Privacy Policy
Last updated: April 21, 2026
What we collect
When you create a host account we collect your name, email, username, and any profile information you choose to add (bio, photo, venues, availability, safety contact email). If you sign up with Google, Apple, or LinkedIn, we receive the name and email address associated with that account. When a guest books a coffee chat we collect their name, email, and any optional note. We store your bookings, cancellations, waitlist entries, and attendance marks (showed / no-show), and any blocks or reports you file.
If you set a metro area and/or intent tags on your profile, we store them. Metro area is a coarse regional identifier (e.g., “State College, PA”); we do not collect precise location (GPS or IP-based geolocation). Tags are selected from a curated list.
Lawful basis for processing
| Data | Purpose | Lawful basis |
|---|---|---|
| Host profile (name, email, username) | Operate the service | Contract |
| Booking records | Facilitate meetings | Contract |
| Guest name & email | Booking confirmation and reminders | Contract (with host) |
| Marketing opt-in | Product updates and announcements | Consent |
| Safety contact email | Pre-fill safety share form after you book | Consent |
| Metro area & intent tags | Discovery features (dashboard widget, biweekly digest) | Consent (via discovery opt-in) |
| Reports and blocks | Safety and abuse prevention | Legitimate interests |
| Error and performance data (Sentry) | Service reliability | Legitimate interests |
| Aggregate traffic data (Cloudflare) | Understand usage | Legitimate interests |
How we use it
We use your information solely to operate JavaMe — to publish your booking page, process bookings and waitlists, send transactional email, and enforce your blocks and reports. We do not sell your data, and we do not use it for advertising or profiling. We use Cloudflare Web Analytics, a cookie-free service, to understand how visitors use JavaMe. No personal data is collected.
Your public profile page is never indexed by search engines. If you opt into discovery and set a metro area, we may include your profile in JavaMe's discovery features — the dashboard widget shown to signed-in users in your metro area, and a biweekly digest email sent to opted-in users. You can opt out at any time in Settings.
Data retention
| Data | Retention period |
|---|---|
| Account and profile data | Until account deletion |
| Metro area and intent tags | Until you clear them or delete your account |
| Booking records | Anonymised 30 days after account deletion |
| Safety reports and blocks | Up to 2 years (abuse prevention) |
| Error logs (Sentry) | 90 days |
| Aggregate analytics (Cloudflare) | No personal data retained |
Transactional email
We send booking confirmations (with a calendar .ics attachment), reminders before meetings, cancellation and waitlist-promotion notices, and — for hosts — block/report action links. These are essential to the service and cannot be opted out of while you have active bookings.
Marketing communications
If you opt in during registration or in Settings, your email is synced to a Mailgun mailing list, and we may occasionally send you product updates, new feature announcements, and news about JavaMe. Every marketing email contains a one-click unsubscribe link and we honor the RFC 8058 List-Unsubscribe header. You can withdraw consent at any time via Settings or the unsubscribe link; your email is removed from the mailing list on opt-out. Opting out of marketing does not affect transactional emails related to your bookings.
Safety share
If you use the “Share my meeting” feature, we send a one-time email to the address you enter containing your meeting details (host name, date, time, venue). The recipient address is not added to any mailing list and is not used for any other purpose. If you choose to save a safety contact email in Settings, we store it on your profile only to pre-fill the share form the next time you book — it is never emailed until you click “Share” on a specific meeting.
Data storage
Account data, bookings, venues, availability, and profile photos are stored on Supabase (PostgreSQL + Storage), which runs on AWS in the US East region. Row-level security restricts access so that hosts only see their own bookings and guests only receive their own confirmations.
Data protection mechanisms
We apply the following technical safeguards to protect your data:
- Encryption in transit— all communication between your browser and JavaMe's servers, and between our servers and third-party APIs, is encrypted via TLS 1.2 or higher (HTTPS).
- Encryption at rest (OAuth tokens) — when you connect Google Calendar or Outlook Calendar, the OAuth access and refresh tokens are encrypted with AES-256-GCM before being written to the database. The encryption key is never stored alongside the data. Raw tokens are never logged or exposed in application responses.
- Minimum-scope OAuth access — calendar integrations request only the narrowest scope necessary:
calendar.eventsfor Google andCalendars.ReadWritefor Microsoft. We do not request access to contacts, email, files, or any other account data. - Row-level security— Supabase enforces row-level security policies on every table. Database queries for calendar tokens, bookings, and profile data are scoped to the authenticated user's ID; no query can return another user's tokens or records.
- Token revocation— you can disconnect Google Calendar or Outlook Calendar at any time from Settings → Calendar Sync. Upon disconnection, both the access token and refresh token are deleted from our database, and we make a best-effort revocation request to Google's or Microsoft's token revocation endpoint so the grant is invalidated on their side as well.
- No secondary use of calendar data — calendar data retrieved via these integrations (event titles, times, attendees) is used only in real time to determine busy periods and to create or delete a single booking event. It is not stored, aggregated, analyzed, or shared.
- Access controls — production database credentials and encryption keys are stored as environment secrets in Vercel and are not committed to source code or accessible to application-layer code except through environment variable injection at runtime.
Third-party services
We rely on the following sub-processors. All have Data Processing Agreements in place.
- Supabase — authentication, database, and file storage
- Vercel — web hosting and edge delivery
- Mailgun / Sinch — transactional email delivery
- Cloudflare — DDoS protection, edge delivery, and privacy-first web analytics (no cookies, no personal data)
- Sentry — error monitoring in the EU data region; personal data scrubbed before transmission
- Google OAuth, Apple Sign in with Apple, and LinkedIn — optional login providers
- Google Places / Maps — venue search for hosts, and static venue map images displayed on profiles. Map images are fetched through a JavaMe server-side proxy so that your IP address is not sent to Google when you view a profile.
- Google Calendar — optional calendar sync for hosts. When a host connects their Google Calendar, JavaMe uses the
calendar.eventsscope for two purposes only: (1) reading the host’s calendar events to detect busy times so that conflicting slots are hidden from guests, preventing double-bookings; and (2) writing a calendar event to the host’s Google Calendar when a guest confirms a booking, containing the meeting date, time, venue, and guest name. Hosts can disconnect at any time from Settings → Calendar Sync. We do not store, share, or use calendar data for any other purpose. - Microsoft Outlook Calendar — optional calendar sync for hosts, mirroring the Google integration. When a host connects their Microsoft account, JavaMe uses the
Calendars.ReadWritescope via Microsoft Graph for the same two purposes: reading events for busy-time detection and writing a calendar event for confirmed bookings. Hosts can disconnect at any time from Settings; Microsoft also provides a consent management page at account.live.com/consent/Manage for personal accounts. We do not store, share, or use calendar data for any other purpose.
Cookies
We set only the cookies needed to keep you logged in (Supabase auth session) and to protect the booking form (Cloudflare Turnstile). We do not use analytics or advertising cookies.
Your rights
Under GDPR and applicable privacy law, you have the following rights:
- Access — download a copy of your data via Settings → “Download my data”
- Erasure — delete your account via Settings → “Delete account” (30-day grace period before permanent deletion)
- Rectification — edit your profile at any time from Settings
- Portability — machine-readable JSON export via Settings → “Download my data”
- Object to processing — opt out of marketing emails at any time via Settings or unsubscribe link
- Withdraw consent — marketing opt-out in Settings (does not affect transactional emails)
- Discovery — turn off discovery, remove your metro area, or remove tags at any time via Settings
To exercise rights not covered above, email hello@javame.com.
Terms of Service consent and marketing preferences are logged with timestamps for users who registered on or after April 2026.
Age
JavaMe is intended for adults 18 and older. You confirm you are 18+ when you create an account.
Contact
Questions? Email hello@javame.com.