Data Processing
Last updated: March 1, 2026
This page provides detailed information about how Profresso processes personal data, the legal bases for that processing, the third-party sub-processors we engage, and the measures we take to keep your data secure. It is intended to complement our Privacy Policy for users who need more technical detail — particularly those subject to GDPR.
1. Data Controller
Profresso acts as the data controller for all personal data collected through the platform. We determine the purposes and means of processing in accordance with applicable data protection law including the EU General Data Protection Regulation (GDPR) and the UK GDPR.
Contact: support@profresso.com
2. Categories of Personal Data Processed
Identity & contact data
Name, email address, username, profile picture. Provided by you at registration via Clerk.
User-generated content
Espresso profiles, shot logs, coffee entries, grinder records, posts, and comments. This data constitutes the core of the Profresso service.
Technical & usage data
IP address, browser type, OS, page views, and feature interactions. Generated by Cloudflare as part of standard hosting infrastructure. Not stored at individual level.
AI interaction data
Prompts submitted to the Profresso AI assistant and the generated responses. Retained for 90 days for safety review, then deleted.
Payment data
Subscription status and payment confirmation. Card details are processed and stored exclusively by Stripe — Profresso receives only a subscription status token.
3. Legal Bases for Processing
| Processing activity | Legal basis | GDPR article |
|---|---|---|
| Account creation and authentication | Contract performance | Art. 6(1)(b) |
| Storing profiles, shots, and coffee data | Contract performance | Art. 6(1)(b) |
| Delivering AI assistant responses | Contract performance | Art. 6(1)(b) |
| Aggregated usage analytics | Legitimate interests | Art. 6(1)(f) |
| Fraud and abuse prevention | Legitimate interests | Art. 6(1)(f) |
| Marketing emails | Consent | Art. 6(1)(a) |
| Non-essential analytics cookies | Consent | Art. 6(1)(a) |
| Legal compliance and record-keeping | Legal obligation | Art. 6(1)(c) |
4. Sub-processors
We engage the following third-party sub-processors to deliver the Profresso service. Each is bound by a data processing agreement and operates under appropriate legal transfer mechanisms.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Clerk | Authentication, session management, webhooks | USA | EU-US DPF |
| Convex | Real-time database, serverless functions | USA | SCCs |
| Cloudflare | Hosting (Pages), CDN, object storage (R2), content moderation (Workers AI) | USA (global edge) | SCCs |
| Stripe | Subscription billing, payment processing | USA | EU-US DPF |
| Anthropic | AI language model (Claude) | USA | SCCs |
SCCs = EU Standard Contractual Clauses. DPF = Data Privacy Framework.
5. Data Retention Schedule
| Data category | Retention period |
|---|---|
| Account and content data | Duration of account + 30 days post-deletion |
| Authentication session tokens | 30 days (rolling renewal) |
| AI interaction logs | 90 days |
| Aggregated analytics | 24 months |
| Payment records | 7 years (legal/tax requirement) |
| Abuse / moderation logs | 12 months |
6. Security Measures
We implement the following technical and organisational measures to protect personal data:
- Encryption in transit — all traffic is served over TLS 1.3. API endpoints are HTTPS-only.
- Encryption at rest — database storage at Convex is encrypted at rest by default.
- Authentication — managed by Clerk with support for MFA, session management, and anomaly detection.
- Access controls — production database access is restricted to authorised Convex serverless functions. No direct database access from the client.
- Least privilege — API keys and service credentials are scoped to the minimum permissions required.
- Dependency management — dependencies are audited regularly for known vulnerabilities.
7. Data Subject Rights
Users in the EEA and UK may exercise the following rights by contacting support@profresso.com:
- Right of access (Art. 15) — obtain a copy of your personal data we hold.
- Right to rectification (Art. 16) — correct inaccurate personal data.
- Right to erasure (Art. 17) — request deletion of your account and data.
- Right to data portability (Art. 20) — receive your content in a structured, machine-readable format.
- Right to restriction (Art. 18) — limit processing in specific circumstances.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) — withdraw consent for marketing or analytics at any time.
We respond to verified requests within 30 days.
8. Supervisory Authority
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In the EU, contact the authority in your country of residence.
9. Contact
For data protection enquiries or to submit a rights request:
Email: support@profresso.com