Legal

Privacy Policy

Effective date: [DATE] Controller: [LEGAL NAME / Einzelunternehmen], [ADDRESS], Austria — contact [EMAIL].
Draft template, not legal advice. Prepared to be reviewed and finalised by a qualified lawyer before publication. Complete every [BRACKETED] placeholder, and pay particular attention to the items in the cover note (GDPR controller/processor roles, international transfers, automated-processing disclosure, cookie consent).

1. Scope

This policy explains how Cupper ("we", "us") collects and uses personal data when you use the Cupper app, the website at cupper.ai, and related services (the "Service"). We process personal data in line with the EU General Data Protection Regulation (GDPR) and Austrian data-protection law.

2. Data we collect

  • Account data: name, email address, and authentication credentials (managed by our authentication provider).
  • Waitlist data: email address and any details you submit when requesting early access.
  • Content you create or upload: photographed or scanned score sheets and images, templates, session and sample details, scores, notes, and exports.
  • Evaluator data entered by organisers: names or identifiers of cuppers entered by a session organiser (see §8).
  • Usage & device data: log data, device and browser type, IP address, interactions, and analytics.
  • Cookies and similar technologies: see §10.
  • Payment data: if you buy a paid plan, billing is handled by our payment processor; we do not store full card details.

3. Why we process it, and our legal bases

  • To provide the Service (accounts, capture, processing, storage, export) — performance of a contract, Art. 6(1)(b).
  • To process score-sheet images into structured data via automated extraction — contract and your instructions.
  • To send service and waitlist/marketing emails — consent, Art. 6(1)(a), withdrawable at any time (essential service messages may rely on legitimate interests).
  • For security, fraud prevention, analytics, and product improvement — legitimate interests, Art. 6(1)(f).
  • To comply with legal obligations — Art. 6(1)(c).

4. Automated image processing (OCR / AI)

To turn a photographed score sheet into structured data, images and their contents are processed by automated optical-character-recognition and AI models, which may run on our infrastructure and/or via the processors listed in §6. This produces values you then review and confirm. Outputs may contain errors; the Service flags uncertain values for your review, and you remain responsible for verifying them (see the Terms of Service).

5. Sharing and disclosure

We do not sell personal data. We share it only with the processors in §6, where required by law or in a business transfer, and with other users only as you direct (e.g., session participants, shared templates).

6. Processors and third parties

We rely on the following categories of processors (complete with the specific providers you adopt):

  • Hosting, database, authentication, file storage: [Supabase] — region [EU / …].
  • Automated OCR / AI processing: [provider(s)].
  • Email delivery: [Resend / MailerLite / …].
  • Analytics: [provider].
  • Payments: [processor].

Each is bound by a data-processing agreement. [List and link each provider.]

7. International transfers

Where a processor is located outside the EU/EEA (e.g., [US-based AI or email providers]), transfers rely on an adequacy decision or appropriate safeguards such as Standard Contractual Clauses. [Confirm the mechanism per provider with your lawyer.]

8. Organisers and evaluators (controller vs processor)

When you, as a session organiser, enter or upload personal data about other people (such as evaluator names), you are the controller of that data and we process it on your behalf, on your instructions, as your processor. You are responsible for having a lawful basis for that data and for informing those individuals. [A separate Data Processing Agreement may be required for business customers.]

9. Retention

We keep personal data while your account is active and as needed to provide the Service, then delete or anonymise it within [PERIOD], unless a longer period is required by law. Waitlist emails are kept until launch or until you unsubscribe.

10. Cookies

We use [essential / analytics / preference] cookies. Non-essential cookies are set only with your consent. [Describe and link your cookie banner / consent mechanism.]

11. Your rights

Under the GDPR you may access, rectify, erase, restrict, and port your data, object to certain processing, and withdraw consent at any time. To exercise these, contact [EMAIL]. You may also complain to the Austrian Data Protection Authority (Österreichische Datenschutzbehörde, dsb.gv.at) or your local supervisory authority.

12. Security

We use appropriate technical and organisational measures — including encryption in transit, access controls, and row-level security — to protect personal data. No method of storage or transmission is perfectly secure.

13. Children

The Service is not directed to children under [16 / applicable age], and we do not knowingly collect their data.

14. Changes

We may update this policy; we will notify material changes via the Service or email and revise the effective date above.

15. Contact

[LEGAL NAME], [ADDRESS], [EMAIL]. [Data Protection Officer, if appointed.]

Back to home