Legal
Privacy Policy
Last updated: May 16, 2026
Overview
Palate Party operates palateparty.net and the Palate Party mobile application (together, the “Service”). This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have over your data.
We built Palate Party on a simple principle: your taste data belongs to you. We collect only what we need to operate the Service and improve your experience. We do not sell your personal information.
Information we collect
Information you give us directly
- Account information — your name and email address when you create an account or subscribe.
- Shipping address — collected at checkout and used solely to ship your box. We use Google Maps Platform’s Address Validation API to validate US addresses.
- Payment information — processed entirely by Stripe. We never see or store your card number, expiry, or CVV. We retain only a Stripe customer ID and the last four digits of your card for display purposes.
- Tasting ratings and notes — star ratings, attribute scores (such as sweetness or carbonation), free-text tasting impressions, and rankings you submit during a party session.
- Taste profile responses — optional answers to in-app questions about your drink personality, consumption context, and demographic cohort (stored as a range, not an exact value). These questions are clearly labeled as optional and may be skipped at any time.
- Communications — any messages you send us by email or through the app.
Information collected automatically
- Tasting behavior data — your rankings, ratings, attribute scores, session interactions, and timing during tasting parties. This data is stored separately from your personal information (see Data Architecture below).
- Device and app data — device type, operating system version, app version, and crash reports, collected via Sentry for error monitoring.
- Usage and analytics data — screens visited, features used, session duration, and product interaction events, collected via Amplitude. This data is used to understand how the product is used and where to improve.
- Session and authentication tokens — short-lived tokens stored in secure, encrypted storage on your device to keep you signed in.
- Server logs — IP address, request timestamps, and API response codes, retained for security monitoring and infrastructure diagnostics. Logs are retained for 30 days and are not used to build individual user profiles.
Information from third parties
- Stripe — payment status, subscription state, and billing events.
- Social login providers — if you sign in with Google or Facebook, we receive your name and email from that provider. We do not receive your password or access to other data on your account.
Data architecture
We maintain a strict two-layer data model:
- Identity layer — your name, email, shipping address, and login credentials. This layer is severed when you request anonymization and fully deleted when you close your account.
- Behavioral layer — your tasting ratings, rankings, attribute scores, and session interactions. This data is tied to a pseudonymous internal identifier, never directly to your name or email. It persists after anonymization to preserve aggregate research integrity, but cannot be linked back to you once the mapping record is deleted.
Deleting the mapping record between these two layers severs the connection permanently. This design ensures your tasting history cannot be re-identified after you request anonymization or deletion.
How we use your information
- To fulfill and ship your subscription box
- To operate the tasting party experience in the app
- To send transactional emails — order confirmations, shipping notifications, sign-in magic links, and renewal reminders
- To send SMS notifications for critical account events (such as payment failures or security alerts) if you have provided a phone number
- To send service-related updates about your subscription
- To send marketing communications, where you have opted in or where permitted by applicable law. You may opt out at any time.
- To personalize your results and recommendations based on your tasting history and taste profile
- To produce aggregated, anonymized cohort intelligence for CPG brand partners, as described below
- To improve the product through aggregate analysis of tasting data
- To detect and prevent fraud, abuse, and unauthorized access
- To comply with legal obligations
We do not use your information to show you advertising. We do not sell your personal information to third parties. We do not use your data to train third-party AI models.
CPG data and brand partnerships
A core part of the Palate Party business is sharing aggregate consumer preference intelligence with food and beverage brand partners. This is part of how we keep the service running and improving. We are transparent about this practice.
Any data shared with brand partners is:
- Aggregated — never individual-level data; always combined across many users
- Completely anonymized — no names, emails, or any direct or indirect identifiers
- Cohort-level only — for example: “users aged 25–34 in the Southeast preferred X over Y in blind testing”
- Derived from behavioral data only — never from your identity layer
You have the right to opt out of having your anonymized behavioral data included in CPG partner reports. You can exercise this right at any time from your account privacy settings at palateparty.net/account or by emailing us at hello@palateparty.net. Opting out does not affect your ability to use the Service.
How we share your information
We share your information only in these circumstances:
- Service providers — companies that help us operate the Service and that process data only on our instructions. These include: Stripe (payment processing), Supabase (database and authentication), Postmark (email marketing and transactional email), Google Maps Platform (address autocomplete and validation), Firebase / APNs (push notifications), Resend (transactional email delivery), Twilio (SMS notifications), Sentry (error monitoring), Amplitude (product analytics), Axiom (structured logging), and Better Stack (uptime monitoring). Each provider receives only the data necessary for their specific function.
- CPG brand partners — as described in the CPG Data section above. Aggregated and anonymized only. No personal information is ever shared.
- Legal requirements — if required by law, court order, or to protect the rights, property, or safety of Palate Party, our users, or the public.
- Business transfers — if Palate Party is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before your personal information is transferred and a different privacy policy applies.
We never share your personal information with advertisers, data brokers, or any third party for their own marketing purposes.
Data retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:
- Account data is retained until you close your account or request deletion
- Billing records are retained for 7 years to comply with financial regulations
- Anonymized behavioral data may be retained for research and aggregate reporting purposes after your account is closed or anonymized. This data is not linked to you and cannot identify you.
- Server logs are retained for 30 days
- Database backups are retained for 30 days before being purged
Your rights
Depending on where you live, you may have the following rights regarding your personal information:
- Right to access — request a copy of all personal data we hold about you
- Right to correction — update inaccurate or incomplete information
- Right to anonymization — remove the link between your identity and your behavioral data while preserving aggregate research value
- Right to deletion — request complete deletion of your account and all associated personal data (subject to our legal retention obligations for billing records)
- Right to portability — receive your personal data in a machine-readable format
- Right to opt out of CPG reporting — opt out of having your anonymized behavioral data included in reports shared with brand partners
- Right to opt out of marketing communications — unsubscribe from marketing emails at any time via the unsubscribe link or your account settings
To exercise any of these rights, email us at hello@palateparty.net or visit your account settings at palateparty.net/account. We will respond within 30 days (or within 45 days if we notify you that additional time is needed).
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right to opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information as defined under California law. To submit a request, contact us at hello@palateparty.net.
Residents of Virginia, Colorado, Connecticut, Texas, and other US states with comprehensive privacy laws may have similar rights under their applicable state law. Contact us at hello@palateparty.net to exercise any such rights.
We will not discriminate against you for exercising any of your privacy rights.
Cookies and tracking
We use cookies and similar technologies to:
- Keep you signed in (authentication cookies)
- Remember your preferences across sessions
- Understand how users navigate the site via Amplitude analytics
- Monitor service health and detect errors via Sentry
We do not use advertising cookies or third-party tracking pixels for ad targeting. You can disable cookies in your browser settings, but doing so may affect your ability to sign in or use the Service.
Security
We take security seriously. Measures we have in place include:
- All data transmitted over HTTPS / TLS
- Payment data handled entirely by Stripe (PCI DSS compliant via SAQ A)
- Primary authentication via passwordless magic links (single-use, 15-minute expiry). Users who choose to set a password have their credentials stored using industry-standard hashing (bcrypt or Argon2) — we never store passwords in plain text
- Database access protected by row-level security policies on every table
- API keys and credentials managed via environment variables, never committed to code
- Regular automated backups with point-in-time recovery
- Rate limiting on authentication and signup endpoints to protect against brute-force attacks
No system is completely secure. If you believe your account has been compromised, contact us immediately at hello@palateparty.net.
Children's privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will delete it promptly. If you believe we have inadvertently collected such information, please contact us at hello@palateparty.net.
Users between the ages of 13 and 17 may use the app to participate as guests in a tasting party. Users must be 18 or older (or have parental consent) to purchase a subscription.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the “Last updated” date at the top of this page at least 14 days before the changes take effect. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.
For changes that materially expand how we use your personal information, we will seek your affirmative consent where required by applicable law.
Contact us
If you have questions about this Privacy Policy or how we handle your data, please contact us:
- Email: hello@palateparty.net
- Website: palateparty.net