Privacy Policy
What we collect
We collect information you give us directly when you sign up for an account, join the waitlist, or use the service. This includes your name, email address, password (hashed before storage), phone number, zip code, and — for collectors and restaurants — the additional profile data needed to operate the marketplace (inventory size, region focus, restaurant name and address, wine-program description). Restaurants and collectors also provide bank-account details to Stripe directly during payout and remittance setup; we receive an identifier, not the raw bank credentials.
We also collect technical data automatically when you use the service: device type, browser version, IP address, session identifiers, request logs, and security tokens (CSRF, session cookie). When a diner reserves a bottle, the reservation creates a transaction record connecting the diner, the bottle, and the restaurant; the diner's contact information is shared with the restaurant so they can confirm the reservation (see §3).
How we use it
We use the information we collect to operate the service, route bottle reservations to the correct restaurant, process payouts to collectors and platform fees to CellarList, send transactional email (confirmations, receipts, status updates, password resets), detect and prevent fraud and abuse, debug and improve the service, comply with legal obligations, and enforce our Terms of Service.
We do not use collected information to make automated decisions that produce legal or similarly significant effects about you without human review.
What we share
When a diner reserves a bottle at a participating restaurant, CellarList shares the diner's name and contact information with that restaurant for the limited purpose of confirming the reservation and serving the diner at the venue. Collectors do not see diner contact information. Diners do not see collector identity — collector anonymity is enforced by our marketplace operating procedures. Restaurants learn the identity of the collector whose bottle they are storing only under the limited disclosure rule in those procedures.
We may share aggregate, anonymized analytics about the marketplace — for example, total reservations per neighborhood, average list-to-sale time — that do not identify any individual user, collector, or restaurant.
We may also disclose information when required by law, valid legal process, or to protect the safety, rights, or property of CellarList, our users, or the public.
Third-party processors
CellarList relies on a small set of vendors to operate the service. Your information may be processed by these vendors for the purposes stated below:
- Stripe — payment processing, marketplace payouts, and bank-account verification. CellarList does not store full bank credentials; Stripe does.
- PostHog — privacy-preserving product analytics for the signed-in app. Configured cookieless (it writes nothing to your device) and keyed only to an opaque account identifier; we do not send your name, email, phone, or address. Used to understand how the product is used so we can improve it — never for advertising.
We also work with service providers for application hosting, database storage, file storage, transactional email, and, where restaurant operators opt in, automated extraction of wine-list content from photographs. These providers process information only as needed to deliver the service and only under their own terms and privacy policies. Diner and collector personal information is not sent to providers whose role does not require it.
We work to choose providers whose practices are designed to be compatible with applicable U.S. privacy expectations, pending counsel review.
Cookies and similar technologies
CellarList sets a small number of essential cookies and similar client-side storage entries: a session cookie that keeps you signed in, a CSRF token cookie that protects against cross-site request forgery, and a sessionStorage flag that records that you have confirmed you are 21 or older when you first visit a diner-facing page. The age-confirmation flag is per-tab and is cleared when you close the tab.
We do not use third-party advertising trackers and do not run cross-site advertising pixels. We use a cookieless product-analytics tool (PostHog) on the signed-in app to understand how the product is used; it is configured to store nothing on your device — no cookies, no local storage — and is keyed only to an opaque account identifier, so it requires no cookie banner. If we ever add cookie-based analytics or marketing email tracking, we will surface a cookie banner and a clear opt-out before the tracking is enabled.
Data retention
Account data and transaction history are retained for the lifetime of your account so you can review prior reservations, consignments, and payouts. Anonymous lead data (waitlist signups that do not result in confirmed accounts) may be retained for a limited period for fraud prevention and to prevent rapid re-signup abuse.
Operational logs (request logs, security event logs) are retained for a rolling window appropriate to the security and debugging needs of the service. Audit-log entries related to account or marketplace transactions are retained as long as the underlying account exists, and where required by tax or financial-recordkeeping law, longer.
Your rights
You can access and correct most of your account information from within the app's account settings. You can request deletion of your account by contacting us at the address below; we will close the account and delete personal data that is not subject to a legal retention obligation.
Because CellarList facilitates real-money transactions between restaurants, collectors, and the platform, certain transaction records (sales, payouts, dispute outcomes, audit-log entries) may be retained for legal, tax, and financial-recordkeeping compliance even after you close your account. We will surface the scope of any such retention when you request deletion.
Children's privacy
CellarList is intended exclusively for users 21 years of age or older — the federal minimum drinking age in the United States. We do not knowingly collect personal information from anyone under 21. Diner-facing pages enforce age affirmation at signup. If we learn that we have collected personal information from a person under 21, we will delete that information from our systems.
California and New York residents
California residents may have additional rights under the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act, and New York residents may benefit from obligations CellarList holds under the New York SHIELD Act.
California and New York residents may exercise statutory rights by contacting privacy@cellarlist.com; we will respond as the law requires.
Security
CellarList serves all traffic over TLS. Database storage, file storage, and payment data are encrypted at rest by the providers that host them. Passwords are hashed before storage. Two-factor authentication is available on every account and is required for operator and administrative roles. We continue to improve our security practices and welcome reports of vulnerabilities at security@cellarlist.com. No system is perfectly secure; we cannot guarantee absolute protection against unauthorized access.
Email and notifications
CellarList sends two kinds of email: transactional email related to your account or transactions (password resets, reservation confirmations, sale receipts, payout notifications, dispute outcomes), and — if you opt in to it in the future — marketing or product email.
Transactional email cannot be opted out of while you have an active account, because it is required for the service to function. Marketing email, when introduced, will include a one-click unsubscribe link in every message and will honor opt-out within a reasonable period.
International users
CellarList is built for the United States market. We do not offer the service to users outside the United States, and international users access it at their own risk. EU residents specifically: CellarList does not yet implement a GDPR-rights mechanism (controller representative, data-portability export, full purpose-and-basis disclosure).
Changes to this policy
We will notify users of material changes to this Privacy Policy via email or in-product notice prior to the effective date of the change. Non-material changes — for example, clarifying language, fixing typographical errors, or updating contact information — may be made without notice. Continued use of the service after a material change becomes effective means you accept the change.
Contact
Privacy questions can be sent to privacy@cellarlist.com. TODO: confirm the privacy contact address and any required registered-office disclosures once counsel review is complete.