Privacy Policy

Controller
GASTROLET Vin Fins, L. Hurni
Hurdäckerstrasse 5, 8049 Zürich, Switzerland
Email: info@morethanspecialwine.com

This Privacy Policy explains how we process personal data when you use morethanspecialwine.com, including account access, age verification, checkout, shipping, and analytics. Please also see our Cookie Policy and Imprint.

1. Scope of This Policy

Our online shop is currently intended for customers in Switzerland (CH) and Liechtenstein (LI). We may expand to additional countries later and will update this policy when needed.

Our current age rule for access to age-restricted products is:

  • Switzerland (CH): minimum age 16
  • Liechtenstein (LI): minimum age 16

2. What Data We Process

Depending on your interaction with the shop, we process:

  • Account and contact data: email address, phone number, account status, login/session data.
  • Address data: first/last name, company (optional), address lines, postcode, city, country.
  • Age and identity verification data: Stripe Identity verification session/report identifiers, verification status, verified first/last name, date-of-birth fields, issuing country, risk indicators/messages, and manual review status.
  • Order and payment data: products, order totals, billing/shipping details, transaction status, payment metadata.
  • Shipping and tracking data: tracking number metadata and shipment status lookups via Swiss Post links.
  • Technical/security data: IP address and similar metadata for security, abuse prevention, and server operation.
  • Analytics/marketing data (with consent): website and commerce measurement data through Google integrations.

3. How We Use Your Data

3.1 Account Access (Passwordless Magic Link)

We use a passwordless login flow. When you request sign-in, we send a one-time magic link by email. For security, one-time tokens are stored hashed, have a short validity window (default 15 minutes), and are single-use. We apply anti-abuse rate limits per email/IP.

3.2 Address and Phone Verification

Before ordering, we collect and verify customer address and phone information. In specific situations (for example, mismatch indicators), manual review may be required before ordering can continue.

3.3 Identity and Age Verification (Stripe Identity)

To comply with age restrictions, we initiate Stripe Identity verification sessions and send required session data (including email/phone and technical references). Stripe performs identity checks and returns verification outcomes. We store only the data required for compliance and decisioning in our systems, while the full verification process is carried out by Stripe.

Authorized administrators can access relevant verification data where necessary for manual age checks, compliance checks, case review, and support handling.

If automatic checks cannot verify your case, your account is moved to a decision/manual-review step. You can request human review. This means no final refusal is enforced without a path to manual intervention.

3.4 Checkout, Payment, Delivery, and Tracking

We process personal data to accept orders, prevent unauthorized checkout, process payments via Stripe Payments, fulfill shipments, and provide tracking updates. Tracking links may direct you to Swiss Post (post.ch/swisspost.ch) using shipment reference codes.

3.5 Customer Communication

We send operational emails (for example, magic links, verification updates, order messages) through Infomaniak Mail.

3.6 Analytics and Commerce Measurement

We use Google services through Site Kit and Google for WooCommerce (including product feed sync and conversion-related measurement). Analytics/marketing tags are controlled by our consent setup (Complianz), and non-essential tracking is intended to run only after consent where required.

4. Legal Bases

Depending on the processing activity, we rely on one or more of the following legal bases:

  • Contract performance / pre-contractual steps: account handling, checkout, payment, shipping, customer communication.
  • Legal obligations: age-control and compliance duties for regulated goods, accounting/tax record retention.
  • Legitimate interests: fraud prevention, shop security, service quality, enforcing verification workflow integrity.
  • Consent: non-essential cookies and analytics/marketing tracking (managed via consent banner/settings).

5. Cookies and Consent

Our cookie handling and consent preferences are managed through Complianz. You can review and change your choices at any time via the cookie settings controls and on our dedicated Cookie Policy page.

Strictly necessary cookies (for example, login/session, cart, checkout, and security functions) may run without opt-in because they are required to operate the shop.

6. Recipients and Processors

We share personal data only when required for the services described above, including with:

  • Infomaniak (Switzerland): hosting and email infrastructure.
  • Stripe (Payments and Identity): payment processing and identity/age verification workflows.
  • Swiss Post: shipment tracking lookups when tracking links are used.
  • Google services: Site Kit and Google for WooCommerce integrations for analytics/measurement and product feed/Google channel features.
  • Technical service providers: plugin and infrastructure providers required to operate WordPress/WooCommerce securely.

7. International Transfers

Some processors (notably Stripe and Google) may process data outside Switzerland and/or the EEA. Where required, transfers are based on recognized safeguards, such as contractual transfer clauses and/or applicable transfer frameworks used by the provider.

8. Retention and Deletion

We keep personal data only as long as needed for the stated purposes or as required by law. Key periods in our current setup include:

  • Magic-link token validity: 15 minutes (single-use; expired/used tokens are removed by cleanup routines).
  • Decision window in verification flow: 7 days (with reminders and state-based handling).
  • Cleanup of abandoned, non-active verification cases: 30 days (state-dependent automated cleanup).
  • Server/security logs (hosting): 10 days.
  • Order, invoice, tax, and transaction records: at least 10 years.

Stripe Identity stores verification records under Stripe’s standard retention rules until redaction is requested. When a verification case/account is deleted, we delete relevant local WCAV records and request Stripe Identity redaction of linked verification sessions. Stripe redaction can take up to 4 days. This does not override mandatory retention of accounting/transaction records in our systems and with payment providers where legally required.

9. Automated Decision-Making and Manual Review

We use rule-based and partially automated checks in the verification process (for example, age threshold checks, verification status/risk outcomes, and checkout eligibility controls). If a case cannot be approved automatically, it is routed to a manual review path. You may request human review and contact us for intervention.

10. Your Rights

Subject to applicable law (Swiss FADP and, where applicable, GDPR), you may have the right to:

  • request access to your personal data;
  • request correction of inaccurate data;
  • request deletion or restriction of processing;
  • object to processing based on legitimate interests;
  • withdraw consent at any time (for consent-based processing);
  • receive data portability where applicable.

To exercise your rights, contact us at info@morethanspecialwine.com.

You also have the right to lodge a complaint with a competent supervisory authority, including:

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC) (edoeb.admin.ch).
  • EEA: your local data protection supervisory authority.

11. Data Security

We implement technical and organizational measures appropriate to risk, including access controls, verification controls, and transport security, and we work with providers that maintain security standards suitable for e-commerce processing.

12. Minors

Our shop is not intended for persons below the legal minimum age for our products in their jurisdiction. For CH and LI, our current minimum age rule is 16 years.

13. Related Policies and Terms

14. Changes to This Policy

We may update this Privacy Policy from time to time, for example when our services, legal obligations, or processors change. The latest version is published on this page.