This Privacy Policy describes how Sippd (“Sippd”, “we”, “our”) collects, uses, and protects your personal data when you use the Sippd mobile application and this website (together, the “Service”). We comply with the EU General Data Protection Regulation (GDPR) and applicable national laws.
1. Data Controller
The controller responsible for your personal data is the operator of Sippd. Contact details are listed in the Imprint.
2. Data We Collect
2.1 Account data
When you create an account, we store your email address, chosen username, and (optionally) a display name and profile picture.
2.2 Content you create
Wine ratings, tasting notes, photos you attach, and groups you create or join. By design, this content is stored locally on your device first and synced to our backend (Supabase) so you can access it across devices and share it with group members.
2.3 Location data (optional)
If you grant permission, the app may tag a rating with the approximate location or venue where you drank a bottle. This is optional and can be turned off at any time in your device's settings.
2.4 Technical data
Device type, operating system version, crash reports, and basic diagnostic logs we use to improve reliability. We do not use third-party advertising trackers.
3. Legal Basis for Processing
- Contract (Art. 6(1)(b) GDPR) — to provide the features of the Service you sign up for.
- Consent (Art. 6(1)(a) GDPR) — for optional data such as location tags or push notifications.
- Legitimate interest (Art. 6(1)(f) GDPR) — to keep the Service secure and diagnose crashes.
4. Who We Share Data With
We share the minimum data necessary with the following processors:
- Supabase — backend database, authentication, file storage. Servers in the EU.
- Firebase Cloud Messaging— delivering push notifications you've opted in to receive.
- Resend — sending transactional emails such as account confirmation and password reset.
- OpenStreetMap / Nominatim — reverse-geocoding coordinates into venue names when you choose to tag a rating with a location. Only the coordinates you explicitly share are sent.
- Vercel — hosting this website.
We do not sell your data. We do not share it with advertisers.
5. International Transfers
Some processors (e.g. Firebase) may transfer data outside the EU. In that case we rely on the EU Standard Contractual Clauses to ensure an equivalent level of protection.
6. Retention
We retain account data for as long as your account is active. You can delete your account at any time from the app settings; deletion removes your account data from our servers within 30 days. Content you've shared with a group may remain visible to group members in their own copies until they remove it.
7. Your Rights
You have the right to:
- access the data we hold about you;
- request correction of inaccurate data;
- request deletion of your data;
- object to or restrict processing;
- data portability (export in a machine-readable format);
- lodge a complaint with your local data protection authority.
To exercise any of these rights, contact us at privacy@sippd.xyz.
8. Security
We use TLS in transit, encrypted storage at rest, and role-based access controls on our backend. No online service is fully immune to compromise; we will notify affected users without undue delay in the event of a reportable breach.
9. Children
Sippd is not intended for users under the age of 18. We do not knowingly collect data from minors.
10. Changes
We may update this policy. Material changes will be announced in the app and posted here with an updated “Last updated” date.