Beisl Privacy Policy
Effective date: 12 May 2026
Last updated: 12 May 2026
This Privacy Policy describes how Timmo Caspar Achsel (“Beisl”, “we”, “us”, or “our”), as the operator of the Beisl mobile application and the website at beisl.pub (together, the “Service”), collects, uses, shares, and protects personal data.
We are the data controller for the personal data processed through the Service within the meaning of the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, and equivalent laws.
1. Who we are and how to reach us
Controller:
Timmo Caspar Achsel
Stockholm, Sweden
Email: hello@beisl.pub
Beisl is currently operated as a sole proprietorship. If you have questions, want to exercise a privacy right, or wish to lodge a complaint with us before approaching a supervisory authority, please email us at the address above. We aim to respond to verifiable requests within 30 days.
We have not appointed a Data Protection Officer because we are not legally required to do so, but the email above reaches the person responsible for privacy at Beisl.
2. Scope of this Policy
This Policy applies to:
- the Beisl iOS app (bundle identifier pub.beisl.app) distributed through the Apple App Store; and
- the Beisl website at beisl.pub, including invite landing pages, the Apple App Site Association file used for universal links, and any associated subdomains we operate (e.g. api.beisl.pub).
This Policy does not apply to third-party services that you reach from links inside the Service (for example, Apple Maps directions to a bar, or another user's external website). Their privacy policies govern your use of those services.
3. Summary at a glance
| Topic | Short answer |
|---|---|
| Account creation | Sign in with Apple only. We never see your real Apple ID password. |
| What you must give us | A persistent Apple identifier (“Apple sub”), a unique handle (your @username), and a display name. We do not store your email address. |
| Location | Coarse location (used on-device only) for nearby-bar suggestions. Precise location is shared with the friends in your active crawl only if you turn the per-crawl “Share location” switch on. Live position points are deleted from our server within ~60 seconds. |
| Friends | Your handle, display name, premium status, and limited activity (e.g. whether you are currently in a crawl) are visible to people who add you as a friend. Your bar ratings are visible to friends only if you enable “Share ratings”. |
| Third-party processors | Apple (Sign in with Apple, push notifications, in-app purchases) and our hosting provider Hetzner Online GmbH (Germany). A transactional-email provider (Brevo, France) is planned for moderation emails but not currently in use. |
| Analytics | We do not use third-party analytics, attribution, advertising, or crash-reporting SDKs. |
| Children | The Service is intended for adults. You must be at least the legal drinking age of your jurisdiction (and in any case at least 18) to use it. |
| Your rights | Access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint. You can delete your account from inside the app at any time. |
The summary is provided for convenience. The detailed sections below are legally controlling.
4. Personal data we collect
4.1 Data you provide directly
When you sign in to Beisl using Sign in with Apple, Apple sends us a signed identity token from which we extract a stable, opaque user identifier (the “Apple sub”). The Apple sub is unique to your Apple ID and to the Beisl Services ID; it cannot be linked back to your Apple ID by us. Apple may also include an email address in that token (your real address, or a relay address of the form <random>@privaterelay.appleid.com). We do not store the email address. It is read once, in memory, only to validate the token; we then discard it.
After signing in for the first time, you must also choose:
- a handle — a unique short username, displayed as @yourhandle, that other people use to find and add you; and
- a display name — a free-text name shown to your friends and crew.
Both are required to finish creating your account. You can change either of them at any time from the Profile screen, subject to the handle remaining unique.
When you create or interact with content in the app, you may also provide:
- bar entries (a venue name, optional area label, an optional latitude/longitude, and a colour hue);
- ratings and notes about a bar (eight scores from 1–5 covering atmosphere, music, selection, quality, price, staff, toilets, and “linger”; an optional drink-kind text; an optional free-text note up to 1,000 characters);
- visits (timestamped records of when you arrived at a bar);
- crawls (a name, planned date and time, mode of transport, and an ordered list of stops);
- try-lists and bar lists (custom personal lists of bars; bar lists with multiple lists are a Premium feature);
- friend relationships (you choose whom to invite, accept, or block);
- moderation reports (a target type, target ID, and a free-text reason capped at 500 characters); and
- a logbook caption (a short text persisted with a completed crawl, sometimes called the “verdict”).
4.2 Data collected automatically
When you use the Service we automatically collect:
- a persistent user record identifier generated by us (a UUID stored on our server and tied to your Apple sub);
- session tokens (JSON Web Tokens issued by us, stored in your device's iOS Keychain);
- APNs device tokens issued to your device by Apple's Push Notification service so we can deliver notifications to you, together with the APNs environment (sandbox or prod) and the date the token was registered or revoked;
- Live Activity tokens issued per active crawl so we can update your iOS Live Activity / Dynamic Island banner;
- a record of your premium subscription status (the product identifier and an expiry timestamp), kept in sync with Apple's StoreKit;
- the App Store Server Notifications that Apple sends us about your subscription (we keep the signed JWS message we receive from Apple as an audit record of the transaction);
- crawl event records (arrived, left, rated, deviated, completed, reminded, position) generated as you participate in a crawl; and
- standard server log information for each request to our API: a request identifier, the requesting user identifier (when authenticated), the HTTP method and path, the response status, error messages, and a high-resolution timestamp. These logs are written to standard output on our servers and rotated by the host operating system. They are not exported to a third-party log aggregator.
We do not collect:
- your real name, postal address, or phone number;
- your email address (Apple's identity token contains it, but we discard it as described above);
- contacts from your address book;
- photographs, video, audio, microphone input, motion or fitness data, or HealthKit data;
- a device advertising identifier (IDFA), and we do not use Apple's App Tracking Transparency framework because we do not track you across apps or websites;
- any biometric, government-issued, financial, employment, or health information; or
- anything from a “Sensitive Personal Information” category under California or EU law.
4.3 Location data
Location is the most privacy-significant category we handle. It deserves a careful description.
Coarse “When in Use” location. When you grant the iOS When In Use location permission, the Beisl app uses an on-device coarse-location reading (kilometre-scale accuracy) to suggest bars near you when you search and to label your area in the app. This coarse reading stays on your device. It is not transmitted to our servers.
Precise “Always” location during an active crawl. When you start or join a crawl, we ask for the iOS Always location permission. We then run two location-based services on your device, only while a crawl is in the active state and you are a member of it:
- Geofencing. The app registers a circular geofence around each stop in the crawl (radius 100 metres, with a 95 m / 120 m hysteresis band and a dwell timer of 30 seconds for walking and transit modes, 10 seconds for taxi mode). When you arrive at a stop, the app fires a local arrival prompt and writes an arrived crawl event; when you leave, it writes a left event. The geofence runs locally on your device using Apple's CoreLocation framework, including in the background.
- Live position broadcast. If — and only if — you have the per-crawl “Share location” switch turned on, the app sends your latitude, longitude, and horizontal accuracy to our server every 30 seconds, or whenever you have moved more than 50 metres, with a minimum 5-second floor between transmissions. These points are written to a crawl_events row of kind position and are streamed live to the other members of your crawl over a server-sent events connection so they can see the crew's positions on the active-crawl map.
Retention of live position points. A background job on our server runs every 30 seconds and deletes every position event older than 60 seconds. The worst-case lifespan of a single position point on our server is therefore approximately 90 seconds. If you toggle “Share location” off mid-crawl, the app additionally calls a delete endpoint that immediately removes all of your position events for that crawl.
No background location outside an active crawl. When no crawl is active, we do not run background location updates and we do not register geofences. The app uses the location background mode (declared in Info.plist) only to keep these per-stop geofences alive while a crawl is in progress.
Bar coordinates. When you create a new bar entry, the latitude and longitude you supply (typically picked from Apple Maps) are stored as part of the bar record so it can be shown on a map and used for proximity searches. Bar coordinates are not personal data on their own, but a bar you created remains attributed to you (subject to anonymisation on account deletion — see Section 9).
4.4 Data we receive from third parties
- Apple sends us your Apple sub, and may send us your email address (which we discard), through the Sign in with Apple flow.
- Apple's StoreKit sends us signed transaction information when you start, renew, refund, or cancel a Premium subscription, both when your device submits the receipt and when Apple's App Store Server Notifications service posts a webhook to our /v1/premium/notifications endpoint.
- Other Beisl users can attach you to a crawl by inviting you (using your user identifier), or send you a friend request, in which case our server stores the relationship between your account and theirs.
We do not buy personal data from data brokers, and we do not enrich your profile from advertising networks, social-media graphs, public records, or generative-AI providers.
5. How we use personal data, and the legal bases we rely on
We only process personal data for the purposes listed below. For users in the European Economic Area, the United Kingdom, and Switzerland, the table identifies the legal basis under Article 6(1) of the GDPR.
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and authenticate your account; keep you signed in | Apple sub, our user UUID, JWT session tokens | Performance of a contract (Art. 6(1)(b)) |
| Show your handle and display name to your friends and crew | Handle, display name, premium status flag | Performance of a contract; legitimate interests in operating a social feature you opted into (Art. 6(1)(f)) |
| Suggest nearby bars and label your current area | Coarse on-device location (not transmitted) | Performance of a contract; the processing happens locally on your device |
| Detect arrivals and departures at crawl stops | Precise device location (geofencing); crawl event records | Performance of a contract; consent for the iOS Always permission |
| Show crew members each other's live position on the active-crawl map | Latitude, longitude, accuracy (with the per-crawl “Share location” switch ON) | Consent (Art. 6(1)(a)); you can withdraw at any time by toggling the switch off |
| Deliver push notifications (arrival prompts, crawl invites and reminders, friend requests, friend-at-bar, crawl completion) | APNs device tokens, Live Activity tokens, notification payload data | Consent for the iOS notifications permission; performance of a contract |
| Fulfil and verify Premium subscriptions | StoreKit transaction identifiers, signed JWS receipts, product IDs, premium expiry timestamp | Performance of a contract |
| Operate community-safety and moderation features (reports, hide / delete) | Reporter ID, target type and ID, free-text reason; admin actions | Legitimate interests in keeping the Service safe and accurate, and in some jurisdictions a legal obligation under online-safety laws |
| Diagnose errors and protect against abuse | Server logs (request IDs, user IDs, error messages) | Legitimate interests in operating a secure Service |
| Comply with legal obligations (tax records on Premium revenue, lawful requests) | Whatever subset of the above is strictly necessary | Legal obligation (Art. 6(1)(c)) |
| Send a service email if you contact us | Your email address (only because you used it to write to us) | Performance of a contract or legitimate interests in answering you |
We do not use your data for advertising, profiling that produces legal effects on you, or automated decision-making within the meaning of Article 22 of the GDPR.
6. How we share personal data
We share personal data only with the categories of recipient described below, and only to the extent necessary for the purposes in Section 5.
6.1 Other Beisl users
The whole point of Beisl is to share a night out with the people you invite. Specifically:
- Anyone who looks you up in the friends search can see your handle, display name, and an indication of whether you are currently in an active crawl.
- Your friends can additionally see, on your friend profile, the bars you have visited (count and list) and your bar ratings and notes — but only if you have enabled the “Share ratings” switch in your Profile. By default, ratings are visible to friends; you can turn this off at any time.
- The members of a crawl you are in can see your handle and display name, your current stop, your arrival and departure events, and the drink kind you logged, for as long as that crawl exists in their app. If you have the per-crawl “Share location” switch on, they can also see your live position on the map.
- A person who holds a friend-invite link generated by you can call our public preview endpoint and see the inviter's handle and display name. They cannot see your user identifier from this endpoint.
If you block another user, the app stops showing them your activity and stops showing you theirs.
6.2 Service providers (data processors)
We use the following third parties to operate the Service. Each of them processes personal data on our instructions and is bound by a written contract (a Data Processing Agreement, or equivalent terms in their standard developer or hosting agreement) that meets the requirements of Article 28 of the GDPR.
- Apple Inc. (One Apple Park Way, Cupertino, CA 95014, USA) — provides Sign in with Apple identity verification, the Apple Push Notification service, the StoreKit in-app purchase platform, App Store Server Notifications, the iOS operating system, and distribution through the App Store. Apple's privacy policy is available at https://www.apple.com/legal/privacy/.
- Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) — provides the virtual machine on which our API, database, and web server run. All Beisl databases and application servers are physically located in Germany. Hetzner's data-protection information is available at https://www.hetzner.com/legal/privacy-policy/.
- Brevo (Sendinblue SAS) (106 boulevard Haussmann, 75008 Paris, France) — planned transactional-email provider. Once configured, Brevo will deliver moderation report emails from our backend to our admin address when you file a report. Brevo is established in France and processes data within the EEA. Brevo's privacy policy is available at https://www.brevo.com/legal/privacypolicy/. At the time of writing, no SMTP relay is configured, and moderation reports are reviewed only via direct database access by Beisl personnel; no third-party email processor handles them. We will update this Policy before Brevo is enabled.
We do not use any third-party advertising network, attribution provider (AppsFlyer, Adjust, Branch, Singular, Kochava, etc.), analytics SDK (Firebase, Mixpanel, Amplitude, Segment, PostHog, etc.), or crash-reporting SDK (Sentry, Crashlytics, Bugsnag, etc.) inside the Service.
6.3 Legal disclosures
We may disclose personal data when we believe in good faith that disclosure is necessary to:
- comply with a court order, subpoena, search warrant, or other lawful request from a competent authority;
- enforce our Terms of Service or investigate suspected violations;
- protect the rights, property, or safety of Beisl, our users, or the public, including action against fraud, abuse, or imminent harm; or
- effect a corporate transaction such as a merger, acquisition, financing, reorganisation, bankruptcy, or sale of all or part of our assets, in which case the recipient will be bound to honour this Policy or give you notice and a meaningful choice.
If we receive a request from a government or law-enforcement body, we will challenge requests we consider overbroad, and we will tell you about the request unless we are legally prohibited from doing so.
6.4 No sale or sharing for cross-context behavioural advertising
We do not sell your personal data, and we do not share it for cross-context behavioural advertising, within the meaning of the California Consumer Privacy Act (as amended by the California Privacy Rights Act), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, or any similar U.S. state law. We have not done so in the previous twelve months.
7. International data transfers
Our servers and database are located in Germany. Most of your data therefore stays inside the European Economic Area.
A subset of processing necessarily involves transfers outside the EEA:
- Apple Inc. (USA). Sign in with Apple identity tokens are signed by servers located in the United States, Apple Push Notification service messages are routed through Apple's global infrastructure, and StoreKit transaction verification involves Apple's servers. Apple is, at the time of writing, certified under the EU–U.S. Data Privacy Framework, which the European Commission has recognised as providing an adequate level of protection (Commission Implementing Decision (EU) 2023/1795). Where the Data Privacy Framework does not apply, we and Apple rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) as a transfer safeguard.
- Brevo (Sendinblue SAS, France). Brevo is established in the EEA, so its use does not in itself involve a transfer of personal data outside the EEA. If Brevo subprocesses any portion of the processing to a non-EEA recipient, we and Brevo rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and Brevo's published transfer safeguards. As stated above, the SMTP relay is not currently active.
You can request a copy of the safeguards we rely on by emailing hello@beisl.pub.
8. Security
Sensible security is non-negotiable for an app that touches your real-time location. We implement and maintain technical and organisational measures appropriate to the risks of the processing, including:
- TLS 1.2 / 1.3 (with certificates issued by Let's Encrypt and renewed automatically) for every connection between the Beisl app, the Beisl website, and our API;
- session tokens stored in the iOS Keychain with the kSecAttrAccessibleAfterFirstUnlock accessibility class, so they require the device to be unlocked at least once after boot before they can be read;
- isolated Docker networks for inter-service traffic on our server;
- a hardened, distroless container image for the API binary;
- principle-of-least-privilege database roles;
- bcrypt-equivalent hashing or signed envelopes for any secret material we hold (we do not store passwords, since authentication is delegated to Apple);
- rate limiting and authentication on every non-public endpoint;
- automatic deletion of live position points within ~60 seconds (see Section 4.3);
- no inclusion of personal data in URLs or query strings beyond opaque identifiers; and
- a strict change-management process whereby every backend change is reviewed and tested in CI before deployment.
No system is perfectly secure. If we become aware of a security incident affecting your personal data that meets the threshold for notification under Article 33 GDPR, we will notify the competent supervisory authority within 72 hours. If the incident is likely to result in a high risk to your rights and freedoms, we will also notify you under Article 34 GDPR using the contact information available to us, which in the absence of an email address will be a notice inside the app.
9. How long we keep your data
We keep personal data only for as long as we need it for the purposes set out in this Policy.
| Category | Default retention |
|---|---|
| Account record (Apple sub, handle, display name, settings, premium expiry) | Until you delete your account |
| Bar entries you created | Indefinitely (anonymised on account deletion — see below) |
| Ratings, notes, visits, try-lists, bar lists, logbook captions | Until you delete the entry, or until you delete your account |
| Crawls and crawl membership | Until the crawl owner deletes the crawl, or until both you and the owner delete your accounts |
| Crawl event log (arrived, left, rated, deviated, completed, reminded) | Lifespan of the crawl |
| Live position events (kind = 'position') | Auto-deleted within ~60 seconds (worst case ~90 s) |
| APNs device tokens | Until you sign out, until the token is revoked by Apple, or until you delete your account |
| Live Activity tokens | Lifespan of the corresponding Live Activity (max 8 hours per Apple's limits) and the underlying crawl |
| Premium transaction records (signed JWS audit copies) | Up to 10 years where required by tax law (Swedish Bokföringslagen 1999:1078, 7 kap. 2 §); otherwise until you delete your account |
| Moderation reports | Until resolved, plus a reasonable period (up to 12 months) to detect repeat patterns |
| Server logs | 30 days on rotated disk |
| Backups | Up to 30 days, after which they age out of the backup window |
When you delete your account (see Section 10), your record is soft-deleted: the deleted_at field is set and your handle is cleared so it can be reused. Records that depend on you are then handled as follows:
- Your device tokens, Live Activity tokens, ratings, visits, try-list entries, bar-list entries, friendship rows, crawl-member rows, premium transaction records, and reports you filed are hard-deleted (cascading SQL ON DELETE CASCADE).
- Bars you created and crawls you owned are anonymised: their creator/owner field is rewritten to a sentinel “deleted user” identifier so the venue or shared crawl history that other people have built on top of your contribution survives, but cannot be traced back to you.
- Where we are required to retain financial or transactional records (e.g. for tax law), we retain the minimum subset needed and then delete it at the end of the legal retention period.
Where data must be retained for backup or legal reasons after account deletion, it is no longer used for any other purpose and is securely deleted at the end of the retention period.
10. Your privacy rights
Subject to applicable law, you have the following rights with respect to your personal data:
- Access. You can ask us for a copy of the personal data we hold about you. Most of it is already visible to you in the app: open Profile, your friend profile, the rating sheet for any bar you have rated, and the crawls list. If you would like a structured export beyond what the app shows, email us and we will provide one within 30 days.
- Rectification. You can update your handle and display name at any time from the Profile screen. For anything else, email us.
- Erasure (“right to be forgotten”). You can delete your entire account at any time from inside the app: Profile → Account → Delete Account. Deletion takes effect within seconds; the consequences are described in Section 9. You can also email us if you prefer.
- Restriction. You can ask us to restrict processing in the limited cases set out in Article 18 GDPR.
- Portability. You can ask us to provide the personal data that you provided to us in a structured, commonly used, machine-readable format.
- Objection. You can object to processing carried out on the basis of our legitimate interests on grounds relating to your particular situation. If you object, we will stop unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Withdrawal of consent. Where we rely on consent (for example, for the iOS Always location permission, for live position broadcast inside a crawl, or for push notifications), you can withdraw consent at any time. You can revoke iOS permissions in Settings → Privacy & Security. You can toggle the per-crawl “Share location” switch off inside the active-crawl sheet. Withdrawing consent does not affect the lawfulness of processing that took place before you withdrew it.
- Complaint to a supervisory authority. If you live in the EEA, the United Kingdom, or Switzerland, you have the right to lodge a complaint with your local data protection authority. As Beisl is operated from Sweden, our lead supervisory authority is the Integritetsskyddsmyndigheten (IMY), Drottninggatan 29, plan 5, 104 20 Stockholm, imy@imy.se. If you live in another EEA country, you may also lodge your complaint with the supervisory authority of your habitual residence or place of work.
To exercise any of these rights, email hello@beisl.pub from the email address associated with your Apple ID, or include enough information for us to confirm that you are the account holder (typically your handle and the approximate date you signed up). We do not charge a fee unless your request is manifestly unfounded or excessive.
10.1 Additional rights for California residents
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), gives you the rights described above and the following additional rights:
- the right to know the categories and specific pieces of personal information we have collected about you;
- the right to know the categories of sources from which we collected your personal information, the business or commercial purposes for collecting it, and the categories of third parties with whom we shared it;
- the right to delete personal information we have collected from you;
- the right to correct inaccurate personal information;
- the right to opt out of the sale or sharing of personal information; and
- the right to limit the use or disclosure of sensitive personal information.
We do not sell or share personal information within the meaning of the CCPA, and we do not collect or use sensitive personal information beyond what is strictly necessary to provide the Service. We will not discriminate against you for exercising any of your CCPA rights.
The categories of personal information we have collected in the previous twelve months, mapped to the categories listed in Cal. Civ. Code § 1798.140, are: identifiers (Apple sub, our user UUID, device tokens), customer-record information (handle, display name), commercial information (Premium subscription status), geolocation data (the live position points described in Section 4.3, retained for ~60 seconds), and internet or other electronic-network activity information (server logs, crawl events). We do not draw inferences.
10.2 Additional rights for residents of other U.S. states
If you live in Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or any other U.S. state with a comprehensive consumer-privacy statute in force, you have rights substantially equivalent to those listed above. To exercise them, email hello@beisl.pub. If we deny your request, you may appeal by replying to our denial; if your appeal is denied you may contact your state Attorney General.
11. Children
Beisl is intended for adults. The Service is built around the social experience of going to bars, and Premium content includes bar-related features. You must be at least the legal drinking age in your jurisdiction (and in any case at least 18 years old) to create an account. We do not knowingly collect personal data from anyone under 18.
If you believe a person under 18 has provided personal data to us, please contact us at hello@beisl.pub and we will delete the account.
In the App Store, Beisl is rated 17+ to reflect this restriction.
12. Changes to this Policy
We may update this Policy from time to time to reflect changes in the Service, in our practices, or in applicable law. When we do, we will:
- update the “Last updated” date at the top of this document;
- post the revised Policy at the same URL where you found this one; and
- if the changes are material — for example, if we add a new category of recipient, a new processing purpose, or a new legal basis — we will give you prominent notice inside the app and, where required by law, ask for your renewed consent before the change takes effect.
Past versions of this Policy are available on request.
13. Definitions and references
- “Beisl app” — the iOS application distributed under the bundle identifier pub.beisl.app.
- “Apple sub” — the value of the sub claim in an identity token issued by Apple's Sign in with Apple service. It is unique to a given Apple ID and to a given relying party (here, Beisl); it cannot be used to look up the underlying Apple ID.
- “Crawl” — a planned sequence of bar visits scheduled in the app, with optional friends.
- “Crew” — the set of users who are members of a particular crawl.
- “Geofence” — a virtual circular boundary around a geographic point, monitored by iOS so the operating system can wake the app when the device crosses it.
- “Live position event” — a row in the crawl_events table of kind position, containing a latitude, a longitude, a timestamp, and the user identifier of the device that produced it.
- “Premium” — the auto-renewing subscription tier of Beisl, provided through Apple's StoreKit. Product identifiers: pub.beisl.app.premium.annual and pub.beisl.app.premium.monthly.
This Policy was prepared in English. In case of discrepancy with any translation, the English version controls.
© 2026 Timmo Caspar Achsel. All rights reserved.