Privacy Policy

Who we are

Uva Cellars Inc. and Uva Technologies Inc. (collectively 'Uva', 'we', 'us', or 'our') provide wine cellar racking systems and companion software, including the Uva Cellars website at uvacellars.com and the Uva Cellars iOS application (together, the 'Services').

This Privacy Policy applies to all users of our Services, including individual wine collectors and business users such as restaurants, hotels, private clubs, and wine retailers. Where this policy applies differently to business users, we note this clearly.

Uva Cellars Inc. and Uva Technologies Inc. are the joint data controllers for the personal information described in this policy. Our contact details are set out in Section 15.

Information we collect

Account & profile information

When you create an account, we collect your name, email address, and a password. Business account holders also provide company name, business type, and billing contact details.

Wine collection data

We collect and store the information you enter about your wine collection — bottle details, labels, vintages, purchase dates, valuations, tasting notes, and any other records you choose to add. This information is yours. We use it only to operate the Services for you and as described in this policy.

Cellar environment data

If you use Uva's smart cellar monitoring features, we collect environmental sensor data including temperature and humidity readings. This data powers monitoring alerts and cellar condition reports.

Usage and analytics data

We automatically collect information about how you use the Services — features accessed, screens viewed, session duration, and interactions with app functionality. We also collect crash reports and diagnostic data to improve stability and performance.

Device information

We collect information about the device you use to access the Services, including device type, operating system version, device identifiers (such as IDFA), and network connection type.

Communications

If you contact us for support or send feedback, we collect the content of your communications, your email address, and any other information you choose to provide.

In-app purchase data

In-app purchases are processed entirely by Apple through the App Store. Uva receives transaction confirmation data (such as subscription status and purchase date) but does not receive or store your payment card details.

Wine catalogue data

Certain wine information displayed in the app — ratings, tasting notes, label images, and producer details — is sourced from third-party databases, including Vivino. Uva does not claim ownership of this catalogue data.

Information we do not collect

We do not collect payment card numbers, bank account details, or government-issued identification numbers. We do not knowingly collect personal information from individuals under the age of 16.

How we use your information

We use personal information for the purposes below. For EU and UK users, the lawful basis under GDPR and UK GDPR is noted alongside each purpose.

AI & automated processing

AI-powered recommendations

Uva uses artificial intelligence to power wine recommendations, cellar insights, and personalised suggestions (collectively, 'AI Features'). These features analyse your wine collection, purchase history, tasting notes, and usage patterns. You can opt out at any time under Account Settings > Personalisation — this will not affect access to core cellar management features.

Third-party AI services

We use third-party AI services to power certain features. These providers process only the data necessary to deliver the specific feature, under contractual restrictions prohibiting use of your data for their own training or commercial purposes. We enter into Data Processing Agreements with each such provider.

AI training — future use

We plan to use customer data to train and improve our AI recommendation models. We will not use your personal data for this purpose without first obtaining your explicit, opt-in consent through a clearly presented mechanism within the app. You may withdraw consent at any time.

Automated decision-making

Our AI Features generate recommendations and suggestions but do not make decisions that produce legal effects or otherwise significantly affect you. All AI-generated recommendations are suggestions only — you remain in complete control of your cellar management decisions. If you believe an AI-generated output has materially affected you, contact [email protected] to request a human review. EU and UK users have this right under GDPR Article 22.

EU AI Act

Uva's AI recommendation system is classified as a limited-risk AI system under the EU AI Act (Regulation 2024/1689). We comply with applicable transparency obligations, including notifying you when you are interacting with AI-generated content within the app.

Cookies & tracking technologies

Website (uvacellars.com)

Our website uses a Cookie Consent Management Platform. When you first visit, you will be presented with a consent banner — non-essential cookies are blocked until you make a choice. You can change your preferences at any time via the 'Cookie Settings' link in the footer.

Mobile app (iOS)

The Uva iOS app uses Firebase Analytics (app usage, crash reporting), Google Ads on-device conversion tracking (active only where you have consented via the iOS ATT prompt), and Firebase App Check (security verification only). You can change tracking settings at any time under iOS Settings > Privacy & Security > Tracking.

Sharing your information

We do not sell your personally identifiable information. We share your personal information only with service providers who help us operate the Services (listed below), with Apple for in-app purchase processing, where required by law, in a business transaction involving a merger or acquisition (with notice to you), or with your explicit consent for anything else.

International data transfers

Uva's servers are hosted in the United States (Google Cloud us-central-1). Transfers from the EU/UK are governed by Standard Contractual Clauses (EU 2021/914) or the UK IDTA respectively. Canadian transfers comply with PIPEDA's transfer accountability obligations. UAE, Singapore, and Hong Kong transfers are protected by contractual safeguards consistent with the applicable local data protection laws (UAE PDPL, Singapore PDPA, and Hong Kong PDPO). Copies of applicable transfer safeguards are available on request.

Data retention

Your rights

Depending on your location, you may have certain rights regarding your personal data. To exercise any right, contact us at [email protected]. We may ask you to verify your identity before processing your request.

Rights available to all users

• Access — request a copy of the personal data we hold about you.
• Correction — request that we correct inaccurate or incomplete data.
• Deletion — request deletion of your data, subject to legal retention obligations.
• Opt out of marketing — unsubscribe at any time via the link in any email or by contacting us.
• Opt out of AI profiling — via Account Settings > Personalisation.

EU & UK — GDPR / UK GDPR (30-day response)

Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), right to object (Art. 21), rights related to automated decisions (Art. 22), and the right to lodge a complaint with your local supervisory authority (see Section 15).

Canada — PIPEDA / Quebec Law 25 (30-day response)

Access and correction; withdrawal of consent to non-essential processing. Quebec Law 25 additional rights: data portability, de-indexing, and the right to be informed of automated decision-making and request human review.

US — CCPA/CPRA and other states (45-day response)

Right to know, delete, correct, and opt out of sale or sharing. We do not sell personal information. California residents may opt out of data sharing for advertising via Cookie Settings or the 'Do Not Sell or Share My Personal Information' link in the website footer. Residents of Virginia, Colorado, Connecticut, Texas, and other comprehensive state privacy law jurisdictions have similar rights — contact [email protected].

UAE, Singapore & Hong Kong

UAE residents have access, correction, deletion, and objection rights under the PDPL (30-day response). Singapore residents have access and correction rights under the PDPA (30-day response). Hong Kong residents may make a Data Access or Correction Request under the PDPO (40-day response); a prescribed fee may apply for data access requests.

Business (B2B) users

Business account administrators are responsible for ensuring staff members are informed of this Privacy Policy before accounts are created on their behalf. By adding a staff member, you represent that you have a lawful basis to provide us with that person's personal information.

For personal data of staff members provided in the context of your business subscription, Uva acts as a data processor on your behalf and you act as the data controller. B2B invoices are issued directly by Uva and retained per our schedule in Section 8.

Minimum age

Uva Cellars provides wine racking and cellar management software — we are not a wine retailer and do not sell alcohol. We require users to be at least 16 years of age to create an account, consistent with GDPR Article 8 and comparable requirements across our primary markets. We do not knowingly collect personal information from individuals under 16. If you believe we have done so inadvertently, contact us at [email protected] and we will promptly delete it.

Security & breach notification

We implement appropriate technical and organisational measures to protect your personal information, including TLS encryption in transit, encryption at rest, access controls, and regular security reviews. No transmission over the internet is completely secure — notify us immediately if you suspect unauthorised access to your account.

In the event of a personal data breach posing a risk to your rights and freedoms, we will notify relevant supervisory authorities and affected individuals within legally required timeframes: 72 hours for EU/UK; as soon as feasible (no later than 72 hours where technically feasible) for Canada; 3 business days for Singapore; and within the timeframes prescribed by the UAE PDPL and Hong Kong PCPD guidance.

Open source software

The Uva iOS application incorporates open source software components. Full licence texts, version details, and copyright notices are available within the app under Settings > Acknowledgements. The incorporation of open source components does not affect Uva's obligations or your rights under this Privacy Policy.

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting an updated policy with a new effective date, and by email or in-app notification where the change is material. Non-material updates — such as clarifications that do not affect how we process your data — may be made without prior notice. Where applicable law requires fresh consent, we will seek it before the new processing begins.

Contact us & supervisory authorities

Privacy contact

EU representative (Article 27 GDPR)

UK representative

To be designated. In the interim, UK residents may direct data protection enquiries to [email protected].

Quebec privacy officer

Supervisory authorities