Privacy Policy
Rhein 1905 SA places great importance on the protection of your privacy and on the transparent processing of the personal data you entrust to us when using rhein1905.ch. This policy informs you, in accordance with Art. 19 of the revised Swiss Federal Act on Data Protection (FADP) of 25 September 2020, of the data we collect, the purposes of processing, retention periods and the rights available to you.
1. Data Controller
Rhein 1905 SA
Rue du Mont-Blanc 3, CH-1201 Geneva, Switzerland
UID: CHE-499.589.727
Email: info@rhein1905.ch
Phone: +41 22 731 88 56
Rhein 1905 SA acts as the data controller within the meaning of Art. 5 lit. j FADP for all personal data collected via the website.
2. Personal Data Collected
Depending on the services you use on the website, we collect and process the following categories of data:
| Category | Data concerned | Source |
|---|---|---|
| Customer account | Title, surname, first name, email address, password (hashed), date of birth, preferred language | Registration form |
| Addresses | Delivery and billing addresses, phone number, country | Order form |
| Orders | Order history, products, amounts, status, invoices, after-sales correspondence | Activity on the website |
| Payment | Method used (PayPal, TWINT, etc.), last 4 digits of card, status. Rhein 1905 SA never stores complete banking data. | Payment service provider |
| Age verification (tobacco KYC) | Encrypted copy of an official identity document, date of birth, extracted name, verification status | First tobacco product order |
| Newsletter | Email address, first name, language, subscription status, signup / unsubscribe date | Newsletter form (consent) |
| Technical data | IP address, browser type, operating system, pages visited, date and time | Server logs, cookies |
| Cookies | Browsing preferences, session identifiers, consent to analytics cookies | See Cookie Policy |
3. Purposes of Processing
The data collected is processed exclusively for the following purposes:
- Performance of the sales contract: receipt and confirmation of orders, preparation, dispatch, invoicing, delivery tracking, after-sales service, returns and warranty;
- Customer account management: creation, authentication, preference management, purchase history;
- Legal compliance: bookkeeping (Art. 957 et seq. CO), age verification for the sale of tobacco products (LPTab), retention of supporting documents;
- Fraud prevention: detection of suspicious payments, identity verification, prevention of impersonation;
- Marketing communication, subject to your explicit consent: newsletter mailings, information on new arrivals and limited editions;
- Site improvement: anonymised traffic analysis, audience measurement, optimisation of user experience;
- Security: prevention of intrusions, traceability of accesses, backups.
4. Legal Basis for Processing
In accordance with the FADP, the above processing operations rely, depending on the case, on:
- contractual necessity (performance of the sales contract, Art. 31 para. 2 lit. a FADP);
- a legal obligation (bookkeeping, age verification, anti-money-laundering);
- your free, informed and unambiguous consent (newsletter, analytics cookies);
- the overriding legitimate interest of the controller (site security, fraud prevention, service improvement).
5. Recipients and Processors
Your data is never sold to third parties. It is communicated solely to processors required to perform services, in strict compliance with professional secrecy and under contracts compliant with Art. 9 FADP:
| Recipient | Role | Country |
|---|---|---|
| OVHcloud SAS | Website hosting | France (EU — adequate level of protection) |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Processing of card and PayPal payments | Luxembourg (EU) |
| TWINT SA | Processing of TWINT payments | Switzerland |
| Swiss Post Ltd | Parcel dispatch and tracking | Switzerland |
| Sendinblue SAS (Brevo) | Newsletter delivery | France (EU) |
| Google Ireland Ltd. / Google LLC | Anonymised audience measurement of the website (Google Analytics 4) with IP-anonymisation enabled. No targeted advertising is broadcast from this site, in accordance with the LPTab restrictions applicable to tobacco products. | Ireland (EU) and United States |
| Public authorities (FOPH, FTA, judiciary) | Solely upon legal request | Switzerland |
6. International Data Transfers
When the communication of your data involves a transfer outside Switzerland, Rhein 1905 SA ensures that:
- the destination country offers an adequate level of protection recognised by the Swiss Federal Council (notably the European Economic Area); or
- failing that, appropriate contractual safeguards are in place (standard contractual clauses, certification or binding corporate rules), in accordance with Art. 16 et seq. FADP.
With specific regard to Google Analytics, certain anonymised technical data (truncated IP address, session identifier, navigation behaviour) may be transferred to Google LLC servers in the United States. This transfer is governed by the standard contractual clauses adopted by the European Commission and recognised by Switzerland, as well as by the Swiss Federal Council decision of 14 August 2024, in force since 15 September 2024, recognising the adequacy of the Swiss–U.S. Data Privacy Framework for U.S. companies certified under that framework.
No data is transferred to recipients located in countries without an equivalent level of protection unless such a safeguard has been formalised beforehand.
7. Retention Periods
| Data | Period |
|---|---|
| Customer account (inactive) | 3 years from the last login, then automatic deletion or anonymisation |
| Orders and invoices | 10 years from the end of the financial year (accounting obligation, Art. 958f CO) |
| Tobacco KYC identity documents | Retention of 5 years from the last tobacco product order — as an internal Rhein 1905 SA policy aligned with the customary timeframes applicable to the traceability obligations under the LPTab. Beyond that, the documents are securely destroyed. |
| Payment data (last 4, status) | 10 years (aligned with accounting retention) |
| Newsletter | For as long as you remain subscribed, plus 12 months after unsubscription (proof of consent) |
| Connection / server logs | 12 months |
| Analytics cookies | 13 months maximum |
Beyond the periods indicated, data is irreversibly deleted or anonymised.
8. Data Security
Rhein 1905 SA implements appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration or disclosure, in accordance with Art. 8 FADP and the Data Protection Ordinance (DPO). These measures include in particular:
- encryption of website connections via TLS / HTTPS;
- encryption at rest of KYC identity documents;
- strict access controls to servers and databases;
- logging of access to sensitive data;
- regular encrypted backups;
- strong-password policy and prompt revocation of access upon a staff member's departure.
9. Your Rights
Pursuant to Art. 25 et seq. FADP, you have at any time the following rights:
- Right of access: obtain confirmation that data concerning you is being processed and receive a copy thereof (Art. 25 FADP);
- Right of rectification: have inaccurate or incomplete data corrected;
- Right to erasure: have your data deleted when it is no longer necessary for the purposes provided, subject to legal retention obligations;
- Right to data portability: receive your data in a structured, commonly used and machine-readable format, or request its direct transmission to another controller where this is technically feasible (Art. 28 FADP);
- Right to object: object, on grounds relating to your particular situation, to processing based on legitimate interest;
- Right to withdraw consent, at any time and free of charge, where processing is based on it.
To exercise any of these rights, write to info@rhein1905.ch, attaching a copy of an identification document. A reasoned reply will be provided within 30 days of receipt of your request.
10. Complaint to the Supervisory Authority
If you consider that the processing of your data by Rhein 1905 SA does not comply with Swiss legislation, you may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC):
Feldeggweg 1, CH-3003 Bern, Switzerland
www.edoeb.admin.ch
11. Cookies
The website rhein1905.ch uses technical cookies necessary for its operation and, subject to your consent, cookies for audience measurement and user-experience optimisation. For details of the cookies used, their duration and how to manage them, please refer to our Cookie Policy.
12. Amendments
This policy may be amended at any time to reflect legal, technical or operational developments. The applicable version is always the one published as of the date of your interaction with the website. The date of last update is indicated below.