Privacy
CellarMinder is a wine cellar for one household. It is not a business and it has no users to monetise. This page says what it stores, where that lives, and how to get rid of it — in plain words, because a page you can't read is not a disclosure.
What it stores
- If you sign in with Google: your Google account ID (an opaque number — the
sub), your email address, and the name the cellar owner gave you in his household list.
The email is stored for one reason, and it is a safety reason: it is how the owner can see which Google account is linked to a person, and therefore spot that the wrong one is. It is shown on the household page and nowhere else — it is never used to log you in, never used to look you up, and you will never be emailed, because nothing in this app sends mail. - Nothing else from your Google account. Not your profile picture, not your real name, not your contacts, not anything else Google offered.
- Wine. What the bottles are, where they came from, what they cost, and where they are in the rack.
- Ratings and tasting notes, attached to whoever gave them.
- If you are a guest at a party: your rating, and your first name only if you chose to type one. That is the whole list. See below — it is shorter than you expect.
- Paired devices (a printer relay, a cellar kiosk): a name the owner gave the device, and a hashed access token. Never the token itself.
It does not store your photos, your location, your IP address, an advertising ID, or a fingerprint of your phone. It sets no tracking cookies, because it does no tracking, and so there is no cookie banner to click.
Access tokens — the ones that let a device or an invite link do something — are stored hashed, never in a readable form. If someone stole a copy of the database, they would get a list of scrambled fingerprints they cannot use.
The label photos go to Google. Say it out loud.
When a bottle is photographed, the picture is sent to Google's Gemini API to read the label. That is the one place your data leaves this app, and it is the most important sentence on this page.
We never keep the photo.It lives in memory for the few seconds of the request and is gone — not written to a disk, not uploaded to storage, not put in a log. What survives is the text that came back: the wine's name, its vintage, its grape. What Google does with an image after we send it is Google's business, governed by their terms, not ours — which is exactly why the app never sends anything but a picture of a wine bottle.
An anonymous guest rating cannot be traced to you. On purpose.
If you rate a wine at a party and do not type a name, the rating is stored with the bottle. Nothing is stored with you: no account, no device ID, no fingerprint, no IP. There is no thread from that rating back to a person, and it is not a gap — it is the design. We know who someone is because they told us, not because we recognised their phone.
The honest consequence, which most privacy policies would leave you to discover: we cannot delete that rating on request, because we cannot find it. There is nothing linking it to you for us to search by. If you would rather be identifiable, type your first name — that is what the field is for, and it is the only way anyone learns who you are.
Where it lives
In Amazon DynamoDB, in a single AWS region, in an account belonging to the cellar's owner. It is encrypted at rest (AES-256, by AWS, always on) and encrypted in transit (HTTPS, no exceptions — the app will not speak plain HTTP).
Nobody but the household reads it. It is not shared, not sold, not syndicated, and there is no analytics vendor in the page. Apart from Google — for sign-in, and for reading label photos — the data goes nowhere.
How long it is kept
Wine, ratings and notes are kept until the owner deletes them. That is the point of a cellar book: a bottle drunk in 2019 is still worth remembering in 2029.
Pairing codes expire in minutes and delete themselves. A label photo does not survive the request that carried it.
Getting rid of it
Ask the owner — this is a house, not a helpdesk, and he is the one with the database. He can delete a wine, a bottle, a rating, or a member.
Unlinking a Google account from a member removes the login. It does not erase what that person said about a wine — those ratings stay with the person, which is the same reason they were worth recording.
And, again: an anonymous guest rating cannot be deleted on request, because there is no way to know which one was yours.
Changes, and what this page is not
This page describes what the code does today. When the code changes, this page changes with it.
It makes no claim to be a legal compliance document. It does not say the app is GDPR- or CCPA-compliant, because that is a statement no one here is qualified to make. It says what is stored and what is not, and each sentence is true.