Privacy Policy

1. Introduction

This Privacy Policy explains how Corey Evans, operating as Demijohn Journal ("we", "us", "our"), collects, uses, stores, and protects your personal data when you use the Demijohn Journal mobile application and website (collectively, "the Service").

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable international data protection laws.

2. Who We Are

The data controller for the purposes of UK GDPR is:

• Corey Evans (sole trader)
• 44 Stratford Avenue, Exeter, EX4 8ES, United Kingdom
• Email: corey@demijohnjournal.com
• Website: demijohnjournal.com

3. Data We Collect

3.1 Data you provide directly

• Account information: email address, username, display name, password (stored as a hash — we never see your plain-text password)
• Profile information: bio (up to 200 characters), optional location (town/city only), profile photo, favourite brew styles
• Recipe content: recipe names, descriptions, ingredients, process steps, photos, and any associated notes
• Brew logs: fermentation readings (gravity, temperature), tasting notes, personal scores, brew dates
• Social content: check-in posts, captions, photos, comments, ratings and reviews
• Direct messages: text messages sent between users
• Communications: emails or messages you send to us directly

3.2 Data collected automatically

• Usage data: screens visited, features used, actions taken within the app
• Device data: device type, operating system version, app version
• Technical data: IP address, crash reports, performance data
• Interaction data: recipes liked, saved, cloned; users followed

3.3 Data from third parties

• Google Sign-In: if you register or log in using Google, we receive your name, email address, and Google profile photo
• Apple Sign-In: if you register or log in using Apple ID, we receive a unique identifier and, optionally, your name and email address

4. How We Use Your Data

4.1 To provide the Service

• Create and manage your account
• Display your recipes, brews, and profile to you and, where public, to other users
• Enable social features: follows, likes, comments, check-ins, direct messages
• Send push notifications (where you have enabled them)
• Process your unit preference and personalise the app accordingly

4.2 Legal basis (UK GDPR)

• Contract performance: processing necessary to provide the Service you have signed up for
• Legitimate interests: improving the Service, preventing fraud, ensuring security
• Consent: sending marketing communications (where opted in), using non-essential cookies
• Legal obligation: complying with applicable laws, responding to lawful requests

4.3 We do NOT

• Sell your personal data to any third party
• Use your data to serve third-party advertising
• Share your email address with other users — it is never publicly visible
• Use your data for automated decision-making that produces legal or similarly significant effects

5. Data Sharing

We do not sell, rent, or trade your personal data. We may share data only in the following limited circumstances:

• Service providers: Supabase (database and file storage, hosted on EU-based infrastructure); we have data processing agreements in place
• Push notification providers: Expo and Apple/Google push notification services receive device tokens to deliver notifications
• Legal compliance: where required by law, court order, or to protect the rights and safety of users or the public
• Business transfer: in the event of a merger or acquisition, your data would transfer subject to the same privacy protections

6. Data Retention

• Account data: retained for as long as your account is active, plus 30 days after deletion to allow recovery
• Recipe and brew data: deleted immediately upon account deletion
• Public content (recipes, check-ins): retained until deleted by you or removed by moderation
• Direct messages: retained until deleted by either party or upon account deletion
• Logs and analytics: retained for up to 12 months in aggregated, anonymised form

7. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Right of access: request a copy of all personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): request deletion of your data — available in-app under Settings > Delete Account
• Right to data portability: request your recipe and brew data in a machine-readable format (JSON)
• Right to restrict processing: request we limit how we use your data in certain circumstances
• Right to object: object to processing based on legitimate interests
• Rights related to automated decision-making: we do not use automated decision-making

To exercise any of these rights, email corey@demijohnjournal.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. International Transfers

Demijohn Journal is a global service. Your data may be processed outside the UK, including in the United States (where some of our service providers operate). Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK Government.

9. Children and Age Verification

Demijohn Journal is strictly for users aged 18 or over. We do not knowingly collect personal data from anyone under 18.

• We require users to confirm they are 18 or over during registration by entering their date of birth
• Accounts where the declared age is under 18 are permanently blocked with no ability to create a new account
• If we discover that a user is under 18, we will immediately delete their account and all associated data
• If you believe a minor has created an account, please contact corey@demijohnjournal.com immediately

10. Security

We take reasonable technical and organisational measures to protect your data, including:

• All data transmitted over HTTPS/TLS encryption
• Passwords stored using bcrypt hashing — we never have access to your plain-text password
• Row-level security on our database — users can only access their own data
• Regular security reviews of our infrastructure

No method of transmission over the internet is 100% secure. We cannot guarantee absolute security but will notify you and the ICO promptly in the event of a data breach.

11. Cookies and Tracking

The Demijohn Journal mobile app does not use cookies. The website (demijohnjournal.com) may use essential cookies for functionality. We will request consent before setting any non-essential cookies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or in-app notification at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact

For any privacy-related questions, requests, or complaints:

• Email: corey@demijohnjournal.com
• Post: Corey Evans, 44 Stratford Avenue, Exeter, EX4 8ES, United Kingdom