Cup Collective

Privacy Policy

Your privacy matters. Here's how we protect your data.

Effective: December 2025
Version 1.0

1. Introduction

Welcome to Cup Collective™, a digital coffee loyalty app that helps customers earn rewards at their favorite local coffee stores. This Privacy Policy explains how AR Capital Innovations Pty Ltd ("we," "us," or "our") collects, uses, stores, and protects your information when you use the Cup Collective™ mobile application.

"Cup Collective" is a trademark of AR Capital Innovations Pty Ltd.

2. Information We Collect

For All Users

When you create an account, we automatically generate:

  • Unique account identifier (UUID) - a random string used to identify your account internally

For Store Owners

When you register as a store owner, we collect:

  • Store name
  • Business email address
  • Business address (optional)
  • Business phone number (optional)
  • Approval status for participation in the Cup Collective network

For Customers

When you use Cup Collective as a customer, we collect:

  • Email address (for authentication and loyalty tracking)

Transaction & Loyalty Data:

  • Purchase records (coffee stamps earned)
  • Redemption records (free coffees claimed)
  • Loyalty progress (current stamp count per store)
  • Transaction timestamps (when loyalty points are earned and redeemed)
  • Associated store location (where loyalty points are earned and redeemed)

What We Don't Collect

  • Personal identification beyond email address
  • Device identifiers
  • Location tracking data
  • Photos or images
  • Financial information
  • Age or demographic data
  • Behavioural analytics or usage tracking

3. How We Use Your Information

Store Owner Data

  • Verify and approve store participation
  • Display store information to customers
  • Enable loyalty program functionality
  • Communicate important service updates and critical notifications

Customer Data

  • Authenticate your account via email verification
  • Track loyalty points and rewards
  • Provide transaction history
  • Enable reward redemption at participating stores
  • Send critical service notifications (e.g., major outages or security issues)

4. Camera Permission

Cup Collective requests camera access solely for QR code scanning functionality:

  • Purpose: Store owners scan customer QR codes to process loyalty transactions
  • Data Processing: Camera images are processed locally on the device in real-time
  • Storage: No photos or images are stored, saved, or transmitted to our servers
  • Security: Camera data never leaves your device

5. Data Storage & Security

  • Storage Provider: Supabase (secure cloud database)
  • Server Location: Sydney, Australia (ap-southeast-2 region)
  • Encryption: All data transmission is encrypted using industry-standard protocols
  • Local Storage: We use AsyncStorage to keep you logged in on your device. This data is stored locally on your device only and is not transmitted to our servers
  • Access Control: Customer emails are private and not accessible to stores or other users

6. Third-Party Services

We use the following third-party services to operate Cup Collective:

  • Supabase: Database and authentication services. Authentication is handled directly by Supabase—we do not use third-party login SDKs that may repurpose your data
  • Expo/React Native: Mobile app development framework
  • Apple App Store & Google Play Store: App distribution platforms

Note: Apple and Google may collect their own analytics about app downloads and usage through their respective app stores. This data collection is governed by their privacy policies, not ours.

7. Tracking

Cup Collective does not track you. We do not:

  • Link your data with third-party data for advertising
  • Share data with data brokers
  • Use advertising identifiers (IDFA)
  • Display targeted advertisements
  • Collect analytics beyond what is necessary to operate the loyalty service

8. Data Sharing

We do not share, sell, rent, or trade your personal information with third parties for marketing purposes. Your data is only used to provide the Cup Collective service as described in this policy.

Transaction data (timestamps and store locations) is only visible to:

  • You (the customer) - in your transaction history
  • The specific store where the transaction occurred
  • Us (AR Capital Innovations) - for operating the platform

9. Communications

We will only send you emails for:

  • Account verification and authentication
  • Critical service notifications (major outages, security issues)
  • Important changes to our Terms of Service or Privacy Policy

We do not send marketing emails or promotional content. You are not subscribed to any marketing lists.

10. Data Retention

  • Customer Data: Retained until you request account deletion
  • Store Data: Retained while the store participates in the Cup Collective network
  • Transaction History: Deleted along with your account upon request
  • Backup Data: Deleted account information may remain in backups for up to 90 days before permanent deletion

11. Data Breach Notification

In accordance with the Australian Privacy Act 1988, if we experience a data breach that is likely to result in serious harm, we will:

  • Notify affected users via email within 72 hours of becoming aware of the breach
  • Notify the Office of the Australian Information Commissioner (OAIC)
  • Provide details about the breach and steps you can take to protect yourself

12. Your Rights & Choices

Account Deletion

You have the right to delete your account and all associated data at any time:

  • In-App: You can request account deletion directly within the Cup Collective app
  • Via Email: Contact us at contact@arcapital.io from the email address associated with your account with "Account Deletion" in the subject line
  • We will permanently delete all your information, including transaction history and loyalty data
  • Deletion requests are processed within 30 days
  • Note: Data may remain in backups for up to 90 days before permanent deletion

Data Access & Correction

  • Review your transaction history within the app
  • Update store information through the app interface
  • Contact us for any data access requests

13. Children's Privacy

Cup Collective does not knowingly collect information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

14. International Users

Currently, Cup Collective is only available and intended for use within Australia. We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 and applicable data protection laws.

15. Security Measures

We implement appropriate technical and organisational security measures:

  • Secure authentication via email verification
  • Encrypted data transmission
  • Regular security updates
  • Access controls and authentication systems
  • Secure cloud infrastructure via Supabase

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new policy on our website
  • Updating the effective date
  • Email notifications for significant changes
  • In-app notifications for significant changes

17. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact:

AR Capital Innovations Pty Ltd

Email: contact@arcapital.io

Website: https://arcapital.io

18. Legal Basis for Processing (Australia)

Under Australian Privacy Law, we collect and process your information based on:

  • Your consent when using the Cup Collective app
  • The necessity to provide our loyalty service
  • Compliance with legal obligations under the Privacy Act 1988

Last Updated: December 2025 | Version: 1.0