Important privacy and security information about My Coffee Card

Revised June 21, 2011

My Coffee Card is a third party application

My Coffee Card for Android is developed entirely by Stewart Gateley (aka "birbeck"), an independent third party developer. Apps by birbeck has no direct affilition with Starbucks Corporation and My Coffee Card is not endorsed, funded by or supported by Starbucks Corporation.

For balance inquiries, transaction history and mobile payments the application must store your Starbucks Card number and security code. To track rewards, the application must also store your username and password. If you have any concerns regarding supplying your Starbucks Card data or account information to a third-party application, do not install or use My Coffee Card.

Why should I trust My Coffee Card?

My Coffee Card is effectively a user-agent, such as a web browser, optimized for Starbucks customers. It simply collects information from the end-user and handles the communication between the end-user and the public web servers. All data is willfully provided by the end-user, and the highest security measures have been taken to protect provided data. You have the option to log out, clear the cache, or completely remove all application data at any time.

The application uses high-grade security for storage and transmission. In fact, it uses stronger encryption than the official Starbucks Card Mobile application for iPhone and BlackBerry. The data is transmitted directly to servers, instead of going through a third party service as the official applications do. My Coffee Card is not only the quickest and easiest Starbucks Card manager, it is also the safest and most secure.

"birbeck" is an established developer and a respected member of the Linux and Android communities and Android applications developed by Apps by birbeck quickly become top picks in their respective categories. If the goal of the application was to simply obtain Starbucks Cards for un-authorized use, the significant time required to develop, support and maintain such a high quality and popular application would not have been invested. It is not worth the risk to the reputation or popularity of Apps by birbeck that such a malicious act would cause.

Data storage

All application data is stored securely on your Android device using protected storage that is only accessible to My Coffee Card. Public external storage (SD card) is only used for encrypted database backups. Other applications on the device cannot access any application data stored by My Coffee Card.

Your account password is stored using strong encryption, and you may protect your payment barcodes from un-authorized use with a user-defined PIN. Your PIN is stored using a one-way hash which cannot be retrieved by other applications.

If the PIN is forgotten, the only way to reset it is to clear all application data including: saved Starbucks Cards, account login, payment barcodes and PIN.

You can opt-in to store a single credit card in the application for faster reloading. The card is stored encrypted on the device with a unique encryption key per install. Credit card data is not included in the on-device backup and is never shared with anyone except Starbucks over SSL. Saved card data can be deleted at any time by opting out of the save feature.

Data transmission

All data transmitted from the application communicates directly with over HTTPS using SSLv3 strong encryption with the exception of barcode generation.

To generate your payment barcode, your Starbucks Card number must be trasmitted via an HTTPS POST request to a script residing on The card number is sent using strong encryption and is not stored on the server in any way. For your security, the requests do not show up in any logs or web stats. This must be done because the software to do it directly on the device is $1500 and as an independent developer, this is not something I can afford.

In-app reloads

By popular request, the ability to reload your Starbucks Card directly from My Coffee Card was added. This feature must collect your credit card data and billing address to send to Starbucks to perform the reload.

Your cardholder data, including credit card number; PIN (CVC); name on card and expiration date, are stored by the application only when requested to do so. Card data is stored encrypted with a unique encryption key per install and is never shared with anyone except Starbucks. All card data is securely transmitted directly to Starbucks to perform the reload at the time the reload is requested. For added usability, the last used billing address is retained to be used for future reloads.

Because reloading your card using PayPal requires two-way communication between PayPal and Starbucks, this cannot be made available as a form of payment in My Coffee Card.

If you want to use PayPal or do not wish to enter your credit card information into My Coffee Card, you can press the Menu button on the reload screen and select "Reload on" to open a browser window directly to Note: This will require you to have the Starbucks Card present to enter the card number into the form on Your card may also be reloaded by scanning the barcode at a register in-store the same way you would for mobile payments.


You can prevent un-authorized use of your payment barcodes by assigning a PIN to the payment screen. To set a PIN, open My Coffee Card and press the Settings button.

Registered Starbucks Cards are protected by Starbucks Corporation from un-authorized use for up to $500 (the maximum balance you can load on the card).

If your cards are registered, balance transfers can only be performed between two cards registered to the same account.

If you believe your card is being used without your permission, immediately contact Starbucks to report your card as Lost/Stolen at or by calling 1-800-STARBUC.

Obtaining My Coffee Card

Only download and install My Coffee Card from the Android Market and Amazon Appstore. Do not install it from any other market or via sideloading from an .APK file dowloaded from any other site. Files downloaded from other websites may contain viruses or other data sharing practices that differ from this policy.