Privacy Policy
VaultSomm is built for privacy-conscious collectors. We do not sell your data, share it with advertisers, or use it to train AI models. Your cellar is yours.
1. Who We Are
VaultSomm ("VaultSomm," "we," "us," or "our") operates the VaultSomm platform at vaultsomm.com and app.vaultsomm.com. We provide wine portfolio tracking, market intelligence, and tax reporting tools for serious wine collectors.
For questions about this policy, contact us at [email protected].
2. Information We Collect
We collect information you provide directly and information generated through your use of the platform.
- Account information: Email address and password (stored securely via Supabase Auth).
- Profile information: Name, subscription tier, and preferences you set in your profile.
- Cellar data: Wine bottle records you add — including producer, vintage, region, purchase price, current value, storage location, and notes.
- Usage data: Pages visited, features used, and actions taken within the app (e.g., reports generated, searches made).
- Device data: Browser type, operating system, IP address, and approximate location (country/region level only).
- Communications: Any messages you send to our support team.
3. How We Use Your Information
We use your information only to provide and improve the VaultSomm service:
- Authenticate your account and secure your data.
- Display your cellar, portfolio, and valuation data.
- Generate PDF reports (Insurance Valuation, Schedule D, Estate Inventory, Form 709).
- Power the AI Sommelier feature — your queries are sent to Perplexity AI's API but are not stored by VaultSomm beyond your session.
- Send transactional emails (account confirmation, password reset). We do not send marketing emails without your explicit consent.
- Analyze aggregate usage patterns to improve features (never linked to individual identities).
- Comply with applicable law.
4. Data Storage & Security
Your data is stored in a Supabase-managed PostgreSQL database hosted in the United States. We implement the following safeguards:
- All data in transit is encrypted via TLS 1.2+.
- All data at rest is encrypted using AES-256.
- Authentication uses industry-standard JWT tokens with short expiry windows.
- Row-level security policies ensure users can only access their own data.
- We do not store payment card information — billing is handled by a third-party payment processor.
No security system is impenetrable. In the event of a breach that may affect your data, we will notify you within 72 hours of becoming aware of it.
5. Data Sharing & Third-Party Processors
We do not sell, rent, or share your personal data with third parties for their own marketing or advertising purposes. We share data only with the following service providers, solely to operate the platform:
- Stripe, Inc. (Payment processing) — Processes subscription payments. Stripe handles all card data; VaultSomm never stores payment card numbers. Stripe Privacy Policy
- Supabase, Inc. (Database & authentication) — Stores your account data, cellar records, and portfolio data in encrypted databases hosted in the United States. Supabase Privacy Policy
- Cloudflare, Inc. (Hosting & CDN) — Serves the VaultSomm website and application. Cloudflare may process request logs including IP addresses. Cloudflare Privacy Policy
- Perplexity AI, Inc. (AI Sommelier) — When you use the AI Sommelier or Wine Search features, your text prompts (including wine names and questions) are transmitted to Perplexity's API servers in the United States for real-time processing. These queries are not stored by VaultSomm beyond your active session. Perplexity may retain query data per their own policy. We do not transmit your name, email, payment details, or full cellar inventory to Perplexity. Perplexity Privacy Policy
- Zoho Corporation (Transactional email) — Sends account-related emails (signup confirmations, password resets). Zoho Privacy Policy
- Mapbox, Inc. (Map tiles) — Provides wine region map tiles on the Market Intelligence page. No personally identifiable user data is transmitted to Mapbox. Mapbox Privacy Policy
- Legal requirements: If required by law, court order, or governmental authority.
- Business transfers: In connection with a merger, acquisition, or sale of assets — you will be notified before your data is transferred to a new entity.
International Data Transfers
VaultSomm is based in the United States. If you access the Service from outside the United States, your personal data will be transferred to and processed in the United States, where data protection laws may differ from those in your country. All of our processors (Supabase, Stripe, Cloudflare, Perplexity AI, Zoho) operate primarily in the United States.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, such transfers are conducted under Standard Contractual Clauses (SCCs) or equivalent safeguards maintained by our processors. To inquire about our transfer mechanisms, email [email protected].
6. Cookies & Tracking
VaultSomm uses minimal, essential cookies only:
- Authentication session cookies — to keep you logged in.
- Preference cookies — to remember your theme (dark/light mode) choice.
We do not use advertising cookies, cross-site tracking pixels, or third-party analytics that identify individuals. We do not use Google Analytics.
7. Your Rights
Depending on your location, you may have the following rights under applicable privacy law (including GDPR, CCPA/CPRA, and similar state regulations):
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate data.
- Deletion: Request that we delete your account and all associated data. You can also delete your account directly from the app settings.
- Portability: Request your cellar data in a machine-readable format (CSV export available in-app).
- Restriction: Request that we limit how we process your data.
- Objection: Object to processing based on legitimate interests.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, email [email protected]. We respond within 30 days (45 days for CCPA requests; 30 days for GDPR requests). For GDPR erasure requests, we will complete deletion within 30 days and confirm in writing. If we cannot fulfill a request due to a legal retention obligation, we will explain why.
Right to Lodge a Complaint (GDPR/UK GDPR). If you are in the EEA or UK and believe we have not handled your data lawfully, you may lodge a complaint with your local supervisory authority. Find your EU authority at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO). We encourage you to contact us first so we can resolve your concern directly.
Do Not Sell or Share My Personal Information (CCPA/CPRA)
VaultSomm does not sell, share, or disclose your personal information to third parties for cross-context behavioural advertising or any commercial purpose beyond operating the platform. Because we do not sell or share your data in the CCPA/CPRA sense, there is nothing to opt out of — but you have the right to confirm this and to request deletion of your data at any time.
California residents may submit a request by emailing [email protected] with the subject line "CCPA Request".
8. Data Retention
We retain different categories of data for different periods based on the purpose of collection:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account & profile data | Duration of account + 30 days after deletion | Contract performance |
| Cellar & bottle records | Duration of account + 30 days after deletion | Contract performance |
| Payment & billing records | 7 years from transaction date | Legal obligation (tax / financial records) |
| AI Sommelier queries | 90 days (conversation history visible in-app) | Service functionality |
| Usage & server logs | 90 days | Security & service improvement |
| Support communications | 3 years | Legitimate interest (dispute resolution) |
Upon account deletion, all personal data not subject to a legal retention obligation will be permanently deleted within 30 days.
9. Children's Privacy (COPPA)
VaultSomm is not directed to individuals under the age of 18 and is intended solely for adults who collect and invest in fine wine. In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal data from children under the age of 13. If you believe a child under 13 has created an account, please contact us at [email protected] and we will delete the account and all associated data promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you via email or an in-app banner at least 14 days before the change takes effect.
11. Contact Us
For privacy-related questions, requests, or concerns:
- Email: [email protected]
- General: [email protected]
- Website: vaultsomm.com