Privacy Policy.

Hopfly is a beer-tracking and social app operated by Hopfly (the "Company," "we," "us," or "our"). We are the data controller within the meaning of the EU General Data Protection Regulation (GDPR) for personal data processed in connection with the Hopfly app and website.

If you have any questions about this policy or our data practices, contact us at support@hopfly.app.

Account data

When you register, we collect your email address, chosen username, and password (stored as a bcrypt hash — we never see your password in plaintext).

Usage data

We record the actions you take inside the app: posts, beer scans, hops earned, challenges created or joined, badges unlocked, and venue tags. This is the core of the Hopfly experience.

Location data

Location is opt-in only. If you enable venue detection, we request your device's GPS coordinates to suggest nearby bars. We do not continuously track your location. You can revoke this permission at any time in your device settings.

Device and technical data

When you use the app or website we receive standard technical information: IP address, browser type, operating system, and referrer URL. This data is used for security and to diagnose technical problems.

Communications

If you contact us by email or through the app's support flow, we keep the content of that correspondence to resolve your issue.

• Run the service — authenticate your account, store and display your posts, calculate leaderboards and badges.
• Push notifications — if you grant permission, notify you of friend activity, nearby check-ins, and challenge updates.
• Service improvement — understand feature usage and prioritise development. We use aggregated, anonymised metrics where possible.
• Security — detect and prevent fraud, abuse, and unauthorised access.
• Legal compliance — meet our obligations under applicable law.

We do not use your data for advertising, profiling for third parties, or any automated decision-making with legal or similarly significant effects.

We process your personal data only where we have a lawful basis to do so:

• Contract (Art. 6(1)(b)) — processing your account data and activity is necessary to provide the Hopfly service you signed up for.
• Legitimate interests (Art. 6(1)(f)) — improving the app, maintaining security, and communicating service-related updates. We balance these interests against your rights; you can object at any time.
• Consent (Art. 6(1)(a)) — optional features such as location access and push notifications. You may withdraw consent at any time without affecting the lawfulness of prior processing.

We do not sell, rent, or trade your personal data. We share it only in the following limited circumstances:

Infrastructure providers

Our servers run on European cloud infrastructure. All providers are bound by data-processing agreements and, where applicable, EU Standard Contractual Clauses.

Analytics

We use a self-hosted instance of Umami for website analytics. It collects no personally identifiable information and sets no tracking cookies. Data stays on our own servers.

Legal requirements

We may disclose information if required by law, court order, or governmental authority, or to protect the safety of our users.

We keep your account data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where we are required by law to retain it for longer (e.g., billing records).

Server logs containing IP addresses are retained for 90 days for security purposes, then deleted.

Aggregated, anonymised analytics data (no link back to you) may be kept indefinitely.

Under GDPR you have the following rights regarding your personal data. To exercise any of them, email us at support@hopfly.app. We will respond within 30 days.

• Access (Art. 15) — request a copy of the personal data we hold about you.
• Rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
• Erasure (Art. 17) — request deletion of your data ("right to be forgotten").
• Restriction (Art. 18) — ask us to limit how we process your data while a dispute is resolved.
• Portability (Art. 20) — receive your data in a structured, machine-readable format.
• Objection (Art. 21) — object to processing based on legitimate interests.
• Withdraw consent — at any time, for consent-based processing, without penalty.

You also have the right to lodge a complaint with your national data protection authority. In Germany, that is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).

The Hopfly website uses only technically necessary session cookies — no advertising cookies, no cross-site tracking.

Our analytics tool (self-hosted Umami) is privacy-respecting by design: it measures aggregate page views without fingerprinting you, does not set persistent cookies, and the data never leaves our servers.

Hopfly is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with their data, please contact us and we will delete it promptly.

We may update this policy from time to time. For material changes we will notify you by email or via an in-app notice before the change takes effect. The "Last updated" date at the top of this page always reflects the most recent revision.