Privacy and Cookie Policy

This policy covers the MerchandAise marketplace at www.merchandaise.com, including localized /privacyandcookie routes, mobile experiences, support channels, and assistant-enabled design-session flows.

It applies to buyers, suppliers, designers, and visitors interacting with accounts, orders, AI configurators, uploads, and sustainability insights.

We follow the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), the ePrivacy Directive, and the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA).

Data controller: Hutter Products GmbH, Fortunastrasse 5, 9437 Marbach, Switzerland.

Swiss VAT registration number: CHE-284.907.929.

Primary contact: privacy@merchandaise.com | Phone: +41 71 723 12 18.

Data Protection Officer (DPO): privacy@merchandaise.com.

MerchandAise is currently operated by Hutter Products GmbH. If the legal entity changes, we will update this policy before that change takes effect.

We collect only the data we need to operate the marketplace responsibly and lawfully.

Personal and account data: names, job titles, company details, billing and shipping addresses, emails, phone numbers, login credentials (hashed), marketing preferences.

Transaction and logistics data: orders, invoices, payment confirmations, refund history, customs declarations, carrier tracking updates, proof of delivery.

Design and upload content: user-generated logos, artwork, fonts, brand guidelines, AI prompts, real-time 3D previews, version history, annotations, and moderation flags.

Sustainability metrics: carbon footprint calculations, recycled content scores, certification evidence, aggregated eco-impact dashboards.

Device and usage data: IP addresses (shortened where feasible), browser and OS details, session logs, error reports, interaction data within AI configurators, support chats, and feedback forms.

External AI assistant session data: design-session identifiers, short-lived launch/session/resume tokens, assistant provider linkage metadata, action/version history, and tool-call audit records needed to authorize and restore ChatGPT-assisted design sessions.

Consent and compliance data: cookie choices, marketing opt-ins or opt-outs, Terms acceptance, fraud and sanctions screening results.

We do not intentionally collect sensitive personal data (e.g., health information, biometric identifiers). Please avoid uploading it.

Our AI 3D configurators process prompts, design selections, and uploads to generate previews, recommend materials, and streamline approvals.

When you choose external assistant mode, we exchange the minimum data required to complete your request with OpenAI/ChatGPT, including prompts, selected product references, design-session tokens, design-state updates, and return/resume metadata.

Automated checks flag potential infringements (e.g., offensive or trademarked content) and route them to a human review team before any decision impacts your order.

We complete and review Data Protection Impact Assessments (DPIAs) for AI features, test for bias, and document mitigation steps.

You can request human review of an AI-driven outcome or ask for an explanation of how your data influenced a recommendation by emailing privacy@merchandaise.com.

To deliver core services: register accounts, verify suppliers, manage catalogues, fulfil orders, arrange shipping, process payments, and handle returns (contract necessity).

To enable collaboration: share design briefs, sustainability metrics, and status updates between buyers and suppliers (contract + legitimate interest).

To power AI personalization: remember configurations, render previews, store approved assets, and recommend eco-friendly alternatives (legitimate interest; consent where local law requires).

To run external AI assistant sessions: issue short-lived launch/session/resume tokens, verify that tool calls belong to the correct user and design session, sync design changes made in ChatGPT, and return you safely to checkout or manual editing (contract necessity + legitimate interest).

To provide sustainability tracking: calculate emissions, produce eco-impact dashboards, and create anonymised environmental reports (legitimate interest + consent for optional analytics cookies).

To secure the platform: authenticate sessions, detect fraud, enforce Terms, monitor for misuse, and keep audit logs for assistant tool calls and critical design-session events (legitimate interest and legal obligation).

To communicate: send order updates, service notices, surveys, and marketing emails. Marketing to EU/Swiss users relies on consent; all users can opt out at any time.

To meet legal and regulatory obligations: maintain tax and accounting records, comply with customs and product safety rules, and respond to lawful requests (legal obligation).

Contract necessity covers account management, orders, supplier onboarding, and delivery workflows.

Legitimate interests include platform security, product improvement, sustainability analytics, and responsible marketing to existing customers. We balance these interests against your rights.

Consent applies to email and SMS marketing in the EU/EEA/Switzerland, optional profile data, and non-essential cookies or trackers. Withdraw consent anytime without affecting prior lawful processing.

Legal obligations include tax, accounting, customs compliance, sanctions screening, and responding to regulators.

Our cookie banner captures granular consent for analytics, personalization, advertising, and sustainability tracking cookies in line with GDPR and the ePrivacy Directive.

We use cookies, local storage, pixels, and device identifiers to operate the site, improve performance, personalise experiences, and report sustainability metrics.

Essential cookies load automatically. Analytics, personalization, advertising, and sustainability cookies load only after you provide consent via the banner or preferences centre.

We rely on privacy-focused analytics providers (e.g., Matomo, Plausible) configured with IP masking and limited data retention.

Cookie Type | Purpose | Examples | Retention | Consent Required

Essential (Strictly Necessary) | Maintain sessions, security, accessibility, cookie preferences | session_id, csrf_token | Session to 12 months | No (legitimate interest)

Analytics and Performance | Measure visits, detect errors, improve UX | Matomo visitor_id, Plausible metrics | Up to 13 months | Yes

Personalization | Save configurator settings, remember recent designs, tailor dashboards | design_pref, ai_material_choice | Up to 12 months | Yes

Advertising and Social | Measure campaign reach, prevent duplication, manage retargeting | LinkedIn Insight tag, Google Ads conversion | 3 to 6 months | Yes

Sustainability Tracking | Aggregate carbon savings and recycled content metrics | eco_dashboard, impact_session | Up to 24 months | Yes

Update your consent choices anytime through the "Manage cookies" link in the site footer.

Most browsers let you block or delete cookies; instructions vary by provider. Blocking essential cookies may limit access to secure areas or configurator features.

Opt out of advertising trackers via industry portals such as Your Online Choices (EU) and the Network Advertising Initiative (US).

We share personal data only with vetted partners who need it to provide services on our behalf.

Key recipients: certified suppliers and manufacturers, logistics and warehousing partners, payment processors, cloud hosting and AI infrastructure providers, sustainability analytics vendors, professional advisors, and auditors.

For external assistant mode, OpenAI acts as a separate provider that receives the prompts, tool inputs, and session metadata needed to generate designs and operate the ChatGPT handoff you requested.

We require written data processing agreements, confidentiality, and security standards that meet GDPR and Swiss FADP expectations.

If data leaves Switzerland or the EU/EEA, we rely on adequacy decisions where available or the EU Standard Contractual Clauses with Swiss addenda and supplementary safeguards (encryption, access controls, transfer risk assessments).

You can request copies of transfer safeguards by contacting privacy@merchandaise.com.

We encrypt data in transit (TLS 1.2+) and at rest, operate on hardened infrastructure, and implement role-based access controls with multi-factor authentication for team members.

We conduct regular penetration tests, vendor security reviews, and incident response simulations for AI and marketplace systems.

If a personal data breach occurs, we notify affected individuals and relevant supervisory authorities without undue delay in line with GDPR Articles 33 and 34, the Swiss FADP, and applicable US state laws.

Account, order, and financial records: retained for the duration of the business relationship plus up to 10 years to meet Swiss and EU statutory requirements.

Design files, AI prompts, and previews: stored for the active project lifecycle plus 24 months unless you delete them sooner or request removal.

External AI assistant session identifiers, short-lived tokens, and tool-call audit records: retained only for the period needed to authorize the session, investigate abuse, and support replay-safe recovery; launch/session tokens expire automatically, and audit records are retained for up to 24 months unless a longer legal hold applies.

Sustainability analytics containing identifiable data: retained for 36 months; aggregated or anonymised metrics may be kept longer.

Support tickets, chat transcripts, and audit logs: retained for up to 24 months unless legal obligations require longer storage.

Marketing consent records: retained for five years from the last interaction to prove compliance.

You can exercise these rights by emailing privacy@merchandaise.com or using your account settings.

• Access: request a copy of personal data we hold about you.

• Rectification: correct inaccurate or incomplete data.

• Erasure: ask us to delete data when it is no longer needed or when you withdraw consent.

• Restriction: limit how we process data in specific circumstances.

• Objection: object to processing based on legitimate interests, including profiling for personalization or analytics.

• Portability: receive data in a structured, commonly used, machine-readable format or ask us to transfer it to another controller.

• Withdraw consent: change marketing and cookie preferences at any time.

We respond within one month (extendable by two months for complex requests) and may ask for proof of identity before acting.

You may lodge a complaint with the Swiss FDPIC or your local EU supervisory authority if you disagree with our response.

California residents can request disclosure of the categories and specific pieces of personal information collected, used, disclosed, or shared in the past 12 months.

You may request deletion of personal information, subject to legal exceptions such as completing transactions or detecting security incidents.

You can opt out of any sale or sharing of personal information for cross-context behavioural advertising; use our cookie preferences or email privacy@merchandaise.com.

We do not sell personal information for monetary consideration and do not knowingly process sensitive personal information for purposes beyond limited, permitted uses.

We will not discriminate against you for exercising CCPA/CPRA rights.

We design data flows to support transparent sustainability claims while collecting only the metrics required to validate eco-impact (e.g., recycled material percentages, lifecycle savings).

User-generated content is stored in organised workspaces with access controls so teams keep only relevant artwork and delete outdated files easily.

We routinely anonymise or aggregate sustainability analytics before sharing externally, ensuring individual buyers or suppliers cannot be re-identified.

The marketplace targets professionals and is not intended for children under 16 or the minimum age defined by local law.

We do not knowingly collect personal data from children. If you believe a minor has provided data, contact us so we can delete it promptly.

We update this policy to reflect new services, legal requirements, or feedback.

Material changes trigger email or in-platform notifications at least 14 days before they take effect unless law requires faster updates.

We maintain previous versions on request so you can track how our practices evolve.

Email: privacy@merchandaise.com (preferred channel for privacy rights and cookie preferences).

Postal: Data Protection Officer, Hutter Products GmbH, Fortunastrasse 5, 9437 Marbach, Switzerland.

Online: use the contact form at https://www.merchandaise.com/contact for secure submissions.

Regulatory queries: authorities may reach our DPO at privacy@merchandaise.com or call +41 71 723 12 18.

• Q: Can I delete AI designs or uploaded artwork? A: Yes. Remove files in your dashboard or ask us to delete artwork, prompts, or design-session records via privacy@merchandaise.com; backups are purged on our retention schedule unless a legal hold applies.

• Q: How do I opt out of marketing or change cookie settings? A: Use the unsubscribe link in any marketing message, update profile preferences, or open the footer Manage cookies link to review consent choices at any time. Transactional emails still send when needed for orders or security.

• Q: Do you transfer personal data outside Switzerland or the EU/EEA? A: Yes. When suppliers, cloud services, AI providers, or other processors operate in other countries, we rely on adequacy decisions where available or Standard Contractual Clauses with Swiss addenda and supplementary safeguards.

• Q: How do I exercise privacy rights or contact the DPO? A: Email privacy@merchandaise.com to request access, correction, deletion, restriction, portability, or human review, or to contact our Data Protection Officer. We may ask for proof of identity before acting.

• Q: What happens to sustainability data? A: Identifiable metrics stay within our secure systems and processors; any external sustainability reporting relies on aggregated or anonymised insights only.

• Q: What happens if there is a data breach? A: We follow a tested incident response plan, contain the issue, investigate affected systems, and notify impacted users and regulators without undue delay when the law requires it.