Privacy Policy
Introduction
With this privacy policy, we explain which types of your personal data (hereinafter also referred to as “data”) we process for which purposes and to what extent as part of the provision of our mobile application “Wine Scanner AI” (hereinafter “the App”), available on the Apple App Store and Google Play Store, and our website winescanner.ai and other (hereinafter “the Website”). Together, the App and the Website are referred to as “our Services”.
The terms used are not gender-specific.
Status: February 2, 2026
Contents
- Introduction
- Responsible
- Overview of Processing
- Relevant Legal Bases
- Security Measures
- Use of Artificial Intelligence (Google Gemini)
- Transmission of Personal Data
- Data Processing in Third Countries
- Deletion of Data
- Use of Cookies
- Provision of the Website and Web Hosting
- Device Identification and User Account
- In-App Purchases and Subscriptions
- Analytics and Crash Reporting
- Push Notifications
- IP Geolocation
- Email Collection and Marketing
- Contact and Inquiry Management
- Web Analysis, Monitoring and Optimization
- Changes to This Privacy Policy
- Rights of Data Subjects
- Definition of Terms
Responsible
Christian Kapp
Kriemhildenstr. 2
67240 Bobenheim-Roxheim, Germany
Authorized representative: Christian Kapp
Email: info@superm.com
Imprint: https://superm.com/impressum/
Overview of Processing
Types of Data Processed
- Device identifiers (anonymous device ID)
- Email addresses
- Usage data (scans, ratings, comments, websites visited, access times)
- Photographs of wine labels
- Country information (derived from IP address)
- Subscription and purchase data
- Push notification tokens
- Technical metadata (device type, OS version, browser type, crash logs)
- Meta/communication data (IP addresses, device information)
Categories of Data Subjects
- Users of the App
- Visitors of the Website
- Communication partners
Purposes of Processing
- Providing AI-powered wine identification and food pairing features
- Maintaining a personal wine collection for the user
- Managing subscriptions and in-app purchases
- Delivering push notifications
- App and web analytics to improve our Services
- Crash reporting to identify and fix technical issues
- Provision of the Website and web hosting
- Responding to contact requests and inquiries
- Direct marketing (with consent)
- Security measures and fraud prevention
Relevant Legal Bases
We process personal data in accordance with the General Data Protection Regulation (GDPR). The following legal bases apply:
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent for a specific purpose (e.g., email marketing opt-in, push notifications, use of analytics cookies).
- Performance of a contract (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of the service (e.g., providing wine scanning features, managing subscriptions).
- Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which we are subject.
- Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for our legitimate interests (e.g., analytics, crash reporting, security, proper operation of our Services), unless overridden by the data subject’s rights.
In addition to the GDPR, the German Federal Data Protection Act (BDSG) and applicable state data protection laws may apply.
Security Measures
We implement appropriate technical and organizational measures to ensure a level of data protection appropriate to the risk, taking into account the state of the art, implementation costs, and the nature and purposes of processing.
These measures include in particular:
- Securing the confidentiality, integrity, and availability of data by controlling physical and electronic access.
- All data transmitted between the App or Website and our servers is encrypted using TLS (HTTPS). You can recognize such encrypted connections by the prefix https:// in the address line of your browser.
- Wine label images are processed on our secure backend servers and are not stored beyond what is necessary to provide the service.
- Device identifiers are anonymous and cannot be used to identify an individual person.
- We have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data threats.
Use of Artificial Intelligence (Google Gemini)
The App uses artificial intelligence to identify wines from photographs of their labels and to suggest food-wine pairings. This section explains how AI is used and how your data is handled in this process.
How It Works
When you scan a wine label or use the food pairing feature, the App sends the photograph of the wine label to our own backend server (winescanner.ai). Our server then forwards the image to Google’s Gemini AI service for analysis. Gemini processes the image to identify the wine and returns structured information such as wine name, winery, grape variety, region, tasting notes, and estimated pricing.
What Data Is Sent to Google Gemini
- Wine label photographs only. The images sent to Gemini contain photographs of wine bottle labels. No selfies, portraits, or images of people are intentionally captured or transmitted.
- Country code (e.g., “US”, “DE”) is included in the analysis prompt for wine identification context only.
What Data Is NOT Sent to Google Gemini
No personal data is transmitted to Google Gemini. Specifically, the following are never sent to Gemini:
- Your name or email address
- Your device identifier
- Your IP address (our backend server makes the request to Gemini, not your device directly)
- Your wine collection, ratings, or comments
- Your subscription status or purchase history
- Any other personally identifiable information
Purpose and Legal Basis
The AI processing serves exclusively to enrich wine information and provide you with detailed wine data based on the label image. This processing is necessary for the performance of the App’s core service.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
Disclosure Regarding AI-Generated Content
In accordance with Apple’s App Store guidelines, we disclose that the App uses third-party AI services (Google Gemini) to provide its wine identification and food pairing features. The AI processes wine label images only and does not receive, store, or learn from any personal user data. AI-generated results — including wine descriptions — are informational in nature and may not always be fully accurate. Users should verify information independently where precision is important.
Service provider: Google LLC / Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy policy: https://policies.google.com/privacy
Transmission of Personal Data
As part of our processing of personal data, data may be transmitted to other bodies, companies, or service providers. These include:
- Our backend server (winescanner.ai, hosted by STRATO) – for storing wine collections, scans, ratings, and comments.
- Google (Firebase) – for app analytics, crash reporting, and push notification delivery.
- Google (Analytics) – for website analytics.
- Google (Gemini) – for AI-powered wine identification (wine label images only, no personal data).
- RevenueCat – for managing in-app subscriptions and purchases.
- Apple App Store / Google Play Store – for processing subscription and in-app purchase payments.
- EmailOctopus – for sending marketing emails to opted-in users.
- STRATO – for web hosting and server infrastructure.
We observe legal requirements and conclude appropriate contracts or agreements with service providers to protect your data.
Data Processing in Third Countries
Some of the service providers we use (such as Google, RevenueCat, and EmailOctopus) may process data outside the European Union or European Economic Area. This processing only takes place in accordance with legal requirements, including on the basis of EU Standard Contractual Clauses, adequacy decisions by the EU Commission, or binding internal data protection regulations (Art. 44–49 GDPR).
Further information: EU Commission – International Dimension of Data Protection.
Deletion of Data
Data we process will be deleted in accordance with legal requirements as soon as consent is revoked or other permissions no longer apply (e.g., if the purpose of processing has ceased). If data must be retained for other legally permissible purposes (e.g., retention obligations under tax or commercial law), processing will be restricted to those purposes until the retention period expires.
The statutory retention period is ten years for documents relevant to tax law and six years for commercial and business correspondence. The period begins at the end of the calendar year in which the relevant event occurred.
You may delete individual wine entries from your collection within the App at any time. If you wish to have all your data deleted from our servers, please contact us at the email address provided above.
Use of Cookies
Cookies are small text files or other storage mechanisms that store information on your device and read information from it. Cookies can be used for various purposes, such as functionality, security, and the creation of visitor analytics.
Note: This section applies to our Website (winescanner.ai). The App itself does not use cookies.
Consent: We use cookies in accordance with legal regulations. We obtain prior consent from users, except where the storage and reading of information is strictly necessary to provide the service the user has expressly requested (e.g., session management).
Legal basis: If users consent, the legal basis is declared consent (Art. 6(1)(a) GDPR). Otherwise, cookies are processed on the basis of our legitimate interests in the operation and improvement of our Website (Art. 6(1)(f) GDPR).
Storage period:
- Session cookies: Deleted when the user closes the browser or ends the session.
- Persistent cookies: Remain stored after the browser is closed. For example, login status or user preferences may be saved. Unless otherwise specified, users should assume that persistent cookies may be stored for up to two years.
Revocation and opt-out: Users can revoke their consent at any time. Users may also manage cookies through their browser settings, including disabling cookies entirely (which may limit the functionality of our Website). Users can also object to the use of cookies for online marketing purposes via https://optout.aboutads.info and https://www.youronlinechoices.com/.
Provision of the Website and Web Hosting
We process user data to make our Website available. For this purpose, we process the IP address of the user, which is necessary to transmit the content and functions of the Website to the user’s browser or device.
Collection of Access Data and Log Files
Access to our Website is recorded in the form of server log files. These may include the address and name of the retrieved pages and files, date and time of retrieval, data volumes transferred, notification of successful retrieval, browser type and version, operating system, referrer URL (the previously visited page), and IP address.
Server log files are used for security purposes (e.g., to prevent server overload and DDoS attacks) and to ensure server stability. Log file information is stored for a maximum of 30 days and then deleted or anonymized, unless further retention is required for evidence purposes.
STRATO
Our Website and backend server are hosted by STRATO.
Service provider: STRATO AG, Pascalstraße 10, 10587 Berlin, Germany.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Website: https://www.strato.de
Privacy policy: https://www.strato.de/datenschutz
Data processing agreement: Provided by the service provider.
- Types of data processed: Usage data (e.g., pages visited, access times); meta/communication data (e.g., device information, IP addresses).
- Persons affected: Users and visitors.
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Device Identification and User Account
The App does not require a traditional user account with a username and password. Instead, the App uses an anonymous device identifier to associate your wine collection and usage data with your device:
- iOS: Apple’s Identifier for Vendor (IDFV)
- Android: Android ID
This identifier is anonymous and cannot be used by us to determine your real-world identity. It is stored locally on your device and transmitted to our server to manage your wine collection and subscription status.
Email address: During the App’s onboarding, you are asked to provide your email address. This email is stored locally on your device and is used for customer support, subscription management, and — if you opt in — marketing communications.
Note: If you uninstall and reinstall the App, or switch devices, your device identifier may change, and your previous wine collection may no longer be accessible. It is the user’s responsibility to back up any data they wish to retain.
- Types of data processed: Device identifier, email address, usage data (scans, ratings, comments).
- Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
In-App Purchases and Subscriptions
The App offers optional paid features:
- Subscriptions (monthly or annual “Wine Scanner AI Pro”) — providing unlimited scans, full wine collection access, and community features.
- One-time scan packs — providing a set number of additional scan credits.
All purchases are processed through the Apple App Store (for iOS) and the Google Play Store (for Android) using their respective in-app purchase systems. We do not directly collect or store any payment information such as credit card numbers, bank account details, or billing addresses. All payment processing, billing, refunds, and subscription management (including cancellation) are governed by the terms and conditions of Apple or Google respectively:
Subscriptions automatically renew unless cancelled at least 24 hours before the end of the current billing period. You can manage or cancel your subscription at any time through your device’s App Store or Google Play settings.
We use RevenueCat as a subscription management service to verify and synchronize subscription status across platforms.
- Types of data processed: Subscription status, purchase receipts (processed by RevenueCat), device identifier, email address.
- Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
Service provider: RevenueCat, Inc., San Francisco, CA, USA.
Privacy policy: https://www.revenuecat.com/privacy
App Analytics and Crash Reporting
We use Firebase services provided by Google to understand how the App is used and to identify and fix technical issues.
Firebase Analytics
Firebase Analytics automatically collects anonymized usage data such as app opens, session duration, device type, and operating system version. This data helps us improve the App’s functionality and user experience. No personally identifiable information is collected through Firebase Analytics.
Firebase Crashlytics
Firebase Crashlytics automatically collects crash reports and error logs when the App encounters a technical problem. This includes device type, operating system version, and the technical state of the App at the time of the error. Crashlytics is only active in production builds and helps us identify and fix bugs promptly.
- Types of data processed: Usage data, technical metadata (device information, OS version), crash logs.
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) – improving app stability and user experience.
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy policy: https://policies.google.com/privacy
Firebase privacy information: https://firebase.google.com/support/privacy
Push Notifications
With your permission, the App may send you push notifications about wines, recommendations, and features using Firebase Cloud Messaging (FCM).
When you grant notification permission, your device’s push notification token (APNS token on iOS, FCM token on Android) is stored on our server to deliver notifications to your device.
You can revoke notification permission at any time through your device’s system settings.
- Types of data processed: Push notification token, device identifier.
- Legal basis: Consent (Art. 6(1)(a) GDPR).
IP Geolocation
When you open the App, your IP address is used once to determine your approximate country location via a third-party geolocation service. Only the resulting country code (e.g., “US”, “DE”) is stored — your IP address is not stored by us.
The country code is used to display wine prices in your local currency and to tailor content to your region.
- Types of data processed: IP address (transient, not stored by us), country code.
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) – providing a localized user experience.
Email Collection and Marketing
During the App’s onboarding, you are asked to provide your email address. This email is used to associate your device with your usage for customer support and subscription management purposes.
Optionally, you may opt in to receive marketing emails about exclusive insights, features, and offers. This opt-in is voluntary and not required to use the App.
Double opt-in: If you opt in, you may receive a confirmation email to verify your registration. This ensures that no one can subscribe using someone else’s email address.
You may withdraw your consent to marketing emails at any time by using the unsubscribe link included in each email or by contacting us at the email address provided above. After withdrawal, we may store your email address for up to three years on the basis of our legitimate interests to prove that consent was previously given. Processing of this data is limited to defending against potential claims.
EmailOctopus
We use EmailOctopus as our email marketing platform to send newsletters and marketing communications to opted-in users.
Service provider: EmailOctopus, Three Bridges LLC, 2035 Sunset Lake Rd., Suite B-2, Newark, Delaware 19702, USA.
Legal basis: Consent (Art. 6(1)(a) GDPR).
Website: https://emailoctopus.com
Privacy policy: https://emailoctopus.com/legal/privacy
- Types of data processed: Email address, usage data (e.g., email open and click rates).
- Legal basis: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR) for proving prior consent.
- Opt-out: You can unsubscribe from marketing emails at any time via the unsubscribe link in each email or by contacting us directly.
Contact and Inquiry Management
When you contact us (e.g., via email or contact form), we process the information you provide to answer your inquiry and follow up on any requested measures.
- Types of data processed: Contact details (e.g., email, phone number), content of your inquiry, meta/communication data (e.g., device information, IP address).
- Persons affected: Communication partners.
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); performance of a contract (Art. 6(1)(b) GDPR) where applicable.
Web Analysis, Monitoring and Optimization
We use web analytics on our Website to evaluate visitor flows, understand usage patterns, and improve our services. This may include analyzing behavior, interests, or demographic information as pseudonymous values.
The IP addresses of users are saved using an IP masking process (pseudonymization by shortening the IP address) to protect users. In general, no clear user data (e.g., email addresses or names) is stored in the context of web analysis, but only pseudonyms.
Google Analytics
We use Google Analytics on our Website for web analysis, reach measurement, and measurement of user flows.
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Legal basis: Consent (Art. 6(1)(a) GDPR).
Website: https://marketingplatform.google.com/intl/en/about/analytics/
Privacy policy: https://policies.google.com/privacy
Data processing agreement: https://business.safety.google/adsprocessorterms
Standard contractual clauses: https://business.safety.google/adsprocessorterms
Opt-out: Google Analytics Opt-out Browser Add-on; Settings for ad display: https://adssettings.google.com/authenticated
More information: https://privacy.google.com/businesses/adsservices (types of processing and data processed).
- Types of data processed: Usage data (e.g., pages visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
- Security measures: IP masking (pseudonymization of the IP address).
- Legal basis: Consent (Art. 6(1)(a) GDPR).
Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our data processing practices or legal requirements. We encourage you to review this policy periodically. If changes require your consent or other individual notification, we will inform you accordingly.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that these may change over time. Please verify the information before contacting us.
Rights of Data Subjects
Under the GDPR, you have the following rights:
- Right to object (Art. 21 GDPR): You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data based on Art. 6(1)(e) or (f) GDPR, including profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to such processing, including profiling insofar as it is related to such direct marketing.
- Right to withdraw consent (Art. 7(3) GDPR): You may withdraw any consent you have given at any time, without affecting the lawfulness of processing prior to withdrawal.
- Right of access (Art. 15 GDPR): You may request confirmation of whether we process your data and receive information about such processing, as well as a copy of the data.
- Right to rectification (Art. 16 GDPR): You may request correction of inaccurate data or completion of incomplete data concerning you.
- Right to erasure (Art. 17 GDPR): You may request deletion of your data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR): You may request restriction of processing under certain circumstances.
- Right to data portability (Art. 20 GDPR): You may request to receive your data in a structured, commonly used, machine-readable format, or request transmission to another controller.
- Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of these rights, please contact us at: info@superm.com
Definition of Terms
- Personal data: Any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.
- Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure, or destruction.
- Device identifier: An anonymous identifier assigned to your device by the operating system (e.g., Apple IDFV or Android ID), used to associate your App data with your device without identifying you personally.
- Controller: The natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.
- Profiles: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Reach measurement: Methods used to determine the number of users who have accessed certain content or areas, and to evaluate their behavior and interests.