Privacy and Cookie Policy

Privacy Notice of GRAPL

In this Privacy Notice, we describe what we do with your data when you use our website www.grapl.com and app (collectively «website»), obtain services or products from us, interact with us in relation to a contract, communicate with us or otherwise deal with us, and how you can exercise your data protection rights. We use the word «data» here interchangeably with «personal data». Personal data means any information relating to an identified or identifiable natural person. 
If you provide data to us about other individuals (e.g., family members, contact persons), we assume that you are authorized to do so and that the relevant data is accurate. Please make sure that these individuals have been informed about this Privacy Notice.
This Privacy Notice is aligned with the current and revised Swiss Federal Act on Data Protection («DPA») and the EU General Data Protection Regulation («GDPR»). However, the application of these laws depends on each individual case.

1. Who is the controller for processing your data?

GRAPL SA, Passage Saint-François 9, CH-1003 Lausanne («GRAPL», «we» or «us»), is the controller of the processing of your personal data according to this Privacy Notice.
If you have any questions about this Privacy Notice or our processing of your personal data or wish to exercise your rights under Section 13, please write to us at the following email address: privacy@grapl.com.

2. What data do we process?

 We process different categories of personal data about you. The main categories are as follows: 

  • Master data: Master data is the basic data about you, such as your title, name, contact details and date of birth. It also includes registration data (e.g., user name and password), payment information (e.g., bank details and invoice address), information about your subscription to our newsletter, as well as information about third parties involved (e.g., contact persons, representatives). We collect master data in particular when you create a GRAPL account or subscribe to our newsletter.
  • Contract data: Contract data is personal data collected in the context of the conclusion and performance of contracts, such as information on the relevant contracts (e.g., type and duration), information on the administration of contracts (e.g., contact details, delivery addresses, successful or unsuccessful deliveries, and information about payment methods), information about acquired claims and receivables, information about financial matters (e.g., reminders), information about defects and complaints, and information about customer satisfaction. We primarily conclude contracts with winemakers, contractual partners and business partners. 
  • Communication data: When you communicate with us, such as when you write to us, contact our customer service, or call us, we process the content of the communication (e.g., the content of emails, written correspondence, telephone conversations, and responses to customer surveys), as well as the metadata of those communications (e.g., the type, time, and place of the communication). This data may also include information about third parties. In some situations, we may also ask you to provide proof of your identity.
  • Technical data: When you use our website, we collect certain technical data, such as the IP address of your device, protocols in which we record the use of our systems (log files), information about your device and its configuration (e.g., operating systems and language settings), information about the browser with which you access our offerings and its configuration, your approximate location and time of use of our website, information about your actions on our website, and information about your Internet service provider. In some cases, we may also assign your device (PC, tablet, smartphone, etc.) a unique identifier (ID), for example by using cookies or similar technologies, so that we can recognize it. You can find more information on cookies and similar technologies in Section 11. Technical data generally does not allow us to infer who you are. However, technical data may be linked to other categories of data (and potentially to you), for example when you create a GRAPL account.
  • Behavioral and Preference Data: Depending on our relationship with you, we try to get to know you better and tailor our products and services to your needs. We therefore also process behavioral and preference data, such as information about your behavior on our website, including your shopping behavior (e.g., search items and results, ratings and comments submitted, shopping carts ordered and canceled, wish lists), information about your use of electronic communications (e.g., if and when you opened an email or clicked on a link), and your interactions on our social media pages. You can find more information about how we process your data on our social media pages in Section 12 and how tracking works on our website in Section 11.
  • Other data: We also collect data about you in other situations. For example, we process data that may relate to you in administrative or judicial proceedings (e.g., evidence). We may obtain or make photographs, videos and sound recordings in which you may be identifiable (e.g. with security cameras, at events, etc.). We may also collect data about who enters certain buildings and when, or who has access rights (including in connection with access controls) and who uses our infrastructure and systems and when. 
    Most of the data mentioned in this Section 2 is provided to us directly by you (e.g., when you contact us or create a GRAPL account). We may also collect data ourselves (e.g., technical data when you use our website). To the extent permitted, we may also collect data from publicly available sources (e.g., debt collection registers) or obtain data from authorities or other third parties (e.g. winemakers). 

As far as it is not unlawful, we also collect data from public sources (for example debt collection registers, land registers, commercial registers, the media, or the internet including social media) or receive data from public authorities and from other third parties (such as credit agencies, contractual partners, internet analytics services, etc.).

3. For what purposes do we process your data?

 We process your data for the following purposes:

  • Communication: We process your data for the purpose of communicating with you, e.g. to respond to your requests, to contact you in case of questions and to provide customer service. For this purpose, we use, among other things, communication data and master data. Our communication with you usually takes place in connection with other processing purposes, for example so that we can provide services or perform a contract.
  • Performance of contracts: We process your data in connection with the conclusion, administration and performance of contracts, e.g. to decide whether and how we conclude a contract with you, to deliver goods, to provide customer service and evaluate customer satisfaction and, if necessary, to assert claims arising from the contracts (debt collection, legal proceedings, etc.). For this purpose, we use master data, contract data, communication data, and behavioral and preference data, among others.
  • Market research, service improvement and product development: We seek to continually improve our products and services (including our website) and to respond quickly to changing needs. We therefore process personal data to conduct market research, improve our services and develop our products. For this purpose, we process in particular master data, behavioral and preference data, communication data, as well as information from customer surveys. As far as possible, we use pseudonymized or anonymized data for these purposes.
  • Marketing and relationship management: We process your data for marketing and relationship management purposes, for example to send you written or electronic communications and offers, and to conduct marketing campaigns. This may include our own offers or offers from our advertising partners. Like most companies, we personalize communications so that we can provide you with information and offers that are tailored to your needs and interests. For this purpose, we use in particular master data, contract data, communication data, and behavioral and preference data.
  • Compliance with legal requirements: We want to lay the foundations for compliance with legal requirements. We therefore also process personal data to comply with legal requirements, and to prevent and detect violations. This includes, for example, receiving and processing complaints, complying with judicial or administrative decisions, and detecting and investigating abuse. This may involve all categories of personal data mentioned in Section 2.
  • Other purposes: We may process your data for other purposes, for example for security and prevention purposes (e.g. to ensure IT security, prevent theft, fraud and abuse) and for quality assurance and training purposes. We may also process your data to protect our rights and defend ourselves against third-party claims. This may involve all categories of personal data mentioned in Section 2.

4. On what basis do we process your data?

 To the extent that the GDPR applies and we need a legal basis to process personal data, we generally rely on one or more of the following legal bases depending on the purpose of the processing:

  • Initiation or performance of a contract: Processing is necessary to initiate or perform a contract with you or the entity you represent.
  • Legitimate Interests: Processing is necessary for our or a third party's legitimate interests, including to carry out processing for the purposes described in Section 3 and to disclose data in accordance with Sections 7 and 8, as well as to carry out the purposes related to them. Our legitimate interests also include compliance with legal regulations, insofar as this is not already recognized as a legal basis by applicable data protection legislation (e.g. laws in the EEA). This also includes the marketing of our products and services, the desire to better understand our markets and to manage and develop our business, including its operations, safely and efficiently.
  • Consent: The processing is based on your consent. In these cases, we will inform you separately about the purposes of the processing at issue. You may withdraw your consent at any time with effect for the future by sending us written notice; you will find our contact details in Section 1. To withdraw your consent to online tracking, please see Section 11. Once we receive notice of withdrawal of consent, we will no longer process your information for the purpose(s) to which you consented, unless we have another legal basis for doing so. Withdrawal of consent does not, however, affect the lawfulness of the processing based on the consent prior to the withdrawal. 

In some cases, other legal bases may apply and, if so, we will inform you separately.

5. How do we conduct profiling?

«Profiling» refers to a procedure in which personal data is processed in an automated way in order to analyze personal aspects or to make predictions (e.g. to analyze an individual's personal interests, preferences, and affinities or to predict likely behavior).

We conduct profiling, for example, in connection with orders placed on our website (e.g. to determine what other products might be of interest to you based on your purchases), behavioral and preference data as well as technical data in connection with our website, and communication data (e.g. your reaction to advertisements and other messages).

Profiling helps us to continually improve our offerings and better tailor them to individual needs, to plan our business activities, to determine the likelihood that a transaction is fraudulent, and to better assist you with customer service.

In order to improve the quality of our analyses and forecasts, we may also create profiles for these purposes, i.e. linking personal data from different sources to better understand you as a person with your different interests and characteristics.

In both cases, we ensure the proportionality and reliability of the results and take measures against the misuse of these profiles or profiling.

6. Do we use automated individual decision-making?

«Automated individual decision-making» refers to decisions that are made on a fully automated basis, i.e. without relevant human influence, and that have legal consequences for the data subjects concerned or otherwise significantly affect them. We generally do not do this, but we will inform you separately if we are required to make automated individual decisions in individual cases. In such cases, you have the opportunity to have the decision reviewed by a human being if you do not agree with it.

7. With whom do we share your data?

 In the context of our processing activities, we may disclose your personal data to third parties, in particular to the following categories of recipients:

  • Service providers: We work with service providers in Switzerland and abroad. These service providers generally process your personal data on our behalf as "processors". Our processors are obliged to process personal data in accordance with our instructions and to take appropriate measures for data security. Some service providers are also responsible jointly with us or independently (e.g. collection agencies).
  • Contractual partners: We disclose your data to our contractual partners insofar as the disclosure of your data is based on the relevant contracts. These recipients also include contractual partners with whom we cooperate (e.g. winemakers) or who advertise on our behalf and to whom we may therefore disclose your data for analysis and marketing purposes. You will find more information on this subject in Section 11. These contractual partners may act as separate controllers and process your data for their own purposes. If you have concerns or wish to exercise your data protection rights, please contact these contractual partners directly.
  • Authorities: We may disclose your personal data to authorities when we are legally required to do so or when it appears necessary to protect our interests. These authorities act as separate controllers. 
  • Other persons: We may also share your data with other persons, such as service recipients and third-party debtors specified by you.

8. Is your data shared abroad?

We process and store personal data primarily in Switzerland and the European Economic Area (EEA). In some cases, however, we may also disclose personal data to service providers and other recipients (see Section 9) who are located outside this area or who process personal data outside this area, in principle in any country in the world. These countries may not have laws that protect your personal data to the same extent as in Switzerland or the EEA. If we transfer your personal data to such a country, we will ensure the protection of your personal data in an appropriate manner. In particular, we use the European Commission's standard contractual clauses for this purpose, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj unless the recipient is already subject to a legally accepted set of rules to ensure data protection or we can invoke an exception. We would like to emphasize that these contractual measures partly compensate for less or no legal protection, but do not completely exclude all risks (e.g. the risk of data being accessed by governments abroad). In exceptional cases, we may allow the transfer of your personal data to countries without adequate protection in other cases, for example if you consent, in the context of legal proceedings abroad or if it is necessary for the performance of a contract.

Please note that data exchanged via the internet is often routed through third countries. Your data may therefore be sent abroad even if the sender and recipient are in the same country. 

9. How long do we process your data?

 We process your data for as long as our processing purposes (see Section 3), legal retention periods and our legitimate interests in documentation and keeping evidence require it or storage is a technical requirement. After the expiration of these periods, we will delete or anonymize your data insofar as there are no legal or contractual obligations to the contrary.

For example, we adhere to the following retention periods, which we may waive on a case-by-case basis:

  • GRAPL Account: Personal data associated with your GRAPL account is retained for as long as your account exists. If you request that we delete your account, we will delete your data within 90 days.
  • Master and contract data: We generally store master and contract data for ten years from the last contractual activity or the end of the contract. However, this period may be longer if necessary for evidentiary purposes, due to legal or contractual provisions or for technical reasons. Transaction data related to contracts (e.g. invoices) are generally stored for ten years.
  • Communication data: E-mails and written correspondence are generally kept for ten years. However, this period may be longer if necessary for evidentiary purposes, due to legal or contractual provisions or for technical reasons.
  • Technical Data: We generally retain technical data for between six months and one year. Cookies and similar technologies (see Section 11) are generally retained from a few days to three years if not deleted immediately at the end of the session.
  • Behavioral and Preference Data: We generally retain behavioral and preference data for between six months and one year.
  • Other data: The retention period for other data depends on the purpose of the processing and is limited to what is necessary. It ranges from a few days for many security cameras to several years for event reports containing images.

10. How do we protect your data?

We take appropriate technical and organizational security measures to maintain the required security of your data and to ensure the confidentiality, integrity and availability of your data, to protect it against unjustified or unlawful processing and to mitigate the risk of loss, accidental alteration, unauthorized disclosure or access. Like all companies, however, we cannot exclude with certainty any data protection breach; some residual risks are unavoidable.

11. What cookies and similar technologies do we use and how can they be disabled?

 We use various techniques on our website that allow us or third parties we hire to recognize you when you visit our website and potentially track you over multiple visits. This section informs you about these techniques.

Cookies are files that your browser automatically stores on your device when you visit our website. Cookies contain a unique identifier (ID) that allows us to distinguish individual visitors from others, generally without identifying them. Depending on their intended use, cookies may contain further information, such as the pages visited and the time spent on the pages. We use both session cookies, which are deleted as soon as the browser is closed, and persistent cookies, which remain stored for a certain period of time after the browser is closed (usually from a few days to three years) and are used to recognize visitors on subsequent visits.

We may also use similar technologies such as pixel tags, fingerprints and other technologies to store data in the browser. Pixel tags are small, usually invisible images or program codes uploaded by a server that provide the server operator with specific information such as whether and when a website was visited. Fingerprints are information about the configuration of your device or browser that are collected when you visit a website and that can be used to differentiate your device from other devices. Most browsers also use other data storage technologies in browsers that are similar to cookies and that we may also use (e.g. web storage).

We use the following types of cookies and similar technologies:

  • Strictly necessary cookies: Some cookies are essential to the use of the website and its features. These cookies ensure the essential functionality of the website, for example, to be able to navigate from page to page without the products placed in the basket disappearing. They also ensure that you remain connected. These cookies have an expiration period of up to 12 months.
  • Performance Cookies: Performance cookies collect information about how our website is used and allow us to perform analyses of its use, such as which pages are viewed most often and how visitors navigate our website. These cookies are used to make visiting the website easier and faster and, in general, to improve the user experience and comfort. We use third-party analytics services for this purpose. These cookies have an expiration period of up to 24 months.
  • Marketing Cookies: Marketing cookies help us and our advertising partners to provide you with advertisements on our website for offers or services that may be of interest to you or to display our advertisements when you continue to browse the Internet after leaving our website, i.e., to provide you with targeted advertising. These cookies have an expiration period ranging from a few days to three years, depending on the circumstances.

In particular, we use the offers of the following service provider:

  • Google Analytics: Google Ireland Ltd. (located in Ireland) is the provider of the service «Google Analytics» and acts as our processor. Google Ireland relies on Google LLC (located in the United States) as its sub-processor (both «Google»). Google collects information about the behavior of visitors to our website (duration, page views, geographic region of access, etc.) through performance cookies (see above) and on this basis creates reports for us about the use of our website. We have configured the service so that the IP addresses of visitors are truncated by Google in Europe before forwarding them to the United States and then cannot be traced back. We have turned off the «Data sharing» option and the «Signals» option. While we may assume that the information we share with Google is not personal data for Google, it is possible that Google may be able to draw conclusions about the identity of visitors based on the data collected, create personal profiles, and link this data with the Google accounts of these individuals for its own purposes. In any event, if you consent to the use of Google Analytics, you expressly consent to any such processing, including the transfer of your personal data (in particular website and app usage, device information and unique IDs) to the United States and other countries. Information about data protection with Google Analytics can be found here https://support.google.com/analytics/answer/6004245 and if you have a Google account, you can find more details about Google's processing here https://policies.google.com/technologies/partner-sites?hl=en.


Details about our third-party vendors and advertising partners can be found in the privacy settings available here. In these privacy settings, you also have the option to disable certain categories of cookies by making the appropriate settings. 

When you consent to the use of cookies, you accept that your data may be transferred to a country that does not have an adequate level of data protection and accept the risks that your data may potentially be subject to government lawful access in the recipient's country, despite the safeguards we put in place. You can withdraw your consent to cookies at any time, as explained above.

In addition, you can configure your browser settings so that it blocks certain cookies or similar technologies or deletes existing cookies and other data it has stored. You can also integrate software ("plugins") into your browser that blocks the tracking of certain third parties. You can find further information on this subject on the help pages of your browser (usually with the keyword "data protection"). Please note that the functioning of our website may be restricted if you block cookies and similar technologies.

12. What data do we process on our social network pages?

We operate our own pages on social networks and other similar third-party platforms (e.g. LinkedIn, Instagram and Facebook). If you communicate with us through these pages or comment on or share our content, we collect the relevant information and process it for the purposes set out in Section 3, in particular for communication, marketing and market research purposes.

When you visit our pages on social networks, data (e.g. about your user behavior) may also be transmitted directly to the respective service provider or collected by the latter and processed together with other data already known to it, in particular for its own marketing and market research purposes and to customize its platform. In some cases, some of your data will be transferred to the United States. You can find more information about the processing of data by social network providers in the privacy policies of the respective social networks.  

13. What are your rights?

 Applicable data protection laws give you the right to object to the processing of your data in certain circumstances, including processing for direct marketing purposes, profiling for direct marketing purposes, and other legitimate interests in processing.

To help you control the processing of your personal data, you have the following rights with respect to our processing of your data in accordance with data protection laws:

  • The right to request access to the data stored by us concerning you;
  • The right to have inaccurate or incomplete personal data corrected;
  • The right to request the deletion of your data;
  • The right to receive the personal data you have made available to us in a commonly used, machine-readable structured format or to have this data transferred to another controller;
  • The right to withdraw your consent with effect for the future, to the extent that our processing is based on your consent;
  • The right to receive, upon request, other information, relevant to the exercise of these rights;
  • The right to express your views in the case of automated individual decisions (Section 6) and to request that the decision be reviewed by a human being. 

If you wish to exercise your rights, you can contact us in writing at the email address mentioned in Section 2. In order to prevent abuse, we need to identify you (e.g. by means of a copy of your identity card, if identification is not otherwise possible).

Please note that these rights may in some cases be limited, excluded or subject to the fulfilment of certain conditions. We will inform you accordingly where applicable.

You may also file a complaint with the competent supervisory authority if you have any doubts about the lawfulness of the processing of your personal data. The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC), who can be contacted here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html. The competent supervisory authority in the Principality of Liechtenstein is the Data Protection Authority of the Principality of Liechtenstein, which can be contacted here: https://www.datenschutzstelle.li/datenschutz. You can find a list of authorities in the EEA here: https://edpb.europa.eu/about-edpb/board/members_en. You can reach the UK supervisory authority here: https://ico.org.uk/global/contact-us/.