Privacy Policy

Som ("Company," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, retain, and safeguard your information when you use the Som application and related services (the "Service"). This policy applies to all users of the Service, regardless of location, and is designed to comply with applicable data protection laws including the California Consumer Privacy Act (CCPA/CPRA), the General Data Protection Regulation (GDPR), and other applicable state, federal, and international privacy laws.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2.1 Information You Provide Directly

Account Information: When you create an account, we collect your name, email address, and profile information provided through our OAuth authentication provider. We do not collect or store passwords directly.

Collection Data: Wine and spirits information you enter or scan, including producer names, wine names, vintages, regions, tasting notes, personal ratings, consumption logs, and photographs of bottle labels.

Payment Information: When you subscribe, payment processing is handled entirely by Stripe, Inc. We receive only a Stripe customer identifier, subscription status, and billing period information. We never receive, process, or store your full credit card number, CVV, or card expiration date.

Communications: If you contact us for support, we collect the content of your messages and any information you choose to provide.

2.2 Information Collected Automatically

Usage Data: We collect information about how you interact with the Service, including pages visited, features used, scan frequency, and session duration. This data is collected through privacy-respecting analytics and does not include advertising identifiers.

Device Information: We may collect device type, operating system, browser type, and screen resolution to optimize the Service experience.

Cookies and Local Storage: We use essential cookies for authentication session management and local storage for user preferences. We do not use third-party advertising cookies or cross-site tracking technologies.

2.3 Information from Third-Party Sources

AI-Generated Data: When you use our scanning and sommelier features, we use artificial intelligence services to identify wines, generate scores, retrieve publicly available review information, and estimate market pricing. This data is derived from publicly available sources and AI models, not from your personal information.

We use the information we collect for the following purposes:

• Service Delivery: To provide, maintain, and improve the Service, including wine identification, collection management, scoring, and sommelier features.
• Account Management: To create and manage your account, process subscriptions, and communicate with you about your account.
• Personalization: To personalize your experience, including AI-generated insights about your collection and consumption patterns.
• Security: To detect, prevent, and address fraud, unauthorized access, and other illegal activities.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.

We may share your information only in the following limited circumstances:

Service Providers: We share information with trusted third-party service providers who assist us in operating the Service, including cloud hosting providers, payment processors (Stripe), authentication providers, and AI service providers. These providers are contractually obligated to use your information only for the purposes of providing services to us.

Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

With Your Consent: We may share your information with third parties when you explicitly consent, such as when you use the share collection feature to generate a read-only link to your inventory.

We retain your personal information for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal information within thirty (30) days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements). Anonymized and aggregated data that cannot be used to identify you may be retained indefinitely for analytical purposes.

We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS/SSL), encryption of data at rest, secure authentication protocols, regular security assessments, and access controls limiting employee access to personal information on a need-to-know basis. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

7.1 All Users

Regardless of your location, you have the right to: access the personal information we hold about you; request correction of inaccurate information; request deletion of your account and associated data; export your collection data (via CSV export); and opt out of non-essential communications.

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act, including: the right to know what personal information we collect, use, and disclose; the right to delete your personal information; the right to opt out of the sale or sharing of personal information (we do not sell or share your personal information); the right to non-discrimination for exercising your privacy rights; and the right to limit the use of sensitive personal information. To exercise these rights, contact us at [email protected]. We will respond within forty-five (45) days.

7.3 European Economic Area Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the GDPR, including: the right to access, rectify, erase, restrict processing, and port your data; the right to object to processing based on legitimate interests; and the right to lodge a complaint with your local data protection authority. Our legal bases for processing are: contract performance (providing the Service), legitimate interests (improving the Service, security), consent (where applicable), and legal obligation.

The Service is not intended for individuals under twenty-one (21) years of age or the legal drinking age in their jurisdiction. We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from a minor, we will take steps to delete that information promptly.

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from your jurisdiction. We ensure appropriate safeguards are in place for such transfers, including standard contractual clauses where required.

We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification or email at least thirty (30) days before taking effect. The "Last Updated" date at the top of this policy indicates when the most recent revisions were made.

For California residents: You may also submit a verifiable consumer request by emailing [email protected] with the subject line "CCPA Request."