Paul Caputo

Privacy Policy

Last updated: 26 April 2026

This page explains what personal data paulcaputo.wine collects, why, who has access to it, and the rights you have over it. The site is run by Paul Caputo as a personal wine-criticism business based in the United Kingdom. If you have any question about your data, the fastest way to reach me is paul@paulcaputo.wine.

Who is the data controller?

Paul Caputo, trading as paulcaputo.wine, is the data controller for any personal data described on this page. Contact: paul@paulcaputo.wine.

What data I collect

The site only collects data you actively give me, in three contexts:

  • When you create an account: name, email address, hashed password (I never see your plaintext password), and your audience choice (consumer or wine professional). Consumers also choose a country and may add a city and a mailing-list preference.
  • When you register a business or claim a producer / Wine People profile: the information you provide on the form, plus the email address tied to your account.
  • When you submit a sample: any details you fill in (wine, vintage, dispatch date, tracking number).

The site does not use marketing trackers, advertising cookies, or third-party analytics that identify visitors. It does set a small session cookie to keep you signed in.

Why I collect it (lawful basis)

  • To run your account — sign-in, password reset, email verification, claim and sample workflows. Lawful basis: contract.
  • To send you the occasional newsletter, only if you ticked the mailing-list box. Lawful basis: consent. You can withdraw consent at any time from your account settings or via the unsubscribe link in any email.
  • To process payments if you upgrade to a paid subscription (Reader, Trade, Producer tiers). Lawful basis: contract. Payment data is handled by Stripe; I never see your card number.

Who else sees your data (sub-processors)

I keep the list of third-party services short and trusted. Each acts as a data processor:

  • Amazon Web Services (AWS Lightsail) — hosts the database. Region: London, United Kingdom.
  • Vercel — hosts the website application code. No data is stored on Vercel; it queries the AWS database for each request.
  • SendGrid (Twilio) — sends transactional and newsletter emails on my behalf.
  • Stripe — processes payments if you subscribe to a paid tier. Stripe sees your payment details directly; I do not.

Where your data is stored

The database is hosted in the United Kingdom (AWS London region). Where a sub-processor (e.g. SendGrid, Stripe) is based outside the UK/EEA, transfers are governed by Standard Contractual Clauses or other equivalent legal mechanisms.

How long I keep it

  • Active accounts: for as long as your account exists. You can delete your account at any time (this feature is being added shortly — until then, email me and I will delete it manually).
  • Mailing-list subscribers: until you unsubscribe.
  • Payment records: retained for six years for UK tax and accounting compliance, after which they are deleted.

Your rights

Under UK GDPR you have the right to:

  • access the data I hold about you;
  • correct anything that’s wrong;
  • have your data deleted (the “right to be forgotten”);
  • export your data in a portable format;
  • object to its use, or restrict its processing;
  • complain to the Information Commissioner’s Office (ico.org.uk) if you think I’ve handled your data unfairly.

To exercise any of these rights, email me at paul@paulcaputo.wine. I will respond within 30 days.

Cookies

I use one essential cookie — the session cookie that keeps you signed in after you log in. It does not track you across other sites. The site does not use third-party advertising or analytics cookies.

Children

paulcaputo.wine is intended for adults. Accounts should not be created by anyone under 18. If you believe a child has created an account, email me and I will delete it.

Changes to this policy

If this policy changes meaningfully, I’ll update the “Last updated” date at the top and, where the change affects how I use existing data, I’ll let registered users know by email.


This document is intended to be plain-language and is not a substitute for legal advice. If you have a specific concern about how your data is handled, please email me.