Burnt Beans
Privacy Policy
Last updated: 12 June 2026
Burnt Beans provides digital loyalty cards for independent coffee shops, operated from London, United Kingdom. This policy explains what personal data we collect, why, and the choices you have — whether you run a shop on Burnt Beans or hold a loyalty card from one. The short version: we collect the minimum the service needs, we never sell personal data, and customers only ever hear from the shop they chose to join.
1. The data we collect
If you run a shop
- Your name, email address and password (stored hashed).
- Your shop's details: name, branding, reward settings and billing information.
If you hold a loyalty card
- The name and email address you give when joining a shop's card.
- Your stamp activity: stamps received, rewards earned, and which shop your card belongs to.
Everyone
- Basic technical records when you use the site, such as IP address and browser type, kept in server logs for security.
2. How we use it
- To run the service: creating cards, recording stamps and unlocking rewards.
- To send transactional email, such as your card link or a reward notice (delivered via Resend).
- To issue and update Apple Wallet passes, if you choose to add your card to Apple Wallet.
- To share a customer's name and email with the shop they joined — that is the purpose of signing up, and consent is asked for at the point of signup. Marketing then comes from the shop, not from us.
We do not sell personal data, and we do not use it for third-party advertising.
3. Our lawful bases
- Contract — providing the service you or your shop signed up for.
- Consent — joining a shop's mailing list and receiving its marketing.
- Legitimate interests — keeping the service secure and improving how it works.
4. Who we share data with
- The shop whose loyalty card you hold (your name, email and stamp activity).
- Service providers who help us run Burnt Beans: Supabase (database hosting), Resend (email delivery), Vercel (web hosting) and Apple (Wallet passes, if you add your card).
Some providers may process data outside the UK. Where they do, transfers are protected by appropriate safeguards such as UK-approved standard contractual clauses.
5. How long we keep it
We keep personal data while your account or loyalty card is active. If you ask us to delete your data, or a shop closes its account, we delete the associated personal data within 30 days, allowing for short-lived backups.
6. Your rights
Under UK data protection law you can ask us to:
- access the personal data we hold about you;
- correct or delete it;
- restrict or object to how we use it;
- provide it in a portable format.
Email hello@burntbeans.xyz to exercise any of these. You can also unsubscribe from a shop's marketing at any time using the link in its emails or by asking the shop. If you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ico.org.uk).
7. Cookies
We use only essential cookies — the ones needed to keep you signed in and the service working. We do not use advertising or cross-site tracking cookies.
8. Children
Burnt Beans is not directed at children and we do not knowingly collect personal data from anyone under 13.
9. Changes to this policy
If we make material changes we will update this page and, where appropriate, notify you by email. The date at the top shows when it last changed.
10. Contact
Privacy questions: hello@burntbeans.xyz