Privacy Policy

Effective: May 26, 2026

This Privacy Policy describes how Bottle Scout ("we", "us", "our") collects, uses, and protects your personal information when you use our Service at bottlescout.io and app.bottlescout.io.

1. Information We Collect

Information You Provide

  • Email address (required for account creation)
  • First name and last name (required at signup)
  • Password (stored as a one-way hash by our authentication provider, Outseta — we never see your plaintext password)
  • Discord user ID (when you authorize Discord connection)
  • Mobile phone number (optional, only if you enable SMS alerts on the Barrel Proof tier)
  • Bottle and store preferences (which bourbons and locations you want alerts for)
  • Payment information (handled directly by Stripe — we do NOT store full card numbers; we receive only the last 4 digits and card brand for receipts)

Automatically Collected

  • IP address and approximate geographic location (city/region level)
  • Browser type, operating system, device type
  • Pages visited, links clicked, time spent on pages
  • Referrer URL (the site that linked you to us)

From Third Parties

  • Outseta provides us with your authenticated identity and subscription status
  • Stripe provides us with your subscription billing status
  • Discord provides us with your verified Discord user ID after you authorize the connection

2. How We Use Your Information

We use your information to:

  • Deliver real-time inventory alerts you've subscribed to
  • Process and manage your subscription
  • Send you account-related emails (confirmations, password resets, billing receipts, service announcements)
  • Communicate with you about your account
  • Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations
  • Improve the Service through aggregated, anonymized metrics

We do NOT:

  • Sell your personal data to third parties
  • Use your data for advertising or marketing on third-party platforms
  • Share your data with retailers, distilleries, or other alcohol-industry parties
  • Store credit card numbers ourselves

3. Third-Party Services

We use the following third-party services that may process your data. Each has its own privacy practices, listed at the links below:

4. Data Retention

  • Account data: retained while your account is active and for 90 days after cancellation, then permanently deleted (except as required by law for tax/accounting records, which may be retained for up to 7 years)
  • Email and server logs: retained 30 days
  • Inventory alert history: retained 12 months for service-improvement analytics, then deleted
  • Discord chat history: governed by Discord's own retention policies, not ours

5. Cookies

We use essential cookies for:

  • Outseta authentication (so you stay signed in across sessions)
  • Stripe payment session (during checkout only)
  • Cloudflare bot protection

We do NOT use marketing/advertising cookies, third-party tracking pixels, or analytics that profile individual users. We may add Cloudflare's privacy-friendly aggregate analytics in the future.

You can disable cookies in your browser, but doing so will prevent login.

6. Your Rights

Regardless of where you live, you may:

  • Access the data we hold about you (request via email)
  • Correct inaccurate data (update directly in your account, or request via email)
  • Delete your account and all associated personal data (subject to legal retention)
  • Export your data in a machine-readable format (request via email)
  • Opt out of non-essential communications (unsubscribe link in every marketing email)

GDPR (EU/UK residents): you also have the right to restrict processing, object to processing, and lodge a complaint with a supervisory authority.

CCPA (California residents): you have the right to know what categories of personal information we collect, the right to opt out of "sales" (we do not sell data), and the right to request deletion.

To exercise any of these rights, email [email protected].

7. Children

The Service is intended only for users 21 years of age or older. We do not knowingly collect personal information from anyone under 21. If you believe a minor has provided us information, contact us immediately and we will delete it.

8. Security

We use industry-standard security measures including TLS encryption in transit, hashed passwords, secrets stored as environment variables (never in code or logs), and access controls limiting who can view personal data. No system is 100% secure; we cannot guarantee absolute security.

9. International Transfers

Bottle Scout's servers are located in the United States. If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S., which may have different data protection laws than your home country.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before they take effect. The "Effective" date at the top of this page reflects the latest version.

11. Contact

Privacy questions, data requests, or concerns: [email protected]