Privacy

What we track. What we don't.

Plain English. No legalese.

What we track

Page views. Two tools.

  • Vercel Analytics — cookieless, runs by default, counts page loads and rough traffic geography. No personal data.
  • Google Analytics 4 — sets cookies, runs only if you accepted on the consent banner. Helps us see which teas and articles people read most so we know what to write more of.

Account data. Only when you sign in. Saved in Supabase:

  • Profile — display name, handle, the date you joined.
  • Bookmarks — the teas and teahouses you saved.
  • Tasting notes — body, brewing method, optional rating, flavour tags. Default private; you toggle per note to share with the tea table.
  • Teahouse notes — short notes you wrote after visiting a teahouse. Default private.
  • Suggested flavour tags — when you add a flavour that isn't in the dropdown, your suggestion goes into a queue so we can review it and add it to the curated set for everyone.

Security telemetry. Two automated, anonymous streams that help us keep TEAKI safe.

  • Browser security reports — when our Content Security Policy would block a resource, your browser sends a small JSON report (which page, what was blocked, your browser type) so we can spot misconfigurations. No personal data; no account data; only fires if our policy is over-strict for your device.
  • Cloudflare Turnstile — when you sign up, sign in, or request a password reset, a bot-check widget runs. Cloudflare evaluates browser signals (IP, user-agent, behavioural patterns) for the moment of that submission to decide human vs bot. Cloudflare's privacy policy applies to this transient evaluation; we receive only the pass/fail result.

Errors. Crash reports via Vercel hosting. No personal data attached.

What we don't

  • No ads. None planned, none ever.
  • No cross-site tracking. Your TEAKI activity stays at TEAKI.
  • No data sales.
  • No persistent browser fingerprinting. Cloudflare Turnstile evaluates browser signals at the moment of an auth request only — not stored, not used to identify you across sessions.

Cookies and local storage

Cookies set after you accept analytics:

  • _ga and _ga_* (Google Analytics) — count distinct visitors and sessions, roughly 13-month expiry.
  • Supabase session cookie if you signed in — keeps you logged in, removed on sign out.

If you rejected analytics on the consent banner, the GA cookies are never set. Google Consent Mode v2 enforces this with ad_storage, ad_user_data, and ad_personalization permanently denied — so even if GA loads, it can't place advertising cookies.

Local browser storage — small entries we set on your device, never sent to our servers:

  • Your consent decision (so the banner doesn't ask you again on every page load).
  • Whether you've dismissed the install banner or the sign-up prompt, and how recently.
  • Pages you've visited this session — used by the sign-up prompt to decide whether to show. Cleared when you close the browser.
  • Your Supabase login token, if you're signed in. Stored locally; sent to Supabase only when you make an authenticated request.

Where your data lives

TEAKI uses a small number of trusted third parties to run the service:

  • Supabase — hosts your account, bookmarks, and notes.
  • Vercel — hosts the website and serves it to your browser.
  • Google — Google Analytics (only if you accepted) and Google Fonts.
  • Cloudflare — Turnstile bot-check on auth forms.
  • Resend (EU region): sends our account emails (sign-up confirmation, password reset). Processes the recipient address and message contents purely for delivery.

Some of these process data in the US. EU and UK users — standard contractual clauses apply where required.

Change your mind

If you accepted and want to opt out (or vice versa), tap the button below. The consent banner reopens; pick again.

Contact

Questions, corrections, requests under UK GDPR (access, deletion, export): [email protected].


Last updated: 2026-05-08.