1. Overview and Scope
This policy applies to the MerchandAise marketplace at www.MerchandAise.com, including localised /privacyandcookie routes, mobile experiences, support channels, and assistant-enabled design-session flows.
It applies to buyers, suppliers, designers, and visitors interacting with accounts, orders, AI configurators, uploads, and sustainability insights.
We adhere to the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), the ePrivacy Directive, and the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA).
2. Company Details
Data controller: Hutter Products GmbH, Fortunastrasse 5, 9437 Marbach, Switzerland.
Swiss VAT registration number: CHE-284.907.929.
Primary contact: privacy@merchandaise.com | Phone: +41 71 723 12 18.
Data Protection Officer (DPO): privacy@merchandaise.com.
MerchandAise is currently operated by Hutter Products GmbH. If the legal entity changes, we will update this policy before that change takes effect.
3. Data We Collect
We collect only the data we need to operate the marketplace responsibly and lawfully.
Personal and account data: names, job titles, company details, billing and shipping addresses, emails, phone numbers, login credentials (hashed), marketing preferences.
Transaction and logistics data: orders, invoices, payment confirmations, refund history, customs declarations, carrier tracking updates, proof of delivery.
Design and upload content: user-generated logos, artwork, fonts, brand guidelines, AI prompts, real-time 3D previews, version history, annotations, and moderation flags.
Sustainability metrics: carbon footprint calculations, recycled content scores, certification evidence, aggregated eco-impact dashboards.
Device and usage data: IP addresses (shortened where feasible), browser and OS details, session logs, error reports, interaction data within AI configurators, support chats, and feedback forms.
External AI assistant session data: design-session identifiers, short-lived launch/session/resume tokens, assistant provider linkage metadata, action/version history, and tool-call audit records needed to authorize and restore ChatGPT-assisted design sessions.
Consent and compliance data: cookie choices, marketing opt-ins or opt-outs, Terms acceptance, fraud and sanctions screening results.
We do not intentionally collect sensitive personal data (e.g., health information, biometric identifiers). Please avoid uploading it.
4. AI Design Tools, External Assistants, and Automated Checks
Our AI 3D configurators process prompts, design selections, and uploads to generate previews, recommend materials, and streamline approvals.
When you choose external assistant mode, we exchange the minimum data required to complete your request with OpenAI/ChatGPT, including prompts, selected product references, design-session tokens, design-state updates, and return/resume metadata.
Automated checks flag potential infringements (e.g., offensive or trademarked content) and route them to a human review team before any decision impacts your order.
We complete and review Data Protection Impact Assessments (DPIAs) for AI features, test for bias, and document mitigation steps.
You can request human review of an AI-driven outcome or ask for an explanation of how your data influenced a recommendation by emailing privacy@merchandaise.com.
5. How We Use Personal Data
To deliver core services: register accounts, verify suppliers, manage catalogues, fulfil orders, arrange shipping, process payments, and handle returns (contract necessity).
To enable collaboration: share design briefs, sustainability metrics, and status updates between buyers and suppliers (contract + legitimate interest).
To power AI personalization: remember configurations, render previews, store approved assets, and recommend eco-friendly alternatives (legitimate interest; consent where local law requires).
To run external AI assistant sessions: issue short-lived launch/session/resume tokens, verify that tool calls belong to the correct user and design session, sync design changes made in ChatGPT, and return you safely to checkout or manual editing (contract necessity + legitimate interest).
To provide sustainability tracking: calculate emissions, produce eco-impact dashboards, and create anonymised environmental reports (legitimate interest + consent for optional analytics cookies).
To secure the platform: authenticate sessions, detect fraud, enforce Terms, monitor for misuse, and keep audit logs for assistant tool calls and critical design-session events (legitimate interest and legal obligation).
To communicate: send order updates, service notices, surveys, and marketing emails. Marketing to EU/Swiss users relies on consent; all users can opt out at any time.
To meet legal and regulatory obligations: maintain tax and accounting records, comply with customs and product safety rules, and respond to lawful requests (legal obligation).
6. Lawful Bases and Consent Controls
Contract necessity encompasses account management, order processing, supplier onboarding, and delivery workflows.
Legitimate interests include platform security, product enhancement, sustainability analytics, and responsible marketing to existing customers. We assess these interests against your rights.
Consent applies to email and SMS marketing in the EU/EEA/Switzerland, optional profile data, and non-essential cookies or trackers. Withdraw consent anytime without affecting prior lawful processing.
Legal obligations include tax, accounting, customs compliance, sanctions screening, and responding to regulatory authorities.
Our cookie banner captures detailed consent for analytics, personalisation, advertising, and sustainability tracking cookies in accordance with GDPR and the ePrivacy Directive.
7. Cookies and Similar Technologies
We use cookies, local storage, pixels, and device identifiers to operate the site, enhance performance, personalise experiences, and report sustainability metrics.
Essential cookies load automatically. Analytics, personalisation, advertising, and sustainability cookies only load after you provide consent via the banner or preferences centre.
We utilise privacy-focused analytics providers (e.g., Matomo, Plausible) configured with IP masking and limited data retention.
8. Overview of Cookie Categories
Cookie Type | Purpose | Examples | Retention | Consent Required
Essential (Strictly Necessary) | Maintain sessions, security, accessibility, cookie preferences | session_id, csrf_token | Session to 12 months | No (legitimate interest)
Analytics and Performance | Measure visits, detect errors, improve user experience | Matomo visitor_id, Plausible metrics | Up to 13 months | Yes
Personalisation | Save configurator settings, remember recent designs, tailor dashboards | design_pref, ai_material_choice | Up to 12 months | Yes
Advertising and Social | Measure campaign reach, prevent duplication, manage retargeting | LinkedIn Insight tag, Google Ads conversion | 3 to 6 months | Yes
Sustainability Tracking | Aggregate carbon savings and recycled content metrics | eco_dashboard, impact_session | Up to 24 months | Yes
9. Cookie Settings and Consent Withdrawal
You can update your consent preferences at any time via the "Manage cookies" link in the footer of the site.
Most browsers allow you to block or delete cookies; instructions may vary by provider. Blocking essential cookies could restrict access to secure areas or configurator features.
Opt out of advertising trackers through industry portals such as Your Online Choices (EU) and the Network Advertising Initiative (US).
10. Service Providers and International Data Transfers
We share personal data only with vetted partners who need it to provide services on our behalf.
Key recipients: certified suppliers and manufacturers, logistics and warehousing partners, payment processors, cloud hosting and AI infrastructure providers, sustainability analytics vendors, professional advisors, and auditors.
For external assistant mode, OpenAI acts as a separate provider that receives the prompts, tool inputs, and session metadata needed to generate designs and operate the ChatGPT handoff you requested.
We require written data processing agreements, confidentiality, and security standards that meet GDPR and Swiss FADP expectations.
If data leaves Switzerland or the EU/EEA, we rely on adequacy decisions where available or the EU Standard Contractual Clauses with Swiss addenda and supplementary safeguards (encryption, access controls, transfer risk assessments).
You can request copies of transfer safeguards by contacting privacy@merchandaise.com.
11. Data Security and Breach Response
We encrypt data in transit (TLS 1.2+) and at rest, operate on hardened infrastructure, and implement role-based access controls with multi-factor authentication for team members.
We conduct regular penetration tests, vendor security reviews, and incident response simulations for AI and marketplace systems.
In the event of a personal data breach, we will inform affected individuals and relevant supervisory authorities without undue delay, in accordance with GDPR Articles 33 and 34, the Swiss FADP, and applicable US state laws.
12. Data Retention
Account, order, and financial records: retained for the duration of the business relationship plus up to 10 years to meet Swiss and EU statutory requirements.
Design files, AI prompts, and previews: stored for the active project lifecycle plus 24 months unless you delete them sooner or request removal.
External AI assistant session identifiers, short-lived tokens, and tool-call audit records: retained only for the period needed to authorize the session, investigate abuse, and support replay-safe recovery; launch/session tokens expire automatically, and audit records are retained for up to 24 months unless a longer legal hold applies.
Sustainability analytics containing identifiable data: retained for 36 months; aggregated or anonymised metrics may be kept longer.
Support tickets, chat transcripts, and audit logs: retained for up to 24 months unless legal obligations require longer storage.
Marketing consent records: retained for five years from the last interaction to prove compliance.
13. Privacy Rights in the EU, EEA, and Switzerland
You can exercise these rights by emailing privacy@merchandaise.com or using your account settings.
- Access: request a copy of the personal data we hold about you.
- Rectification: correct any inaccurate or incomplete data.
- Erasure: request the deletion of data when it is no longer necessary or when you withdraw consent.
- Restriction: limit the processing of your data in specific circumstances.
- Objection: object to processing based on legitimate interests, including profiling for personalisation or analytics.
- Portability: receive your data in a structured, commonly used, machine-readable format, or ask us to transfer it to another controller.
- Withdraw consent: change your marketing and cookie preferences at any time.
We will respond within one month (extendable by two months for complex requests) and may ask for proof of identity before proceeding.
If you disagree with our response, you may lodge a complaint with the Swiss FDPIC or your local EU supervisory authority.
14. Privacy Rights for California Residents (CCPA/CPRA)
Residents of California can request details about the categories and specific pieces of personal information that have been collected, used, disclosed, or shared in the past 12 months.
You may request the deletion of personal information, subject to legal exceptions such as completing transactions or addressing security incidents.
You can opt out of any sale or sharing of personal information for cross-context behavioural advertising; use our cookie preferences or email privacy@merchandaise.com.
We do not sell personal information for monetary gain and do not knowingly process sensitive personal information for purposes beyond those that are limited and permitted.
We will not discriminate against you for exercising your rights under CCPA/CPRA.
15. Sustainability and Data Minimisation
We design data flows to support transparent sustainability claims while collecting only the metrics necessary to validate eco-impact (e.g., percentages of recycled materials, lifecycle savings).
User-generated content is stored in organised workspaces with access controls, allowing teams to retain only relevant artwork and easily delete outdated files.
We routinely anonymise or aggregate sustainability analytics before sharing externally, ensuring that individual buyers or suppliers cannot be re-identified.
16. Children's Privacy
The marketplace is aimed at professionals and is not intended for children under 16 or the minimum age specified by local law.
We do not knowingly collect personal data from children. If you believe a minor has provided data, please contact us so we can delete it promptly.
17. Changes to This Policy
We update this policy to reflect new services, legal requirements, or feedback received.
Significant changes will trigger email or in-platform notifications at least 14 days before they take effect, unless the law requires quicker updates.
We keep previous versions available upon request, allowing you to track the evolution of our practices.
18. Contact the DPO and Privacy Team
Email: privacy@merchandaise.com (preferred channel for privacy rights and cookie preferences).
Postal: Data Protection Officer, Hutter Products GmbH, Fortunastrasse 5, 9437 Marbach, Switzerland.
Online: use the contact form at https://www.merchandaise.com/contact for secure submissions.
Regulatory queries: authorities may reach our DPO at privacy@merchandaise.com or call +41 71 723 12 18.
19. Frequently Asked Questions
- Q: Can I delete AI designs or uploaded artwork? A: Yes. Remove files in your dashboard or ask us to delete artwork, prompts, or design-session records via privacy@merchandaise.com; backups are purged on our retention schedule unless a legal hold applies.
- Q: How do I opt out of marketing or change cookie settings? A: Use the unsubscribe link in any marketing message, update your profile preferences, or open the "Manage cookies" link in the site footer to review your consent choices at any time. Transactional emails are still sent when needed for orders or security.
- Q: Do you transfer personal data outside Switzerland or the EU/EEA? A: Yes. When suppliers, cloud services, AI providers, or other processors operate in other countries, we rely on adequacy decisions where available or Standard Contractual Clauses with Swiss addenda and supplementary safeguards.
- Q: How do I exercise privacy rights or contact the DPO? A: Email privacy@merchandaise.com to request access, correction, deletion, restriction, portability, or human review, or to contact our Data Protection Officer. We may ask for proof of identity before acting.
- Q: What happens to sustainability data? A: Identifiable metrics stay within our secure systems and processors; any external sustainability reporting relies on aggregated or anonymised insights only.
- Q: What happens if there is a data breach? A: We follow a tested incident response plan, contain the issue, investigate affected systems, and notify impacted users and regulators without undue delay when the law requires it.