Privacy Policy

Last updated: 7 May 2026

1. Who We Are

SommelAI Ltd ("we", "us", "our") is a company registered in England and Wales. We operate the SommelAI mobile application ("the App").

Contact: hello@sommel.ai

2. What Data We Collect

We collect and process the following personal data:

• Account information: Your name and email address when you create an account.
• Wine preferences and ratings: Wines you rate, tasting notes you write, and your taste profile generated from these ratings.
• Wine cellar data: Wines you add to your digital cellar, including names, producers, regions, vintages, and quantities.
• Flight data: Wine flights you create, including wine details, tasting scripts, and audio cache identifiers.
• Images: Photos of wine labels you capture or upload for wine identification. These are processed in real-time and not stored on our servers.
• Voice data: When you use the "Hey Sidney" feature, your voice is processed by your device's built-in speech recognition framework (Apple's Speech framework on iOS, Google's SpeechRecognizer on Android). On iOS this is typically processed on-device; on Android it may be processed via Google's cloud speech service depending on your system settings. Voice audio is not transmitted to our servers. Only the transcribed text of your question is sent to OpenAI for processing.
• Device information: Device type, operating system version, and app version for debugging and compatibility purposes.
• Usage data: How you interact with the App (features used, session duration) to improve the service.

3. How We Use Your Data

We use your data for the following purposes:

• To provide the service: Identifying wines, generating tasting scripts, creating taste profiles, suggesting wines, and generating food pairing recommendations.
• To personalise your experience: Building your taste profile from your ratings to provide better wine suggestions.
• To enable sharing: When you share a flight via QR code, the wine names, producers, regions, vintages, and other wine details are encoded in the QR code. No personal data is included in shared QR codes.
• To sync your data: On platforms that support it (currently iOS), your wine ratings, cellar, and flights may be synced across your devices via your platform's cloud-sync service (Apple iCloud/CloudKit on iOS). Synced data is stored in your personal cloud account and is governed by your platform provider's privacy policy. On Android, data is currently stored locally on your device only.
• To improve the App: Analysing aggregate usage patterns to improve features and fix issues.

4. Legal Basis for Processing (UK GDPR)

• Contract: Processing necessary to provide you with the service you signed up for (wine identification, tasting guidance, cellar management).
• Legitimate interest: Improving the App, fixing bugs, and ensuring security.
• Consent: For optional features such as microphone access (Hey Sidney) and camera access (wine label scanning). You can withdraw consent at any time via your device Settings.

5. Third-Party Data Processors

We share data with the following third parties to provide our service:

AI Service Providers

To deliver SommelAI's core features (wine identification, tasting narration, food pairing, recommendations, and the "Ask Sidney" / "Hey Sidney" Q&A), the App relies on third-party AI services. The following data may be sent for processing:

• Wine label images (for identification - processed in real-time, not retained)
• Wine details (names, regions, grapes, tasting notes) for script and recommendation generation
• Your questions when using "Ask Sidney" or "Hey Sidney"
• Your rated wines and preferences for taste profile and suggestion generation

We minimise the data sent to AI services - we do not send your name, email, or any personal identifiers. Only wine-related data necessary for the specific feature is transmitted, and the providers we use confirm that data sent via their APIs is not used to train their models.

International transfer: Some processing occurs outside the United Kingdom, including in the United States. Where this happens, we rely on adequacy decisions, standard contractual clauses, or equivalent safeguards under UK GDPR, including the UK Extension to the EU-US Data Privacy Framework where applicable.

Platform Cloud Sync

On iOS, your wine ratings, cellar, flights, and tasting notes are synced via Apple's CloudKit. This data is stored in your personal iCloud account and is encrypted in transit and at rest. Apple's handling of this data is governed by Apple's Privacy Policy. On Android, data is currently stored locally on your device only — no cloud sync is performed.

App Stores and In-App Purchases

The App is distributed through Apple's App Store (iOS) and Google Play (Android). If you make purchases through the App, payment processing is handled entirely by the respective store provider (Apple or Google). We do not receive or store your payment card details. Each store's handling of payment data is governed by its own privacy policy.

6. Data Storage and Retention

• On-device storage: Your wine ratings, cellar, flights, tasting notes, and cached audio are stored locally on your device using your platform's local storage framework (Core Data on iOS, Room on Android).
• Cloud sync (iOS only): On iOS, the same data is synced to your iCloud account for backup and multi-device access. On Android, data remains on the device.
• We do not operate our own servers for user data storage. Your data lives on your device and, on iOS, in your iCloud account.
• Draft flights: Unfinished flights are stored temporarily on your device and are deleted when you complete or discard them.
• Device authentication key: A cryptographic key generated and stored securely on your device on first launch, used to verify your installation when accessing AI features. This never leaves your device.

We retain your data for as long as you use the App. If you delete the App, your local data is removed. On iOS, your iCloud data can be managed through your iCloud settings.

7. Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the following rights:

• Right of access: Request a copy of your personal data.
• Right to rectification: Request correction of inaccurate data.
• Right to erasure: Request deletion of your data ("right to be forgotten").
• Right to restrict processing: Request that we limit how we use your data.
• Right to data portability: Request your data in a machine-readable format.
• Right to object: Object to processing based on legitimate interest.
• Right to withdraw consent: Withdraw consent for camera, microphone, or speech recognition at any time via your device Settings.

To exercise any of these rights, contact us at hello@sommel.ai. We will respond within 30 days.

8. Cookies

Our website uses localStorage (not cookies) solely to manage access to the early access preview section. No tracking cookies are used. No analytics cookies are used.

9. Children's Privacy

SommelAI is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will delete it promptly.

10. Data Security

We take appropriate technical and organisational measures to protect your data:

• All communication with our backend and with OpenAI's API is encrypted via HTTPS/TLS.
• Cloud-synced data on iOS (iCloud) is encrypted in transit and at rest by Apple.
• On-device data is protected by your device's passcode and biometric security.
• We do not store passwords. Where account authentication is offered, it is handled by your platform's identity provider (Sign in with Apple on iOS).

11. Data Breach Procedures

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach.
• Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

12. Complaints

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):

• Website: ico.org.uk/make-a-complaint
• Telephone: 0303 123 1113

13. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes through the App or via email. The "Last updated" date at the top of this page indicates when this policy was last revised.

14. Contact Us

SommelAI Ltd
Email: hello@sommel.ai