Zapfä
Promise

Privacy

We built Zapfä the way we'd want a small app from people we don't know to behave.

i. What we collect

The shortest version: your email address and the cellar data you choose to add.

When you create an account we store your email so you can sign in and so we can send you the occasional service note (a password reset, an account-recovery confirmation). When you add a bottle, we store the wine details, your tasting notes, the photos you upload, and the storage location you assign. That’s the whole list. We don’t ask for a phone number, a date of birth, a postal address, or anything else we don’t need.

If you sign up with Apple, Apple sends us a one-time email (which may be Apple’s private relay address) and your name on the very first sign-in. We never see your Apple ID password.

ii. What we never sell or share

We don’t run ads. We don’t share your data with advertisers, data brokers, or any third party for marketing. There is no second-party “partner” reading your cellar over your shoulder. The product makes money from subscriptions (when paid tiers ship later) — that’s the whole business model.

iii. Where your data lives

Your account, cellar data, and uploaded photos are stored in Supabase (Postgres + object storage), hosted in the EU (Frankfurt region). The website itself is served from Cloudflare’s edge CDN.

When you ask Zapfä’s AI features for a recommendation, your cellar context is sent to Anthropic’s Claude API server-side (via a Supabase Edge Function — your API key never lives in the app). Anthropic processes the request to generate the response and does not retain it for training, per their published policy for API customers.

iv. Cookies and analytics

The website does not set any cookies until you opt in to analytics. We use PostHog for product analytics — it’s the only analytics tool, and it stays opted-out by default to comply with GDPR and the ePrivacy directive. If and when you opt in, PostHog records anonymous events like “viewed the landing page” or “submitted the waitlist” — never the contents of your cellar.

The mobile app uses Supabase’s session management, which stores a token locally on your device so you don’t have to sign in every time you open the app. That token is yours alone — it lives on your device and is invalidated when you sign out.

v. Your rights (GDPR, CCPA)

You have the right to access, export, correct, or delete every piece of data we hold about you, at any time, without giving a reason.

  • Access + export: open the app → Settings → Export cellar (CSV or JSON).
  • Delete everything: open the app → Settings → Delete Account → type “DELETE” to confirm. The deletion is immediate and irreversible. (See Delete your account for the full path.)
  • Email us: if any of the above is broken or you’d rather a human handle it, write to support@zapfae.com and we’ll reply.

We’re a small team. We do not sell your data and we do not transfer it outside the EU/EEA except to the AI inference providers listed above (which are governed by their respective standard contractual clauses).

vi. Changes to this policy

If we ever materially change what we collect or how we use it, we’ll update this page and date the change at the top. For substantive changes (e.g. a new analytics provider) we’ll also send a one-time email to active accounts before the change takes effect.

vii. Contact

Questions, concerns, or “you have my data and I want it gone”: support@zapfae.com. We read every email.