Privacy policy

Last updated: 30 April 2026

Enable Coffee only collects the information it needs to run the service. We don't sell your data, run ads, or track you across other apps.

Who we are

Enable Coffee ("the app", "we", "us") is operated by Ironstone Software in Australia. The operator is Brian Dance, trading as Ironstone Software.

Privacy contact: [email protected]
General support: [email protected]

We aim to respond to privacy enquiries within 5 business days.

What we collect

What	When	Why
Email address	When you sign up	To create your account and contact you about your orders
Display name	When you sign up	So your runner or clients see who they're dealing with
Phone number (optional)	If you choose to add it in Settings	Helps a runner reach you about an order
Role (runner or client)	When you sign up	The app behaves differently for the two roles
Business details (runners only)	When you set up your business	So clients can identify your service when pairing
Order details	When you place or accept an order	Orders are the core of the service
Receipt photos (runners only)	When you complete an order	So clients can see what was bought; underlying record for the tab
Tab + reconciliation entries	From your orders + recorded payments	We track who owes whom; we don't process the payment itself
Push notification token	When you grant permission	So we can deliver order updates to your device
Authentication metadata	Every sign-in	Account security (timestamps, IP at login, device type)

What we don't collect

We do not collect your real-time location
We do not collect your contacts or calendar
We do not collect biometric data
We do not receive or store payment card details — there is no in-app payment
We do not track you across other apps or websites
We do not sell or rent any of your data, ever

How we use your information

To run the app — show your orders, deliver push notifications, calculate your tab balance, surface receipts to the client whose order they relate to
To support you — investigate bugs, respond to email enquiries
To meet legal obligations — when we're legally required to disclose (for example, in response to a valid Australian court order)

We do not use your information for advertising, profiling, or behavioural analytics.

Who we share your information with

We use a small set of third-party services to operate the app. None of them are sold your data — they are processors acting on our instructions.

Provider	What they receive	Where
Supabase (database, authentication, file storage)	Everything in the table above, stored at rest	Sydney, Australia (ap-southeast-2)
OneSignal	Push token + a non-personal user ID — nothing else	United States
Render	Transient HTTP traffic only (no at-rest storage)	Singapore
Apple Push Notification Service (APNs)	Push token (iOS only)	Apple infrastructure
Firebase Cloud Messaging (FCM)	Push token (Android only)	Google infrastructure
Resend	Your email address + transactional message body (e.g. password reset)	United States
Cloudflare	Email metadata (envelope sender, recipient alias) when you write to us	Cloudflare's edge network

We do not share your information with advertisers, data brokers, or analytics platforms.

How long we keep your information

Data	Retention
Account profile (email, name, phone)	While your account is active. Anonymised within 30 days of account deletion.
Your orders	While your account is active. After deletion, anonymised but retained for the linked counterparty's records.
Tab + reconciliation entries	Same — anonymised but retained for the counterparty.
Receipt photos	Deleted within 30 days of account deletion.
Push tokens	Removed within 24 hours of sign-out, uninstall, or revoking notification permission.
Authentication logs	90 days, then automatically purged.

If a deletion would leave the linked counterparty with an incomplete record (e.g. half a tab), we anonymise rather than delete the order rows — the counterparty sees their record intact, but with no personal information about you.

How we keep your information secure

In transit: all traffic is encrypted with HTTPS (TLS 1.2 or higher)
At rest: Supabase encrypts both the database and file storage at rest
Access: the database has row-level security — every read is checked against the requesting user's identity; you can only see your own data
Authentication: managed by Supabase Auth using industry-standard JWTs
Passwords: handled by Supabase Auth — we never see them
API tokens (e.g. for push providers) are scoped to the minimum necessary

We are a small team and don't yet have an external security audit. If that changes, we'll update this policy.

Your rights

Whichever country you're in, you have rights over your data. We aim to honour them all without making you invoke a specific framework.

Access — request a copy of your data: email [email protected]
Correction — edit your name, email, or phone in Settings, or email us
Deletion — delete your account in Settings → Delete account, or see how to delete your account
Portability — request an export of your orders + tab history; we'll send a JSON file
Withdraw consent — uninstall the app and delete your account at any time, no notice required
Complain — if you're unhappy with how we've handled your data, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au — and we'd really appreciate hearing about it first so we can fix it

Children

Enable Coffee is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has used the service and given us their information, please email [email protected] and we'll delete the account.

International transfers

Your data is stored in Australia (Supabase's Sydney region). Some processors operate from elsewhere — Render hosts our API in Singapore; OneSignal, APNs and FCM are based in the United States. Where data crosses borders, the receiving processor handles it under contractual arrangements that meet Australian Privacy Principle 8 ("cross-border disclosure of personal information").

If you're in the European Economic Area or the UK, transfers outside the EEA are made under the relevant Standard Contractual Clauses. If you're in California, see the CCPA section below.

Australian Privacy Principles

We comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth). We treat the obligations seriously even though, as a small business, we may technically fall outside the Act's threshold. The contact for APP-related queries is [email protected].

GDPR / UK GDPR (if you're in the EEA or UK)

Lawful basis: we process your data on the basis of (a) contract — we can't run the app without it — and (b) legitimate interest — to keep the service secure and functional. We don't rely on consent except for push notifications, where you must explicitly grant permission.
Right to lodge a complaint: with your country's supervisory authority. The list is at edpb.europa.eu.
Data Protection Officer: we are too small to be required to appoint one; the contact for GDPR queries is [email protected].

CCPA (if you're in California)

The right to know what personal information we collect (covered above)
The right to delete it (in-app + email)
The right to opt out of "sale" or "sharing" — we do not sell or share your data, so there is nothing to opt out of
The right to non-discrimination for exercising any of these rights

Changes to this policy

If we make material changes (for example, start using a new third-party processor, change retention periods, or expand what we collect), we'll:

Update the "Last updated" date at the top of this page
Show a banner in the app on next launch asking you to acknowledge the change
Email you if the change is significant

Contact

What you want	Where to reach us
Privacy questions	[email protected]
General support	[email protected]
Bug reports	[email protected]
Postal mail	Ironstone Software, 24 Heron Place, Hazelbrook NSW 2779, Australia