Legal

Privacy Policy.

How we collect, use, protect, and share personal information — across the marketing site, BerryEval, and the WineberryOS platform.

Effective: May 11, 2026 · Last updated: May 11, 2026

This Privacy Policy explains how Wineberry, Inc. ("Wineberry," "we," "us") handles personal information when you visit wineberry.ai, use the BerryEval assessment, or use the WineberryOS platform (collectively, the "Services"). It applies to two distinct relationships:

  • Visitors and prospects — people browsing the marketing site or submitting a contact form.
  • Customers and end users — organizations and their authorized users who access WineberryOS. For customer data processed through WineberryOS, Wineberry acts as a data processor on behalf of the customer (the controller), subject to the Customer's instructions and any Data Processing Addendum.

1. Information We Collect

From visitors to the marketing site

  • Contact form submissions — name, email, company, and message you provide.
  • Server logs — IP address, user-agent, referring URL, and timestamps. Retained for operational and security purposes.
  • Cookies — see the Cookies section below.

From customers and authorized users

  • Account information — name, email, role, and organization, provided directly or through our authentication provider.
  • Customer Data — operational data ingested from connected systems you designate (e.g., CRM, email, messaging platforms, spreadsheets), processed to deliver recommendations and approved remediations.
  • Provider credentials — OAuth tokens and API keys for connected systems, stored encrypted at rest.
  • Usage and telemetry — actions taken in the platform, approvals, errors, and performance metrics. Used to operate, secure, and improve the Services.

2. How We Use Information

  • Provide, secure, and improve the Services;
  • Generate evidence-backed recommendations and execute Customer-approved remediations;
  • Authenticate users, prevent abuse, and enforce tenant isolation;
  • Communicate about your account, security, and product changes;
  • Respond to inquiries, support requests, and legal obligations.

We do not sell personal information. We do not use Customer Data to train foundation models. AI outputs are generated per request using third-party inference providers under contractual confidentiality obligations.

3. Legal Bases (EEA / UK Visitors)

Where the GDPR or UK GDPR applies, we process personal information under the following legal bases: performance of a contract (delivering the Services), legitimate interests (security, product improvement, communication with prospects), legal obligation, and consent (where required, e.g., certain cookies).

4. Sub-Processors

We engage the following sub-processors to operate the Services:

| Sub-processor | Purpose | Location |
|---|---|---|
| Clerk | Authentication and identity management | United States |
| Railway | Application hosting and managed Postgres / Redis | United States |
| Fireworks AI | Inference for language model workloads | United States |
| Resend | Transactional email delivery | United States |
| Cloudflare | DNS, edge caching, and DDoS protection | Global |

We require each sub-processor to maintain security and confidentiality obligations consistent with this Policy. We will provide notice of material changes to the sub-processor list to Customer administrators.

5. How We Share Information

  • Sub-processors — as described above, solely to deliver the Services.
  • Within your organization — Customer Data is accessible to your Authorized Users per your configuration.
  • Connected systems — only the writes you approve, sent to the systems you designate.
  • Legal and safety — to comply with law, lawful requests, or to protect rights, property, and safety. We notify Customers of requests where lawful.
  • Business transfers — in connection with a merger, acquisition, or sale of assets, subject to confidentiality.

6. Security

  • Encryption in transit via TLS for all customer-facing endpoints.
  • Encryption at rest for provider credentials and sensitive fields, with the encryption key held as a deployment secret separate from the database.
  • Tenant isolation enforced at the database query, queue payload, and worker layers; every query includes an organization scope and workers re-validate ownership.
  • Human-in-the-loop guardrails prevent autonomous high-risk actions; outbound email, billing, and permanent deletes are blocked at the platform level.
  • Worker isolation — background workers run as a separate deployment from the user-facing API.
  • Structured output validation — model outputs are JSON-schema validated before use.

No system is perfectly secure. If you believe your account or data has been compromised, contact us immediately at legal@wineberry.ai.

7. Data Retention

We retain Customer Data for the duration of your subscription and for a reasonable period afterward to allow for export. Marketing contact submissions are retained for up to 24 months unless you request deletion sooner. Backups and audit logs may be retained longer to meet legal and security obligations. On termination, Customer Data is deleted in accordance with the applicable Order Form and DPA, subject to retention required by law.

8. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal information, restrict or object to processing, withdraw consent, and lodge a complaint with a supervisory authority. To exercise these rights, contact us at legal@wineberry.ai. If your data is processed through WineberryOS on behalf of a Customer, please direct requests to that Customer; we will assist the Customer in responding.

9. Cookies and Similar Technologies

The marketing site uses essential cookies for functionality and limited analytics cookies to understand aggregate usage. The client portal uses cookies for authentication and session management. You may control cookies through your browser settings; blocking essential cookies will impair the Services.

10. International Transfers

Wineberry is based in the United States, and personal information may be processed in the U.S. and in countries where our sub-processors operate. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.

11. Children

The Services are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact legal@wineberry.ai and we will delete it.

12. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated by email to Customer administrators or via the Services. The "Effective" date at the top of this page reflects the latest version.

13. Contact

Privacy questions, requests, or complaints? Contact us at legal@wineberry.ai.