we accept this age declaration in good faith and without a practical means of independent verification, any misrepresentation of age may result in immediate account denial, suspension, termination, and deletion of the related personal data.

4. Personal Data We Collect

We collect personal data in three ways: (a) data you provide to us, (b) data we collect automatically from your device, and (c) data we receive from third parties.

4.1 Data you provide to us

When you create an account and use the App, you may provide:

  • Account data: email address, password credentials handled through our authentication provider, display name, handle, age declaration, and the country you select.
  • Profile data: profile photo, bio, preferences (e.g., favorite drink).
  • Authentication data: if you sign in with Google or Apple, we receive the basic identity attributes those providers return (name, email, and a stable identifier). We do not receive your Google or Apple password.
  • Log entries and reviews: cafes you visit, drinks you order, ratings, written notes, photos, and the timestamp and approximate location associated with each log.
  • Cafe contributions: when you add or edit a cafe, we collect the cafe name, address, coordinates, opening hours, photos, and any other attributes you choose to submit.
  • Support communications: the content of messages you send to hello@hankocoffee.app or through our web form.
  • Purchase and subscription data: if you purchase a subscription or consumable, RevenueCat (on our behalf) and the Apple App Store or Google Play Store process the transaction. We receive a receipt identifier, subscription status, product identifier, and renewal metadata. We do not receive or store your full payment-card number or CVV.

4.2 Data we collect automatically

When you use the App or Website, we and the service providers listed in Section 7 may automatically collect:

  • Device and technical data: device model, operating system and version, App version, language, time zone, screen metrics, crash logs, network type, and a randomly generated installation identifier.
  • Usage data: the screens or pages you view, the features you use, sessions, website performance measurements, and basic interaction events (for example, "log saved," "cafe searched").
  • Location data: with your explicit operating-system permission, your device's coarse and/or precise location when the App is in the foreground, used to show nearby cafes and to attach an approximate location to a log you choose to save. If you deny location permission, the App continues to function with reduced features. We do not collect background location.
  • Log and diagnostic data: IP address, request timestamps, user-agent strings, and error traces captured by Cloudflare, Railway, Vercel, and Supabase when you connect to our infrastructure. IP addresses are considered personal data under the DPA and GDPR.
  • Cookies and similar technologies (Website only): the Website uses strictly necessary cookies to keep you signed in and to remember preferences, and may use analytics cookies if you consent through the cookie banner. The native App does not use browser cookies.

4.3 Data we receive from third parties

  • Identity providers: when you choose "Sign in with Google" or "Sign in with Apple," Google or Apple sends us your name, email, and a stable identifier as described in Section 4.1.
  • App stores: Apple and Google share receipt data, fraud signals, and subscription events with us through RevenueCat.

4.4 Sensitive personal information

We do not intentionally collect sensitive personal information as defined under the DPA (e.g., health, religious belief, sexual orientation, government identifiers, financial account numbers). Please do not include such information in free-text fields (notes, reviews, bios). If you do, we will treat it with the same protections described in this Policy but recommend you remove it.

5. How We Use Your Data

We use personal data for the following purposes. Under the GDPR, each purpose is supported by at least one lawful basis, stated in brackets.

  1. To operate the Service — creating your account, authenticating sign-in, loading your journey map and log history, syncing data across your devices. [Contract; Legitimate interests]
  2. To provide location-based features — finding nearby cafes, attaching location to a log. [Consent via OS permission; Contract]
  3. To process subscriptions and purchases — verifying entitlements, recognizing renewals and cancellations, preventing duplicate charges. [Contract; Legal obligation]
  4. To communicate with you, including by email and push notification
    • Transactional messages (account confirmations, security alerts, receipts, password resets, service notices). [Contract; Legal obligation]
    • Service announcements (material updates to this Policy, the Terms of Service, or the Service). [Legitimate interests; Legal obligation]
    • Product updates and marketing (new features, tips, occasional promotions). We only send these with your prior opt-in, and each message includes a one-click unsubscribe. [Consent]
    • Push notifications on your device for the same categories above, controlled by your OS permission and in-App settings.
  5. To improve and secure the Service — diagnosing crashes, measuring feature adoption, preventing abuse, investigating fraud. [Legitimate interests; Legal obligation]
  6. To comply with law — responding to lawful requests from regulators, courts, and tax authorities; meeting retention obligations. [Legal obligation]
  7. To protect rights and safety — enforcing our Terms of Service, protecting users, and defending legal claims. [Legitimate interests; Legal claims]

We do not sell your personal data, and we do not engage in cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

We do not make decisions that produce legal or similarly significant effects on you solely by automated means (no automated decision-making or profiling in the GDPR Article 22 sense).

6. How We Share Your Data

We share personal data only with the categories of recipients below, and only to the extent necessary for the purposes stated. Some third parties process personal data on our behalf as Personal Information Processors under the DPA and "Processors" under the GDPR. Other third parties, such as app stores and sign-in providers, may process personal data as independent controllers under their own terms and privacy notices.

  • Service providers listed in Section 7.
  • Other users of the Service. If you choose to make your profile, reviews, or log entries public, other users can see that content along with your display name and avatar. You control visibility through in-App settings.
  • Successors in interest. If we undergo a merger, acquisition, reorganization, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected users and, where required, seek fresh consent.
  • Law enforcement and regulators. We may disclose data to comply with valid legal process (subpoenas, warrants, orders from the National Privacy Commission, tax authorities, or equivalent foreign bodies) or to protect the Service and its users from imminent harm.
  • Professional advisors. Lawyers, auditors, and insurers, under duties of confidentiality.

We do not sell or rent your personal data to advertisers, data brokers, or other third parties for their own marketing.

7. Third-Party Services and International Transfers

The following third-party services help us operate the Service. Where a provider processes personal data on our behalf, we use a written data processing agreement or equivalent contractual terms; where a provider acts independently, its own terms and privacy notice also apply. Where data is transferred outside the Philippines, we rely on the safeguards noted below (e.g., GDPR Standard Contractual Clauses, adequacy decisions, or equivalent contractual protections recognized under the DPA).

| Service | Role | Purpose | Data Categories | Primary Location |
| --- | --- | --- | --- | --- |
| Supabase, Inc. | Processor / PIP | Authentication (email/password, OAuth), primary database for account and log data, file storage for photos | Account data, profile data, log entries, photos, IP addresses, device metadata | United States / EU regions |
| Railway Corp. | Processor / PIP | Hosts our API (api.hankocoffee.app) that serves cafe data, processes logs, and orchestrates back-end workflows | Account identifiers, log entries, cafe contributions, IP addresses, request logs | United States |
| Vercel Inc. | Processor / PIP | Hosts the marketing and support website (hankocoffee.app) and data-request portal; provides website analytics and performance insights | Website visitor IP addresses, user-agent strings, page views, performance metrics, form submissions | Global edge network |
| Cloudflare, Inc. | Processor / PIP for our traffic; independent controller for some security operations | DNS, CDN, DDoS protection, and bot mitigation for the Website and API | IP addresses, request headers, TLS metadata, limited request bodies for security screening | Global edge network |
| RevenueCat, Inc. | Processor / PIP | Subscription management, entitlement verification, receipt validation for App Store and Play Store purchases | App user identifier, subscription status, product identifier, receipt data, device metadata | United States |
| Google LLC (Sign-In) | Independent controller; processor where configured by contract | Google OAuth for sign-in | Name, email, Google account identifier | Global |
| Apple Inc. (Sign in with Apple) | Independent controller | Apple OAuth for sign-in | Name (optionally relayed or private), email (optionally relayed), Apple ID token | United States |
| Apple Inc. (App Store, push notifications) | Independent controller for App Store purchases; processor for push delivery where applicable | App distribution; delivery of push notifications to iOS devices | Device token, notification payload, purchase receipts | United States |
| Google LLC (Play Store, Firebase Cloud Messaging) | Independent controller for Play Store purchases; processor for push delivery where applicable | App distribution; delivery of push notifications to Android devices | Device token, notification payload, purchase receipts | United States |

You can review each provider's own privacy practices at the following links:

Because most of these providers are located outside the Philippines, your personal data will be transferred across borders, including to the United States. Under Section 21 of the DPA we remain accountable for your data when it is processed by third parties on our behalf. Under the GDPR, we rely on Standard Contractual Clauses and supplementary measures where applicable. Under the UK GDPR, we rely on the UK International Data Transfer Addendum.

We will update this table as our third-party stack changes and will notify users of material additions.

8. Retention

We keep personal data only as long as necessary for the purposes described in this Policy.

  • Account data and log history: retained while your account is active. On account deletion, we delete or irreversibly anonymize this data within thirty (30) days, except as noted below.
  • Subscription and tax records: retained for ten (10) years after the last transaction to comply with the Philippines National Internal Revenue Code and equivalent obligations.
  • Security and audit logs: retained for up to twelve (12) months.
  • Support communications: retained for up to twenty-four (24) months after the ticket is closed.
  • Backups: encrypted backups that contain your data may persist for up to ninety (90) days after deletion before they are rotated out.

We may retain personal data longer if required to comply with a legal obligation, resolve a dispute, or enforce our agreements.

9. Security

We apply organizational, physical, and technical measures to protect personal data from unauthorized access, alteration, disclosure, and destruction, including encrypted transport (TLS), access controls on our back-end, least-privilege database roles, hashed passwords, and regular review of our infrastructure. No system is perfectly secure. If we become aware of a personal data breach that is likely to cause serious harm, we will notify the National Privacy Commission and affected users within seventy-two (72) hours of knowledge as required under Section 38 of the DPA's IRR, and we will comply with analogous obligations under the GDPR and CCPA.

10. Your Rights

You have the following rights with respect to your personal data. We respond to verified requests within fifteen (15) calendar days under the DPA, within one (1) month under the GDPR, and within forty-five (45) days under the CCPA. We may extend these periods as permitted by law and will inform you if we do.

10.1 Rights of all users (DPA baseline)

Under the Data Privacy Act, you have the right to:

  • Be informed of the existence, processing, and disclosure of your personal data (this Policy is the principal notice).
  • Access the personal data we hold about you.
  • Object to processing, including for direct marketing, and to withdraw any consent you previously gave.
  • Rectify inaccurate or incomplete personal data.
  • Erasure or blocking of personal data that is outdated, incomplete, unlawfully obtained, or no longer necessary.
  • Damages for violations that cause harm, as provided under the DPA.
  • Data portability, receiving a structured, commonly used, machine-readable copy of the data you provided to us, and to have that copy transmitted to another controller where technically feasible.
  • File a complaint with the National Privacy Commission at https://privacy.gov.ph.

You can modify most of your personal data directly in the App (profile, email, password, logs). For anything else, submit a request at https://hankocoffee.app/request or email hello@hankocoffee.app. We may ask you to verify your identity before fulfilling a request.

10.2 Additional rights for users in the EEA and United Kingdom (GDPR)

In addition to the rights above, you have the rights to:

  • Restrict processing in the circumstances set out in Article 18 GDPR.
  • Withdraw consent at any time, without affecting the lawfulness of prior processing.
  • Lodge a complaint with your local supervisory authority. A list is available at edpb.europa.eu. In the UK, contact the Information Commissioner's Office at ico.org.uk.

10.3 Additional rights for California residents (CCPA/CPRA, where applicable)

Where the CCPA/CPRA applies to us, California residents have the right to:

  • Know the categories of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it (see Sections 4 through 7).
  • Delete personal information we have collected, subject to statutory exceptions.
  • Correct inaccurate personal information.
  • Opt out of sale or sharing of personal information. We do not sell or share personal information as defined under the CCPA/CPRA. We will still honor a "Do Not Sell or Share" signal if we receive one.
  • Limit use of sensitive personal information. We do not use sensitive personal information for any purpose that requires a limit-use right under the CCPA.
  • Non-discrimination for exercising your rights.

You can submit a California-specific request at https://hankocoffee.app/request. We do not charge a fee for verified requests. An authorized agent may submit a request on your behalf with written proof of authorization.

11. Consent

Where processing requires consent, consent is collected through a separate, explicit consent form presented during registration or through the relevant device, website, or in-App permission flow. During registration, you confirm (i) that you are at least 18 years old, (ii) that you have read this Policy, and (iii) that you agree to consent-based processing described here. You may withdraw consent at any time by changing the relevant setting, deleting your account, or contacting us; withdrawal does not affect the lawfulness of prior processing and may prevent you from using some or all of the Service.

12. Cookies and Similar Technologies (Website only)

The Website (hankocoffee.app) uses:

  • Strictly necessary cookies (for example, to keep you logged in on the data-request portal). These are always on.
  • Analytics cookies (if any are deployed). These require your consent via the cookie banner and can be refused without losing access to the site.

The native App does not use browser cookies but uses equivalent on-device identifiers (see Section 4.2).

13. Links to Third-Party Services

The App and Website may contain links to third-party websites or services (for example, a cafe's Instagram page). We do not control those services and are not responsible for their privacy practices. Review their privacy notices before providing personal data.

14. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will notify you by email, by an in-App notice, or by posting a prominent notice on the Website at least fifteen (15) days before the change takes effect. The "Last updated" date at the top of this Policy indicates when it was last revised. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

15. How to Contact Us

If you are in the EEA or UK, you may contact your local supervisory authority. If you are in California, you may contact the California Attorney General's Office.