Privacy Notice

This site is operated by Profound Labs Ltd., a company registered in England & Wales at 76 Franciscan Road, London, England, SW17 8HH. For the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018), we are the “data controller” of personal data collected through cellartag.io.

For any privacy questions or to exercise your rights, contact us at [email protected].

We only collect personal data that you actively give us, plus a small amount needed to keep the site running.

Waitlist sign-ups

When you join our waitlist we collect:

• your email address;
• your answers to a short survey (collection size, current tracking tool, whether you still use it, and any feedback you choose to share).

Purpose: to email you when CellarTag launches and to understand what we should build first. Lawful basis: your consent (UK GDPR Art. 6(1)(a)), given when you press “Join Waitlist”. You can withdraw it at any time by emailing the address above.

Technical data

Like every website, our hosting and security providers automatically receive your IP address, user-agent string and request metadata when you visit. Lawful basis: our legitimate interests (UK GDPR Art. 6(1)(f)) in keeping the site secure and operational.

• Waitlist data: until launch + 12 months, or until you ask us to delete it — whichever comes first.
• Server logs from our hosting providers: typically up to 30 days.

We don’t sell or rent your data. We do use a small set of trusted processors to run the service:

• Cloudflare, Inc. — hosts the marketing site and provides bot/DDoS protection.
• Google Cloud (Cloud Run) — runs our backend API in the EU region.
• Neon, Inc. — managed Postgres database where waitlist entries are stored.

Each of these providers acts as a processor under a Data Processing Agreement and only processes your data on our instructions.

Some of our processors are based in the United States. Where your personal data leaves the UK, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or an equivalent adequacy mechanism, to protect it.

We do not use analytics, advertising or tracking cookies. We do not load Google Fonts, Google Analytics, Meta Pixel or similar third-party scripts. The only cookies you may encounter are strictly-necessary cookies set automatically by Cloudflare to protect the site against bots and abuse:

• __cf_bm — bot-management challenge token, expires after 30 minutes of inactivity.
• cf_clearance — verification cookie set after a successful security challenge.

Under PECR Regulation 6, strictly-necessary cookies don’t require your consent, but we list them here for transparency. We don’t store anything in your browser’s local storage or session storage.

Under UK GDPR you have the right to:

• access the personal data we hold about you;
• have it corrected if it’s wrong;
• have it deleted;
• object to or restrict our processing;
• receive your data in a portable format;
• withdraw consent at any time (without affecting processing already carried out).

To exercise any of these, email [email protected]. We’ll respond within one month.

If you’re not happy with how we’ve handled your data, you can complain to the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint or call 0303 123 1113. We’d appreciate the chance to put things right first — please get in touch with us before going to the ICO.

If we make material changes we’ll update the date at the top of this page and, where appropriate, email existing waitlist members.