Privacy Policy
Effective date: 29 April 2026 · Last updated: 29 April 2026
- Who we are
- Scope
- Data we collect
- Why we use it
- Legal basis (GDPR)
- Legitimate interests detail
- Profiling & automated recommendations
- Sharing & processors
- International transfers
- Retention
- Your rights
- Data protection contact
- Security
- Breach notification
- Children
- Cookies
- Marketing communications
- Changes
- Contact
1. Who we are
WineGate is a wine-discovery application operated by PorteVin OÜ, a private limited company registered in Estonia (registry code 17473145, registered address: Karusambla tee 25, Leppneeme küla, 74009 Harju maakond, Estonia).
For the purposes of the EU General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act, PorteVin OÜ is the data controller for the personal data described in this Policy. You can reach us at privacy@wine-gate.com.
2. Scope
This Policy describes how we collect, use, disclose and protect personal data when you:
- visit wine-gate.com and related subpages;
- use the WineGate mobile or web application (the "App");
- contact us by email or other channels.
It does not cover third-party websites, services or applications that we link to but do not operate. Please review the privacy notices of those third parties.
3. Data we collect
3.1 Data you provide directly
| Category | Examples |
|---|---|
| Account | Email address, display name, username, language preference |
| Authentication | OAuth identifiers (e.g. Apple Sign-In, Google Sign-In) where used |
| Profile | Optional taste profile answers (sweetness, body, acidity preferences) you choose to provide |
| User content | Photographs of wine labels you upload; ratings, reviews and notes you write; your cellar entries |
| Communications | Messages you send to support, feedback you submit |
3.2 Data collected automatically
| Category | Examples |
|---|---|
| Device & technical | Device model, operating system, app version, language, time zone, IP address |
| Usage | Pages or screens viewed, features used, scan timestamps, error logs |
| Diagnostics | Crash reports, performance metrics |
3.3 Data we do not collect
- We do not knowingly collect government identifiers, financial account numbers, or biometric identifiers beyond the wine-label image you scan.
- We do not collect precise location (GPS) unless you explicitly enable a feature that requires it.
- We do not sell your personal data.
4. Why we use your data
- To provide the service: create and maintain your account, identify wines you scan, save your cellar, generate AI-powered descriptions and pairing suggestions.
- To personalise: tailor recommendations based on your taste profile and scan history.
- To improve: analyse usage patterns, debug crashes, evaluate feature performance.
- To communicate: respond to your support requests, send essential service notices, and (with your consent) product updates.
- To comply: meet legal obligations, prevent fraud or abuse, enforce our Terms of Service.
5. Legal basis for processing (GDPR Article 6)
- Performance of a contract (Art. 6(1)(b)) — when processing is necessary to deliver the service you requested (account, scanning, cellar).
- Legitimate interests (Art. 6(1)(f)) — for service improvement, security and fraud prevention, where these interests are not overridden by your rights and freedoms (see §6 below).
- Consent (Art. 6(1)(a)) — for optional analytics, marketing communications, or features you explicitly enable.
- Legal obligation (Art. 6(1)(c)) — to comply with applicable laws (e.g. tax, accounting, lawful requests from public authorities).
You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
6. Our legitimate interests in detail
Where we rely on legitimate interests as our legal basis, we have carried out a balancing test as required by GDPR Recital 47. Specifically, our legitimate interests are:
- Service security & integrity — preventing fraud, abuse, automated attacks, account takeover, and protecting other users.
- Service improvement — analysing aggregated usage patterns to identify bugs, prioritise features, and improve recommendation quality. Wherever possible we use anonymised or pseudonymised data.
- Internal business operations — financial reporting, audits, due diligence in connection with potential investments or acquisitions, and defence of legal claims.
- Direct communication about your account — sending essential notices about your account, service changes, security alerts, and responding to your enquiries.
You may object to processing based on legitimate interests at any time by writing to privacy@wine-gate.com. We will stop the processing unless we can demonstrate compelling legitimate grounds that override your rights, or for the establishment, exercise or defence of legal claims.
7. Profiling and automated recommendations
WineGate generates personalised wine recommendations using your taste profile, scan history, ratings and similar in-app activity. Under GDPR (Art. 4(4) and Art. 22) this counts as profiling. We want to be transparent about how it works:
- What the system does: our algorithms (including third-party AI models from OpenAI and Anthropic) compare your stated preferences and past scans with general wine knowledge to suggest bottles, regions, food pairings and articles you may enjoy.
- What it does NOT do: our recommendations have no legal effect on you, do not determine prices, do not affect any contract or service eligibility, and do not deny you access to any feature. Article 22 GDPR (rights regarding solely automated decisions with legal or similarly significant effects) does not apply.
- You stay in control: you can edit your taste profile, delete any scan from your cellar, or turn off personalised recommendations entirely in your Profile settings. You may also object to profiling at any time at privacy@wine-gate.com; we will switch you to a non-personalised experience.
- Data minimisation: when we send your wine-label image to AI providers, we strip out account identifiers. The provider sees an image and a generic prompt — not who you are.
8. Sharing & sub-processors
We share personal data only with carefully selected service providers acting as our processors under written agreements:
| Provider | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Authentication, database, file storage | EU (Frankfurt) / US |
| OpenAI, L.L.C. | AI-generated wine descriptions, image recognition | USA |
| Anthropic, PBC | AI-generated content (where applicable) | USA |
| Vercel Inc. | Web hosting, content delivery | Global edge / USA |
| Apple Inc. | App distribution, in-app purchases (App Store) | USA |
| Google LLC | App distribution (Google Play), where applicable | USA |
Where AI providers process your wine-label photograph, we send only the image and a generic prompt; no account identifiers are shared. We do not allow these providers to use your data to train their public models.
We may also disclose data:
- to comply with legal obligations, court orders, or lawful requests from public authorities;
- to enforce our Terms or protect rights, property, or safety;
- in connection with a merger, acquisition or sale of assets — in which case you will be notified.
9. International transfers
Some of our processors are located outside the European Economic Area, including in the United States. When we transfer your data outside the EEA, we rely on safeguards approved under GDPR, in particular:
- European Commission adequacy decisions (e.g. EU-US Data Privacy Framework where applicable);
- Standard Contractual Clauses (SCCs);
- supplementary technical and organisational measures.
We have signed Data Processing Agreements (DPAs) with each of our sub-processors, incorporating Standard Contractual Clauses where required. You may request a copy of the safeguards in place for any specific transfer by emailing privacy@wine-gate.com.
EU representative: as PorteVin OÜ is established in Estonia (an EU Member State), no additional representative under Article 27 GDPR is required. The data controller acts directly within the EU.
10. How long we keep your data
- Account data — for as long as your account is active. After deletion, we retain a minimal record (email hash, deletion timestamp) for up to 30 days for security and audit purposes.
- Cellar & scan history — until you delete the entry or your account.
- Diagnostic logs — typically 30–90 days, then anonymised or deleted.
- Communications — up to 24 months from the last interaction.
- Marketing consent records — kept while consent is active and for up to 24 months after withdrawal, to evidence compliance.
- Legal-hold data — for the duration required by applicable law (e.g. accounting records under Estonian law: 7 years).
11. Your rights under GDPR
If you are in the EEA or Switzerland, you have the following rights regarding your personal data:
- Right of access (Art. 15) — obtain confirmation that we process your data, a copy of it, and information about the processing;
- Right to rectification (Art. 16) — correct inaccurate or incomplete data;
- Right to erasure (Art. 17, "right to be forgotten") — delete your data, subject to legal exceptions;
- Right to restriction of processing (Art. 18) — limit processing in certain circumstances;
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format and transmit it to another controller;
- Right to object (Art. 21) — to processing based on legitimate interests, including profiling for marketing or recommendation purposes;
- Right to withdraw consent (Art. 7(3)) — at any time, where consent is the basis for processing;
- Rights related to automated decision-making (Art. 22) — see §7 above;
- Right to lodge a complaint (Art. 77) — with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee) as our lead supervisory authority, or with your local supervisory authority in your EU Member State.
You can delete your account and all associated personal data directly inside the App (Profile → Delete account) at any time, or by emailing privacy@wine-gate.com. We will verify your identity before fulfilling a request and will respond within one month of receiving the request, as required by Art. 12(3) GDPR. This may be extended by up to two further months for complex requests, in which case we will inform you within the first month.
We do not charge for handling rights requests, except where requests are manifestly unfounded or excessive (Art. 12(5)).
12. Data protection contact
Given our current scale and the nature of our processing, PorteVin OÜ is not legally required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. We have, however, designated a single point of contact for all privacy-related matters:
Privacy contact: Privacy Lead, PorteVin OÜ
Email: privacy@wine-gate.com
Postal: Karusambla tee 25, Leppneeme küla, 74009 Harju maakond, Estonia
If we appoint a formal DPO in the future, we will update this section and notify our supervisory authority accordingly.
13. Security
We implement technical and organisational measures appropriate to the risk, in line with Article 32 GDPR. These include:
- TLS 1.2+ encryption for data in transit;
- encryption at rest for databases and file storage (AES-256);
- role-based access controls and least-privilege principles for staff;
- two-factor authentication for all administrative access;
- regular review of access logs and security configurations;
- isolation of production data from development and test environments;
- vetted sub-processors with documented security certifications (e.g. SOC 2, ISO 27001).
No system is perfectly secure. We continually review and improve our practices.
14. Breach notification
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- notify the Estonian Data Protection Inspectorate (AKI) within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR;
- notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR);
- document all breaches internally, including the facts, effects and remedial action taken.
Notifications will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures we are taking to address it.
15. Children
WineGate is rated 17+ and is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a minor has provided us with personal data, please contact privacy@wine-gate.com and we will delete the data and close any associated account promptly.
16. Cookies and similar technologies
Our marketing website (wine-gate.com) uses strictly necessary cookies and local storage to remember your language and theme preference and to maintain your authenticated session. These do not require your consent under the ePrivacy Directive.
We do not use advertising cookies, behavioural tracking pixels, or third-party analytics that collect personal data without your prior consent. If we introduce optional analytics or marketing cookies in the future, we will deploy a consent banner that allows you to accept or refuse before any non-essential tracker is set.
The mobile App does not use browser cookies. It uses on-device storage (Keychain, UserDefaults / Local Storage) to keep you signed in and to cache your settings.
17. Marketing communications
We will only send you product updates, newsletters or promotional content if you have explicitly opted in. You can withdraw your consent at any time by:
- clicking the unsubscribe link in any marketing email;
- changing your communication preferences in the App (Profile → Notifications);
- emailing privacy@wine-gate.com.
Transactional and security messages (e.g. account verification, password reset, important service changes) are sent on the basis of contract performance and cannot be unsubscribed from while your account is active.
18. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will notify you by email or in-app notice and update the "Last updated" date above. The most recent version is always available at wine-gate.com/privacy.
19. Contact us
Data controller: PorteVin OÜ
Registry code: 17473145
Address: Karusambla tee 25, Leppneeme küla, 74009 Harju maakond, Estonia
Email: privacy@wine-gate.com
General contact: info@wine-gate.com