Privacy Policy

1. Data Controller

The data controller responsible for processing your personal data is:

For matters relating to data protection, you may contact our Data Protection Officer at privacy@caveist.com.

2. Data We Collect

We collect the following categories of personal data:

Account Information

• Email address
• Display name
• Authentication credentials (hashed passwords or OAuth tokens)
• Account creation and last login dates

Cellar Data

• Wine bottle inventory (names, vintages, regions, appellations, grape varieties)
• Quantities, prices, purchase sources, and storage locations
• Drinking windows and bottle status
• Photos of wine labels submitted for recognition

Tasting Notes

• Ratings, tasting descriptions, and food pairing records
• Dates and contexts of tastings
• Personal preferences and purchase intent flags

Usage Analytics

• Interaction patterns with the Service (features used, frequency of use)
• Device type and browser information
• Error logs and performance data

3. How We Use Your Data

We process your personal data for the following purposes, each with a corresponding legal basis under the GDPR:

• Providing the Service (contractual necessity): managing your cellar inventory, generating recommendations, processing tasting notes, and delivering AI-powered insights;
• Account management (contractual necessity): authenticating your identity, managing your subscription, and processing payments;
• Service improvement (legitimate interest): analyzing usage patterns to improve features, fix bugs, and optimize performance;
• Communication (legitimate interest / consent): sending service-related notifications, responding to support requests, and, with your consent, marketing communications;
• Legal compliance (legal obligation): fulfilling our obligations under applicable law, including tax and accounting requirements.

We do not sell your personal data to third parties. We do not use your cellar data or tasting notes to train AI models.

4. Data Storage

Your data is stored on infrastructure provided by Supabase, hosted in the European Union (EU region). All data at rest is encrypted using AES-256 encryption. Data in transit is protected using TLS 1.2 or higher.

We do not transfer your personal data outside the European Economic Area (EEA) unless adequate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

5. Data Retention

We retain your personal data for as long as your account is active and as necessary to provide the Service. Specifically:

• Account and cellar data: retained for the duration of your active subscription, plus 30 days after account deletion to allow for recovery;
• Tasting notes: retained as part of your cellar data for the same period;
• Usage analytics: aggregated and anonymized within 12 months of collection; raw data is deleted after 90 days;
• Payment records: retained for the period required by applicable tax and accounting regulations (typically 10 years under French law);
• Uploaded images: processed for label recognition and deleted within 48 hours unless you choose to retain them in your cellar records.

Upon account deletion, we permanently erase your personal data within 30 days, except where retention is required by law.

6. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access: you may request a copy of all personal data we hold about you;
• Right to rectification: you may request correction of inaccurate or incomplete data;
• Right to erasure: you may request deletion of your personal data, subject to legal retention obligations;
• Right to data portability: you may request your data in a structured, commonly used, machine-readable format (JSON or CSV);
• Right to restrict processing: you may request that we limit how we process your data in certain circumstances;
• Right to object: you may object to processing based on legitimate interest, including profiling;
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@caveist.com. We will respond within 30 days as required by the GDPR. You also have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertes (CNIL) or any competent supervisory authority.

7. Cookies

Caveist uses minimal cookies, strictly limited to what is necessary for the Service to function:

• Authentication session cookie: maintains your logged-in state. This is a strictly necessary cookie and does not require consent under the ePrivacy Directive.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not participate in cross-site tracking or retargeting.

8. Third-Party Services

We use the following third-party services to operate the platform. Each provider processes data only as necessary and under appropriate data processing agreements:

• Supabase (database and authentication): hosts your account data and cellar records on EU-region infrastructure. Supabase Privacy Policy;
• Cloudflare (hosting and content delivery): provides DNS, CDN, and DDoS protection. Cloudflare processes minimal request metadata (IP addresses, request headers) for security purposes. Cloudflare Privacy Policy.

When you use Caveist through a third-party AI assistant (such as Claude or ChatGPT), your interactions with that assistant are governed by the respective provider's privacy policy. Caveist only receives the structured tool calls made through the MCP protocol, not your full conversation history.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption at rest (AES-256) and in transit (TLS 1.2+);
• Row-level security policies ensuring users can only access their own data;
• Bearer token authentication for API access;
• Regular security audits and dependency updates;
• Access controls limiting internal access to personal data on a need-to-know basis.

No system is perfectly secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by the GDPR.

10. Children

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take immediate steps to delete that data. If you believe a child under 16 has provided us with personal data, please contact us at privacy@caveist.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email or through a prominent notice on the Service at least 30 days before taking effect.

We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when the policy was last revised.