Privacy Policy

With this Privacy Policy, we provide information about the processing of personal data in connection with our activities and operations, including our app «HiddenWines» and our website. We specifically provide information about the purposes, methods, and locations where we process personal data. Additionally, we provide information about the rights of individuals whose data we process.

For additional or specific activities and operations, we may publish further privacy policies or other data protection information.

We are subject to Swiss data protection law as well as, where applicable, foreign data protection laws, such as the European General Data Protection Regulation (GDPR).

On July 26, 2000, the European Commission decided that Swiss data protection law ensures an adequate level of data protection. In its report of January 15, 2024, the European Commission confirmed this adequacy decision.

1. Contact Addresses

Responsible for the processing of personal data:

Winfora AG
Limmatquai 112
8001 Zürich
Switzerland

info@hiddenwines.ch

In individual cases, third parties may be responsible for processing personal data, or there may be joint responsibility with third parties.

Data Protection Representative in the European Economic Area (EEA)

We have designated the following Data Protection Representative in the European Economic Area (EEA):

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany

info@datenschutzpartner.eu

The Data Protection Representative serves as an additional contact point for data subjects and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) for inquiries related to the GDPR.

2.1 Terms

Data Subject: A natural person whose personal data we process.

Personal Data: All information related to an identified or identifiable natural person.

Processing: Any handling of personal data, regardless of the means and procedures used, including acquiring, adapting, archiving, arranging, collecting, deleting, destroying, disclosing, disseminating, linking, matching, modifying, organizing, querying, recording, retrieving, revealing, storing, and using personal data.

European Economic Area (EEA): Member states of the European Union (EU) as well as Iceland, Norway, and the Principality of Liechtenstein.

We process personal data in accordance with Swiss data protection law, especially the Federal Act on Data Protection (Data Protection Act, FADP) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

If and to the extent that the European General Data Protection Regulation (GDPR) is applicable, we process personal data in accordance with at least one of the following legal bases:

3. Type, Scope, and Purpose of Processing Personal Data

We process the personal data that is necessary to carry out our activities and operations sustainably, humanely, securely, and reliably. The personal data processed may fall particularly into categories such as browser and device data, communication data, content data, contract data, location data, master data including inventory and contact data, metadata, payment data, transaction data, and usage data.

We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the course of our activities, provided that such processing is legally permissible.

We process personal data as necessary, with the consent of the data subjects. In many cases, we may process personal data without consent, for example, to comply with legal obligations or to safeguard overriding interests. We may also seek consent from data subjects when it is not strictly necessary.

We process personal data for the duration required for the respective purpose. We anonymize or delete personal data particularly in accordance with statutory retention and limitation periods.

4. Disclosure of Personal Data

We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties include specialized service providers whose services we utilize.

We may disclose personal data, for example, to authorities, banks and other financial service providers, consultants and lawyers, cooperation partners, credit and business information agencies, educational and research institutions, insurers, interest groups, IT service providers, logistics and shipping companies, marketing and advertising agencies, media, organizations and associations, social institutions, and telecommunications companies.

5. Communication

We process personal data to communicate with third parties. In this context, we particularly process data provided by a data subject when contacting us, for example, by postal mail or email. We may store such data in an address book or similar tools.

Third parties who transmit data about other individuals are obligated to ensure data protection for those individuals. This includes, among other things, ensuring the accuracy of the transmitted personal data.

6. Data Security

We implement appropriate technical and organizational measures to ensure data security commensurate with the respective risks. Our measures particularly ensure the confidentiality, availability, traceability, and integrity of the processed personal data, although we cannot guarantee absolute data security.

Access to our app, our website, and other online presence occurs via transport encryption (SSL / TLS, particularly with Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn against visiting websites without transport encryption.

Our digital communication is subject – as virtually all digital communication – to mass surveillance without cause or suspicion by security authorities in Switzerland, other parts of Europe, the United States of America (USA), and other countries. We have no direct influence over the processing of personal data by intelligence agencies, police, and other security authorities. We also cannot rule out targeted surveillance of a specific data subject.

7. Personal Data Abroad

We primarily process personal data in Switzerland and the European Economic Area (EEA). However, we may export or transfer personal data to other countries, particularly to process it or have it processed there.

We may export personal data to any country on earth and elsewhere in the universe, provided that the respective legal framework ensures an adequate level of data protection according to a decision by the Swiss Federal Council and – if and to the extent that the General Data Protection Regulation (GDPR) applies – also according to a decision by the European Commission guaranteeing adequate data protection.

We may transfer personal data to countries that do not provide an adequate level of data protection, provided that data protection is ensured for other reasons, particularly on the basis of standard contractual clauses or other suitable safeguards. In exceptional cases, we may export personal data to countries without adequate or appropriate data protection if the specific data protection requirements are met, such as the explicit consent of the data subjects or a direct connection to the conclusion or performance of a contract. We are happy to provide data subjects with information on request regarding any guarantees or provide a copy of any guarantees.

8. Rights of Data Subjects

8.1 Data Protection Claims

We grant data subjects all claims in accordance with applicable data protection law. Data subjects have, in particular, the following rights:

We may delay, limit, or deny the exercise of data subject rights to the extent permitted by law. We may inform data subjects of any requirements they must fulfill to exercise their data protection rights. For example, we may deny access in whole or in part by citing confidentiality obligations, overriding interests, or the protection of others. We may also refuse the deletion of personal data, particularly by citing statutory retention requirements.

We may exceptionally charge costs for the exercise of rights. We inform data subjects in advance of any potential costs.

We are required to reasonably identify data subjects who request information or assert other rights. Data subjects are obliged to cooperate in this process.

Data subjects have the right to enforce their data protection claims through legal action or to file a report or complaint with a data protection supervisory authority.

The data protection supervisory authority for private controllers and federal agencies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some EEA member states, data protection supervisory authorities are organized federally, particularly in Germany.

9. Notifications and Communications

9.1 Performance and Reach Measurement

Notifications and communications may include weblinks or tracking pixels that record whether a particular communication has been opened and which weblinks were clicked. Such weblinks and tracking pixels can also record the usage of notifications and communications on a personal basis. We need this statistical tracking of usage for performance and reach measurement to send notifications and communications effectively and humanely, as well as sustainably, securely, and reliably, according to the needs and reading habits of the recipients.

You must generally consent to the use of your email address and other contact details unless their use is permissible for other legal reasons. We may use the "double opt-in" procedure to obtain consent, if necessary, where you receive a notification with instructions for double confirmation. We may log the obtained consent, including IP address and timestamp, for evidence and security purposes.

You can generally object to receiving notifications and communications, such as newsletters, at any time. With such an objection, you can also object to the statistical tracking of usage for performance and reach measurement. Required notifications and communications related to our activities and operations remain reserved.

10. Social Media

We maintain a presence on social media platforms and other online platforms to communicate with interested individuals and inform them about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC), terms of use, privacy policies, and other provisions of the individual operators of such platforms are applicable. These provisions specifically inform data subjects about their rights directly vis-à-vis the respective platform, including, for example, the right to access.

11. Third-Party Services

We use services from specialized third parties to carry out our activities and operations sustainably, humanely, securely, and reliably.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in aggregated, anonymized, or pseudonymized form. This includes, for example, performance or usage data needed to provide the respective service.

12. Final Notes on the Privacy Policy

We may update this Privacy Policy at any time. We will provide information about updates in an appropriate manner, particularly by publishing the current Privacy Policy in our app and on our website.