Privacy Policy

Effective date: April 19, 2026

The short version: We collect the minimum data needed to run Wing Beer Specials, we never sell it, we never show you ads, we do not use third-party tracking cookies, and we store everything on infrastructure we control. Our site analytics runs entirely on our own servers.

1. Who we are

Wing Beer Specials (WBS, we, us, our) is a small Canadian team operating a restaurant discovery platform at wingbeerspecials.com and any associated mobile applications. This Privacy Policy explains how we handle your information.

For any privacy question, data request, or complaint, email us at [email protected].

2. What this policy covers

This policy applies to:

Our main site at wingbeerspecials.com, including /deals, /cities, individual city pages (e.g. /toronto), and per-restaurant pages (/r/<name>)
The restaurant management portal at /manage and /manage-truck
Any mobile application we release (currently iOS via Capacitor, wrapped around the same site)

It does not cover third-party sites you may reach by following links from WBS. Those have their own privacy practices.

3. Information we collect

Browsing (no account required)

Approximate location — only when you click the "Near Me" button and grant the browser geolocation permission. Location is processed in your browser to centre the map; we never store it on our servers.
Map area (bounding box) — the rectangle of coordinates currently visible, so our backend knows which deals to return.
IP address — handled briefly by our CDN provider (Cloudflare) for routing, abuse protection, and security. We do not log IPs to our own database.
Basic request metadata — browser type, referring page, preferred language.
Anonymous device identifier (anon_id) — when you first visit the site we generate a random identifier (a UUID prefixed with anon_) and store it in your browser's localStorage. It lets us associate your saved deals and push-notification subscriptions with this device without an account. The anon_id is a random number — not linked to any other data we collect — and stays local to your device until (a) you sign in (it silently claims your saves to your account), or (b) you sign out (we clear it completely), or (c) you clear your browser storage.
Browser storage preferences — age-gate acknowledgement, privacy-policy acknowledgement timestamp, filter settings, cached map position. Stored locally on your device.

When you create an account

Email address
Display name (optional)
Authentication tokens handled by our auth provider, Supabase. We never see or store your password.
If you sign in with Google, the basic profile information Google shares (email, display name, profile photo URL).

When you claim a restaurant

Phone number, used once for SMS or voice verification via Twilio. After verification the number is used only if you enable phone-based account recovery.
Ownership record linking your account to the restaurant listing.

When you subscribe to Featured

Payment information is handled entirely by Stripe. We never see or store your card number, CVV, or full billing address.
We store only the Stripe customer ID and subscription status so that the /manage dashboard can show your plan details.

When you save deals, write reviews, or submit tickets

The IDs of deals you save. If you're signed in, we associate them with your account. If you're browsing anonymously, we associate them with your device's anon_id — you don't need an account to save deals. When you later create an account or sign in, any anonymous saves on your current device are moved silently to your account in a single background operation (nothing to click, nothing to confirm).
Review text, ratings, owner responses, and any images you upload. These are published alongside your display name on the restaurant page. Reviews require an account.
Support-ticket content and conversation history. Tickets require an account.

When you enable push notifications

Push subscription credentials — when you tap a bell icon and grant notification permission, your browser generates a push endpoint (a URL operated by your browser vendor's push service: Google for Chrome/Android, Mozilla for Firefox, Apple for Safari) plus a pair of encryption keys. We store these on our servers so we can deliver the notifications you asked for. They are per-device — one endpoint per browser on each device you use.
Follow list — the restaurants and specific deals you've tapped the bell on. Stored against either your anon_id (if anonymous) or your account. Visible only to you and used only to decide which subscriptions receive a given push.
Delivery and open tracking — when a push is delivered to your device and when you tap it, we record a timestamp. This helps restaurant owners see aggregate open rates ("347 delivered, 142 opened") for each notification. Individual per-user timings are not exposed to restaurants, only counts.
Retention — push subscriptions marked inactive (e.g. you unsubscribed, or your browser invalidated the endpoint) are automatically hard-deleted after 60 days of inactivity.
You can revoke notification permission at any time through your browser settings, or unsubscribe this device via the "Disable on this device" button in your account. Both take immediate effect.

4. How we use this information

To show you relevant nearby deals and let you save the ones you like
To authenticate you and keep you signed in across the site
To process Featured subscriptions through Stripe
To verify restaurant ownership when you claim a listing
To run our scan, crawl, and analysis pipeline that keeps deal listings fresh
To respond to support tickets you submit
To understand overall site usage (page views, device types, referrer) via self-hosted analytics — no cookies, no individual tracking
To provide restaurants with aggregate pin-view counts (for example, "your listing was viewed 134 times this week"). These counts are never tied to individual users.

5. Third-party services we rely on

WBS is built on a small number of external services. Each has its own privacy policy, and your data may be processed by them when you use WBS.

Service	Purpose	Privacy policy
Supabase	Authentication (email sign-in, password reset, Google OAuth)	supabase.com/privacy
Stripe	Payment processing for Featured subscriptions	stripe.com/privacy
Twilio	SMS and voice phone verification for restaurant claims	twilio.com/legal/privacy
Twilio SendGrid	Transactional email delivery (sign-up confirmations, password resets, billing receipts)	twilio.com/legal/privacy
Cloudflare	DNS, CDN, DDoS protection, and TLS termination for wingbeerspecials.com	cloudflare.com/privacypolicy
Google Workspace	Team inbox hosting for [email protected] (and aliases). When you email our team, message content and your email address are stored on Google's servers.	policies.google.com/privacy
Google Identity Platform	Optional "Sign in with Google" flow	policies.google.com/privacy

We do not use Google Analytics, Facebook Pixel, Meta Audiences, Twitter tracking, TikTok tracking, or any other third-party advertising or behavioural profile service. Our site analytics (Umami) runs entirely on servers we operate — no analytics data is shared with outside parties.

5a. AI training crawlers and our public directory

Our public restaurant directory pages (the homepage, city pages, and individual restaurant listings at /r/{slug}) may be crawled and indexed by AI training systems operated by third parties — for example, OpenAI's GPTBot, Anthropic's ClaudeBot, Google's Google-Extended, Perplexity, and similar services. We permit this because our restaurant data is already public information aggregated from publicly available sources, and being discoverable in AI-assisted search tools drives real users to our site.

When AI systems reference WBS data, we ask that they cite wingbeerspecials.com as the source — our restaurant specials change frequently, and linking users back to the live source ensures they see current information rather than stale AI-cached data.

Your account information is never exposed to crawlers. Pages requiring authentication (/account, /manage, /billing, /claim), our API endpoints (/api/*), and all internal admin tooling are explicitly excluded from crawling via robots.txt and protected behind authentication. No crawler (AI-training or otherwise) has access to your email, saved deals, claim submissions, or private messages.

6. Cookies and browser storage

We do not use tracking cookies. The only browser storage we use is:

localStorage — to remember your age verification, privacy-policy acknowledgement, filter preferences, cached map position, anonymous device identifier (wbs_anon_id), push subscription reference (wbs_subscription_id), and a local cache of your saved deals. On sign-out we clear all of these so the next user of a shared device starts fresh.
sessionStorage — to temporarily hold your authentication session while you are signed in.
A single HTTP cookie (cf_clearance/__cf_bm) may be set by Cloudflare for security purposes. It does not contain personal information and expires after a short period.

You can clear any of this at any time through your browser settings. Doing so will sign you out and reset saved preferences.

7. How long we keep data

Account data: kept as long as your account exists.
After account deletion: we remove your profile, saved deals, reviews, and ownership links within 30 days.
Anonymized logs and analytics aggregates may be kept longer for security and operational purposes.
Billing records: if you subscribed to Featured, Stripe retains its own billing records for the minimum period required by tax law (typically 7 years). We cannot delete these on your behalf, but you can contact Stripe directly.
Support tickets: retained for up to 2 years after resolution in case you need to reference them.

8. Your rights under Canadian law

Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and equivalent provincial laws, you have the right to:

Access: request a copy of the personal information we hold about you
Correct: request corrections to inaccurate information
Delete: request deletion of your information (subject to the legal retention obligations above)
Withdraw consent: withdraw consent to our processing. Withdrawing consent may mean we can no longer provide some or all of the service.
Complain: submit a complaint to the Office of the Privacy Commissioner of Canada at priv.gc.ca.

To exercise these rights, email [email protected] from the address associated with your account, or submit a support ticket from inside the app. We aim to respond within 30 days.

9. Security

All traffic between your device and our servers is encrypted using HTTPS with TLS 1.2 or higher.
Passwords are hashed by Supabase using industry-standard algorithms and never stored in readable form.
Our backend services are not exposed to the public internet except through the authenticated API. Our databases are accessible only from a private mesh network.
We run a self-hosted analytics platform so behavioural data never leaves our infrastructure.

No system is perfectly secure. If we ever become aware of a breach affecting your personal information, we will notify affected users and the Office of the Privacy Commissioner of Canada without undue delay, as required by law.

10. International data transfers

Some of our third-party providers (listed in section 5) may process data in the United States or other countries. When you use WBS, you consent to the transfer of relevant information to those providers. We select providers that meet recognized privacy standards and publish their own data-protection policies.

11. Children

WBS is an alcohol-adjacent service and is not directed to children. You must be of legal drinking age in your province (19 in Ontario) to use WBS. We do not knowingly collect information from anyone under the applicable legal drinking age. If you believe we have inadvertently collected information from a minor, please contact us at [email protected] and we will delete it.

12. Email communications

Transactional emails (verification, password reset, Featured subscription receipts) are sent when you take an action that requires them. If we ever introduce a marketing or newsletter mailing list, it will be opt-in only and every email will include an unsubscribe link, in compliance with Canada's Anti-Spam Legislation (CASL).

13. Restaurant data sources

Restaurant names, addresses, phone numbers, hours, menu items, photos, and deal listings are gathered from publicly available sources — including restaurant websites, social media, and public business directories. Restaurant owners can claim their listing to correct, update, or remove information through the /claim and /manage flows.

14. Changes to this policy

We may update this Privacy Policy as the service evolves. When we do, the effective date at the top will change, and material changes will be announced on the WBS changelog accessible from the landing page BETA badge. Your continued use of WBS after the effective date of a revised policy constitutes acceptance of the updated terms.

15. Contact

Privacy questions, data requests, or complaints: [email protected]

Privacy Commissioner of Canada (escalation): priv.gc.ca