Privacy Policy

Last updated: 2026-07-10

Who we are

Saignée (“we”, “us”) is the data controller for personal data processed through this website and app. The Service is operated primarily for users in the United States; we do not currently target the EEA, UK, or Switzerland as markets. For privacy questions or to exercise any right described below, contact privacy@saignee.com.

What we collect when you use the app

  • Account data — your email address and authentication records, managed through Supabase-backed authentication.
  • Cellar and bottle data — the wines you add (name, producer, vintage, region, rack position, valuation figures you enter), consumption logs, ratings, tasting notes, and wishlist / order-list items.
  • Account preferences — plan tier, active-cellar selection, push and email notification prefs, and (if set) account-deletion schedule timestamps.
  • Photos and meal descriptions — wine-label photos you submit to the Label Scan feature and dish or meal text you submit to the pairing and recipe features.
  • Taste signals and usage counters — activity-derived signals that power your taste profile, and per-month feature counters used to enforce plan limits.
  • Push subscriptions — if you enable drinking-window alerts, the push endpoint your browser issues us.
  • Consent records — the exact wording and version of each consent you give (terms acceptance, marketing, AI training), with a timestamp, a salted irreversible hash of your IP address, and your browser user-agent string — kept to demonstrate consent was given from your device, not to identify you.
  • Product analytics events — page paths, product and marketing funnel actions (for example sign-in, bottle added, pairing generated), browser and device technical context, and — after you sign in — your account user id so we can understand usage across sessions. We do not send your email address to our analytics provider for identification. See Product analytics (PostHog) below.

What we collect at the waitlist

  • Email address you submit.
  • The plan you registered interest in and your selected billing cycle.
  • The exact wording of the consent you agreed to, and a timestamp.
  • A salted, irreversible hash of your IP address and your browser user-agent string — used to demonstrate consent was given from your device, not to identify you.

AI features and your data

When you use Label Scan, food pairing, recipe generation, or recommendations, the content you submit (label photos, dish descriptions, and relevant cellar context) is sent to OpenAI so the model can generate a response. That is inference processing — it is required for the feature to work. OpenAI acts as our processor / service provider for that request.

Provider model training. Under OpenAI’s API data-use policy, data sent through the OpenAI API is not used to train or improve OpenAI’s foundation models unless a customer explicitly opts in to share it. We do not opt our product API traffic into that sharing. We also configure requests so response application state is not retained for later retrieval where the API supports that control (and we pursue Zero Data Retention / equivalent org controls when available — see our ops record for the production organization).

Saignée product training and evaluation (optional). Separately, you may switch on an opt-in toggle in account settings that allows us to use your User Content (for example label scans, tasting notes, and pairing feedback) to train, fine-tune, evaluate, or benchmark Saignée’s AI features. That toggle defaults to off, is unbundled from sign-up and from inference processing, and can be withdrawn at any time. Turning it off does not stop Label Scan or pairing — those features still need inference processing as described above. We do not send your data to third-party model providers for their training under that toggle.

Product analytics (PostHog)

We use PostHog (PostHog Inc.) as a product analytics and product- observability provider. PostHog acts as our processor / service provider. We are the controller / business.

What we send to PostHog:

  • Usage events such as page views, key product actions, and marketing funnel events, with technical context (for example page path and browser/device type). Approximate location derived from IP may be available depending on project configuration.
  • An account identifier (your user id) after you sign in, so we can understand product usage across sessions. We do not send your email address to PostHog for identification.
  • Error diagnostics (exception events) to help us fix bugs.
  • AI feature telemetry (metrics only — for example model name, token counts, latency, and cost). OpenAI remains the processor that generates AI responses as described above. We do not send free-text prompts, generated completions, or label-scan images to PostHog via analytics instrumentation.

What we do not do with PostHog:

  • We do not use PostHog session recording / session replay.
  • We do not use PostHog for advertising, retargeting, or selling your data.
  • Browser autocapture of clicks and form inputs is disabled.

PostHog is configured with in-memory persistence so it does not set its own long-lived tracking cookies. That reduces device storage but does not mean we collect no analytics data. See our Cookie Policy for device-storage details.

Events are processed on PostHog Cloud in the United States (we do not operate a separate PostHog EU project today). For signed-in product use, we also send limited server-side product events keyed by your account user id so we can understand feature usage and reliability across devices; that server capture is not controlled by the browser cookie banner. Where personal data is transferred internationally (for example if you access the Service from outside the United States), we rely on appropriate safeguards under our agreement with PostHog (including Standard Contractual Clauses and/or the EU-U.S. Data Privacy Framework, as applicable).

Analytics events are retained for typically 30 days, then deleted or aggregated under our PostHog project settings. We do not run automated PostHog person-delete as part of self-serve account closure; after you close your account we stop associating new product activity with it, and analytics data ages out under that retention. If you want product analytics erased in PostHog sooner (or in addition to ageing), email privacy@saignee.com. After we verify your request, we aim to complete that manual deletion within 14 calendar days using PostHog’s tools.

Legal basis

  • Contract (GDPR Article 6(1)(b)) — processing your account, cellar data, and AI feature requests to provide the service you signed up for.
  • Consent (Articles 6(1)(a) and 7) — marketing email and AI-model training. You can withdraw consent at any time, with no effect on past processing.
  • Legitimate interests (Article 6(1)(f), where GDPR applies) — abuse prevention, plan metering, service security, and product analytics(including server-side product events for signed-in users and metrics-only AI telemetry) to understand and improve the Service. We balance this against your rights; you may object via privacy@saignee.com. Browser product-analytics storage also offers an Accept/Reject choice where our cookie banner is shown.

Who we share it with

Our processors include:

  • Supabase — authentication and the database where your account, cellar, and consent records live.
  • Vercel — hosts the application, stores uploaded images (Vercel Blob), and provides cookieless, aggregated Web Analytics and Speed Insights(performance and traffic metrics). Those metrics are essential for operating a reliable Service; they are not advertising or cross-site profiling, and they are not gated on the browser Accept/Reject choice used for PostHog product analytics. See also our Cookie Policy.
  • OpenAI — processes AI feature inputs through the OpenAI API, as described above.
  • MailerLite — delivers waitlist verification email and any marketing updates you opt into. MailerLite acts as our processor under a signed DPA.
  • PostHog — product analytics and product observability, as described above. PostHog acts as our processor under our agreement with PostHog.

We do not sell personal data. We do not share it with advertisers. For California residents, see our Do Not Sell or Share My Personal Information notice.

Where these processors handle data outside the EEA, UK, or Switzerland, transfers rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and/or the EU-U.S. Data Privacy Framework, as applicable.

How long we keep it

  • Account and cellar data are kept while your account is active. If you schedule self-serve account deletion, product access ends immediately and you have 30 days to export your application data or cancel deletion; after that we permanently delete application data and revoke access (including your login). Product analytics in PostHog are not auto-deleted as a person record at that moment; they are retained for typically 30 days and age out under that limit once we stop processing your account (or sooner if you request a verified privacy@ wipe — 14 calendar days after verification). You can cancel self-serve deletion during the export window from the account-closure page after sign-in.
  • Label photos saved to a bottle are stored in private storage and deleted when you delete the bottle, the cellar, or your account. Dish text and other AI inputs are retained only as long as needed to deliver and cache the corresponding result.
  • Unverified waitlist entries are deleted automatically 14 days after signup.
  • Verified waitlist entries are kept until you unsubscribe, then a minimal audit record is retained for 30 additional days before being deleted.
  • Product analytics events are retained for typically 30 days, then deleted or aggregated. We will update this policy if that period changes.

Your rights

Under GDPR (EU/UK) and CPRA (California), you have the right to:

  • Access the personal data we hold about you.
  • Have it corrected if inaccurate.
  • Have it deleted (the “right to be forgotten”). This includes personal data in our application database and login (self-serve account deletion or via privacy@). Product analytics in PostHog are retained for typically 30 days and then removed under that retention. For a verified request to delete your PostHog person and events sooner (or in addition to ageing), contact privacy@saignee.com; we aim to complete that wipe within 14 calendar days of verification.
  • Object to processing based on legitimate interests, including product analytics.
  • Withdraw browser product-analytics choice (Accept/Reject) via Cookie settings, and withdraw consent for marketing email at any time.
  • Lodge a complaint with your local data protection authority.
  • California residents: learn about sale/share practices on our Do Not Sell or Share page (we do not sell or share for cross-context behavioral advertising).

Self-serve export vs. full erasure. Account settings let you download a JSON export of application data we store for your account (for example bottles and consumption logs you created, pairing sessions, taste signals, wishlist items, plan and notification preferences, your cellar memberships and household invites involving you, usage counters, and consent history). That download is not a complete dump of all product-analytics telemetry in PostHog (those events age out under the retention period above; the export file also notes this exclusion). To request access beyond that export, object to analytics, or ask for PostHog-side person/event erasure (14-day target after verification), email privacy@saignee.com.

To exercise any of these rights: use the tools in your account settings where available, click the management link in any email we send you, or contact privacy@saignee.com. We respond within 30 days (GDPR) or 45 days (CPRA). Verified PostHog analytics erasure requests are handled under the 14 calendar-day deletion target described above.

Unsubscribing

Every marketing email contains a one-click unsubscribe link. Clicking it removes you from the marketing list immediately; the corresponding consent record is updated to reflect that withdrawal.

Security

Data is transmitted over HTTPS and stored encrypted at rest. Access is restricted to the smallest set of staff and processors necessary to operate the service.

Changes to this policy

We will post material changes here with an updated date. If you have already consented and a change materially affects the basis of that consent, we will ask for fresh consent before relying on it.