Privacy Policy

• We collect only what we need to serve you boba and run our rewards program.
• We never sell your data. Period.
• You can request a copy or delete your account any time by emailing us.
• We use Stripe for payments — we never see or store your full card number.

• Account info: name, email, optional phone, optional birthday. Used for rewards + receipts.
• Order history: drinks you ordered, when, where, how much. Used for receipts, rewards, and to spot your favorite.
• Payment: handled by Stripe. We receive a token + last-4 digits, never the full card.
• Site analytics: anonymous page views, device type, performance metrics. No personally identifiable info.
• Communication preferences: whether you've opted in to marketing emails (default: yes, but you can unsubscribe any time).

• To fulfill your orders and award rewards points.
• To email you receipts and the occasional drink drop / reward you can claim.
• To improve the menu (what's popular, what we should retire).
• To detect fraud (e.g. duplicate accounts created to abuse a signup bonus).
• To meet legal obligations (tax records, etc.).

We share data only with the service providers we need to run the business:

• Stripe — payment processing.
• Resend — sending email receipts and marketing emails.
• Twilio (if/when we add SMS) — sending text reminders.
• Our hosting provider — running the app and database.

All of these are contractually bound to keep your data private and secure.

We use a single HTTP-only session cookie ("bp_session") to keep you logged in. It can't be read by JavaScript, which protects against XSS attacks. We also use localStorage for non-sensitive UI state (e.g. your current cart, sidebar collapse preference).

• Access: request a copy of your data at any time.
• Correction: update inaccurate info from your rewards portal.
• Deletion: ask us to delete your account and we will, within 30 days. Note that we keep transactional records as required by US tax law.
• Marketing opt-out: every promotional email has an "Unsubscribe" link at the bottom.

Email contact@theboba.place for any of the above.

We do not knowingly collect data from children under 13. If you believe a child has signed up, contact us and we'll delete their account.

Passwords are hashed with bcrypt; session tokens are HttpOnly + Secure cookies; all traffic is TLS-encrypted. We routinely patch our systems and audit access. No system is bulletproof, but we take this seriously.

We may revise this Privacy Policy from time to time. Material changes will be announced via email or a prominent notice on the site.

Questions, requests, or concerns? Email contact@theboba.place or stop by the shop. We'll get back to you within a few business days.