Skip to content

Privacy Policy

Last updated: 15 May 2026

Who we are

The Cheeky Beans (“we”, “us”, “our”) is a café located in Port Melbourne, Victoria, Australia. This app lets you order ahead and collect from our store.

What we collect

  • Email address — to sign you in via magic link and send order confirmations.
  • Name (optional) — so the barista knows who the order belongs to.
  • Phone number (optional) — so we can text you if there’s an issue with your order.
  • Birthday month & day (optional) — to send you a free coffee on your birthday. We never collect your birth year (Privacy Act 1988 data minimisation).
  • Order history — what you ordered, when, and how much you paid.
  • Loyalty stamps — how many coffees you’ve bought towards your next free one.

What we don’t collect

  • We never see your card details — they go directly to Square.
  • We don’t track your location.
  • We don’t sell or share your data with third parties for marketing.

How we use your data

  • To process and fulfil your orders.
  • To track your loyalty stamps and free coffee rewards.
  • To send you order confirmations and receipts via email.
  • To send you marketing emails only if you opt in (Spam Act 2003). You can opt out any time in your profile.

Third-party services

  • Square — processes payments. Their privacy policy applies to card data.
  • Resend — delivers transactional emails on our behalf.
  • Supabase — hosts our database in Sydney (ap-southeast-2). Your data stays in Australia.
  • Vercel — hosts this web app.

Your rights (Privacy Act 1988)

  • Access — you can download all the data we hold about you from your profile page at any time.
  • Correction — you can update your name, phone, and birthday in your profile.
  • Deletion — you can delete your account from your profile. This removes your personal data immediately. We keep anonymised order records for 5 years as required by ATO tax invoice rules.
  • Complaint — if you’re unhappy with how we handle your data, contact us first. You can also lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

Data retention

We keep your account data for as long as your account is active. After deletion, anonymised order records are retained for 5 years (ATO requirement). Loyalty transaction history is anonymised but preserved for reconciliation.

Security

Passwords are never used — we use magic-link email authentication. Session tokens are stored in HttpOnly cookies inaccessible to JavaScript. All connections use HTTPS. Card payments are tokenised by Square and never touch our servers.

Contact

Questions about your privacy? Email us at hi@thecheekybeans.com.au.