1. Data Controller Information
Data Controller: Sommy
Address: Switzerland
Email: privacy@sommy.wine
DPO Contact: dpo@sommy.wine
2. Data We Collect
Information You Provide:
- Email Address: When you subscribe to our newsletter or create an account
- Date of Birth: For age verification (legal drinking age compliance)
- Marketing Preferences: Your consent to receive marketing communications
- Contact Information: Name and other details if you contact our support
Information We Collect Automatically:
- Analytics Data: Page views, session duration, referral sources (opt-in only via PostHog)
- Technical Data: IP address, browser type, device information
- Cookies: Small files stored on your device for functionality and analytics
- Geographic Data: IP geolocation for content localization
Mobile App Data:
- Course Progress: Lessons completed, quiz scores, and learning streaks
- Tasting Notes: Wine observations you record during tasting exercises
- Wine Photos: Images you submit for AI analysis (processed by Google Gemini, not stored permanently)
- XP and Achievements: Gamification data tied to your learning progress
3. Purposes and Legal Bases
| Purpose | Legal Basis |
|---|---|
| Email newsletter delivery | Consent (Article 6(1)(a) GDPR) |
| Product analytics (PostHog) | Consent (Article 6(1)(a) GDPR) |
| AI wine photo analysis (Google Gemini) | Contract performance (Article 6(1)(b) GDPR) |
| Customer support | Legitimate interest (Article 6(1)(f) GDPR) |
| Legal compliance | Legal obligation (Article 6(1)(c) GDPR) |
| Age verification | Legal obligation (Article 6(1)(c) GDPR) |
4. Data Sharing and International Transfers
Service Providers:
- Buttondown: Email newsletter service (USA) - adequacy decision covers data transfers
- PostHog: Product analytics (USA) - opt-in only, privacy-focused analytics
- Google Gemini AI: Wine photo analysis (USA) - photos are processed in real-time and not stored by Google for training
- Firebase: Authentication and hosting (USA) - Google Cloud data processing terms apply
- Railway: Application hosting and PostgreSQL database (USA)
- Sentry: Error monitoring (USA) - anonymized error data only
International Transfers: Some of our service providers are located outside the EU/EEA. We ensure appropriate safeguards are in place, including adequacy decisions, standard contractual clauses, or certification schemes as approved by the European Commission.
5. Data Retention
- Account data: Until you delete your account
- Email subscribers: Until you unsubscribe or withdraw consent
- Analytics data: 12 months (PostHog retention)
- Wine photos: Not stored after AI analysis is complete
- Contact inquiries: 3 years or until resolution of inquiry
- Legal compliance data: As required by applicable law
6. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access (Article 15): Request a copy of your personal data
- Right to Rectification (Article 16): Correct inaccurate or incomplete data
- Right to Erasure (Article 17): Request deletion of your data
- Right to Restrict Processing (Article 18): Limit how we use your data
- Right to Data Portability (Article 20): Download your data in JSON format via the app
- Right to Object (Article 21): Object to processing based on legitimate interest
- Right to Withdraw Consent: Withdraw consent for analytics and marketing at any time
How to Exercise Your Rights:
- In-app: Use "Download My Data" (Profile > Settings) for data portability
- In-app: Use "Delete Account" (Profile > Settings) for erasure
- Email us at: privacy@sommy.wine
We will respond to your request within 30 days.
7. Cookies and Tracking
We use cookies and similar technologies to improve your experience. For detailed information about the cookies we use and how to manage your preferences, please see our Cookie Policy.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. This includes encryption of data in transit and at rest, regular security assessments, and access controls.
9. Age Restrictions
Our services are not intended for individuals under the legal drinking age. We do not knowingly collect personal data from minors. If you are under 18 (or the legal drinking age in your jurisdiction), please do not provide us with your personal information.
10. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the updated notice on our website and updating the "Last Updated" date.
11. Supervisory Authority
If you believe we have not handled your personal data in accordance with this notice or applicable law, you have the right to lodge a complaint with your local data protection authority or the Swiss Federal Data Protection and Information Commissioner (FDPIC).
12. Contact Us
If you have any questions about this Privacy Notice or our data processing practices, please contact: