Privacy Policy
Corki · Last updated: 23 March 2026
This Privacy Policy explains how Corki (“we”, “us”, or “our”) collects, uses, and protects your information when you use the Corki mobile application (“App”) or visit our website at getcorki.com (“Website”), including the waitlist sign-up form. By using the App or Website you agree to this policy.
1. Who We Are
Corki is an AI-powered wine assistant operated from Australia. We are the data controller for the personal information described in this policy.
Privacy enquiries: privacy@corki.app
2. Information We Collect
2.1 App — Information You Provide
- Chat messages and questions you send to Corki
- Wine label images you photograph or upload
- Wine cellar data you enter (bottle names, quantities, notes)
- Palate preferences and tasting notes
2.2 App — Automatically Collected
- Device information: device model, OS version, app version, device locale
- Usage analytics: features used, screens viewed, session frequency and duration — collected via TelemetryDeck (see §6)
- Error and crash reports: to diagnose and fix technical issues
- Purchase data: subscription status and transaction identifiers via Apple and RevenueCat (see §6)
2.3 Website — Waitlist
If you sign up to the Corki waitlist at getcorki.com, we collect your email address. This is used solely to notify you when Corki launches or updates become available. The website itself does not use any additional analytics tools.
Our website is hosted on Vercel, which processes web traffic as part of our hosting infrastructure (see §6).
2.4 Information We Do Not Collect
- We do not require account registration in the App
- We do not collect precise GPS location
- We do not collect contact lists, health records, or financial information beyond subscription status
3. Legal Basis for Processing
For users in the European Economic Area (EEA) and UK, we rely on the following legal bases under GDPR Article 6:
| Data | Purpose | Legal basis |
|---|---|---|
| Chat messages | Provide AI responses | Art. 6(1)(b) — contractual necessity |
| Chat messages | Service improvement & analytics | Art. 6(1)(a) — consent |
| Wine preferences & cellar data | Personalisation | Art. 6(1)(f) — legitimate interest |
| Wine preferences & cellar data | Aggregate trend analysis | Art. 6(1)(a) — consent |
| Usage analytics & device info | App stability & improvement | Art. 6(1)(f) — legitimate interest (AU); Art. 6(1)(a) — consent (EEA) |
| Error & crash reports | Diagnosing technical issues | Art. 6(1)(f) — legitimate interest |
| Email address (waitlist) | Launch notifications | Art. 6(1)(a) — consent |
| Label images | Identifying wines for you | Art. 6(1)(b) — contractual necessity |
| Label images | AI model improvement | Art. 6(1)(a) — consent |
| Subscription data | Entitlement & billing | Art. 6(1)(b) — contractual necessity |
Where we rely on legitimate interest, you have the right to object at any time (see §8). Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing (see §8).
4. How We Use Your Information
- Provide, personalise, and improve the App and its AI responses
- Process your in-app subscription and restore purchases
- Send waitlist notifications (Website)
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Communicate with you if you contact us for support
We do not use your data for third-party advertising, sell your personal information, or use it for any purpose incompatible with the above.
5. AI Processing & Automated Decision-Making
Corki uses OpenAI to generate wine information and answer your questions. Content you submit (chat messages, label images) is transmitted to OpenAI's servers for processing. OpenAI acts as a data sub-processor bound by contract to process data only to provide the API service. OpenAI does not use API data to train its models by default.
Automated decision-making (GDPR Art. 22): Corki uses AI to generate personalised wine recommendations based on your preferences and cellar data. These recommendations are informational and do not produce legal or similarly significant effects. You can turn off personalisation by deleting your preference data in the App settings.
OpenAI's privacy policy: openai.com/policies/privacy-policy
6. Sub-Processors
We use the following third-party processors to operate the App and Website:
| Processor | Purpose | Data location |
|---|---|---|
| OpenAI | AI response generation | United States |
| RevenueCat | Subscription management | United States |
| Neon | Database hosting | Australia (ap-southeast-2) |
| Resend | Transactional email (waitlist) | United States |
| TelemetryDeck | Privacy-first app analytics | Germany / EU |
| Vercel | Website hosting & CDN | United States (edge) |
In-app subscription payments are processed entirely by Apple; payment details are never visible to us. RevenueCat receives only anonymised transaction identifiers. RevenueCat's privacy policy: revenuecat.com/privacy
7. International Data Transfers
Our primary database is hosted with Neon in Australia (ap-southeast-2), keeping most personal data on Australian soil. However, some processors listed in §6 are based in the United States:
- OpenAI — chat messages and label images are sent to US servers for AI processing
- RevenueCat — subscription identifiers transferred to US
- Resend — your email address is transferred to US to send waitlist notifications
- Vercel — website traffic is routed through US-based edge infrastructure
Where EEA or UK personal data is transferred to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our Data Processing Agreements with each processor, as the transfer safeguard under GDPR Chapter V. You may request a copy of applicable SCCs by emailing privacy@corki.app.
Transfers from Australia to overseas recipients are made on the basis that equivalent protections apply under the recipient's applicable law or contractual obligations (APP 8).
8. Data Retention
| Data type | Retention period |
|---|---|
| Chat data (service) | 12 months; anonymised thereafter for aggregate analytics |
| Wine cellar & preference data | Lifetime of account; deleted within 30 days of account deletion request |
| Usage analytics | 24 months rolling |
| Crash & error reports | 90 days |
| Waitlist email addresses | Until 6 months after general launch, or until you unsubscribe |
| Account data | Deleted within 30 days of a deletion request |
| Subscription data | As required by Apple / RevenueCat for billing and dispute resolution (typically 7 years) |
9. Data Security
We use industry-standard security measures including HTTPS encryption for all data in transit and access controls on our database. No method of transmission or storage is 100% secure; we take reasonable steps to protect your information but cannot guarantee absolute security.
10. Your Rights
10.1 All Users
- Access — request a copy of personal information we hold about you
- Correction — request correction of inaccurate information
- Deletion — request deletion of your data (subject to legal obligations)
- Consent withdrawal — withdraw any consent you have given at any time (see below)
10.2 EEA & UK Users (GDPR)
- Right to object — object to processing based on legitimate interest (Art. 6(1)(f)); we will cease unless we demonstrate compelling legitimate grounds
- Restriction — request restriction of processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Lodge a complaint — with your local data protection authority (e.g. ICO in the UK, your national DPA in the EEA)
10.3 Australian Users (Privacy Act)
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you may access and correct personal information we hold. You may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Web: oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
10.4 California Users (CCPA)
California residents have the right to know what personal information is collected, to request deletion, and to opt out of sale. We do not sell personal information.
Exercising Your Rights & Withdrawing Consent
To exercise any right or withdraw consent:
- In-App: go to Settings → Privacy → Manage Data to delete your data or toggle analytics consent
- Email: privacy@corki.app
- Waitlist: use the unsubscribe link in any email we send
We will respond within 30 days. Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal.
11. Children
Corki is intended for users aged 18 and over. We do not knowingly collect information from anyone under 18. If you believe a minor has provided us with personal information, please contact us and we will delete it promptly.
12. Third-Party Links
The App and Website may link to third-party content. We are not responsible for the privacy practices of any third-party websites or services.
13. Changes to This Policy
We may update this policy from time to time. We will post the revised policy here and update the “Last updated” date above. For material changes, we will notify App users via an in-app notice. Continued use after changes constitutes acceptance of the updated policy.
14. Contact
Privacy questions or requests: privacy@corki.app