Somma Privacy Policy

Effective Date: May 19, 2026
Last Updated: May 19, 2026

Somma is operated by Vima Development, Inc., a Delaware corporation ("Vima," "we," "us," or "our"). This Privacy Policy explains what information we collect when you use the Somma mobile application (the "App"), how we use it, who we share it with, and the choices you have.

By using Somma, you agree to the practices described here. If you don't agree, please don't use the App.

What we collect

We only collect the information needed to run the App and personalize your experience.

Account information. When you create an account, we collect your email address and password. You also choose a username and display name, which are visible to other users.

Profile and taste data. Onboarding includes a short taste quiz; your responses, plus any ratings or preferences you set later, are stored as a "taste profile" and used to personalize recommendations. You also provide a date of birth (used to confirm you meet the age requirement to use Somma) and may add an optional profile photo.

Wine logs and journal content. When you log a wine, we store the wine details, your rating, tasting notes, occasion notes, optional photos, and an optional venue tag. This is your journal — you control what you log and what stays private.

Photos. You can take or upload photos of wine bottles, labels, and menus. Menu and label photos are sent to our AI provider for text extraction (described below). Photos are stored in our backend and tied to your account.

Approximate location. When you choose to tag a venue on a wine log, we request location permission and use your approximate location (accurate to roughly 100 meters) to suggest nearby restaurants, bars, and wine shops via Google Maps Platform. We do not track your location continuously or in the background.

Social activity. Follows, follow requests, likes, comments, and posts you make are stored to power the social features of the App. Visibility depends on your privacy settings.

Notifications. If you grant notification permission, we receive a push token tied to your device. This token is used solely to deliver notifications about your account activity (new followers, likes, comments, follow requests).

Usage analytics (only with your consent). If you opt in to analytics during onboarding, we record product-usage events — screens visited, taps, feature usage — to understand how Somma is used and to improve it. You can opt out at any time from in-app settings. Without your consent, no analytics events are collected.

Diagnostic logs. We collect a limited stream of in-app and server-side event logs (errors, request timing, feature outcomes) to debug issues and improve reliability. These logs can be tied to your account so we can investigate problems you report.

Contacts (only when you opt in). If you tap "Sync contacts" in the friend-discovery feature, the App requests permission to read your device's contact list. Phone numbers from your contacts are SHA-256 hashed on your device before being sent to our servers; we use those hashes to find existing Somma users whose own (also hashed) phone numbers match. We do not store your contact list, do not transmit raw phone numbers, and do not retain the inbound hashes after the matching query completes. You can revoke contacts permission at any time in iOS Settings.

Your phone number (only if you provide it). Friend discovery also allows you to add your own phone number so other Somma users with you in their contacts can find you. Your phone number is SHA-256 hashed on your device; we only store the hash, never the plaintext number. You can remove the hash at any time from Privacy & Security in the App.

What we do not collect

We do not collect:

  • Phone numbers, physical addresses, financial information, health or fitness data, contact lists, or browsing history outside the App.
  • Precise background location, or location data when the App is not in use.
  • Any data through third-party advertising or attribution SDKs. Somma contains no advertising.
  • An IDFA (Apple's advertising identifier) or any cross-app tracking identifier.

We do not sell your personal information. We do not share it with data brokers.

Service providers we use

To run the App, we share certain data with the following processors, each operating under their own privacy and security commitments:

  • Supabase, Inc. — Hosts our database, authentication, file storage, and serverless functions. Effectively all data described above is stored and processed via Supabase on our behalf.
  • Anthropic, PBC — Powers AI features including personalized recommendations, menu and label text extraction from photos, and natural-language descriptions of wines. When you use these features, we send the relevant inputs (taste-profile signals, wine names, photo content) to Anthropic's API. Per Anthropic's terms, your inputs are not used to train Anthropic's models.
  • Google LLC (Google Maps Platform / Places API) — Provides venue and place lookups when you tag a wine log location. We send the search query and approximate coordinates; results are returned to the App.
  • Resend, Inc. — Sends transactional and waitlist emails (e.g., account confirmations, waitlist approval notifications).
  • Expo (650 Industries, Inc.) — Provides the build, update, and push-token infrastructure for the App.
  • Apple, Inc. (Apple Push Notification Service) — Delivers push notifications from our backend to your device.

We may also disclose information when required by law, to protect rights or safety, or in connection with a corporate transaction such as a sale or merger. In any such case, we will require recipients to honor this policy or we will notify you of any changes.

How long we keep data

We keep your account data as long as your account is active. If you delete your account, we delete or anonymize your personal data within 90 days, except where we are required to retain it by law (for example, tax, legal-claim, or fraud-prevention obligations). Diagnostic logs are typically retained for up to 12 months before deletion.

Your rights and choices

Regardless of where you live, you can:

  • View or edit your profile, taste data, logs, and follows in the App.
  • Delete your account from in-app settings; this initiates deletion of your data per the retention schedule above.
  • Withdraw analytics consent at any time in settings.
  • Revoke permissions (camera, photos, location, notifications) through your device's system settings.

California residents (CCPA/CPRA). You have the right to know what categories of personal information we collect, the purposes of processing, the right to access and request deletion of that information, and the right not to be discriminated against for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising.

EU/EEA/UK residents (GDPR/UK GDPR). You also have the right to data portability, to object to or restrict certain processing, and to lodge a complaint with your local supervisory authority. Our legal bases for processing are your consent (for analytics), performance of our contract with you (for core App functionality), and our legitimate interests (for security and improvement). To exercise these rights, email us at the address below.

We respond to verifiable requests within 45 days.

Children

Somma is intended for users 17 years of age or older and references alcohol throughout. We do not knowingly collect personal information from anyone under 17. If you believe a child has provided us information, please contact us so we can remove it.

Security

We use industry-standard safeguards including encryption in transit, encryption at rest for stored content, and access controls on our backend. No system is perfectly secure; please use a strong, unique password for your account.

International data transfers

Somma is operated from the United States. If you use the App from outside the U.S., your information will be transferred to and processed in the United States and other countries where our service providers operate. We rely on appropriate safeguards (such as Standard Contractual Clauses) for international transfers where required by law.

Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you in the App or by email, and we will update the "Last Updated" date above. Continued use of Somma after a change means you accept the updated policy.

Contact

Privacy questions, requests, or complaints:

Vima Development, Inc.
Attn: Privacy
cheers@sommaapp.com