Privacy Policy
Last updated: 30 March 2026
1. Introduction
This Privacy Policy explains how Wine Uni (“we”, “us”, “our”) collects, uses, stores, and shares your personal data when you use the Wine Uni mobile application (“App”).
We are committed to protecting your privacy and complying with the New Zealand Privacy Act 2020, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) (to the extent it applies to our EU users), the UK GDPR, and other applicable data protection laws.
Data Controller:
Jakub Jurkiewicz (sole trader), operating as Wine Uni
New Zealand
Email: support@thewineuni.com
Website: https://thewineuni.com
If you have any questions about this policy or wish to exercise your rights, contact us at support@thewineuni.com.
2. Data We Collect
We collect the following categories of personal data:
2.1 Account Data
When you create an account, we collect:
- Email address — provided by Apple or Google during OAuth sign-in
- Name — if shared by your chosen sign-in provider (optional and controlled by you)
- Account creation timestamp
2.2 Profile and Preferences Data
- Selected WSET exam level (Level 2, Level 3, Diploma, General)
- Exam timing goal (e.g., within 1 month, 1–3 months, 3+ months)
- Self-assessed knowledge level (captured during onboarding diagnostic quiz)
- Onboarding completion status
2.3 Quiz and Performance Data
- Quiz sessions: score, duration, quiz mode, exam level, date
- Individual question attempts: question ID, your answer, whether it was correct, category
- Per-category accuracy statistics
- Practice streak data: current streak count, last quiz date, last streak milestone date
2.4 Subscription Data
- Subscription tier (Free, Pro Monthly, Pro Annual, Grandfathered)
- Trial usage status (has trial been used: yes/no)
- Subscription event history (subscription start, renewal, cancellation, expiry)
- Subscription verification timestamps
2.5 Analytics Data
We use TelemetryDeck to collect pseudonymised usage analytics, including:
- App screens visited and features used
- Onboarding flow interactions
- Quiz engagement events (quiz started, completed, abandoned)
- Paywall interaction events
- Subscription lifecycle events (trial started, upgrade tapped, etc.)
TelemetryDeck signals are hashed using a one-way algorithm and are not directly linked to your name or email address. However, because a hashed device or user identifier is used, this data is pseudonymised rather than fully anonymised under the GDPR — it remains personal data and is handled accordingly. We have conducted a Legitimate Interests Assessment (LIA) and determined that our interest in improving the App is not overridden by your privacy rights, given the minimal nature of the data and the privacy-preserving design of TelemetryDeck. See Section 6 for more detail.
2.6 Technical Data
Collected automatically by Supabase’s infrastructure:
- IP address (processed by Supabase servers; not stored persistently by us in the application database)
- Device type and operating system (iOS version, device model — derived from request headers)
- App version
2.7 Data We Do NOT Collect
We do not collect:
- Location data
- Camera or microphone data
- Contacts or address book data
- Health or fitness data
- Any financial or payment card information (payments are handled entirely by Apple)
3. Legal Basis for Processing
Under the GDPR, we rely on the following legal bases:
| Data Category | Legal Basis |
|---|---|
| Account data | Contract (Art. 6(1)(b)) — necessary to provide the service |
| Profile and preferences | Contract (Art. 6(1)(b)) — necessary to personalise the learning experience |
| Quiz and performance data | Contract (Art. 6(1)(b)) — core functionality of the service |
| Subscription data | Contract (Art. 6(1)(b)) and Legal obligation (Art. 6(1)(c)) |
| Pseudonymised analytics (TelemetryDeck) | Legitimate interests (Art. 6(1)(f)) — to improve the service; LIA conducted; does not override your rights |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
4. How We Use Your Data
We use your data to:
- Create and manage your account
- Deliver and personalise quiz content based on your exam level and progress
- Track and display your performance, streaks, and readiness scores
- Process and verify your subscription status
- Restore your progress when you sign in on a new device
- Improve the App through pseudonymised usage analytics
- Send important service communications (e.g., account deletion confirmation)
- Comply with legal obligations
- Enforce our Terms of Service
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
5. Data Retention
We retain your data for as long as your account is active or as necessary to provide the service.
| Data Type | Retention Period |
|---|---|
| Account and profile data | Until account deletion + 30 days (for deletion processing) |
| Quiz sessions and attempts | Until account deletion |
| Subscription event history | 7 years (legal/tax obligation) |
| Pseudonymised analytics (TelemetryDeck) | Up to 2 years per TelemetryDeck’s retention policy, after which data is deleted or re-hashed by TelemetryDeck |
| Inactive accounts | We may delete accounts inactive for 24+ consecutive months after giving you 30 days’ notice |
After deletion, data is removed from our systems within 30 days, except where a longer retention period is required by law (e.g., subscription billing records).
6. Third-Party Service Providers
We share data with the following processors under appropriate data processing agreements:
6.1 Supabase
Role: Data Processor
Purpose: Backend infrastructure — database, authentication, serverless edge functions
Data shared: Account data, profile data, quiz performance data, subscription data
Location: EU region (EU data residency available)
Privacy Policy: https://supabase.com/privacy
6.2 Apple (Sign in with Apple)
Role: Independent Controller
Purpose: Authentication — provides a verified email address or relay address
Data shared: Minimal — email address or anonymised relay address selected by you
Privacy Policy: https://www.apple.com/legal/privacy/
6.3 Google (Sign in with Google)
Role: Independent Controller
Purpose: Authentication — OAuth identity provider
Data shared: Email address and basic profile info as authorised by you
Privacy Policy: https://policies.google.com/privacy
6.4 TelemetryDeck
Role: Data Processor
Purpose: Privacy-focused usage analytics
Data shared: Pseudonymised usage events; signals are hashed and not linked to your name or email by default
Location: EU-based servers
Privacy Policy: https://telemetrydeck.com/privacy/
6.5 Apple App Store
Role: Independent Controller
Purpose: In-app purchase processing and subscription management
Data shared: None directly by us — Apple handles all payment data
Privacy Policy: https://www.apple.com/legal/privacy/
We do not sell your personal data. We do not share it with any other third parties except as described above, or where required by law.
7. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our service providers operate infrastructure.
Where such transfers occur, we ensure they are protected by:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs (approved by the ICO), for transfers subject to the UK GDPR
- Adequacy decisions where applicable
Supabase and TelemetryDeck both offer EU-region hosting. If you require data residency within the EEA, contact us at support@thewineuni.com.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure:
- All data in transit is encrypted using TLS
- Supabase enforces Row-Level Security (RLS) on all user-specific database tables — you can only access your own data
- Authentication tokens are stored securely using the Supabase SDK (device Keychain)
- Sensitive flags (e.g., grandfathered status) are stored in the iOS Keychain
- We use OAuth-only authentication — we never store passwords
- Account deletion removes all personal data from Supabase within 30 days
No method of electronic transmission or storage is 100% secure. If we become aware of a data breach that causes, or is likely to cause, serious harm or risk to affected individuals, we will notify you and the relevant supervisory authority as required by applicable law — including the GDPR (Art. 33–34), the NZ Privacy Act 2020 (s112), and the UK GDPR.
9. Your GDPR Rights
If you are in the European Economic Area, United Kingdom, or another jurisdiction with equivalent laws, you have the following rights:
| Right | What It Means |
|---|---|
| Right of access (Art. 15) | Request a copy of the personal data we hold about you |
| Right to rectification (Art. 16) | Request correction of inaccurate or incomplete data |
| Right to erasure (Art. 17) | Request deletion of your personal data (“right to be forgotten”) |
| Right to restriction (Art. 18) | Request that we limit how we process your data |
| Right to data portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Right to object (Art. 21) | Object to processing based on legitimate interests |
| Right not to be subject to automated decisions (Art. 22) | We do not make automated decisions that significantly affect you |
How to exercise your rights: Contact us at support@thewineuni.com. We will respond within 30 days. We may ask you to verify your identity before processing the request.
New Zealand residents: Under the NZ Privacy Act 2020, you have the right to request access to personal information we hold about you (Information Privacy Principle 6) and to request correction of that information if it is inaccurate, out of date, incomplete, irrelevant, or misleading (Information Privacy Principle 7). The process is the same as described above — contact us at support@thewineuni.com.
You also have the right to lodge a complaint with your local data protection supervisory authority:
- New Zealand: Office of the Privacy Commissioner (OPC) — https://www.privacy.org.nz
- European Union: Your national data protection authority (list at https://edpb.europa.eu)
- United Kingdom: Information Commissioner’s Office (ICO) — https://ico.org.uk
10. Account Deletion
You can delete your account at any time from within the App (Settings → Delete Account). Upon deletion:
- Your profile, quiz sessions, and question attempts are deleted from Supabase within 30 days
- Subscription billing records are retained for the legally required period (up to 7 years)
- Pseudonymised analytics data processed by TelemetryDeck is retained according to their retention policy (up to 2 years). Upon account deletion, the link between your account and any hashed identifiers used by TelemetryDeck is destroyed, meaning the remaining analytics data can no longer be attributed to you
11. Children’s Privacy
The App is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. In compliance with the US Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us at support@thewineuni.com and we will delete it promptly.
12. Cookies and Tracking
The App does not use browser cookies. On-device data is stored using:
- SwiftData / Core Data — local quiz sessions and performance data
- UserDefaults — app preferences and feature flags
- iOS Keychain — authentication tokens and sensitive flags
These local storage mechanisms are used solely to deliver the App’s functionality and are not used for cross-app tracking or advertising.
13. Push Notifications
The App does not currently send push notifications. If we introduce this feature in the future, we will request your consent and update this policy accordingly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes — such as new categories of data collected, new third-party processors, or changes to how we use your data — we will provide at least 30 days’ advance notice via the App or the email address on your account. The “Last updated” date at the top of this policy reflects the most recent revision.
If you do not agree with a material change, you may delete your account before the change takes effect. Continued use of the App after the effective date constitutes your acceptance of the revised policy.
15. Contact Us
For any questions about this Privacy Policy, to exercise your rights, or to make a data-related complaint, contact us:
Email: support@thewineuni.com
Website: https://thewineuni.com/privacy
We aim to respond to all legitimate requests within 30 days.