Privacy policy

Account information. Email address, username, display name, profile photo (optional), and home city. If you sign in with Apple or Google, we receive the name and email associated with that account.

Check in data. When you pull a shop, we collect: two photographs (captured in-app only — one of the inside of your cup, one of your drink with the shop environment visible), GPS coordinates, GPS accuracy, timestamp, device identifier, IP address, accelerometer data, and an optional rating and note. Photos are stored in Supabase Storage (cloud storage). Photos may be reviewed by automated AI systems and human reviewers for fraud prevention and challenge verification. We do not sell photographs to third parties.

Payment data. Subscriptions are processed by Apple (StoreKit) or Google (Play Billing). We receive a transaction identifier and subscription status but never see your full payment card details. Your PayPal email is collected solely for the purpose of processing challenge reward payouts. It is not used for any other purpose or shared with third parties beyond PayPal.

Device and usage data. Device type, operating system, app version, session duration, screens viewed, and crash reports. We use device information as one signal in our fraud detection system. We do not use device data for purposes beyond app operation and fraud prevention.

Precise location data. We collect your precise GPS coordinates (latitude and longitude) during each check in. This data is used to verify your proximity to the claimed shop (within approximately 80 meters (250 feet)). Location data is stored with your check in record and is used for verification, fraud prevention, leaderboard ranking, and to populate your Pull Map. We do not track your location in the background. We do not sell location data to third parties. Aggregated, anonymized location data may be used for internal analytics and product development.

Behavioral data. Streak history, challenge enrollment and progress, tier selection, badge achievements, leaderboard ranking history, subscription and purchase history (tier, billing dates, trial status), and in-app activity (screens viewed, features used). This data is used to operate the app, calculate leaderboard positions, verify challenge completions, and improve the product.

Tax information. For users whose cumulative rewards reach $500 in a calendar year, we collect full legal name, mailing address, and a tax identification number (such as a Social Security Number, Employer Identification Number, or local equivalent) for tax reporting compliance. This information is encrypted at rest using Supabase vault encryption and is never transmitted in plain text. Tax information is used solely for compliance with applicable tax reporting obligations in your jurisdiction and is not used for any other purpose.

Referral data. When you share your referral code or sign up using a referral code, we collect the referral relationship between accounts, the date of referral, and device identifiers to prevent fraud. This data is used to administer referral credits and detect abuse of the referral program. Referral data is not sold or shared with third parties.

We use your data to operate the app, verify check ins, process challenge rewards, maintain leaderboards, prevent fraud, send transactional emails (welcome, challenge updates, payout confirmations), and improve the product. GPS and photo data are used for check in verification only and are not repurposed for advertising or profiling. We do not sell your personal data to third parties. Aggregated, anonymized data (such as total check in counts per city or shop) may be used for internal analytics and product development. Tax information is shared with applicable tax authorities as required by law in your jurisdiction.

We share data with the following services as necessary to operate Pulled:

• Supabase, backend infrastructure, database, authentication, and photo storage
• Google Places, shop location data and nearby shop detection
• Mapbox, mapping and location services
• Resend, transactional and waitlist email delivery
• PayPal, reward and referral payouts (USD only)
• AI-based photo verification services for challenge check ins and content moderation
• OneSignal, push notifications
• Apple and Google, subscription billing and app distribution

Each service processes data under its own privacy policy. We recommend reviewing them independently.

Account data is retained for as long as your account is active. Check in metadata is retained while your account is active. Verification photos (the drink photos captured during check in) may be retained for up to 90 days for fraud review purposes, after which they are permanently deleted. If you delete your account, we remove your personal data within 30 days. Anonymized, aggregated data (total check ins per shop, city-level statistics) may be retained indefinitely.

Challenge completions and Winners page. If you complete a challenge and your withdrawal is processed, your completion may be displayed on our Winners page (pulled.coffee/winners) and in the in-app Winners screen using your first name, last initial, city, challenge type, and payout amount. The exact date of your completion is never displayed. You can opt out at any time in Settings under "Show my completions on the Winners page." Opting out removes you from the Winners feed going forward.

Ratings and survey responses. Individual ratings and micro survey responses (drink type, satisfaction rating, return intent) are anonymized and retained permanently, even after account deletion. Your personal identity is removed from these records, but the data points themselves are preserved to maintain the integrity of shop ratings over time. Shop owners and third parties receive only aggregated data. Your individual ratings are never shared with the shop you rated or any third party.

Tax records, including any tax identification information and filing data, are retained for a minimum of 7 years as required by applicable recordkeeping regulations. This data is retained even after account deletion.

Trial account data is retained for 30 days after trial expiration. Users who subscribe within that period retain full access to their data. Accounts dormant for more than 30 days are permanently deleted.

All data is transmitted over HTTPS. Photos and personal data are stored in Supabase with row-level security policies. Payment credentials are handled entirely by Apple, Google, and PayPal. We never store card numbers. Access to production data is restricted to authorized personnel.

You can request a copy of your data, correct inaccurate data, or delete your account at any time by contacting hello@pulled.coffee. If you are in the EU, UK, or California, you have additional rights under GDPR, UK GDPR, or CCPA respectively, including the right to data portability and the right to opt out of data sales (we do not sell data, but you may still exercise this right formally).

You can delete your account at any time through the app settings. Upon deletion, all personal data including your profile, check in history, and photos is removed within 30 days. Tax records are retained for the legally required period (minimum 7 years) regardless of account deletion. Subscriptions must be cancelled separately through Apple or Google to stop billing.

Pulled Coffee is intended for users 13 and older. We do not knowingly collect personal information from children under 13 in compliance with COPPA (Children's Online Privacy Protection Act). If we learn that a user is under 13, we will delete their account and associated data immediately.

Cash reward challenges require users to be 18 or older. The app enforces an age confirmation gate before first challenge enrollment. Users between 13 and 17 may use the app for check ins, social features, and leaderboards but may not enroll in cash challenges.

We collect optional behavioral data through short in-app questions about your coffee habits, preferences, and visit context (called Quick Pulse). This data is anonymized and may be used in aggregate to improve the product and generate industry insights. Individual responses are never shared with third parties in identifiable form.

The pulled.coffee website uses essential cookies only (no third-party tracking cookies). The mobile app does not use cookies.

We may update this policy from time to time. Material changes will be communicated via email or in-app notification. Continued use of Pulled after changes constitutes acceptance of the updated policy.

Questions or requests: hello@pulled.coffee