Roastable

Privacy Policy

Effective Date: March 1, 2025 · Last Updated: March 3, 2026

1. Who We Are (Data Controller)

Roastable.com (“Roastable,” “we,” “us,” or “our”) is operated by Brandon Olson, a sole proprietor based in the State of Wyoming, United States. For the purposes of applicable data protection laws (including the GDPR), we are the data controller responsible for your personal information.

By accessing or using the website at Roastable.com (the “Site”) and our services (collectively, the “Service”), you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

2. Information We Collect

2.1 Information You Provide Directly

When you use the Service, we may collect the following categories of personal information that you voluntarily provide:

  • Name (first and last name) — used to personalize your roast content
  • Email address — used to deliver your roast, send purchase receipts, and communicate with you regarding your order
  • Date of birth — used as an input to personalize your roast content

For gift purchases, the purchaser provides their own name and email, along with the recipient's first name and email address. The gift recipient separately provides their own last name and date of birth if they choose to claim the gift.

2.2 Payment Information

All payment transactions are processed by our third-party payment processor, Stripe, Inc. When you make a purchase, your payment information (including credit card number, expiration date, and CVV) is transmitted directly to Stripe via their secure payment interface. Roastable does not collect, store, process, or have access to your full payment card information. For more information on how Stripe handles your data, please refer to Stripe's Privacy Policy.

2.3 Information Collected Automatically

When you access the Site, we may automatically collect certain technical information, including:

  • Device information — browser type, operating system, and device type
  • Usage data — pages visited, time spent on pages, referring URLs, and interaction patterns
  • IP address — used for security, fraud prevention, and rate limiting

2.4 Analytics

We use Plausible Analytics, a privacy-friendly analytics service, to understand how visitors interact with the Site. Plausible does not use cookies, does not collect personal data, and does not track users across websites. All data is aggregated and cannot be used to identify individual visitors. Plausible is compliant with GDPR, CCPA, and PECR without requiring cookie consent. For more information, see the Plausible Data Policy.

3. How We Use Your Information

We use the personal information we collect for the following purposes:

  • To provide the Service — generating and delivering your personalized roast content
  • To process transactions — facilitating purchases and sending receipts
  • To communicate with you — responding to inquiries, providing customer support, and sending order-related notifications
  • To improve the Service — analyzing usage patterns and feedback to enhance functionality and user experience
  • To protect the Service — detecting and preventing fraud, abuse, security incidents, and other harmful activity
  • To comply with legal obligations — fulfilling applicable legal, regulatory, or contractual requirements

We do not use your personal information for targeted advertising. We do not sell your personal information to third parties. We do not send unsolicited marketing communications unless you have explicitly opted in.

4. AI-Generated Content and Data Processing

Your date of birth is processed locally on Roastable's servers to derive non-personal, esoteric data points, including but not limited to numerological values, zodiac associations, elemental affinities, age bracket, and personality archetypes. These calculations are performed entirely within our infrastructure.

Only your first name, age, and these derived non-personally identifiable data points are transmitted to Anthropic, PBC (“Anthropic”), our third-party AI service provider, for the purpose of generating your personalized roast content. Your last name, date of birth, email address, and other personal details are not shared with, sent to, or accessible by Anthropic or any other AI provider.

AI Training Disclosure: Under our agreement with Anthropic, the data we send for content generation is processed via their API and is not used to train Anthropic's AI models. Roastable does not use your personal information to train any machine learning models. We may use anonymized, aggregated analytics data (which cannot identify any individual) to improve the quality of our prompts and service.

By using the Service, you consent to the local processing of your personal information and the transmission of derived, non-personal data to Anthropic for content generation purposes. You may withdraw this consent at any time by discontinuing use of the Service and requesting deletion of your data (see Section 9 below).

5. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share your information only in the following limited circumstances:

  • Service providers — We share information with trusted third-party vendors who perform services on our behalf (see Section 6 for the complete list). These providers are contractually obligated to use your data only for the purposes of providing services to Roastable and are bound by data protection obligations.
  • Legal requirements — We may disclose your information if required to do so by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
  • Business transfers — In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Site at least 30 days before any change in ownership or use of your personal information.

6. Sub-Processors and Third-Party Services

We use the following third-party service providers (sub-processors) to operate the Service. Each provider only receives the minimum data necessary for its function:

Provider | Purpose | Data Shared
Stripe, Inc. | Payment processing | Payment card data (direct to Stripe), email for receipts
Anthropic, PBC | AI content generation | First name, age, derived personality traits only
Supabase, Inc. | Database hosting | All order and account data (encrypted at rest)
Vercel, Inc. | Website hosting & CDN | IP address, request metadata
Postmark (ActiveCampaign) | Transactional email delivery | Email address, first name
Plausible Insights OÜ | Website analytics | Aggregated, anonymous page view data (no cookies, no personal data)
Upstash, Inc. | Rate limiting & queue processing | IP address, request identifiers
Sentry (Functional Software) | Error tracking & monitoring | Error logs, IP address, browser metadata

All sub-processors are bound by data processing agreements that require them to protect your data in accordance with applicable privacy laws. We will update this list if we add or change sub-processors, and material changes will be noted in the “Last Updated” date of this policy.

7. Cookies and Tracking Technologies

Roastable uses cookies for the following purposes:

  • Essential cookies — Required for payment processing (Stripe), session management, and basic site functionality. These cannot be disabled as they are necessary for the Service to work.

We do not use analytics cookies. Our analytics provider (Plausible) is cookie-free and does not track individual users (see Section 2.4).

We do not use third-party advertising cookies, cross-site behavioral tracking pixels, or retargeting technologies. We do not serve ads on the Site.

You may control cookies at any time through your browser settings. Disabling essential cookies may affect your ability to make purchases or use certain features. If we add any non-essential cookies in the future (such as for additional analytics or marketing), we will update this policy and request your consent before setting those cookies.

8. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy. Specific retention periods are as follows:

  • Roast content and order records — Retained indefinitely so you can access your roast at any time after purchase, unless you request deletion.
  • Payment records — Retained for 7 years as required for accounting, tax, and legal compliance purposes under U.S. law.
  • Email addresses — Retained for as long as your roast order exists, or until you request deletion.
  • Server logs and IP addresses — Automatically deleted after 90 days.
  • Analytics data — Plausible retains aggregated, anonymous analytics data indefinitely. No personal data is collected by our analytics.
  • Error tracking data (Sentry) — Automatically deleted after 90 days.

You may request deletion of your personal data at any time by contacting us (see Section 16 below). Upon receiving a valid deletion request, we will delete your personal information within 30 days, except where retention is required by law (such as payment records for tax purposes).

9. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal information, including:

  • Right to access — You may request a copy of the personal information we hold about you.
  • Right to correction — You may request that we correct any inaccurate or incomplete personal information.
  • Right to deletion — You may request that we delete your personal information, subject to certain legal exceptions.
  • Right to data portability — You may request a copy of your data in a structured, commonly used, and machine-readable format (JSON or CSV).
  • Right to object — You may object to the processing of your personal information in certain circumstances.
  • Right to restrict processing — You may request that we limit the processing of your personal information in certain circumstances.
  • Right to withdraw consent — Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days (or such shorter period as required by applicable law). We will not charge a fee for processing reasonable requests. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or decline to act.

10. Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS/SSL
  • Encryption of sensitive data at rest
  • Secure authentication and access controls for internal systems
  • Regular security assessments and monitoring
  • Rate limiting and fraud detection measures

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your information.

11. Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will:

  • Notify affected users via email within 72 hours of becoming aware of the breach, where feasible
  • Notify the relevant supervisory authority within 72 hours as required under the GDPR (where applicable)
  • Post a notice on the Site if the breach affects a large number of users
  • Describe the nature of the breach, the types of data affected, and the measures we are taking to address it

Where the breach is unlikely to result in a risk to your rights and freedoms, notification may not be required under applicable law, but we will still document the incident internally.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

  • The right to know what personal information is collected, used, shared, or sold
  • The right to delete personal information held by businesses
  • The right to opt out of the sale or sharing of personal information
  • The right to non-discrimination for exercising your privacy rights
  • The right to correct inaccurate personal information
  • The right to limit the use and disclosure of sensitive personal information

We do not sell or share personal information as defined under the CCPA/CPRA. We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA/CPRA.

To submit a verifiable consumer request, please contact us at [email protected]. We will verify your identity before processing any request, typically by confirming the email address associated with your order.

13. European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data is processed in accordance with the General Data Protection Regulation (GDPR).

Legal Bases for Processing

We process your data under the following legal bases, mapped to specific activities:

  • Contract performance (Art. 6(1)(b)) — Processing your name, email, and date of birth to generate and deliver your roast; processing payment via Stripe; sending order confirmation and roast delivery emails via Postmark
  • Legitimate interests (Art. 6(1)(f)) — Fraud prevention and rate limiting via Upstash; error tracking via Sentry; improving Service quality through aggregated analytics
  • Consent (Art. 6(1)(a)) — Any future non-essential cookies or marketing communications
  • Legal obligation (Art. 6(1)(c)) — Retaining payment records for tax compliance; responding to lawful data requests

International Data Transfers

Your data is transferred to and processed in the United States. For transfers from the EEA/UK to the United States, we rely on:

  • The EU-U.S. Data Privacy Framework (where applicable to our sub-processors)
  • Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our data processing agreements with sub-processors that do not participate in the Data Privacy Framework

You may request a copy of the safeguards we use for international transfers by contacting us at [email protected].

You have the right to lodge a complaint with your local data protection authority if you believe your rights under the GDPR have been violated.

14. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe that a child under 18 has provided us with personal information, please contact us at [email protected].

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the “Last Updated” date at the top of this page. Where required by applicable law, we will provide additional notice (such as via email to the address associated with your order, or a prominent notice on the Site). Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Roastable.com

Operated by Brandon Olson

Wyoming, United States

Email: [email protected]

For GDPR-related inquiries, you may also contact your local data protection authority.

© 2026 Roastable.com. All rights reserved.