Privacy Policy
Effective date: May 25, 2026 · Last updated: May 25, 2026
Astralis Coffee Works Private Limited ("Astralis", "we", "our", or "us") operates the TRUE BLACK mobile application (the "App") and the website at trueblack.coffee. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the choices and rights you have. By using the App or the website you agree to this policy.
This policy is issued in accordance with India's Digital Personal Data Protection Act, 2023 (the "DPDP Act") and applicable rules. For users outside India, equivalent protections apply to the extent required by local law.
1. Who is the data fiduciary?
Astralis Coffee Works Private Limited is the data fiduciary for personal data processed through the App. Our registered address and contact details are in Section 12.
2. Information we collect
2.1 Information you provide
- Account information: phone number (used for OTP-based sign-in) and the name you set on your profile.
- Profile information (optional): email address and date of birth, used for receipts and birthday rewards.
- Order information: items ordered, customizations, the store you selected, payment method, time, and order status.
- Customer support and chat: messages you send to our support team or to the in-app AI assistant.
- Voice input (optional): when you use the voice feature of the in-app assistant, the audio is captured on your device and sent for transcription. We do not store raw audio after transcription unless you explicitly save it.
- Membership and loyalty data: punches earned, free items redeemed, and Club tier status.
2.2 Information collected automatically
- Device information: device model, OS version, app version, language, time zone, and a randomly generated device identifier used for crash reporting and analytics.
- Approximate or precise location: with your permission, we use location to show your nearest TRUE BLACK store and to default the pickup store at checkout. You can deny or revoke this permission in your device settings; the App will still work, but you will need to pick a store manually.
- Usage data: screens viewed, taps, search queries inside the App, items added to cart, and crashes.
- Push notification tokens: a Firebase Cloud Messaging token tied to your device so we can send order-status and promotional notifications. You can disable notifications in your device settings.
- Biometric authentication (optional): if you enable Face ID / fingerprint unlock for the App, the biometric template stays on your device in the OS keystore. We never receive or store the biometric itself.
2.3 Information from third parties
- Payment confirmation: Razorpay shares the transaction ID, payment method type, and status with us after each successful payment. We do not see your full card number, UPI VPA, or net-banking credentials.
- POS: our point-of-sale system (Rista) confirms invoice numbers and order status which we display back to you.
3. How we use your information
We use the data above to:
- create and authenticate your account (OTP);
- place, track, and fulfil your orders at the store you selected;
- operate the membership, loyalty, and rewards programs (including birthday offers);
- send order updates, account notices, and (with your consent) promotional messages;
- provide customer support and respond to your queries;
- run analytics to understand how the App is used, and to fix bugs and crashes;
- prevent fraud, abuse, and security incidents;
- comply with applicable law and respond to lawful requests from authorities.
4. Legal basis
We process personal data on the basis of your consent (where required), to perform a contract with you (for example, to deliver an order you placed), to comply with legal obligations, and for our legitimate interests in operating, securing, and improving the App.
5. How we share your information
We share personal data only with the following categories of recipients, and only to the extent necessary:
- Rista POS: we send order details (items, customizations, customer name, phone, store) so your order can be prepared at the selected store.
- Razorpay (payment processor): processes your payment. Razorpay's privacy policy governs its handling of card / UPI / net-banking details.
- Firebase (Google LLC): provides authentication, cloud database, cloud functions, crash reporting (Crashlytics), in-app messaging, push messaging (FCM), and generative-AI inference (Vertex AI in Firebase) used by the in-app assistant.
- Cloudinary: stores and serves images shown inside the App (menu, banners). User personal data is not stored on Cloudinary.
- Analytics: Google Analytics and Google Ads conversion tracking, used on our website only.
- Hosting: our backend runs on Railway. Our website is hosted on Firebase Hosting.
- Authorities: we may disclose data if required by law, court order, or a valid government request.
- Successors: in case of a merger, acquisition, or sale of business assets, your data may be transferred to the successor, subject to this policy.
We do not sell your personal data to advertisers or data brokers.
6. International transfers
Some of our processors (notably Google / Firebase, Razorpay, Cloudinary, and Railway) store or process data on servers outside India. Where required, we rely on standard contractual clauses or equivalent safeguards offered by these providers.
7. Data retention
- Account profile data is retained for as long as your account is active.
- Order history is retained for 7 financial years to comply with Indian tax and accounting requirements.
- Crash and analytics data is retained for up to 14 months.
- Voice transcripts associated with the in-app assistant are retained for up to 30 days for quality review.
- When you delete your account, we delete or anonymise data we are not legally required to keep. Anonymised order data may be retained for analytics.
8. Data security
We use TLS / HTTPS for all data in transit, OTP-based authentication, role-based access controls, encrypted credential storage, automated dependency scanning, and regular security reviews. No system is 100% secure, but we take reasonable steps to protect your data.
9. Your rights
Subject to the DPDP Act and other applicable law, you have the right to:
- access the personal data we hold about you;
- correct inaccurate or incomplete data;
- request deletion of your account and associated data (see Section 10);
- withdraw consent for processing where we rely on consent;
- opt out of marketing communications at any time, by tapping the unsubscribe link in any promotional message or by disabling notifications in your device settings;
- nominate another individual to exercise your rights in the event of your death or incapacity;
- file a grievance with our Grievance Officer (Section 12), and, if unresolved, with the Data Protection Board of India.
10. Account deletion
You can request deletion of your TRUE BLACK account and the personal data tied to it. There are three ways:
- In the App: go to Profile → Settings → Delete Account, and confirm.
- By email: write to privacy@trueblack.coffee from the email or with the phone number on your account, with subject "Delete my TRUE BLACK account".
- On the web: follow the steps at trueblack.coffee/delete-account.
We will action verified deletion requests within 30 days. We retain order and invoice data for the period required by Indian tax law (currently 7 financial years) in anonymised or pseudonymised form.
11. Children
The App is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has used the App, contact us and we will delete the data.
12. Cookies and similar technologies
The App itself does not use browser cookies. Our website uses Google Tag Manager, Google Analytics, and Google Ads conversion tracking, which set cookies for measurement. You can block cookies through your browser settings.
13. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be announced in the App or via email at least 7 days before they take effect.
14. Contact us