Privacy Policy
1. Data controller
SUDAMERICO, Société par Actions Simplifiée (SAS), is the data controller for the processing described in this Policy.
- SIREN: 831 183 538
- Registered office: 33 rue de la République, Allée B, 69002 Lyon, France
- Contact: bruno@vinalitica.com
GDPR (Art. 37) does not require us to appoint a Data Protection Officer (DPO) for our processing activities. Bruno Colbalchini handles privacy matters and can be reached at the email above.
2. Data we collect
| Category | Examples |
|---|---|
| Identification | Email, full name, organization name, professional role |
| Authentication | Hashed password (if set), session/refresh tokens, OAuth identity (Google sign-in if used) |
| Technical | IP address at login, browser type, language preference |
| Usage | Pages visited, searches performed, downloads (timestamp + size), queries sent to Baco AI |
| Billing | Subscription plan, invoice information (handled by payment processor, not stored in our systems) |
| Communications | Emails sent to support, queries to Baco AI |
3. Purposes & legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Account creation and authentication | Contract (Art. 6.1.b) |
| Service delivery (data access, reports, downloads) | Contract (Art. 6.1.b) |
| Quota enforcement and abuse prevention | Legitimate interest (Art. 6.1.f) |
| Aggregated analytics (improve platform) | Legitimate interest (Art. 6.1.f) |
| Transactional emails (signup confirmation, password reset) | Contract (Art. 6.1.b) |
| Marketing emails (new features, promotions) | Consent (Art. 6.1.a) — only if you opt in |
| Legal obligations (accounting, tax) | Legal obligation (Art. 6.1.c) |
4. Cookies
Cookies actively used
| Cookie or storage key | Purpose | Duration |
|---|---|---|
| sb-access-token | User authentication (Supabase JWT) | 60 days, refreshed automatically |
| sb-refresh-token | Session refresh (Supabase) | 60 days |
| vh_lang | Language preference (localStorage) | Persistent until cleared |
| vh_seen_welcome | First-visit popup state | 365 days |
| vh_pwd_banner_dismissed | Password tip banner state | 90 days |
What we DO NOT use
- ❌ Google Analytics or any third-party analytics tracker
- ❌ Facebook Pixel, LinkedIn Insight, or any marketing/advertising cookies
- ❌ Behavioral tracking across other websites
- ❌ Sale of data to third parties
5. Sub-processors
To deliver our services, we rely on the following sub-processors. Each is bound by a Data Processing Agreement (DPA) and complies with GDPR.
| Provider | Service | Location |
|---|---|---|
| Supabase Inc. | Authentication + database | USA / EU (data hosted in EU by default for our project) |
| Railway Corp. | Application hosting | USA (with EU data center option) |
| Anthropic PBC | AI (Baco assistant — Claude API) | USA |
| Brevo SAS | Transactional & marketing emails | France 🇫🇷 |
| Google LLC | Sign-In with Google (optional) | USA / EU |
Transfers outside the EU
Some sub-processors are based in the USA. Transfers are protected by:
- Standard Contractual Clauses (SCC) approved by the European Commission
- For Anthropic specifically: data is processed via API calls for the duration of your query only and is not used for model training (per Anthropic's enterprise agreement)
- For Google Sign-In: Google provides us only your identity (email, name); we never send your activity inside Vinalitica to Google
6. Data retention
| Data category | Retention period |
|---|---|
| Account data (email, profile) | Duration of subscription + 24 months after termination |
| Authentication tokens | Up to 60 days (auto-rotated) |
| Usage logs (downloads, page views) | 24 months |
| Baco AI query history | 24 months |
| Billing records | 10 years (French accounting law obligation) |
| Marketing email subscribers | Until you unsubscribe |
7. Your rights
Under GDPR, you have the following rights regarding your personal data:
Right of access (Art. 15)
You can request a copy of the personal data we hold about you.
Right of rectification (Art. 16)
You can request correction of inaccurate or incomplete data.
Right of erasure / "right to be forgotten" (Art. 17)
You can request deletion of your data. Note that some data may be retained for legal obligations (accounting, fraud prevention).
Right to restriction of processing (Art. 18)
You can request that we limit how we use your data (e.g., during a dispute over accuracy).
Right to data portability (Art. 20)
You can request your data in a structured, commonly-used, machine-readable format (e.g., CSV or JSON).
Right to object (Art. 21)
You can object to processing based on legitimate interest. We will stop unless we demonstrate compelling legitimate grounds.
How to exercise your rights
Send your request to bruno@vinalitica.com. We will respond within one month, as required by GDPR Article 12(3). You may be asked to verify your identity before we act on the request.
8. Right to lodge a complaint
If you believe your data is not being handled properly, you have the right to lodge a complaint with:
- CNIL (Commission Nationale de l'Informatique et des Libertés), the French data protection authority: 3 place de Fontenoy, 75007 Paris, France, www.cnil.fr
- Or your local data protection authority in your EU country of residence
We encourage you to contact us first so we can address your concerns.
9. Security
We implement reasonable technical and organizational measures to protect your data:
- TLS (HTTPS) encryption for all communications in transit
- Hashed passwords (bcrypt via Supabase Auth); only the hash is stored, never your plaintext password
- Database encryption at rest
- Restricted admin access with audit logs
- Regular security updates
No system is 100% secure. If a personal data breach occurs, we will notify the CNIL within 72 hours of becoming aware of it (GDPR Article 33) and, where the breach is likely to result in a high risk to your rights and freedoms, notify you directly without undue delay (GDPR Article 34).
10. Children
Vinalitica is a B2B platform intended for professionals in the wine industry. We do not knowingly collect data from individuals under 18. If we become aware that we have collected data from a minor, we will delete it promptly.
11. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email. Continued use of the service after notification constitutes acceptance of the new Policy.