Skip to main content

Privacy Policy

Last updated: May 5, 2026

1. Data controller

The data controller for personal data is Mon Chez Toit SRL (trade name: Trinqo), VAT number BE0885913767.

GDPR contact point: privacy@trinqo.app. No formal Data Protection Officer (DPO) has been appointed — Trinqo does not meet the designation criteria set out in Article 37 of the GDPR.

2. Data collected

We collect the following data:

  • Account data: email address, display name (optional)
  • Tasting data: name, producer, notes, photos, ratings
  • Payment data: processed exclusively by Stripe (we do not store any card numbers)
  • Technical data: IP address, browser type, pages visited

3. Purposes of processing

Your data is used to:

  • Create and manage your user account
  • Record and display your tastings
  • Manage your subscription and payments
  • Send you transactional emails (payment confirmation, notifications). Trinqo does not send any marketing emails or newsletters without your explicit prior consent
  • Realtime Table feature: wine proposals and votes shared in a Table session are visible to all participants of that session. Guests use a temporary access token (not personal). Session data is deleted 24 hours after the session expires (except sessions saved by the account holder)
  • Story sharing (9:16): you can share a public tasting as a 9:16 image on social media. The image is generated on demand by our API and served via a CDN (1-year immutable cache). It can only be removed by switching the tasting back to private visibility (the URL then returns a 404)
  • Improve the service

4. Legal basis

The processing of your data is based on the performance of the contract (use of the service) and your consent (account creation). For payment data, processing is necessary for the performance of the subscription contract.

5. Sub-processors

Your data is processed by the following sub-processors:

  • Supabase (European Union, Ireland) — Database hosting and authentication
  • Vercel (United States) — Application hosting
  • Stripe (Ireland) — Payment processing
  • Brevo (France) — Transactional email delivery
  • Google (United States) — Image analysis and OCR via the Gemini API
  • Mistral AI (France) — OCR/label recognition via the Pixtral Vision API
  • Anthropic (United States) — AI image analysis (OCR fallback) via the Claude API
  • Sentry (United States) — Application monitoring and error tracking
  • Upstash (United States) — Rate limiting and abuse protection
  • PostHog (EU — Frankfurt) — Privacy-friendly product analytics (no cookies, memory-only persistence)
  • Open Food Facts (France) — Wine data enrichment (EAN barcodes, images, country of origin, alcohol content)
  • OpenAI (United States) — Embedding generation for similar wine search (text-embedding-3-small model)
  • Meta Platforms Ireland Ltd. (Ireland / United States) — Advertising audience measurement and retargeting via Meta CAPI server-side (Facebook/Instagram Ads), only if you have not enabled the analytics opt-out

6. Transfers outside the EU

Some sub-processors process your data outside the European Union. The following safeguards govern these transfers:

  • Supabase (European Union, Ireland) — database hosting, data processed within the EU (GDPR Art. 46 not applicable)
  • Vercel (United States) — application hosting, Data Privacy Framework (DPF)
  • Stripe (United States) — payment, certified Data Privacy Framework (DPF)
  • Brevo (France/EU) — transactional emails, no transfer outside the EU
  • Google (United States) — image analysis/OCR via Gemini, Standard Contractual Clauses (SCC)
  • Mistral AI (France/EU) — OCR, no transfer outside the EU
  • Anthropic (United States) — AI image analysis/OCR fallback via Claude, Standard Contractual Clauses (SCC)
  • Sentry (United States) — monitoring, Standard Contractual Clauses (SCC)
  • Upstash (United States) — rate limiting, Standard Contractual Clauses (SCC)
  • PostHog (EU — Frankfurt) — product analytics, data processed within the EU (GDPR Art. 46 not applicable)
  • Open Food Facts (France) — data enrichment, open source database, no transfer outside EU
  • OpenAI (United States) — embeddings for similar wine search, Standard Contractual Clauses (SCC)
  • Meta Platforms Ireland Ltd. (Ireland, data transferred to Meta Platforms Inc. in the United States) — Meta CAPI server-side for advertising conversion measurement and retargeting, Standard Contractual Clauses (SCC)

7. Data retention period

  • Profile and tasting data: duration of account, deleted immediately upon account deletion
  • Collections and shares: duration of account, deleted immediately upon account deletion
  • Invitations: 90 days after expiration of the invitation, then automatically deleted
  • Friendships: duration of account, deleted immediately upon account deletion
  • Submitted wine corrections: duration of account, deleted immediately upon account deletion
  • Support tickets: 2 years after closure of the ticket, then anonymized (data retained in case of litigation or legal audit)
  • Push notifications (subscriptions): deleted immediately upon unsubscription, or after 1 year of inactivity (when the notification can no longer be delivered)
  • Sessions (table_sessions): 24 hours after session expiration. User-saved sessions are retained as long as the account is active
  • Label photos: duration of account, deleted immediately upon account deletion
  • Payment data: retained by Stripe according to their policy (see stripe.com/privacy)
  • Technical logs (Sentry): 90 days. No personal data is sent (configuration sendDefaultPii: false — no email, no IP address, no user identifier)
  • AI usage logs (ai_usage_logs): 90 days (automatic purge)
  • Billing events (billing_events): retained anonymously for 7 years after account deletion (Belgian accounting obligation — Art. 6.1.c GDPR). After account deletion, your identifier is replaced by NULL (no data can be linked back to you)

8. Your rights

Under the GDPR, you have the following rights:

  • Access: obtain a copy of your personal data
  • Rectification: correct inaccurate data
  • Erasure: request the deletion of your data
  • Portability (Art. 20): you can export your personal data in a structured, machine-readable format from your account settings
  • Objection: object to the processing of your data
  • Restriction: request the restriction of processing

To exercise your rights, contact us at privacy@trinqo.app. We will respond within 30 days.

9. Cookies and analytics

Trinqo uses only strictly necessary cookies for the service to function. No advertising or tracking cookies are used. No consent is required for these cookies in accordance with the ePrivacy Directive.

  • Supabase session cookie: authentication of the logged-in user (session cookie, strictly necessary, expires when the browser is closed)
  • trinqo-locale: remembering the language chosen by the user (functional cookie, strictly necessary, expires after 7 days of inactivity)

The PostHog analytics tool is hosted in the EU (Frankfurt) and configured in native cookieless mode (persistence: 'memory'): no cookies, local storage, or digital fingerprint are created on your device. Your IP address is not transmitted to PostHog (ip: false). Click autocapture is disabled (autocapture: false). No profile is created for anonymous visitors (person_profiles: 'identified_only'). The legal basis is Trinqo's legitimate interest in improving its service (Art. 6.1.f GDPR), in accordance with CNIL analytics exemption — no consent is required. You can opt out of this collection from the Settings page of your account.

10. Security

We implement appropriate technical and organizational measures to protect your data: HTTPS encryption, secure authentication, restricted data access, and database-level security policies.

11. Complaints

If you believe that the processing of your data does not comply with the GDPR, you may file a complaint with the Belgian Data Protection Authority: www.autoriteprotectiondonnees.be

12. Open Food Facts

When you use the barcode scanning feature, Trinqo queries the Open Food Facts service to enrich the product record.

  • Data sent: EAN barcode of the product
  • Data received: product name, brand, category
  • Legal basis: legitimate interest (improving the product record)
  • Open Food Facts terms of use: world.openfoodfacts.org/terms-of-use

13. Data breach (Art. 33 GDPR)

In the event of a personal data breach, Trinqo follows the procedure below:

  • Detection: real-time Sentry alerts
  • Notification to the supervisory authority: within 72 hours of detection, notification to the Belgian Data Protection Authority (www.autoriteprotectiondonnees.be)
  • Communication to data subjects: if the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR)
  • Contact: info@trinqo.app

14. AI label scanning

When you use the label scanning feature, Trinqo sends the label photo to third-party AI services to automatically extract wine information (name, producer, region, vintage, grape varieties).

  • Data sent: photo of the wine label
  • Data received: extracted information (wine name, producer, region, vintage, grape varieties, alcohol content)
  • Legal basis: performance of the contract (core service feature)
  • Photo retention: the photo is transmitted in real time to the AI service API and is NOT retained by the provider after processing
  • AI services used: Google Gemini (primary), Mistral Pixtral Vision (secondary), Anthropic Claude (fallback)
  • Personal data in the photo: the photo may accidentally contain visual elements (background, reflections). Avoid including personally identifiable elements in your label photos

15. AI usage data

Trinqo collects technical data related to the use of artificial intelligence features:

  • Purpose: service improvement and operational cost monitoring
  • Legal basis: legitimate interest (Art. 6.1.f GDPR) — optimisation and monitoring of the AI service
  • Data collected: request type, AI model used, number of tokens, processing duration
  • What is NOT collected: conversation content, transmitted photos, personal data
  • Retention period: 90 days, then automatically purged

16. Meta CAPI server-side (Facebook/Instagram Ads)

Trinqo uses the Meta Conversions API (CAPI) from Meta Platforms Ireland Ltd. to measure conversions from its Facebook/Instagram advertising campaigns. Unlike the client-side Meta Pixel, this processing is carried out entirely server-side: no Meta script is loaded in your browser and no Meta cookie is set. This processing is only activated if you have not enabled the analytics opt-out in your account settings.

  • Sub-processor: Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), with transfer to Meta Platforms Inc. (United States)
  • Purpose: advertising audience measurement, conversion attribution (sign-up, subscription), targeting and retargeting on Facebook/Instagram
  • Legal basis: legitimate interest (Art. 6.1.f GDPR) — advertising effectiveness measurement carried out server-side without setting third-party cookies
  • Data transmitted: URLs of relevant pages, conversion events (PageView, Lead, CompleteRegistration, StartTrial, Subscribe), IP address and User-Agent (transmitted in plain text to Meta for conversion event matching purposes — these technical data points do not constitute direct personal data), Meta advertising cookie identifiers (_fbc, _fbp) if present in your browser. No direct personal data (email, user identifier, password) is transmitted by Trinqo to Meta
  • Retention period: according to Meta's policy (conversion events: 28 days by default for attribution). No retention on Trinqo's side.
  • Transfer outside the EU: yes — to Meta Platforms Inc. in the United States, governed by the European Commission's Standard Contractual Clauses (SCC)
  • Opt-out mechanism: you can disable this processing at any time from the Settings > Privacy page of your Trinqo account. In case of opt-out, no event is sent to Meta.
  • Meta policy: you can consult Meta's privacy policy at facebook.com/privacy/policy and manage your advertising preferences in your Facebook/Instagram account settings

17. Automated taste profiling (Art. 22 GDPR)

Trinqo automatically computes your taste profile (user_taste_profile) from your recorded tastings. This individual profiling constitutes automated processing within the meaning of Art. 22 GDPR.

  • Processing logic: with each recorded tasting, Trinqo aggregates your scores (acidity, tannins, structure/body, sweetness, oak ageing, minerality, adventure score) and your favourite grape varieties/regions to compute preference scores (prefers_acidity, prefers_tannins, prefers_body, etc.)
  • Data used: tasting notes, grape varieties, regions, wine styles, and ratings recorded in your account
  • Purpose and consequences: this profile is used exclusively to personalise the virtual sommelier's recommendations and food-pairing suggestions. It is not used for decisions with significant effects (no dynamic pricing, no denial of service, no discrimination, no solely automated decision-making producing legal effects)
  • Legal basis: performance of the contract (Art. 6.1.b GDPR) — this personalisation is a core feature of the service
  • Retention period: duration of the account, deleted immediately upon account deletion
  • Right to object (Art. 21 and 22 GDPR): you may object to this profiling at any time. To exercise this right, contact privacy@trinqo.app: your taste profile will be deleted and your tastings will no longer be used to personalise recommendations. Deleting your account from the dashboard (Settings > Delete my account) also triggers immediate deletion of the taste profile
  • Your other rights: you may at any time request access, rectification, or portability of your taste profile by contacting privacy@trinqo.app

18. Temporary guest scan photos (try-photos-temp bucket)

When an unregistered visitor uses the label scan trial feature (/try flow), the captured photo is temporarily stored in a dedicated storage bucket hosted by Supabase (Ireland, European Union) in order to generate a 9:16 story-format share image (Instagram/Facebook) via our rendering service (Satori).

  • Purpose: enable on-the-fly generation of a 9:16 story image shareable on social media, without requiring account creation
  • Legal basis: legitimate interest (Art. 6.1.f GDPR) — offering product trial and viral sharing without forcing the user to create an account
  • Data stored: wine label photo taken by the visitor. No direct identifying data (email, name) is associated with the photo
  • Recipient: Supabase (internal storage) and the browser of the user who requested the generation. No public transmission
  • Hosting: Supabase, EU region — Ireland (no transfer outside the EU)
  • Retention period: maximum 1 hour. Deletion is automatic via a scheduled task (pg_cron) that empties the bucket after expiration
  • Your rights: given the very short duration and the absence of an identifier, the individual exercise of rights is not practically applicable. For requests, contact privacy@trinqo.app

19. Guest AI sommelier chat (askGuestSommelier)

The /try trial flow offers a mini-chat with the virtual sommelier, accessible without account creation. The visitor's questions and the metadata of the scanned wine are sent to the Google Gemini API to produce the response.

  • Purpose: allow the visitor to try the sommelier feature before registration
  • Legal basis: legitimate interest (Art. 6.1.f GDPR) — product demonstration without prior collection of account data
  • Data sent to Google Gemini: wine name, producer, appellation, vintage if available, and the visitor's question text. No personal data of the visitor (first name, email, identifier) is sent — the "name" field in the prompt corresponds to the wine name, not the user's name
  • Recipient: Google Ireland Ltd. (Ireland), with possible processing by Google LLC (United States) governed by Standard Contractual Clauses (SCC)
  • Rate-limiting: to prevent abuse, a per-IP limit is applied in ephemeral memory (Upstash, not logged beyond the counting window)
  • Retention: no retention on Trinqo's side of chat questions or answers. On Google Gemini's side, see the Gemini API policy (ai.google.dev/gemini-api/terms)
  • Your rights: to exercise your rights or request further information, contact privacy@trinqo.app

20. Photos taken on /try (guest mode) — quality retention

When an unregistered visitor uses the label scan in guest mode (/try flow), the captured photo may be retained for up to 7 days to improve recognition quality.

  • What: wine label photo taken during a guest scan (no account)
  • Why: improving recognition quality (OCR, wine database, estimated prices). Photos help identify and correct failed or incorrect identifications
  • Retention period: maximum 7 days, automatic deletion thereafter. Exceptional case: up to 30 days for documented quality analysis
  • Legal basis: legitimate interest (Art. 6.1.f GDPR) — improving the accuracy of an identification service, in line with the data minimisation principle (Art. 5.1.c GDPR)
  • Associated data: extracted wine name, producer, vintage, appellation, estimated price, confidence score, GeoIP city (never the full IP address)
  • Access: Trinqo team only, via time-limited signed URLs. Private bucket, no public access
  • No model training: photos are not used to train or fine-tune an AI model without your explicit consent
  • Your rights: you may request deletion of your photo by contacting privacy@trinqo.app. Please include the approximate date and time of the scan

21. PostHog capture of signup attempts

When the signup form is submitted, an anonymous identifier and non-personal properties are sent to PostHog (product analytics tool) before the account is created server-side. This capture is intentionally triggered before the server call so that lost signups can be detected and re-engaged in the event of a technical incident (silent server failure, error not surfaced to the user).

  • What: anonymous identifier derived from a SHA-256 hash (first 16 chars) of the email address (non-reversible), boolean properties has_email and marketing_opt_in
  • What is NOT sent: the email address in plain text, the password, first name, last name, or any directly identifying data
  • Why: detection of lost signups during technical incidents (silent server failure) and targeted re-engagement in the event of a confirmed incident
  • Retention: 7 years (PostHog default), deletable on request at privacy@trinqo.app
  • Legal basis: legitimate interest (Art. 6.1.f GDPR) — improving service reliability and reducing user loss due to technical failures
  • Associated data: email hash (16 hex chars, non-reversible), marketing_opt_in (boolean), has_email (boolean), timestamp
  • Your rights: you may request deletion of this record at privacy@trinqo.app, specifying the approximate date of your signup attempt
← Back to home