Legal · Last updated April 28, 2026

Privacy Policy

What we collect, how we use it, and your rights.

BrianOnAI LLC ("we," "our," or "us") operates day9.coffee — a coffee freshness tracking service available at day9.coffee and as an installable progressive web app (PWA). This policy explains what data we collect, how we use it, and your rights.

day9 is fundamentally an account-based service. Unlike anonymous tools, we require an email address to identify your bags and send you peak-day notifications. We aim to collect only what's necessary for the service and to be transparent about what we do with it.

Data We Collect

Account information

  • Email address: provided when you sign in via magic link or OTP code
  • Display name: optional, you choose this in Settings
  • Timezone and notification hour: required for delivering peak-day notifications at the right local time
  • Cohort assignment: see Section 3

Bag tracking data

  • Roaster name, coffee name, roast date, purchase date, opened date
  • Process method (washed, natural, honey)
  • Grind state (whole bean or ground)
  • Storage method
  • Weight and remaining quantity (optional, you provide)
  • Notes (optional, you provide)
  • Computed values: freshness percentage, days since roast, status transitions

Device and session data

  • OneSignal player ID: a unique device identifier generated by OneSignal when you grant push notification permission. Used to deliver notifications to your specific browser/device.
  • Acquisition data: if you arrive via a referral link with UTM parameters, we capture those once on first signup (utm_source, utm_medium, utm_campaign) to understand where users come from.
  • Last active timestamp: updated when you use the app

Affiliate click data

When you click a reorder link from a stale bag, we record:

  • The bag and roaster involved
  • Your freshness score at the moment of click
  • Days since roast at the moment of click
  • The traffic source (notification, organic, etc.)
  • Whether the click eventually converted to a purchase (received from affiliate networks via webhook)

This snapshot data is what lets us measure whether peak-timed reorder suggestions actually drive incremental purchases versus generic affiliate recommendations. It is essential to our business model and to the value we offer to roaster partners.

App events

We log key actions you take in the app: signing up, creating bags, viewing bags, marking opened/finished, viewing reorder cards, dismissing reorder cards, granting or denying notification permissions. These are stored against your user ID for funnel analysis and product improvement.

User submissions (Mug Wall)

When you submit a photo to our public Mug Wall, we collect the image file, a title, optional attribution (such as a name, an email shown on the wall, an Instagram handle, Reddit username, or website URL), a short story or caption, your email address for moderation contact only, your IP address (used for abuse prevention such as basic rate limiting), and your acceptance of our submission disclaimer. Approved images are stored in Supabase Storage (public bucket) and referenced from our database; submissions may be summarized along with other site content by third-party AI and search systems once published.

  • Moderation: submissions are reviewed before appearing publicly; we may approve or reject without providing a reason (you will receive an email when a submission is approved, not when it is rejected).
  • Retention: pending and rejected submissions are retained so our team can moderate consistently; contact mugs@day9.coffee to request deletion of your Mug Wall submission data.

How We Use Your Data

To operate the service:

  • Compute freshness scores and dispatch peak-day notifications
  • Save your bag history and preferences across sessions
  • Authenticate your identity via Supabase magic link / OTP
  • Match your tracked roasters against our affiliate catalog to suggest reorders

To improve the service:

  • Analyze funnel drop-off (how many users sign up, log a first bag, get their first peak notification, click a reorder)
  • Measure notification effectiveness via cohort comparison (see Section 3)
  • Identify which roaster partnerships convert best for users with similar preferences

To run the affiliate revenue model:

  • Track which affiliate clicks resulted in commissioned purchases
  • Aggregate click and conversion data to negotiate partnership terms with roasters

What we do NOT do:

  • We do not sell your data to any third party
  • We do not share individual user data with roasters or affiliate networks
  • We do not display advertising of any kind
  • We do not track you across other websites
  • We do not use your bag data to build profiles for sale

Holdout Cohorts and Experimentation

To measure whether day9's notifications and recommendations actually drive behavior change, we use a randomized holdout group. When you sign up, you are randomly assigned to one of two groups:

  • Treatment: receives peak-day notifications and personalized reorder suggestions (most users)
  • Control: does not receive notifications, but their organic activity is still tracked

This assignment is permanent and invisible — you cannot tell which group you are in based on app usage. Both groups have full access to bag tracking, freshness scores, and the calculator. The only difference is whether peak-day notifications and certain reorder prompts are dispatched.

We use this experimental data to demonstrate to roaster partners that day9 drives incremental sales (purchases that would not have happened without day9), which is the foundation of our commission rate negotiations.

If you would prefer not to be part of this experimental design, contact us at hello@day9.coffee and we will remove you from the cohort assignment system.

Third-Party Services

day9 uses the following third-party services. Each has its own privacy policy governing how they handle data:

  • Supabase (authentication and identity): manages email-based magic-link / OTP authentication. Stores hashed credentials and session tokens. Hosted on Supabase infrastructure.
  • Render (application hosting and database): hosts the day9 backend API and PostgreSQL database. Your bag data, app events, and user profile live here.
  • Vercel (frontend hosting): serves the day9.coffee website and PWA. Vercel may collect anonymous server logs.
  • Google Analytics: collects anonymized pageview, referrer, and engagement data via cookies, but only after you grant consent via our cookie banner. Used to measure content performance and understand how readers find our articles. We have configured Google Analytics 4 with IP anonymization enabled. We do not share this data with advertisers or use it for cross-site tracking. You can opt out at any time by clearing your cookies or visiting the Google Analytics opt-out browser add-on page.
  • Resend (transactional email): delivers magic-link / OTP sign-in emails. Resend processes the recipient email address solely for delivery.
  • OneSignal (push notifications): manages browser and PWA push notification delivery. May collect device identifiers and notification engagement data.
  • Impact (affiliate network): tracks affiliate clicks for partnered roasters. When you click a reorder link, Impact processes the click via their tracking domain and sets a cookie to attribute future purchases. We pass anonymized identifiers (your bag UUID and freshness percentage) as SubID parameters for our internal reporting.
  • Amazon Associates (affiliate fallback): for roasters not in our direct partner catalog, we may direct you to Amazon search results with our affiliate tag. Amazon's privacy policy governs interactions on Amazon.

Push Notifications

day9 may request permission to send you push notifications for peak-day events: when a bag enters its peak window, when it begins declining, and when it's gone past peak. This is entirely optional.

You can:

  • Manage notification permissions in your browser or device settings
  • Disable notifications via the day9 Settings page (sets your notification hour to disabled)
  • Revoke permission at any time in your browser/device privacy settings

Granting notification permission does not give us access to any other data on your device.

Affiliate Links and Disclosures

day9 earns commissions on purchases you make through reorder links to our affiliate partners. This is our primary revenue source.

When you click a reorder card or affiliate link:

  • You are redirected to the partner roaster's website (or Amazon search) via the affiliate network's tracking domain
  • The affiliate network sets a cookie or similar identifier to attribute any future purchase you make
  • If you make a purchase within the cookie window (typically 30 days), the affiliate network reports the conversion to us and we receive a commission
  • The price you pay is unaffected — affiliate commissions come from the roaster's marketing budget, not from a markup on your purchase

We curate our roaster partnerships and recommendations based on quality and fit, not commission rate. We aim for transparency: every affiliate link in day9 is labeled as such, and we explicitly distinguish "direct partner" links (where we have a relationship) from Amazon fallback links (where we don't).

Cookies and Local Storage

day9 uses authentication cookies (managed by Supabase) to keep you signed in, localStorage for caching session state and remembering UI preferences, sessionStorage for one-time use during signup (UTM parameters, pre-fill data from the calculator), affiliate network cookies (set when you click reorder links, managed by the network), and Google Analytics cookies (only if you granted analytics consent — typically named _ga and _ga_*).

We do not use advertising cookies, cross-site tracking pixels, or third-party analytics that profile users beyond aggregate behavior on day9.coffee itself.

You can manage or disable cookies in your browser settings. Disabling authentication cookies will prevent you from signing in. Disabling analytics cookies has no effect on functionality.

Children's Privacy

day9 is intended for general adult audiences interested in specialty coffee. We do not knowingly collect personal information from children under 13. If you believe a child has provided personal information through our service, please contact us at hello@day9.coffee and we will delete it.

Data Retention and Deletion

Account data: retained while your account is active. You can delete your account from the app (Settings → Account → Delete account) or follow the instructions on our account deletion page. If you cannot access the app, email hello@day9.coffee from the address on your account; we will process the request within 7 days (see the deletion page for details).

Bag data: deleted when you delete the bag, or when your account is deleted.

App events: retained for analytics for up to 24 months, then aggregated and anonymized. Individual events older than 24 months are removed.

Affiliate click records: retained for 36 months for accounting, partnership reporting, and tax compliance. After this period, individual records are aggregated and anonymized.

Notifications: log of dispatched notifications retained for 90 days, then deleted.

Cohort assignment: retained while your account exists; removed if you opt out via email request.

Your Rights

You can request deletion of your account and associated data at any time. See our account deletion page for instructions.

Depending on your location, you may have rights including:

  • Access to data we hold about you
  • Correction of inaccurate data
  • Deletion of your account and data
  • Data portability (receive your data in a structured format)
  • Withdrawal of consent for data collection
  • Objection to processing for specific purposes
  • Opt-out of cohort assignment

To exercise any of these rights, contact us at hello@day9.coffee. We will respond within 30 days.

California Residents (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and sell
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell personal information)
  • Non-discrimination for exercising these rights

To exercise these rights, contact hello@day9.coffee.

Connecticut Residents (CTDPA)

If you are a Connecticut resident, the Connecticut Data Privacy Act gives you rights including:

  • Confirmation of whether we process your personal data
  • Access to your personal data
  • Correction of inaccurate personal data
  • Deletion of personal data
  • Data portability
  • Opt-out of targeted advertising, sale of personal data, and certain profiling (we do not engage in any of these activities for any user)

To exercise these rights, contact hello@day9.coffee.

International Users

day9 is operated from the United States. If you access the service from outside the U.S., your data will be transferred to and processed in the United States. By using day9, you consent to this transfer.

If you are in the European Economic Area, United Kingdom, or other regions with data protection laws (such as GDPR), you have additional rights including those described in Section 10. Our legal basis for processing your data is your consent (when you sign up) and our legitimate interest in operating the service.

Data Security

We protect your data using industry-standard security practices including encrypted connections (TLS), secure password hashing for authentication, and access controls on our database. No system is perfectly secure, but we take reasonable precautions to safeguard your information.

If we become aware of a data breach affecting your information, we will notify you in accordance with applicable law.

Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated via email to registered users. Continued use of day9 after changes constitutes acceptance of the updated policy.

Contact

Questions about this policy, or want to exercise your rights? Contact us at hello@day9.coffee.


BrianOnAI LLC · Connecticut, United States