Privacy Policy
Last updated: June 2026
1. Controller
Responsible for data processing on this service is:
independent.ch Sàrl (represented by Johannes Hubrich), Route du Port 19, 1009 Pully, Switzerland.
Email: privacy@winecall.app
This policy applies to winecall, including all subdomains and any connected APIs. It complies with the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR).
2. Data we process
Account data
- Email address (used for login and essential service communication)
- Hashed password (via bcrypt; we cannot see the original)
- Display name
- Organization name
Usage data
- Number of newsletters and social posts created per month (to enforce plan limits)
- Number of recipients and emails sent
- Session logs (timestamps, IP address at login, retained up to 30 days)
Content and contacts you provide
- Newsletters and social posts you write, and any drafts
- Your contact list: names and email addresses of the recipients you add or import. You are responsible for having a lawful basis to contact them.
- Images you upload for newsletters or social posts
- Connected social accounts: if you connect Facebook or Instagram via Meta, we store access tokens so the app can publish on your behalf
AI generation
When you use AI assistance to draft or translate text, the content you submit for that request is sent to our AI provider to produce the result. It is processed only to generate your output and is not used to train models.
Payment data
If you subscribe to a paid plan, payment is processed by Stripe. We receive a customer ID, subscription status, and masked card identifier. We never see or store your full card details. See section 5 for Stripe's role.
3. Legal basis (GDPR Art. 6)
- Contract (Art. 6(1)(b)): account operation, newsletter delivery, contact storage, payment processing.
- Legitimate interest (Art. 6(1)(f)): security logs, abuse prevention, service quality.
- Consent (Art. 6(1)(a)): only if you explicitly opt in to anything beyond essential service operation (currently: nothing beyond essential).
- Legal obligation (Art. 6(1)(c)): tax records retained for 10 years per Swiss law.
4. Where your data is stored
All operational data (accounts, contacts, newsletters, and uploaded images) is hosted in the European Union (Germany). Your data never leaves the European Economic Area for core operations.
Backups are retained for 30 days within the EU.
5. Subprocessors
We rely on a small set of EU-based subprocessors for hosting, payment processing, and transactional email delivery. All have signed Data Processing Agreements (Art. 28 GDPR) and operate within the European Economic Area. No usage analytics providers (Google Analytics, etc.) are used.
The current list of named subprocessors is available upon request via privacy@winecall.app. Material changes are communicated to registered users before they take effect.
6. Retention
- Account data: until you delete your account.
- Contacts, newsletters, and posts: retained until you delete them or close the account.
- Uploaded images: retained until you delete them or close the account.
- Session logs: 30 days.
- Backups: 30 days rolling.
- Invoices and tax records: 10 years (Swiss obligation).
7. Your rights
Under GDPR and Swiss FADP, you have the right to:
- Access your personal data
- Rectify incorrect data
- Erase your data (“right to be forgotten”)
- Restrict processing
- Data portability (export in machine-readable format)
- Object to processing based on legitimate interest
- Withdraw any consent at any time
To exercise any right, email privacy@winecall.app. We respond within 30 days.
You can lodge a complaint with your local supervisory authority: in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); in the EU, your national Data Protection Authority.
8. Cookies and tracking
We use only essential session cookies required for authentication. No analytics cookies, no advertising cookies, no cross-site tracking. No consent banner needed.
9. AI training
We do not use your newsletters, contacts, or any other user data to train AI or machine learning models, and we do not share your content with third parties for AI training purposes. The AI provider that powers text generation processes your input only to return your result.
10. Security
All data is transmitted over TLS 1.3 encryption. Passwords are hashed with bcrypt. Database access requires service-role keys; direct DB access is not exposed to the public internet. Production servers run with restricted SSH access and automatic security updates.
11. Changes to this policy
We may update this policy to reflect changes to our service or legal obligations. If we make substantive changes, we will notify registered users via email at least 30 days before the changes take effect.
12. Contact
For any privacy-related questions: privacy@winecall.app