Co•fé — Privacy Policy
Last updated: March 2026
1. Introduction
Welcome to Co•fé. We are Co-fé GmbH, a company registered in Germany ("we", "us", "our"). We operate the Co•fé mobile application (available on iOS and Android) and the website co-fe.de.
We respect your privacy and are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications Digital Services Data Protection Act (TDDDG).
This privacy policy explains what personal data we collect, why we collect it, how we use it, and what rights you have.
2. Controller
The data controller responsible for your personal data is:
Co-fé GmbH
Petersbergstr. 13, 50939 Köln, Germany
Email: privacy@co-fe.de
Represented by: Benedict Schönenstein
3. What data we collect
We collect different categories of personal data depending on how you use Co•fé:
3.1 Account data
When you create an account, we collect your email address and password (encrypted). If you sign up via Apple ID, we receive the information you choose to share (typically name and email). We also store your username and profile information you voluntarily provide, such as your profession, languages spoken, and a profile photo.
3.2 Location data
Co•fé can use your device's location to show cafés near you on the map. If you do not grant location permission, the app remains fully usable with a default location (Cologne, Germany) and manual map navigation. When you check in to a café, we store the café name and your check-in time. We do not track or store your GPS coordinates continuously. We only process your location when you actively use the map or check in.
If you enable the "working now" feature or Work Buddy mode, your presence at a specific café becomes visible to other opted-in users. This optional social visibility can be controlled per check-in.
Legal basis: Your consent (Art. 6(1)(a) GDPR). Device location access is granted through your operating system's permission prompt and can be revoked at any time in your device settings. Social visibility features (working now, Work Buddy mode) are separately controlled within the app per check-in.
3.3 Social and interaction data
If you use our social features, we process data related to your interactions:
- Friends: When you add someone as a friend, we store the connection between your accounts. Friends can see when and where you are checked in.
- Say Hi (ping): When you send a ping to another user, we store a record of the ping (sender, recipient, timestamp). Pings are subject to a cooldown period.
- Work Buddy visibility: When you check in with Work Buddy mode enabled, other users who are also checked in at the same café with Work Buddy mode can see your profile. This is bilateral: you only appear to others who have also opted in.
- Groups: If you create or join a group, we store your membership, role (owner/member), and any group content you provide (name, description, image).
Legal basis: Performance of the contract (Art. 6(1)(b) GDPR) and your consent for optional social features (Art. 6(1)(a) GDPR).
3.4 User-generated content
You may add cafés to the map, upload photos, or provide reviews and information about cafés. This content is visible to other users and is stored on our servers.
Legal basis: Performance of the contract (Art. 6(1)(b) GDPR).
3.5 Subscription and payment data
If you subscribe to a paid plan, payments are processed entirely by Apple (App Store) or Google (Google Play). We do not receive or store your credit card number or bank details. We only receive confirmation of your subscription status and tier from the respective app store.
Legal basis: Performance of the contract (Art. 6(1)(b) GDPR).
3.6 Technical and usage data
When you use the app, we automatically collect certain technical data: device type, operating system, app version, IP address (stored temporarily and truncated where possible), and general usage patterns (e.g. which features you use). We use this to maintain and improve the app.
Legal basis: Our legitimate interest in maintaining, securing, and improving the service (Art. 6(1)(f) GDPR).
4. How we use your data
We use your personal data for the following purposes:
- Providing and operating the Co•fé app, including the map, check-in, and social features.
- Managing your account and subscription.
- Enabling communication between users through the social features you opt into.
- Maintaining the security and stability of our service.
- Improving the app based on aggregated, anonymised usage data.
- Complying with legal obligations.
We do not use your data for automated decision-making or profiling.
5. Who we share your data with
We share your data only where necessary and with appropriate safeguards:
5.1 Other users
Depending on your settings, other Co•fé users may see your profile information, check-in location, and social activity. All social visibility features are opt-in. You control what others can see through your settings and per-check-in choices.
5.2 Service providers (sub-processors)
We use the following third-party services to operate Co•fé:
- Supabase Inc. (database, authentication, file storage, API) — hosted on AWS infrastructure in the EU (Frankfurt region). We have a Data Processing Agreement (DPA) in place with Supabase. Supabase is a US company; data transfers are covered by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.
- Google LLC (Google Places API for café search and autocomplete, Google Maps) — processes location queries. Google is certified under the EU-US Data Privacy Framework.
- Apple Inc. (authentication via Apple ID, payment processing via App Store) — processes data in accordance with Apple's privacy policy.
- Google LLC (payment processing via Google Play) — processes data in accordance with Google's privacy policy.
- Brevo (Sendinblue) (email newsletter service, if you subscribe to our newsletter) — EU-based. We have a DPA in place.
5.3 International data transfers
Some of our service providers are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, certification under the EU-US Data Privacy Framework.
6. Data retention
We retain your personal data only as long as necessary for the purposes described in this policy:
- Account data: Retained for the duration of your account. Deleted within 30 days after you delete your account.
- Check-in history: Retained for the duration of your account for your personal history. Deleted when you delete your account.
- Social interaction data (pings, friend connections): Deleted when you delete your account or remove the respective connection.
- User-generated content (café reviews, photos): May be retained in anonymised form after account deletion to preserve community content.
- Technical logs: Automatically deleted after 90 days.
- Subscription data: Retained as required for accounting and tax purposes (up to 10 years under German law, § 147 AO, § 257 HGB).
7. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): You can request a copy of the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): You can ask us to correct inaccurate data.
- Right to erasure (Art. 17 GDPR): You can request deletion of your data. You can also delete your account directly in the app under Profile Settings → Delete Account.
- Right to restriction of processing (Art. 18 GDPR): You can ask us to restrict how we process your data.
- Right to data portability (Art. 20 GDPR): You can request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): You can object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at privacy@co-fe.de. We will respond within one month.
8. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for Co-fé GmbH is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2–4, 40213 Düsseldorf, Germany
Website: www.ldi.nrw.de
9. Children's privacy
Co•fé is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without appropriate consent, we will delete it promptly.
10. Security
We implement appropriate technical and organisational measures to protect your personal data, including encrypted data transmission (TLS), encrypted password storage, access controls, and regular security reviews.
11. Changes to this policy
We may update this privacy policy from time to time. We will notify you of material changes through the app or by email. The date at the top of this policy indicates when it was last updated.
12. Contact
For any questions about this privacy policy or your personal data:
Email: privacy@co-fe.de
Co-fé GmbH, Petersbergstr. 13, 50939 Köln, Germany