Skip to Content

Privacy Policy

Last updated: July 7, 2025

Tropical Heritage GmbH ("we," "us," or "our") operates the website tropicalheritage.ch (the "Website"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you visit our Website, make purchases, and interact with our services.2

We are committed to protecting your privacy and handling your personal data in accordance with the Swiss Federal Act on Data Protection (FADP), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.

1. Data Controller

The data controller responsible for the processing of your personal data described in this Privacy Policy is:

Tropical Heritage GmbH
Emmentalstrasse 171
3400 Oberburg, Switzerland
 [email protected]

2. What Information Do We Collect?

We may collect various types of personal data from you, depending on your interaction with our Website and services:

  • Contact and Identification Data: Name, address, email address, phone number, and other similar contact details when you register for an account, subscribe to our newsletter, or contact us.
  • Payment Data: If you make purchases on our Website, we collect data necessary to process your payment, such as your billing address. Please note: We do not directly store your full credit card details (e.g., full card number, CVC/CVV code) on our servers. All payment transactions are processed securely by our PCI DSS compliant third-party payment gateway, Worldline.
  • Order and Transaction Data: Information related to your purchases, including products ordered, order history, and delivery details.
  • Usage Data: Information about how you access and use our Website, including your IP address, browser type, operating system, referring URLs, pages viewed, time spent on pages, and clickstream data. This is typically collected through cookies and similar technologies (see Section 6).
  • Communication Data: Content of your communications with us, such as emails, chat messages, or customer service inquiries.
  • Marketing Data: Your preferences for receiving marketing communications from us.

3. How Do We Process Your Information and What are the Legal Bases?

We process your personal data for the following purposes and rely on the indicated legal bases:

  • To provide and manage our services, including processing orders and payments:
    • Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR / Art. 31(2)(a) FADP). This includes processing your purchases, managing your account, and delivering products. For credit card payments, the processing by Worldline is necessary to complete the transaction you initiated.
  • To communicate with you:
    • Legal Basis: Performance of a contract (for service-related communications like order confirmations) or legitimate interests (Art. 6(1)(f) GDPR / Art. 31(2)(b) FADP) (for responding to inquiries and providing customer support).
  • To send you marketing and promotional communications (with your consent):
    • Legal Basis: Your explicit consent (Art. 6(1)(a) GDPR / Art. 31(2)(a) FADP). You can withdraw your consent at any time.
  • To improve and optimize our Website and services:
    • Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR / Art. 31(2)(b) FADP). This includes analyzing usage patterns, troubleshooting, and enhancing user experience.
  • To ensure the security and integrity of our Website and prevent fraud:
    • Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR / Art. 31(2)(b) FADP) and compliance with legal obligations (Art. 6(1)(c) GDPR / Art. 31(2)(c) FADP). This includes monitoring for suspicious activity and protecting against unauthorized access.
  • To comply with legal obligations:
    • Legal Basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR / Art. 31(2)(c) FADP). This includes obligations related to accounting, tax, and consumer protection laws.

4. When and With Whom Do We Share Your Personal Information?

We may share your personal data with the following categories of recipients:

  • Payment Processors (Worldline): We utilize Worldline to securely process your payment transactions. When you make a payment on our Website, certain personal data, including your payment details (which are securely transmitted and tokenized by Worldline) and billing information, is shared directly with or processed by Worldline. Worldline is a major payment service provider that adheres to strict industry standards, including the Payment Card Industry Data Security Standard (PCI DSS).3 For more information on how Worldline processes personal data, please refer to their privacy policy [[Insert Link to Worldline's Privacy Policy for Merchants/Customers if Available and Relevant, e.g., Worldline Switzerland Privacy Notice]].
  • Service Providers: We engage other third-party service providers who assist us with various business operations, such as website hosting, analytics, email delivery, customer support, and shipping. These providers are contractually bound to protect your data and only process it according to our instructions and applicable data protection laws.
  • Legal and Regulatory Authorities: We may disclose your personal data if required by law, court order, or in response to a legitimate request from a government or regulatory authority.4
  • Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will ensure appropriate safeguards are in place.

5. International Data Transfers

As Tropical Heritage GmbH is based in Switzerland, and we may utilize service providers or have customers in the EU, your data processing may involve transfers between Switzerland and the EU/EEA. Both Switzerland and the EU generally recognize each other's data protection laws as providing an adequate level of protection.

If we transfer your personal data to countries outside of Switzerland or the EU/EEA that do not offer an adequate level of data protection, we will ensure that appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or the FDPIC.
  • Binding Corporate Rules (BCRs).
  • Your explicit consent for the specific transfer, where appropriate.

Worldline, as a global payment processor, may process data in various locations. Worldline itself implements robust measures for international data transfers, often relying on adequacy decisions or SCCs for transfers outside of the EU/EEA and Switzerland.

6. Cookies and Other Tracking Technologies

Our Website uses cookies and similar tracking technologies (e.g., pixels, web beacons) to enhance your Browse experience, analyze Website usage, and for marketing purposes.

  • What are cookies? Cookies are small text files placed on your device by websites you visit.5 They are widely used to make websites work more efficiently and to provide information to the website owners.
  • Types of cookies we use:
    • Strictly Necessary Cookies: Essential for the Website to function correctly (e.g., to enable navigation, add items to your cart, or process payments).6 These cannot be opted out of.
    • Analytical/Performance Cookies: Help us understand how visitors interact with our Website by collecting information about traffic sources, page visits, etc.7 This helps us improve the Website's performance.
    • Functionality Cookies: Enable the Website to remember choices you make (e.g., language preferences) and provide enhanced, more personalized features.8
    • Marketing/Targeting Cookies: Used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement and help measure the effectiveness of advertising campaigns.
  • Your Cookie Choices:
    You can manage your cookie preferences through our cookie consent banner. Most web browsers allow you to control cookies through their settings.9 You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies.10 Please note that if you disable or refuse cookies, some parts of this Website may become inaccessible or not function properly.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data from unauthorized access, accidental loss, destruction, alteration, or disclosure. These measures include:

  • Encryption: Using SSL/TLS encryption for data transmission (HTTPS).
  • Access Controls: Restricting access to personal data to authorized personnel only.
  • Regular Security Audits: Conducting periodic security assessments to identify and address vulnerabilities.
  • Data Minimization: Collecting only the personal data that is necessary for the stated purposes.
  • Data Storage: Storing data on secure servers.
  • PCI DSS Compliance: Ensuring that our payment processing partner, Worldline, complies with the Payment Card Industry Data Security Standard (PCI DSS). As a merchant, we also strive to meet our own PCI DSS compliance obligations, which Worldline supports.

Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. Therefore, we cannot guarantee absolute security of your data.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

9. Your Data Protection Rights

Under Swiss and EU data protection laws, you have the following rights regarding your personal data:

  • Right to Information/Access (Art. 15 GDPR / Art. 25 FADP): You have the right to request information about whether we are processing your personal data and, if so, to access that data and receive a copy of it.11
  • Right to Rectification (Art. 16 GDPR / Art. 32 FADP): You have the right to request the correction of inaccurate or incomplete personal data we hold about you.12
  • Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR / Art. 32 FADP): You have the right to request the deletion of your personal data under certain circumstances (e.g., if the data is no longer necessary for the purposes for which it was collected, or if you withdraw consent and there is no other legal basis for processing).
  • Right to Restriction of Processing (Art. 18 GDPR / Art. 32 FADP): You have the right to request that we restrict the processing of your personal data under certain conditions (e.g., if you dispute the accuracy of the data, for a period enabling us to verify its accuracy).13
  • Right to Data Portability (Art. 20 GDPR / Art. 28 FADP): You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where technically feasible.14
  • Right to Object (Art. 21 GDPR / Art. 32 FADP): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.15
  • Right to Withdraw Consent (Art. 7(3) GDPR / Art. 30 FADP): If we are relying on your consent to process your personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.16
  • Right to Lodge a Complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority:
    • In Switzerland: Federal Data Protection and Information Commissioner (FDPIC) (www.edoeb.admin.ch)17
    • In the EU: The data protection authority in your country of residence within the EU/EEA.

To exercise any of these rights, please contact us using the details provided in Section 1. We may require you to verify your identity before processing your request.

10. Third-Party Websites

Our Website may contain links to third-party websites. This Privacy Policy does not apply to those websites. We encourage you to review the privacy policies of any third-party websites you visit.

11. Children's Privacy

Our Website is not intended for children under the age of [e.g., 16]. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will take steps to remove that information from our servers.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top. We encourage you to review this Privacy Policy periodically.

Specific Adjustments and Important Notes for Worldline:

  • Clarity on Data Storage (Section 2): I've rephrased "We do not directly store your full credit card details on our servers" to emphasize that Worldline is the entity handling the sensitive card data, and that you receive only certain necessary transaction data (like order ID, amount, and possibly tokenized card details if your integration uses tokens).
  • Explicitly Naming Worldline (Section 4): I've specifically named "Worldline" as the payment processor and included a placeholder to link to their relevant privacy policy.
    • Action for you: Find the direct link to Worldline's Privacy Policy that applies to merchants or end-users of their payment services. Worldline has various privacy notices depending on the specific service and region.18 For Switzerland, you might look for something like their "Privacy Notice Worldline Switzerland Ltd." or a general merchant services privacy policy. A good starting point could be the "Data Protection Information on Products and Services | Worldline Switzerland" page (which you can find by searching "Worldline Switzerland privacy policy"). You'll want to ensure you link to the most appropriate and up-to-date document.
  • Worldline's Role as "Co-Controller": Worldline often considers itself a "Co-Controller" rather than just a "Processor" for payment data, as they determine the purposes and means of processing for aspects like fraud prevention, reporting, and compliance (e.g., PCI DSS). This is a complex legal distinction. For your privacy policy, it's generally sufficient to state that they "process your payment transactions" and point to their policy for more details. Your direct contractual agreement with Worldline will govern this relationship more precisely.
  • PCI DSS Obligations: Reinforce that both you and Worldline have PCI DSS obligations. Worldline handles the highly sensitive card data, but as a merchant, you still have responsibilities, especially regarding how you integrate with them and if you ever handle any cardholder data (even if only momentarily). Worldline provides resources to help merchants achieve and maintain their PCI DSS compliance.19
  • International Transfers with Worldline (Section 5): Added a note that Worldline, as a global entity, handles international transfers and has its own mechanisms for this (e.g., SCCs). This provides more transparency.

Remember, while this template is comprehensive, legal review by a professional is always the safest approach to ensure full compliance with the evolving landscape of data protection laws.