Privacy & Data Policy

Last updated: 18/07/2026. This policy explains what data we collect, why, and what we do and don't do with it. It covers both personal data (about people — UK GDPR applies) and business data (about your shop — governed by our contractual commitments in the Terms of Use, section 4).

Contact: team@cellarate.co.uk

1. The short version

  • We benchmark the wine market using publicly visible retail data and data merchants choose to share with us.

  • We never publish or pass to suppliers anything that identifies your business unless you explicitly opt in. Everything else is aggregate-only.

  • POS connections are read-only.

  • Delete your account and we delete your data (section 8).

  • We don't sell personal data. Ever.

2. What we collect and where it comes from

a) Account data (personal data) — name, business email, business name and address, login credentials. Provided by you at signup.

b) Billing data (personal data) — handled by our payment processor (Stripe); we don't store card numbers.

c) Business data you provide — stock lists and sales exports you upload; stock, sales and pricing data retrieved via a POS connection you authorise (read-only). This is business data; where a sales record incidentally contains personal data (e.g. a customer name in an export), we filter or discard those fields — upload sales data with customer-identifying columns removed where your POS allows.

d) Publicly available retail data — product listings, prices and stock indications visible on merchant websites, collected by automated means. This includes data from your own website, potentially before you sign up (it's how we produce the briefing that may have introduced us). It contains no personal data about shoppers.

e) Business contact data for outreach (personal data) — names, roles and business email addresses of merchant businesses, compiled from public trade sources, used to send relevant B2B communications (e.g. a briefing about your shop). See section 6.

f) Usage data — pages viewed, actions taken in the product, email opens/clicks, device and log data. Used for product improvement and the metrics that make recommendations better.

3. Why we process it (lawful bases for personal data)

Purpose

Lawful basis

Providing the service to account holders

Contract

Billing and accounting

Contract / legal obligation

B2B outreach to trade contacts

Legitimate interests (relevant business communication to trade recipients; opt-out honoured immediately)

Product analytics and improvement

Legitimate interests

Service and security emails

Contract / legitimate interests

Marketing emails to account holders

Legitimate interests with opt-out (or consent where required)

4. What we do with business data

  • Produce your benchmarks, Decisions and briefings.

  • Compute aggregate, de-identified market statistics, style-family benchmarks and the Cellarate Rate of Sale index. Aggregates use minimum panel sizes so no individual merchant can be inferred.

  • Calibrate our market models (e.g. comparing website-derived estimates against POS data) — again only ever surfaced in aggregate.

What we don't do: publish your name or figures; share merchant-identifiable data with importers, distributors or anyone else without your explicit opt-in; write to or act on your POS; sell your data.

5. The supplier opt-in

If you switch on the supplier feed, importers/distributors subscribing to Cellarate can see your business name associated with specified range information, as described at the point you opt in. You can switch it off at any time; your name stops appearing from that point. Opting in is never a condition of using the merchant service.

6. Outreach emails (before you have an account)

We send unsolicited business emails to wine merchants — typically a one-off briefing about their publicly visible range. We do this under legitimate interests / the B2B provisions of PECR, to business contacts at incorporated businesses. Every email includes a working unsubscribe; unsubscribing removes you from all future outreach. If your business is a sole trader or unincorporated partnership and you'd rather not hear from us, the same unsubscribe applies and we honour it identically.

7. Who we share data with

  • Processors who host and run the service for us (Posthog, WorkOS, AWS, Stripe) — under contracts limiting use to our instructions.

  • Suppliers — only per section 5, only with opt-in.

  • Authorities — if legally required.

  • No sale of personal data; no advertising networks.

International transfers, where they occur (e.g. US-based processors), use UK-approved safeguards (adequacy or standard contractual clauses).

8. Retention and deletion

  • Account and business data: kept while your account is active. On deletion, removed from production systems within 30 days and from backups within 90 days.

  • Aggregate statistics already computed: retained (they don't identify you and can't be reversed out).

  • Billing records: kept as required by tax law (6 years).

  • Outreach contact data: deleted on unsubscribe request, retained on a suppression list only to honour the opt-out.

  • Publicly collected retail data: retained as part of the market dataset; it is not linked to your account once your account is deleted.

9. Your rights (personal data)

Under UK GDPR you can request access, correction, deletion, restriction, portability, and object to processing based on legitimate interests. Email team@cellarate.co.uk; we respond within one month. You can complain to the ICO (ico.org.uk), though we'd appreciate the chance to fix things first.

10. Cookies

We use essential cookies (login, security) and analytics via our analytics provider PostHog for the sole purpose of improving the service we offer. No third-party advertising cookies.

11. Security

Encryption in transit and at rest, access controls, least-privilege access to POS credentials (OAuth tokens stored encrypted, revocable by you at any time from your POS platform or from Cellarate settings).

12. Changes

Material changes notified by email to account holders 30 days before taking effect.

© 2026 All Rights Reserved

© 2026 All Rights Reserved