1. Introduction and Data Controller
This Privacy Policy describes how Tasting And Toasting Inc., together with its subsidiary Tasting And Toasting SL (collectively "we", "us", "our", "the Company"), collects, uses, stores, and protects personal data of visitors and users ("you", "your") of the website tastingandtoasting.com, its subdomains, and any associated mobile applications (collectively, the "Service").
This Policy is issued in compliance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR")
- Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights ("LOPDGDD")
- Spanish Law 34/2002 on Information Society Services and Electronic Commerce ("LSSI-CE")
- Spanish General Telecommunications Law 11/2022
- Other applicable Spanish and European Union laws
Data Controller Identification
The data controller for personal data processed through this Service is:
| Legal name | Tasting And Toasting Inc. |
|---|---|
| Type of entity | Corporation organized under the laws of the State of Delaware, USA |
| Registration number | 7494277 (Delaware Division of Corporations) |
| Date of incorporation | 02 June 2023 |
| Registered office | [ADDRESS OF DELAWARE REGISTERED AGENT, TO BE COMPLETED] |
| Local subsidiary (Spain) | Tasting And Toasting SL [pending registration / registered with] |
| Spanish tax ID (NIF/CIF) | [TO BE COMPLETED ONCE SL IS REGISTERED] |
| Spanish operational address | Valencia, Spain [exact address to be completed] |
| Privacy contact email | info@tastingandtoasting.com |
| General contact email | info@tastingandtoasting.com |
Data Protection Officer
At this stage of development, the Company has determined that appointment of a formal Data Protection Officer (DPO) is not legally required under Article 37 GDPR or Spanish law, given the limited scope and volume of data processing. This determination is reviewed regularly. For all privacy-related inquiries, contact info@tastingandtoasting.com.
2. Categories of Personal Data We Collect
2.1 Information You Provide Directly
Waitlist and Pre-Registration
When you sign up to be notified about our launch:
- Email address
- First name (optional)
- Country / region of interest (optional)
- Source of referral (how you heard about us, optional)
Contact and Inquiries
When you contact us through forms or email:
- Name and email address
- Content of your message
- Any additional information you choose to share
Future Service Account (Post-Launch)
When the Service becomes operational, account registration will additionally collect:
- Phone number (for OTP authentication)
- Date of birth (for age verification, must be 18+ for any wine-related services)
- Display name
- Profile picture (optional)
- Wine preferences and tasting history (as you generate it through Service use)
- Delivery address (for physical kit deliveries)
- Payment information (processed by third-party payment processors, see Section 5)
2.2 Information Collected Automatically
Technical Data
- IP address (anonymized after 30 days)
- Browser type and version
- Operating system
- Device identifiers
- Referral URL
- Pages viewed and time spent
- Date and time of access
- Approximate geographic location (country/region level only, derived from IP)
Cookies and Similar Technologies
See our separate Cookie Policy for details on cookies, web beacons, and similar tracking technologies. Non-essential cookies are activated only with your prior, informed consent in accordance with Article 22 LSSI-CE.
2.3 Information from Third Parties
We may receive limited information from:
- Authentication providers (if you choose to log in via Google, Apple, or similar, limited to public profile information you authorize)
- Payment processors (transaction confirmations, never full card details)
- Analytics providers (aggregated usage data)
2.4 What We Do NOT Collect
We do not collect:
- Special categories of personal data (race, ethnic origin, political opinions, religious beliefs, health data, sexual orientation) under Article 9 GDPR, except where you voluntarily share such information in tasting notes or correspondence
- Government identification numbers (NIE, DNI, passport) except where strictly required for age verification at delivery
- Banking credentials or full payment card numbers (these are processed exclusively by certified payment processors)
- Data of children under 14 (the Spanish minimum age for digital consent under Article 7 LOPDGDD)
3. Legal Basis for Processing
We process your personal data on the following legal bases under Article 6 GDPR:
| Processing activity | Legal basis (GDPR Art. 6) |
|---|---|
| Waitlist registration | Consent, Art. 6(1)(a) |
| Responding to inquiries | Pre-contractual measures, Art. 6(1)(b) |
| Account creation and authentication (post-launch) | Performance of contract, Art. 6(1)(b) |
| Order processing and delivery (post-launch) | Performance of contract, Art. 6(1)(b) |
| Marketing emails | Consent, Art. 6(1)(a) (with double opt-in per AEPD guidance) |
| Service improvement and analytics | Legitimate interest, Art. 6(1)(f) |
| Security, fraud prevention | Legitimate interest, Art. 6(1)(f) |
| Legal compliance (tax, alcohol regulations) | Legal obligation, Art. 6(1)(c) |
| Age verification for alcohol services | Legal obligation, Art. 6(1)(c) |
You can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4. Purposes of Processing
We process your personal data for the following specific purposes:
4.1 Pre-Launch Phase (current)
- Sending you launch-related notifications when you join the waitlist
- Responding to your inquiries and requests
- Improving our website and pre-launch communications
- Building demonstration materials for partners and investors (using only aggregated, anonymized data)
- Complying with legal and regulatory obligations
4.2 Post-Launch Phase (after operational licenses obtained)
- Creating and managing your user account
- Processing orders for wine kits, event tickets, and subscriptions
- Coordinating delivery (including age verification at delivery)
- Providing customer support
- Personalizing wine recommendations based on your tasting history
- Sending transactional notifications (order confirmations, delivery updates)
- Sending marketing communications (only with separate, explicit consent)
- Operating the wine tasting game functionality
- Connecting players, mediators, and winery partners
- Generating aggregated analytics for winery partners (you cannot be individually identified)
- Fraud prevention and security
- Tax compliance, accounting, and regulatory reporting
5. Recipients of Your Personal Data
We share personal data only with the following categories of recipients, and only to the extent necessary for the stated purposes:
5.1 Service Providers (Processors under Article 28 GDPR)
All processors are bound by Data Processing Agreements containing the safeguards required by GDPR Article 28:
| Category | Provider examples | Purpose |
|---|---|---|
| Cloud hosting | Amazon Web Services, Cloudflare | Hosting infrastructure |
| Authentication and SMS | Twilio | OTP delivery, phone verification |
| Email delivery | Resend, Postmark, or equivalent | Transactional and marketing emails |
| Payment processing | Stripe, Bizum (via Redsys) | Order payment processing |
| Analytics | Plausible Analytics, PostHog, or equivalent | Aggregated usage analytics |
| Customer support | Help desk software (TBD) | Support ticket management |
| Shipping and delivery | SEUR, MRW, or equivalent Spanish couriers | Order delivery (post-launch) |
| Accounting | Spanish gestoría / accounting software | Tax and financial compliance |
5.2 Group Companies
Personal data may be shared between Tasting And Toasting Inc. (Delaware, USA) and Tasting And Toasting SL (Valencia, Spain) as part of group operations. International transfers between these entities are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
5.3 Authorities
We may disclose personal data to public authorities (tax authorities, courts, regulatory bodies including AEPD, Hacienda) when required by law, court order, or formal legal request.
5.4 Business Transfers
In the event of a merger, acquisition, sale of assets, or insolvency, your personal data may be transferred as part of such transaction, subject to ongoing protection equivalent to this Policy.
5.5 What We Do NOT Do
- We do not sell your personal data to third parties
- We do not share your individual data with winery partners or advertisers
- We do not engage in cross-context behavioral advertising based on your activity
6. International Data Transfers
Some of our service providers may process personal data outside the European Economic Area (EEA), including in the United States. When we transfer personal data outside the EEA, we ensure appropriate safeguards under Chapter V GDPR:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
- Adequacy decisions where applicable (e.g., EU-US Data Privacy Framework for certified providers)
- Supplementary technical and organizational measures (encryption in transit and at rest)
You may request a copy of the safeguards in place for any specific transfer by contacting info@tastingandtoasting.com.
7. Data Retention Periods
| Data category | Retention period |
|---|---|
| Waitlist data (pre-launch) | Until launch + 6 months, or until you unsubscribe |
| Account data | Duration of account + 3 years after closure (Spanish commercial law) |
| Order and transaction data | 6 years (Spanish commercial law and tax requirements) |
| Marketing consent records | Until consent is withdrawn + 3 years (proof of consent) |
| Server logs and analytics (raw) | 90 days, then anonymized |
| Customer support correspondence | 3 years from last contact |
| Cookie consent records | 12 months or until withdrawal |
| Age verification records | Duration of account + 5 years (alcohol regulations) |
After the retention period expires, data is either deleted or anonymized. Aggregated, anonymized data may be retained indefinitely for analytical purposes, as it no longer constitutes personal data.
8. Your Rights as a Data Subject
Under GDPR Articles 15-22 and the LOPDGDD, you have the following rights regarding your personal data:
8.1 Right of Access (Article 15 GDPR)
Obtain confirmation of whether we process your personal data, and access to that data, including the purposes, categories, recipients, retention period, and your other rights.
8.2 Right to Rectification (Article 16 GDPR)
Request correction of inaccurate or incomplete personal data we hold about you.
8.3 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)
Request deletion of your personal data when one of the legal grounds applies (no longer necessary for the purposes, you withdraw consent and there is no other legal basis, you object to processing, etc.).
8.4 Right to Restriction of Processing (Article 18 GDPR)
Request that we limit processing of your data in certain circumstances.
8.5 Right to Data Portability (Article 20 GDPR)
Receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
8.6 Right to Object (Article 21 GDPR)
Object at any time to processing based on legitimate interests, including profiling. For direct marketing purposes, your right to object is absolute.
8.7 Right to Withdraw Consent (Article 7(3) GDPR)
Withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.
8.8 Rights Under Spanish Law (LOPDGDD Articles 79-97)
- Right to digital education
- Right to digital disconnection
- Right to update of personal data in digital media
- Right to be forgotten in internet searches and on social media
- Right to digital testament
8.9 How to Exercise Your Rights
To exercise any of these rights, contact info@tastingandtoasting.com. We will respond within one (1) month, extendable by two (2) additional months for complex requests, in accordance with Article 12 GDPR. We may request reasonable identification to verify your identity before processing the request.
8.10 Right to Lodge a Complaint
You have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos):
- Website: www.aepd.es
- Address: C/ Jorge Juan, 6, 28001 Madrid, Spain
- Phone: +34 901 100 099 / +34 91 266 35 17
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Article 32 GDPR:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls and principle of least privilege
- Multi-factor authentication for administrative access
- Regular security audits and vulnerability assessments
- Logging and monitoring of access to personal data
- Vendor due diligence and Data Processing Agreements with all processors
- Incident response procedures and breach notification protocols
- Regular backups with encryption
- Employee training on data protection
In the event of a personal data breach likely to result in high risk to your rights and freedoms, we will notify you and the AEPD within 72 hours as required by Articles 33-34 GDPR.
10. Automated Decision-Making and Profiling
We do not engage in solely automated decision-making with legal or similarly significant effects on you (Article 22 GDPR).
Limited profiling occurs for the following purposes, with appropriate safeguards:
- Wine recommendations based on your tasting history (you can opt out)
- Fraud detection (low-risk classification only)
- Aggregated analytics for service improvement (anonymized)
You have the right to obtain human intervention, express your point of view, and contest any automated decision. AI-based features comply with the EU AI Act where applicable.
11. Children's Privacy
Our Service is intended for adults aged 18 or older, given its alcohol-related nature. We do not knowingly collect personal data from minors under 18.
Under Article 7 LOPDGDD, the minimum age for valid consent for digital services in Spain is 14. However, due to the alcohol-related nature of our Service, we apply a strict 18+ requirement enforced through:
- Date of birth verification at registration
- Age verification at delivery (ID check by courier)
- Compliance with Spanish alcohol sales regulations
If we become aware that we have inadvertently collected data from a minor under 18, we will delete it promptly. If you believe we hold data of a minor, contact info@tastingandtoasting.com.
12. Cookies and Tracking Technologies
Detailed information about cookies and similar technologies is provided in our separate Cookie Policy, available at tastingandtoasting.com/cookies. Non-essential cookies are activated only with your prior, informed consent in accordance with Article 22.2 LSSI-CE and AEPD Cookie Guidelines.
13. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be notified to you by:
- Email notification (if you have provided your email)
- Prominent notice on the website
- Update to the "Effective Date" at the top of this Policy
Material changes affecting your rights become effective only after a reasonable notice period (typically 30 days). Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
14. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices:
Privacy contact: info@tastingandtoasting.com
General contact: info@tastingandtoasting.com
Postal address: Tasting And Toasting SL, [Valencia address, TO BE COMPLETED]
This Privacy Policy was last updated on [DATE]. A Spanish-language version is available at tastingandtoasting.com/privacidad. In case of inconsistency between language versions, the [English / Spanish, TO BE DECIDED] version prevails.
© Tasting And Toasting Inc. and Tasting And Toasting SL. All rights reserved.