
Privacy Policy

Last updated: April 25, 2026

⚠️ Plain-language notice

This document was drafted by the project maintainer without formal legal review. It describes our good-faith data practices but is not legal advice and may contain errors or omissions. If you need to rely on this Policy for a specific legal matter (GDPR/CCPA enforcement, etc.), please consult a qualified attorney.

🔒 Privacy by Design

Pourfolio is designed to minimize personal information in our database. Your email and password are held by our authentication provider (Supabase). Our database holds anonymous IDs, your wine data, and any display name you choose.

1. Who We Are

Pourfolio (“we,” “us,” “our”) operates the Pourfolio wine cellar management application at pourfolio.wine. Pourfolio is an independent personal project — not a registered business or commercial entity. It was built as a passion project to help wine enthusiasts manage their collections, and is offered free of charge with no ads, no paid tiers, and no monetization.

For the purposes of the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA), the project maintainer acts as data controller.

Contact: privacy@pourfolio.wine

2. What We Collect

Data We Store Directly

Data | Purpose | Stored Where
Anonymous user ID (UUID) | Link your data together | Our database
Display name (you choose) | Community features | Our database
Wine preferences & settings | Personalize your experience | Our database
Cellar data, ratings, wishlist, tasting sessions, favorite wineries, memberships | Core app functionality | Our database
Age verification (boolean) | Legal compliance | Our database

Data Held by Third Parties (Not in Our Database)

Data | Held By | Our Access
Email address | Supabase (auth provider) | Read-only for sending notifications
Password (hashed) | Supabase | None — we never see your password

Data We Do NOT Collect

  • Real name
  • Date of birth (only a boolean "age verified" flag)
  • Physical address
  • Phone number
  • Location / GPS data
  • Device fingerprints
  • Browsing history outside our app

3. How We Use Your Data

Purpose | Legal Basis (GDPR)
Provide core features (cellar tracking, ratings, tasting sessions, recommendations) | Contract performance
Personalize recommendations | Legitimate interest
AI sommelier responses | Legitimate interest / Consent
Drink window notifications | Legitimate interest
Age verification | Legal obligation
Prevent abuse and fraud | Legitimate interest

4. Who We Share Data With

We share data only with service providers necessary to operate Pourfolio:

Provider | Purpose | Data Shared
Supabase | Authentication, database hosting | Email, hashed password, app data
Resend (via Supabase) | Transactional email delivery | Email address (handled by Supabase, not stored by us). Used for password resets and email confirmations.
OpenAI | AI sommelier, label scanning | Wine queries and label photos (anonymized, no PII). Photos are processed and immediately discarded.
Microsoft Azure | Application hosting | Application data in transit/at rest
Cloudflare | DNS, DDoS protection, CDN | IP addresses (standard web traffic), no PII stored
Meilisearch | Wine search engine | Wine catalog data only (no user data)

Community Features: If you rate or review a wine, your display name and review content may be visible to other Pourfolio users on the Community page. Your display name is the only identifier shown — no email, real name, or profile photo is exposed. You can delete any review at any time from your My Ratings page.

We do NOT sell your personal information to anyone. We do not share data with advertisers, data brokers, or any third parties not listed above.

5. Your Rights

All Users

  • Access your data: Settings → "Export My Data" downloads everything we have
  • Delete your account: Settings → "Delete My Account" permanently removes all your data within 24 hours
  • Update your preferences: Changeable anytime in Settings

EU Users (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate personal data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interest
  • Restrict processing — request limitation of processing
  • Withdraw consent — where processing is based on consent
  • Lodge a complaint — with your local data protection authority

To exercise these rights, email privacy@pourfolio.wine or use the self-service tools in Settings.

California Users (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

  • Know what personal information we collect and how it's used
  • Delete your personal information
  • Opt out of sale — we do not sell your data, but you can confirm this in Settings
  • Non-discrimination — we will not treat you differently for exercising your rights
  • Correct inaccurate personal information
  • Limit use of sensitive personal information — we do not collect sensitive PI

To exercise these rights, email privacy@pourfolio.wine or use the self-service tools in Settings.

6. Data Retention

We retain your data for as long as your account is active. When you delete your account:

  • Your profile, cellar, ratings, tasting notes, wishlist, and memberships are permanently and irreversibly deleted within 24 hours
  • Your authentication record (email and password) is deleted from Supabase
  • Community contributions to the shared wine catalog (e.g. corrections, missing-wine submissions) are anonymized rather than deleted, since other users rely on the corrected data — attribution is replaced with "Anonymous Contributor"
  • Backups containing your data are purged within 30 days

If automatic deletion of your authentication record fails (e.g. a transient outage at our auth provider), the deletion request is logged and we complete it manually — your application data is removed regardless.

7. Data Security

We implement the following security measures:

  • Encryption in transit (TLS 1.3) and at rest
  • Database-level Row Level Security (users can only access their own data)
  • No personally identifiable information in our database or application logs
  • JWT-based authentication with token rotation
  • Rate limiting to prevent abuse
  • Regular dependency security scanning

In the event of a data breach: Because we minimize personal information in our database, the impact of a database-only incident is limited compared to typical apps. We will still notify affected users and relevant authorities within the timeframes required by GDPR (72 hours) and applicable US state laws.

8. Cookies and Tracking

Pourfolio uses minimal cookies:

  • Authentication token — required to keep you logged in. This is a functional cookie exempt from consent requirements under GDPR.
  • Local storage — stores your preferences (dark mode, units, rating scale). Not a cookie, but disclosed for transparency.

We do NOT use:

  • Analytics cookies (no Google Analytics, no Facebook Pixel)
  • Advertising cookies
  • Third-party tracking cookies
  • Device fingerprinting

9. International Data Transfers

Your data may be processed in the United States, where our servers are hosted. For EU users, we rely on:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses with our service providers

Our sub-processors (Supabase, Resend, OpenAI, Microsoft Azure, Cloudflare) maintain their own data transfer mechanisms in compliance with GDPR.

10. AI and Automated Processing

Pourfolio uses AI in two distinct ways that you should be aware of:

1. AI processing of your data. The AI Sommelier and recommendation features process your wine ratings, tasting notes, and cellar contents to generate personalized suggestions. This is automated processing of your data within the meaning of GDPR Article 22.

2. AI-generated reference content shown to you. Most descriptive content displayed in the app (wine descriptions, drink windows, grape profiles, region information, fun facts, etc.) is generated by large language models from public data sources. This content does not involve processing of your personal data, but it is AI-generated and may contain errors. See Section 6 of our Terms of Service for the full scope of AI-generated content and its limitations.

You have the right to:

  • Opt out of AI-powered personalized recommendations in Settings
  • Request human review of any automated decision that significantly affects you
  • Know the general logic behind recommendations (documented in our app)

AI features are informational only and do not make legally or financially significant decisions about you. AI-generated reference content should not be relied on for purchase, storage, aging, or service decisions of consequence.

11. Children's Privacy

Pourfolio is not intended for use by anyone under the legal drinking age. We do not knowingly collect personal information from minors. If you believe a minor has created an account, please contact us at privacy@pourfolio.wine and we will promptly delete the account.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service and updating the "Last updated" date. Your continued use after changes constitutes acceptance.

13. Contact Us

For privacy-related inquiries or to exercise your rights:

Email: privacy@pourfolio.wine

We aim to respond to all privacy requests within 30 days (or sooner where required by law).