shayoink

Shayoink — Privacy Policy

Last updated: June 15, 2026

This Privacy Policy explains how Shayoink LLC ("Shayoink", "we", "us", or "our") collects, uses, and shares information when you use the Shayoink mobile and web applications and related services (the "Service").

If you have questions, email privacy@shayoink.com.

1. Information We Collect

1.1 Information you give us

Category	What it is	Why we need it
Account credentials	Username, display name, email address, password (stored as a hash, never in plain text)	To create your account and let you log in on multiple devices
Profile	Optional avatar photo, anonymous-mode preference	To show you in messages, search, and Find Menus the way you want to be seen
Menu content	Sections, drinks, ingredients, prices, ornaments, theme, custom background images, taglines	This is the Service — the menu you create
Messages	Text, images, recipe cards, reactions, and reply/edit metadata for messages you send and receive in direct and group threads	To deliver them to recipients and render the conversation history accurately, including replies that quote earlier messages
Contacts	Users you save as contacts, including optional friendly-name and full-name fields you add for your own reference	So you can find them again and label them the way you want to see them
Bookmarks and cart	Drinks and ingredients you save	To remember them between sessions
Recognition data ("yoinks")	A record of each time you save another user's recipe, including the recipe content at the time you saved it, your per-yoink anonymity preference, and a timestamp	To show recipe owners that their recipes have been valued, to power the count and attribution surfaces, and to prevent gaming of those counts
Reactions	Emoji reactions you add to messages	To display them on the message in the thread
Reports	Reports you submit about other users or content, including the report category and any free-text description	To investigate abuse and enforce our Terms
Block list	Users you have blocked	To filter their content and prevent them from contacting you
Venue early-access / commercial details (if you request venue early access or use venue features — rolling out)	Venue name, full postal address, phone number, website, hours of operation, a contact email address, your display preferences, and your answers to a short product-research poll. Some of this is collected before account creation.	To process your venue early-access request, contact you about venue features, and prepare your venue listing for when venue features launch (see § 1.4 and § 3). The street address is geocoded to coordinates as described in § 1.2. Poll answers are used for product research only — they are not analytics-tracked, shared with third parties, or used for advertising.

1.2 Information collected automatically

Category	What it is	Why we collect it
Approximate location (consumer menu mirror)	A coarse geohash (roughly 1 km precision) derived for discoverable accounts. Used only for accounts that have enabled "Be Discoverable." Personal accounts are not surfaced by location — see § 1.4 below.	To power location-based discovery surfaces (Find Menus, rolling out for venues).
Venue / business address and precise coordinates (venue features — rolling out)	If you submit a venue or business street address (for example, when you request venue early access or use venue features), we geocode that address to precise coordinates (latitude/longitude) and a fine-grained geohash using a third-party geocoding service. This applies to the venue/commercial path only; it is not collected for ordinary personal accounts.	To power venue location features such as Find Menus when venue features launch. See § 1.4 and § 3.
Device & app info	App version, device model, operating system	To diagnose problems and improve the app
Push notification tokens	A device-specific identifier issued by Apple Push Notification service (APNs), passed to us via Firebase Cloud Messaging, only if you grant notification permission	To deliver push notifications you've opted into (new messages, contact requests, etc.). The token is tied to your account and device. We delete it when you sign out, deny permission, uninstall the app, or after 60 days of inactivity.

Analytics and crash reporting (mobile app). The Shayoink iOS app uses no third-party analytics or crash-reporting SDKs, and we do not build advertising or behavioral profiles. If we add analytics or crash-reporting tools to the app in the future, we will update this policy and provide any controls required by applicable law before doing so.

Website analytics and cookies. Our website (shayoink.com, including public recipe pages) uses Google Analytics 4, a web-analytics service provided by Google, to understand how visitors find and use the site — for example, which pages are viewed and roughly where traffic comes from — so we can improve it. Google Analytics sets cookies (named _ga and _ga_*) and processes information such as your IP address (which Google Analytics 4 uses to derive an approximate, city-level location and does not retain), device and browser type, and the pages you view. We do not use this data for advertising, do not enable Google's advertising or "Signals" features, and do not combine it with your in-app account.

We use CookieYes, a consent-management platform, to control these cookies. On your first visit you are shown a cookie banner, and in regions where consent is legally required (including the EEA and the UK) Google Analytics is loaded in a consent-denied state and sets no analytics cookies or measurement data until you accept (implemented via Google Consent Mode). You can change or withdraw your choice at any time using the cookie-preferences control on the site. The only cookie set before you make a choice is CookieYes's own cookie that remembers your preference. The mobile app does not use cookies.

1.3 Information from third parties

If you purchase Shayoink Pro (a one-time in-app purchase) or, when venue features launch, subscribe to Shayoink for Venues (an auto-renewing subscription), Apple processes the transaction and provides us with a confirmation that the purchase or renewal succeeded. We do not receive your payment card or full Apple ID details from Apple. We use RevenueCat, a third-party payment-infrastructure and subscription-management service, to validate receipts and track entitlement status; RevenueCat receives your account identifier (the identifier we use for your account) along with the purchase and entitlement signals it needs to confirm whether your purchase is active. See § 3.

1.4 Notes on specific features

Anonymous yoinks. Shayoink lets you save another user's recipe ("yoink it") with your handle visible to the recipe owner or anonymously to them. "Anonymous" here means anonymous to the recipe owner only, not anonymous to Shayoink. When you yoink anonymously, the recipe owner sees only an updated count and an "anonymous" marker — they do not learn your username, display name, or any other identifier. Shayoink itself retains the underlying record of who yoinked what, for three reasons:

Anti-gaming: preventing the same user from inflating their own counts via multiple accounts.
Abuse moderation: investigating reports of coordinated harassment or other abuse involving yoinks.
Legal compliance: responding to valid legal process that requires us to identify a specific user's activity.

If you delete your account, all your yoink records (both as a yoinker and on your recipes as an owner) are deleted along with the rest of your data.

Messaging features. Shayoink lets you send and receive direct and group messages, including text, images, recipe cards, and emoji reactions. Messages you send are visible to the participants of the thread (and to Shayoink, for routing and abuse handling). You can delete messages you sent; deleted messages leave a "This message was deleted" placeholder in the thread for context, but the original text or image is removed from our servers. You can edit your own text messages within a 15-minute window of sending; edited messages are marked as edited. Other participants may quote a message of yours in a reply before you delete or edit it; the quoted snippet stored alongside their reply is a separate piece of content and persists with their message.

Content reporting and blocking. You can report another user, a message, or a recipe via the in-app reporting flow. Reports are visible only to Shayoink and are used to investigate violations of these terms. Blocking another user hides their content from your experience and prevents them from messaging you, yoinking your recipes, or seeing yoinks you perform; the blocked user is not notified that they have been blocked.

Find Menus discovery radius (venue accounts only). Find Menus is a geographic discovery surface scoped to commercial venue accounts — bars, restaurants, hotel lounges using Shayoink to display menus to paying customers. Personal accounts (home-bar hosts and craft-cocktail enthusiasts) are not surfaced by location and do not appear in Find Menus regardless of their Be Discoverable state; personal-account discovery happens via Community (Trending, Classics, Rooms — see the next paragraph), which is topic-based and carries no location signal. This split reflects a deliberate product design decision: a commercial venue's location is the venue's public address (already published by the venue), while a personal account's location is the user's home — a category of information that warrants a different discovery model.

When a commercial account enables Be Discoverable, the venue's menu becomes findable by other Shayoink users in nearby geographic areas. Find Menus runs each search at the tightest geographic tier first (approximately 1 mile / 1.6 km) and silently expands outward when there are not enough nearby results to display — to wider local areas, then to your state or region, then potentially to your country or globally during periods of low adoption density. This means a discoverable venue's listing may be visible to users far outside its immediate area, particularly while Shayoink is small. As adoption grows, the radius tightens automatically. A commercial account can opt out of all of this at any time by toggling Be Discoverable off in Privacy & Preferences, which removes the venue from Find Menus entirely. To power the consumer-facing discoverable-menu mirror we use a coarse geohash (roughly 1 km precision). Separately, when you submit a venue or business street address through the venue/commercial path, we geocode that address to precise coordinates (latitude/longitude) and a fine-grained geohash to support venue location features such as Find Menus (see § 1.2). We do not derive precise coordinates from ordinary personal accounts.

Community discovery (Trending, Classics, Rooms — non-geographic). Community is Shayoink's topic-based and activity-based discovery surface, available to all account types. It carries no location signal — your geographic area is not used to determine what Community shows you or who Community shows your content to.

*Trending.* When you enable Be Discoverable, your recipes become eligible to appear in the Community → Discover → Trending surface, where Shayoink algorithmically surfaces recipes that are currently picking up yoinks across the platform. Inclusion is based on recent yoink velocity (a time-decayed score over the past 7 days) and rotates regularly so the surface stays fresh; appearance is not ranked, and recipes that have surfaced for several consecutive days are temporarily benched so newer recipes can rotate in.
*Classics.* A curated library of classic cocktail recipes maintained by Shayoink. Browsing Classics involves no information about you and no signal about your menu.
*Rooms.* Themed topic groupings (such as Tiki, Classic, Modern Mixology, Low-ABV, etc.) you can opt your menu into via Style settings. Discoverable menus with matching room tags appear in the corresponding Room. The room list is curated by Shayoink. Rooms involve no location data.

The same Be Discoverable toggle in Privacy & Preferences controls Community inclusion for Trending and Rooms: turning it off removes your menu and recipes from those surfaces with no separate opt-out required. Recipes and menus from non-discoverable accounts never enter Trending or Rooms regardless of yoink count or room-tag state.

2. How We Use Information

We use the information we collect to:

Operate the Service: authenticate you, sync your menu across devices, deliver messages, and display Find Menus listings;
Deliver push notifications to your devices for events you've opted into (new messages, @mentions, contact requests, etc.);
Recover access to your account if you forget your password;
Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms;
Comply with applicable law and respond to lawful requests;
Improve the Service through aggregated, anonymous analysis of non-identifying operational data (the app uses no third-party analytics SDKs; our website uses Google Analytics as described in § 1.2);
Send critical service notices (e.g. account-security alerts, material policy changes). We do not send marketing email unless you separately opt in.

We do not use your menu content, messages, contacts, bookmarks, or cart for advertising. We do not build advertising profiles.

3. How We Share Information

We do not sell or rent your personal information. We share it only as described below:

With other Shayoink users: Your username, display name, avatar, and menu appear publicly on the Service when discoverable or when you message someone. When you yoink another user's recipe with your handle visible (the default), your username, display name, and avatar appear in that user's list of yoinkers for the recipe; when you yoink anonymously, only an updated count is visible to them (see § 1.4).
Publicly: images you post to community Rooms (or otherwise share publicly): When you post a recipe to a public Room (or share content publicly), its image is made publicly readable by URL and is distributed to and cached on global content-delivery-network (CDN) servers so it loads quickly for everyone. This means: (a) anyone with the image URL can view it without signing in; (b) copies are stored on third-party CDN edge servers worldwide (e.g., Google's network); and (c) because these images are cached aggressively, a deleted image may persist in CDN caches and on other users' devices for some time after you remove it — deletion removes the source, but cached copies are not instantaneous or globally guaranteed to clear (see § 5). Images in your private library that you have not shared are not made public — they remain access-controlled.
With service providers: We use third-party vendors to host servers, deliver push notifications, validate purchases, geocode venue addresses, and send transactional email. These vendors are bound by confidentiality and may use your data only to provide services to us. Our current vendors are:
Google Cloud / Firebase — Authentication, Firestore (database), Cloud Functions, Firebase Storage (images), Firebase Cloud Messaging (push delivery).
Google Analytics — web-analytics service for our website only (not the app). When you have not declined analytics cookies, Google receives the analytics data described in § 1.2 (cookie identifiers, IP address, device/browser type, pages viewed) and processes it as our service provider, subject to Google's privacy terms.
CookieYes — consent-management platform that displays our website cookie banner, records your cookie choices, and gates analytics cookies until you accept where consent is required (see § 1.2).
Apple Push Notification service (APNs) — delivers push notifications to your iOS device.
RevenueCat — payment-infrastructure and subscription-management service for Shayoink Pro and (when it launches) Shayoink for Venues. RevenueCat receives your account identifier along with the purchase and entitlement signals needed to validate receipts and track entitlement status (see § 1.3).
GIPHY (Shutterstock) — powers the GIF picker in messaging. When you search for a GIF inside the picker, your search query is sent to GIPHY's servers to retrieve matching results. GIPHY does not receive any of your account identifiers (we send only the search text and a generic API key). The GIFs themselves are served from GIPHY's CDN to your device, which means GIPHY observes the IP address requesting each GIF. We do not link IP addresses to your account on our side.
Google Maps Geocoding API — when you submit a venue or business street address through the venue/commercial path (rolling out), that address is sent to Google's Geocoding API to convert it to coordinates (see § 1.2). This is not used for ordinary personal accounts.
Resend — transactional and welcome email delivery. When we send you (or a venue contact) account or early-access email, Resend receives the recipient email address and message content. We do not use Resend for marketing email unless you separately opt in.
With Apple: For in-app purchases and subscriptions, to the extent necessary to complete and renew the transaction.
When you cast your menu: When you use the casting feature, your account identifier (uid) is transmitted to the Shayoink-hosted Cast receiver web app (shayoink-1.web.app) so it can load and display your menu on the casting device. No other account details are sent to the receiver for this purpose.
For legal reasons: To comply with valid legal process, enforce our Terms, or protect the rights, property, or safety of Shayoink, our users, or the public.
In a business transfer: If we are acquired or merge with another company, your information may transfer as part of that transaction. We will notify you and post a notice in the app.

4. Your Rights and Choices

Depending on where you live, you may have rights under privacy laws such as the EU/UK GDPR, California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Brazil LGPD, and others. These can include the right to:

Access the personal data we hold about you;
Correct inaccurate data;
Delete your data ("right to erasure" / "right to be forgotten");
Port your data to another service in a machine-readable format;
Object to or restrict certain processing;
Withdraw consent for processing that relies on consent;
Lodge a complaint with your local data protection authority.

To exercise these rights, email privacy@shayoink.com. We may need to verify your identity before acting. We will respond within the time required by applicable law (generally 30–45 days).

You can also:

Edit your profile and toggle discovery / messaging settings from Privacy & Preferences in the app;
Manage notification categories, message previews, and quiet hours from Privacy & Preferences > Notifications, or disable notifications entirely from your device's iOS Settings (which also revokes our ability to send pushes to that device);
Set your default yoink anonymity from Privacy & Preferences > Recognition;
Block another user from their profile or any conversation with them, which removes their content from your experience and prevents them from messaging or yoinking your recipes;
Report another user or specific content via the in-app reporting flow available on profiles, messages, and recipes;
Delete your account at any time from Privacy & Preferences > Delete Account.

(The mobile app uses no third-party analytics or crash-reporting SDKs; our website's use of Google Analytics and your cookie choices are described in § 1.2.)

4.1 California Residents

The CCPA/CPRA gives California residents the right to know what personal information we collect, request deletion, correct inaccurate data, and opt out of "sales" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law. To exercise your rights, contact privacy@shayoink.com. We will not discriminate against you for exercising any of your rights.

4.2 EEA / UK Residents

Where GDPR applies, our lawful bases for processing are:

Contract — to provide the Service you signed up for;
Legitimate interests — to operate, secure, and improve the Service in ways you would reasonably expect;
Consent — for optional features such as discoverability, and for website analytics cookies (Google Analytics), which load only after you accept where consent is required (see § 1.2);
Legal obligation — where we must process data to comply with law.

You have the right to lodge a complaint with your local supervisory authority.

5. Retention

We keep your personal information for as long as your account is active. When you delete your account, we delete or anonymize your personal data within 30 days, except where we are required to retain it longer for legal, accounting, fraud-prevention, or safety purposes. In particular:

Abuse reports you submit (and reports submitted about you) may be retained beyond account deletion as long as needed to investigate, enforce our Terms, and respond to valid legal process.
Messages in shared threads are stored as part of the conversation; when you delete your account, messages you sent remain visible to other thread participants in their thread history, but are no longer associated with your identity (your username is replaced with a generic deleted-user marker).
Yoinks of others' recipes that you performed are removed when you delete your account; yoinks of *your* recipes performed by others are also removed when your account is deleted (the recipe itself goes with the account).
Publicly shared images (Rooms / public shares) are served as public, CDN-cached files (see § 3). When you delete such an image or your account, we remove it from our storage, but cached copies on CDN edge servers and on other users' devices may persist for a period afterward before they expire and clear. We cannot guarantee immediate or worldwide removal of cached copies of content you previously made public.
Venue early-access / commercial details (if you submitted them — venue name, address, phone, website, hours, contact email, display preferences, and poll answers) are retained while your request is pending and, when venue features launch, for a limited period afterward so a late-redeeming user still has their record, after which the personal details are deleted or anonymized.
Aggregated or anonymized data that cannot be linked back to you may be retained indefinitely.

6. Security

We use industry-standard measures to protect your information, including encrypted transport (HTTPS/TLS) and password hashing. No method of transmission or storage is 100% secure, however, and we cannot guarantee absolute security. If we learn of a security breach affecting your data, we will notify you and the appropriate authorities as required by law.

7. International Data Transfers

If you are located outside the United States, your information may be transferred to and processed in countries with different data-protection laws. Where required, we use safeguards such as Standard Contractual Clauses to protect your data during such transfers.

8. Children

Shayoink is intended for users who are of legal drinking age in their jurisdiction (21 and older in the United States), and is not directed to children. We do not knowingly collect personal information from children under 13 (or the equivalent age of digital consent in your country). The age requirement to use Shayoink is generally higher than 13 because the Service is built around alcoholic-drink recipes and menus; see the Terms of Service for the full eligibility requirement. If you believe we have collected information from a child, please contact us at privacy@shayoink.com and we will delete it.

9. Apple's App Privacy "Nutrition Label"

The disclosures we make to Apple in App Store Connect reflect the data practices active in the shipped build. Because the current build is consumer-only (venue/commercial features are not yet active), the App Store App Privacy labels are narrower than this policy, which is written to cover venue features when they launch (see the note in § 3). The labels will be updated to disclose the venue data flows when venue features ship. If you see a discrepancy that is not explained by this rollout, this policy controls and we will update the App Store disclosure to match.

10. Changes to This Policy

We may update this policy from time to time. If changes are material we will notify you in the app or by email. The "Last updated" date at the top reflects the latest revision.

11. Contact

Shayoink LLC

2501 Chatham Rd #5195, Springfield, IL 62704, USA

Privacy questions: privacy@shayoink.com

General contact: support@shayoink.com