Data Protection Policy

Last updated: 21 September 2025

1. Introduction

Winebutler.info is operated by GAPAS AG, a Swiss company. We are committed to protecting your privacy and processing your personal data in compliance with the Swiss Federal Data Protection Act (nDSG) and the European General Data Protection Regulation (GDPR).

This policy explains what data we collect, how we use it, and what rights you have.

2. Controller and Contact Details

The controller of your personal data is:

GAPAS AG
Rainweg 4b
6313 Menzingen
Switzerland

Data Protection Officer: Stefan Gabriel

Email: contact [at] winebutler.info

3. Scope of this Policy

This policy applies to:

• The marketing website (winebutler.info)
• The web application (app.winebutler.info / login.winebutler.info)
• The partner program (sponsors and affiliates)

It applies to all users worldwide.

4. Categories of Personal Data We Collect

• Marketing website forms
  User contact form: name, first name, email (mandatory), message, IP address, checkbox for consent
  Partner form: company, website, logo, name, email, phone (optional), message, IP address, checkbox for consent
• Authentication and account management (Auth0 EU)
  Email (mandatory), password hash, name (optional)
  Managed by Auth0 (data hosted in the EU).
  Auth0 may process personal data in accordance with its own Privacy Policy: https://auth0.com/privacy (external link).
  Third-party login providers (i.E. “Login with Google” or “Login with Facebook”) may process personal data in accordance with their own Privacy Policy:
  https://www.facebook.com/privacy/policy/ (external link)
  https://policies.google.com/privacy (external link)
• Winebutler Core (Q&A logs and OpenAI API)
  Pseudonymous user identifier (not directly identifiable to the QA team), Question and answer text, Processing of user questions is performed through the OpenAI API, which receives the text of the question and returns an answer.
  OpenAI may process this text in accordance with its own Privacy Policy: https://openai.com/policies/privacy-policy (external link)
  Data stored for max. 12 months for quality assurance
• Technical data
  Server logs (IP addresses, timestamps, error logs, system performance) may be collected through internet service providers such as Amazon Web Services, Azure or Host Europe according to their own privacy policies:
  https://www.hosteurope.de/en/terms-and-conditions/privacy/ (external link)
  https://www.hoststar.ch/de/datenschutz (external link)
  https://azure.microsoft.com/en-us/explore/trusted-cloud/privacy (external link)
  https://aws.amazon.com/compliance/data-protection/ (external link)

External Links to Third-Party Policies:
We provide links to external privacy policies of third-party providers (e.g. Auth0, OpenAI, Meta, Google). Please note that we have no control over the content of these external sites. If a link does not work, you can always access the current version directly on the provider’s website.

5. Purposes and Legal Bases

We process data for the following purposes:

• Provision of our services (contract necessity)
• Security and fraud prevention (legitimate interest)
• Quality assurance and service improvement (legitimate interest, limited storage)
• Marketing and partner program (logos, sponsor messages; consent or legitimate interest)

We do not perform profiling or automated decision-making.

6. Use of Partner Data and Sponsorships

Partner logos, descriptions, and links are displayed publicly on our website.

Sponsorship messages are displayed at the end of Winebutler answers in sequential order (no targeting, no profiling).

7. Disclosure of Data to Third Parties

We do not sell your personal data. Data is not shared with third parties except as required for service provision:

• Auth0 (authentication provider, EU data center) – for login and account management.
• OpenAI (AI service provider, global) – for interpreting questions and formulating the answers via the API.
• Hosting providers (e.g., Azure, AWS, Host Europe, Hoststar) – for technical operation.
• Service contractors – for maintenance and support.

Where external services are used, we always choose privacy-friendly settings. In particular, we opt out of providers using our data for their own product improvement or analytics purposes whenever possible.

8. International Data Transfers

Data is generally processed in Switzerland and the EU.

If data is transferred outside of Switzerland or the EU/EEA, we ensure adequate protection through:

• Adequacy decisions, or
• Standard contractual clauses (SCCs).

9. Data Retention

• Q&A logs: Q&A logs are stored for a maximum of 12 months. This period is necessary to identify recurring quality issues and ensure long-term service improvements. After this period, the data is automatically deleted.
• Contact form submissions: as long as necessary to respond, then deleted
• Partner data: stored for the duration of the partnership and statutory retention periods
• Server logs: typically 30–90 days

10. Data Subject Rights

You have the following rights under applicable law:

• Access to your data
• Rectification of inaccurate data
• Deletion (“right to be forgotten”)
• Restriction of processing
• Objection to processing
• Data portability
• Withdrawal of consent at any time

To exercise your rights, contact us at contact [at] winebutler.info. We respond to requests regarding data subject rights without undue delay, and generally within 30 days.

11. Security Measures

Principle of data minimization

Hosting with data protection friendly service providers

Strict access control for authorized and authenticated staff only

Regular security updates and monitoring

12. Cookies and Analytics

We do not use cookies or tracking technologies, except those technically necessary (e.g., for Auth0 login).

The marketing website uses Koko Analytics, which does not track personal data.

13. Changes to this Policy

We may update this policy from time to time. If we make significant changes to this policy, we will actively notify registered users by email at least 30 days before the changes take effect. The latest version is always available on winebutler.info.

14. Supervisory Authority and Complaints

If you have concerns about how we process your personal data, please contact us first at contact [at] winebutler.info so we can address the matter directly.

You also have the right to lodge a complaint with a supervisory authority:

• In Switzerland: the Federal Data Protection and Information Commissioner (FDPIC)
• In the EU/EEA: your local data protection authority