Privacy Policy

Effective date: January 26, 2026 • Last updated: February 13, 2026

Cream Finder ("we", "our", "us") provides a Guinness pub discovery and review experience. This policy explains what we collect, why we collect it, and how you can control your data.

Information We Collect

Account and profile data

• Email address (used for sign-in and account management).
• Display name and avatar URL (if provided via your identity provider).
• Identity verified through Google Sign-In or Apple Sign-In (OAuth-based authentication).
• Activity points total, which tracks your engagement with the app (e.g., submitting reviews, check-ins).

User content

• Reviews and ratings you submit.
• Photos you upload with reviews.
• Check-ins and favorites.
• Pub submissions you contribute (including pub name, coordinates, address, description, city, and region).
• Price paid for a pint (optional, submitted with check-ins).

Device and usage data

• A local device identifier stored on your device to support anonymous features and syncing.
• Approximate or precise location (only while the app is in use) to show nearby pubs and directions.
• On mobile, authentication session tokens are stored locally on your device.
• On-device caching of favorites, ratings, reviews, check-ins, and onboarding state via local storage.
• On the web version, sessions are held in memory only and are not persisted to the browser.

Automatically collected data

• IP address hashing: For anonymous check-in rate limiting (10 per day), your IP address is hashed using SHA-256 with a salt. Only the hash is stored; your raw IP address is never retained in our database.
• IP-based rate limiting for pub submissions: Pub submissions are rate-limited at 5 per hour. Your IP address is used in-memory for this purpose and is not persisted to the database.

Camera and photo library

• The app requests camera access to take photos for reviews (mobile only).
• The app requests photo library access to select existing photos for reviews (mobile only).
• Photos are uploaded to private cloud storage (maximum 5 MB; JPEG, PNG, and WebP formats accepted).
• Uploaded photos are stored with randomized filenames and accessed via time-limited signed URLs.

Reports and safety

• Reports you submit about user content (reason and timestamp).
• Block relationships (used to hide content from users you block).

How We Use Your Information

• Provide core app features (nearby pubs, reviews, ratings, check-ins, favorites).
• Keep your data synchronized across devices when you sign in.
• Maintain safety and content integrity through reporting and moderation.
• Prevent abuse and enforce rate limits (e.g., limiting anonymous check-ins and pub submissions).
• Track activity points to reward engagement.
• Improve app quality and reliability.

Third-Party Services

We do not sell your personal information. We share data only with the following categories of third-party services, limited to what is necessary to operate the app:

• Cloud infrastructure and database: Supabase (hosting, database, authentication, file storage, and edge functions).
• Crash reporting and analytics: Firebase Crashlytics (crash and error reporting on mobile) and Firebase Analytics (anonymous usage analytics). These services may collect device identifiers, crash logs, and interaction events. See Google's Privacy Policy for details.
• Authentication providers: Google Sign-In and Apple Sign-In (OAuth identity verification only).
• Mapping and geolocation: OpenStreetMap / Nominatim (geocoding and pub discovery) and CartoDB (map tiles).
• Content verification: OpenAI (image analysis to verify uploaded review photos). Uploaded images may be processed by OpenAI's API. See OpenAI's Privacy Policy.
• Typography: Google Fonts (font delivery).

Data Retention

• Account data is retained until you delete your account.
• After account deletion, your reviews and associated photos are anonymized and retained indefinitely (no longer linked to your identity).
• IP hashes used for rate limiting are retained alongside the associated check-in records.
• Search query logs are automatically deleted after 90 days.
• Local data stored on your device can be cleared by uninstalling the app.

Your Rights

You have the following rights regarding your personal data:

• Access: You can request a copy of the data we hold about you by contacting us at the email below.
• Correction: You can edit your profile and reviews directly in the app.
• Deletion: You can delete your account and associated data from within the app (see Account Deletion below).
• Data portability: You can export your data in JSON format from the Settings screen in the app, or by contacting us at the email below.
• Restrict processing: You can request that we limit how we process your data by contacting us at the email below.

If you are located in the EU/EEA, you may also exercise rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local data protection authority.

Legal Basis for Processing (GDPR)

For users in the EU/EEA, we process your data on the following legal bases:

• Contract performance: Providing core app features such as nearby pub discovery, reviews, check-ins, and favorites.
• Legitimate interest: Preventing abuse through rate limiting and maintaining content integrity through moderation.
• Consent: Location access and camera/photo library access, each requested at the point of use via your device's permission prompts. Analytics and crash reporting, controllable via in-app settings.

Account Deletion

You can delete your account in the app. When you delete your account:

• Your profile, favorites, ratings, and check-ins are deleted.
• Your reviews remain in the app but are anonymized (no longer linked to your account).
• Review photos remain with the anonymized reviews.

Content Reporting and Blocking

• You can report content in the app using preset reasons.
• You can block users to hide their content from your view.

Location Access

We request location access only while the app is in use to show nearby pubs and directions. We do not request background location access. On iOS and Android, you will be prompted with a system permission dialog requesting "while in use" location access.

Data Security

We take reasonable steps to protect your data using industry-standard practices, including:

• Private storage buckets with time-limited signed URLs for uploaded content.
• PKCE-based authentication flow to prevent authorization code interception.
• Column-level allowlists to restrict data exposure through APIs.
• Row-level security (RLS) enforced on all database tables.

Web vs. Mobile

The web version of Cream Finder has limited functionality compared to the mobile app:

• The web version does not support sign-in, ratings, favorites, reviews, or photo uploads.
• The web version uses in-memory sessions only; no authentication tokens are stored in the browser.
• Anonymous features such as browsing pubs, viewing ratings, quick check-ins, and submitting pubs are available on both platforms.

Children

This app is focused on pub discovery and alcohol-related content and is not intended for anyone under 18 years of age.

Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you through the app or on our website. Your continued use of the app after changes are posted constitutes your acceptance of the updated policy.

Contact

For data protection enquiries, contact our Data Protection Officer at feedback@creamfinder.com.