Privacy Policy

This Policy applies to personal information we collect through the Platform from:

• Store Operators — licensed retailers who subscribe to the Platform, use the dashboard, and manage their online store.
• Shoppers — individuals who browse, create an account, place an order, or pick up an order through a Store Operator’s Storefront.
• Visitors — anyone else who interacts with our marketing site, blog posts, support channels, or public pages.

This Policy does not describe data practices of Store Operators when they use personal data outside the Platform, of payment networks, of third-party websites, or of any entity that links to or is linked from the Platform but is not operated by us.

For information we collect to provide our own services (such as operating the Platform, securing the infrastructure, authenticating Store Operators, and administering subscriptions), we are the business or “controller.”

For information collected and used by Store Operators through a Storefront (such as a Shopper’s account with that specific retailer, order details, pickup preferences, and customer-service interactions), the Store Operator is the business or controller of that data and is responsible for its privacy practices. We process that data on the Store Operator’s behalf as a “service provider” or “processor.”

If you are a Shopper and want to exercise privacy rights regarding the data a specific Store Operator holds about you, please contact that Store Operator directly. We will support them as required and may also acknowledge or forward your request.

3.1 Information You Provide

• Account information — name, username, email address, password (always stored hashed, never in plaintext), phone number, and, where applicable, date of birth.
• Identity and age attestation — the fact that you attested to being at least 21 years old when using a Storefront.
• Store-operator information — business name, store slug, address, license details provided during onboarding, Stripe Connect account identifiers, and any store-level content you upload (logos, product data, hours, contact info).
• Order and checkout information — items, quantities, pickup type, scheduled pickup time, customer notes, contact details for guest checkout, and order status history.
• Support and communications — messages you send to us or to a Store Operator through the Platform, feedback forms, and any information you volunteer in correspondence.

3.2 Information Collected Automatically

• Device and connection data — IP address, user-agent string, device type, approximate location inferred from IP, referrer URL, and language preference.
• Usage data — pages visited, features used, timestamps, search queries you type into the storefront search bar, click and scroll events necessary to diagnose issues, and aggregated analytics.
• Cookies and local storage — authentication tokens, cart contents, customer session data, preferences, and a flag indicating whether the age-verification gate has been passed. See Section 9.
• Server logs — timestamped records of requests and errors used for debugging, abuse prevention, and security monitoring.

3.3 Information From Third Parties

• Payment processors (Stripe) — transaction identifiers, payment status, last four digits of a card and card brand, dispute and chargeback events. We do not store full card numbers on our servers; those are handled by Stripe in a PCI-DSS-compliant environment.
• Email delivery providers (Resend and its underlying infrastructure) — delivery, open, and bounce events for transactional emails.
• Analytics (Vercel Analytics) — page-level traffic information in aggregate form.

3.4 Categories of “Personal Information” under CCPA/CPRA

For California residents, the categories of personal information we have collected in the past 12 months correspond to: identifiers (e.g., name, email, IP address); customer records (e.g., phone number, account credentials); commercial information (e.g., purchase history); internet or network activity (e.g., browsing history on the Platform); geolocation (inferred from IP); and inferences drawn from the above (e.g., likely product interest). We do not knowingly collect sensitive personal information such as Social Security numbers, precise geolocation, biometric data, or genetic data.

We collect information directly from you when you sign up, place an order, complete a form, or contact us; automatically when you interact with the Platform through a browser or device; and from third-party providers listed in Section 8, including Stripe (payment events), Resend (email delivery events), and Vercel (aggregate analytics).

• To operate, maintain, secure, and improve the Platform and its features;
• To create and authenticate accounts, including hashing and storing credentials, issuing session tokens, and verifying login attempts;
• To process subscriptions, online orders, refunds, and payouts (through Stripe);
• To send transactional communications such as order confirmations, pickup reminders, cancellation notices, refund confirmations, and password-reset emails;
• To help Store Operators fulfill orders and communicate with their Shoppers;
• To detect, investigate, and prevent fraud, abuse, unauthorized access, and violations of our Terms of Service;
• To comply with legal and regulatory obligations, respond to lawful requests, and enforce our rights;
• To provide customer support and respond to questions, feedback, and complaints;
• To generate aggregated, de-identified analytics that help us understand usage and product performance;
• To apply machine-learning models to Store Operator product-catalog data for purposes such as matching products against our master catalog (see Section 10); and
• Where permitted, to send product updates or marketing communications; you can opt out of marketing at any time by following the unsubscribe link in the email or contacting us.

Depending on the circumstances and applicable law, we process personal information under the following legal bases or purposes: (a) performance of a contract (to provide the Platform you subscribed to or the order you placed); (b) our legitimate interests (to secure and improve the Platform and prevent fraud), balanced against your rights; (c) compliance with a legal obligation (for example, tax recordkeeping or responding to valid legal process); and (d) your consent (for example, for optional marketing, where consent is required).

We share personal information only in the following circumstances:

• With the relevant Store Operator — when you place an order through a Storefront, the Store Operator receives the information needed to fulfill the order (name, contact details, order contents, and pickup preferences).
• With service providers and subprocessors — we share data with third parties that host our infrastructure or deliver specific functions on our behalf, under contracts that require them to protect your information and use it only for the purposes we specify. See Section 8.
• With payment networks — Stripe, card networks, and acquiring banks process payments, payouts, refunds, and disputes.
• For legal and safety reasons — we may share information to comply with a law, subpoena, court order, or other valid legal process; to enforce our Terms; to respond to a claimed violation of law; or to protect the rights, property, or safety of us, our users, or the public.
• In a business transaction — if we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business or assets, we may disclose and transfer personal information to the counterparty, subject to customary confidentiality protections.
• With your consent — we will share information for additional purposes with your consent.

We do not “sell” personal information in the sense used by the California Consumer Privacy Act, and we do not share personal information with third parties for their own cross-context behavioral advertising.

We currently rely on the following categories of subprocessors:

We may update this list from time to time. Material changes will be reflected in an updated version of this Policy.

We use cookies and browser local-storage mechanisms for essential functions such as keeping you signed in, remembering your cart contents between sessions, remembering that you have passed the 21+ age-verification gate, and ensuring the Platform works correctly across subdomains. We also use a small number of performance and security cookies.

Most browsers allow you to block or delete cookies and to clear local storage. Disabling these mechanisms may prevent parts of the Platform from working — for example, you may be unable to stay signed in or complete a checkout.

We use machine-learning models to assist Store Operators with bulk product imports. When a Store Operator uploads a CSV file from their point-of-sale system, models hosted on Google Cloud (Vertex AI) help detect column roles, extract structured product attributes such as name, brand, size, and category, and match the extracted products against our master catalog using vector similarity.

The output is a suggested mapping that the Store Operator reviews before confirming. These models do not make decisions that produce legal or similarly significant effects about individual Shoppers, and we do not use them to evaluate Shoppers or to determine whether to provide a service to them.

We do not train third-party AI models on your personal information.

We retain personal information only for as long as needed to provide the Platform and for the purposes described in this Policy, including to comply with legal obligations, resolve disputes, and enforce our agreements.

Typical retention timelines:

• Account records — while the account is active, plus a reasonable period after closure to defend against disputes and comply with law.
• Orders and transaction records — for the period required by applicable tax, accounting, and alcohol-beverage recordkeeping rules, typically several years.
• Password-reset tokens — expire within 30–60 minutes of issuance and are marked used or expired; the underlying rows are retained briefly for audit.
• Server logs — short-lived, typically thirty (30) to ninety (90) days.
• Support and correspondence records — kept for a reasonable period after resolution.

When we no longer need personal information, we delete it or take steps to irreversibly de-identify it.

We use administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, alteration, disclosure, and destruction. These include: HTTPS in transit, encryption at rest for managed database storage, bcrypt-hashed passwords, SHA-256-hashed single-use password-reset tokens, tokenized payment handling by Stripe, role-based access controls, audit logging, and regular dependency and vulnerability review.

No method of transmission or storage is completely secure. You are also responsible for protecting your own credentials and device. If you believe your account has been compromised, please contact us immediately.

Depending on where you live and applicable law, you may have one or more of the following rights regarding personal information that we control as a business:

• Right to know / access — request confirmation of whether we process your information and obtain a copy, along with information about the categories, sources, purposes, and recipients.
• Right to delete — request deletion of personal information we collected from you, subject to statutory exceptions.
• Right to correct — request correction of inaccurate or incomplete personal information.
• Right to portability — request a copy of personal information in a portable, machine-readable format where applicable.
• Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising, but the right remains yours to exercise under state law.
• Right to limit use of sensitive personal information — we do not knowingly collect sensitive personal information.
• Right to non-discrimination — we will not discriminate against you for exercising any of these rights.
• Right to appeal — in states that grant an appeal right (such as Virginia, Colorado, and Connecticut), you may appeal our decision in response to your request.

These rights apply to information for which FineWinesLiquors is the controller. Where a Store Operator is the controller (for example, your account at that specific store), please submit requests to that Store Operator. We will assist them as required.

To submit a privacy request, email support@finewinesliquors.com with the subject “Privacy Request.” Please include enough information for us to verify your identity and locate your records (for example, the email address associated with your account and, if applicable, the Storefront slug).

We will respond within the timelines required by applicable law, typically within forty-five (45) days, and may extend once where permitted. If we cannot verify your identity, we may ask for additional information or decline the request. If we decline, we will explain why, and (where available) how to appeal.

You may authorize an agent to act on your behalf. We will ask to verify both your identity and the agent’s authority.

The Platform is intended only for adults aged 21 or older. We do not knowingly collect personal information from anyone under 13, and we do not permit anyone under 21 to create an account or place an order. If you believe a child under 13 has provided us personal information, please contact us and we will take appropriate steps to delete it.

The Platform is operated for users in the United States. If you access it from outside the United States, you understand that your information will be transferred to, processed in, and stored in the United States, which may have data-protection rules different from those in your country. We do not hold ourselves out to be compliant with the European Union General Data Protection Regulation for consumer-facing operations and do not intend to offer the Platform in countries where such operation would be unlawful.

Because there is no consistent industry or legal standard for recognizing or honoring Do-Not-Track signals, we do not currently respond to them. We may revisit this position if a broadly accepted standard is adopted.

We may update this Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For material changes, we will provide additional notice (for example, by email or a Platform notification). Your continued use of the Platform after the effective date of an updated Policy constitutes acceptance of the changes.

If you have questions about this Policy or our privacy practices, contact us at support@finewinesliquors.com.

For legal or official notices, please include “Privacy” in the subject line. Our Terms of Service complement this Policy.