Privacy policy

Last updated: May 2026

Scope

OplaBio SA (UglyFruits) | Moosgasse 34 - 3210 Kerzers | pro@uglyfruits.ch

This policy applies to all collection of personal data carried out via pro.uglyfruits.ch and its subdomains, during sign-up, ordering, payment, and statistical or advertising tracking.

Section 1

Data controller

OplaBio SA, Avenue du Mail 18, 2000 Neuchâtel (registered office in the process of being moved to Cressier). Personal data contact: pro@uglyfruits.ch

Section 2

Legal bases and principles (revFADP)

  • Lawfulness / transparency — Detailed information below and via the cookie banner

  • Specific purpose — Objectives listed in Article 4

  • Proportionality — Limited to strictly necessary data

  • Security — Technical and organizational measures — Art. 8

  • Privacy by design/default — Non-essential cookies disabled by default

  • Records of processing — Maintained internally (Art. 12 revFADP)

  • Data protection impact assessment (DPIA) — Carried out for advertising profiling (heightened risk)

Legal bases relied upon (Art. 31–32 revFADP): performance of the contract, overriding legitimate interests, explicit consent, legal obligation.

Section 3

Data collected

  • Identification data: last name, first name, role, work email, phone

  • Company data: business name, delivery and billing address

  • Order and billing data: history, amounts, payment status

  • Browsing data: IP address, device, pages viewed (Google Analytics 4)

  • Marketing data: advertising identifiers (Google Ads, LinkedIn)

  • Support data: email and form content, timestamps

  • Technical data: server logs, application errors (RoRvsWild)

Section 4

Purposes and legal bases

  • Site operation and customer area — Essential cookies, Odoo (Legitimate interest)

  • Order and Subscription management — Odoo (Performance of the contract)

  • Billing and accounting — Bexio AG (Legal obligation)

  • Audience measurement — Google Analytics 4 + GTM (anonymized IP) (Consent — opt-in)

  • Advertising / Remarketing — Google Ads, LinkedIn Insight Tag (Explicit consent)

  • Marketing emails — Mailchimp (Intuit) (Consent)

  • Support — Web forms, email (Legitimate interest)

  • Hosting and infrastructure — Hetzner Online GmbH (DE/EU) (Legitimate interest)

  • Monitoring and performance — RoRvsWild (Legitimate interest)

  • Shipment processing — Swiss Post + local carriers (Performance of the contract)

Section 5

Recipients and international transfers

  • Hetzner Online GmbH (Germany / EU) — No transfer outside the EU — ISO 27001

  • Google LLC / Google Ireland (GA4, Ads) (USA / Ireland) — Swiss-US DPF or Swiss SCCs

  • LinkedIn Ireland (EU / USA) — Swiss SCCs adapted

  • Mailchimp / Intuit (USA) — Swiss SCCs adapted

  • RoRvsWild (EU) — Privacy policy published

  • Bexio AG (Switzerland) — No transfer — CH servers

  • Swiss Post Ltd + local carriers (Switzerland) — No transfer — Swiss entity

Any transfer to a country without an adequate level of protection is covered by Swiss standard contractual clauses and, where applicable, a transfer impact assessment (TIA).

Section 6

Cookies and similar technologies

A consent banner compliant with FDPIC guidance is shown to every visitor: “Accept all,” “Reject all,” “Customize.” Non-essential cookies are only set after an explicit choice (opt-in). Preferences can be changed at any time via the “Cookie settings” link in the footer.

  • Session cookies (authentication) (Session) — Customer area functionality

  • Google Analytics 4 (_ga, _ga_*) (13 months) — Anonymized audience measurement

  • Google Ads (conversion) (90 days) — Ad conversion tracking

  • LinkedIn Insight Tag (90 days) — LinkedIn conversions and retargeting

  • Consent banner (1 year) — Storage of cookie preferences

Section 7

Retention periods

  • Order and billing data: 10 years (Art. 958f CO — accounting obligations)

  • Inactive customer accounts: anonymized after 10 years

  • Server logs (Hetzner / RoRvsWild): 12 months maximum

  • GA4 analytics cookies: 13 months maximum

  • Mailchimp data: until consent is withdrawn or 2 years of inactivity

  • Support emails: 3 years

Section 8

Data security

Measures in place: SSL/TLS, encryption of data at rest, firewalls, offline backups, role-based access control, network monitoring, ISO 27001 hosting (Hetzner, DE/EU).

Any data breach likely to result in a high risk will be reported promptly to the FDPIC (Art. 24 revFADP) and, where necessary, to the individuals concerned.

Section 9

Rights of data subjects

In accordance with the revFADP (in force since September 1, 2023) and, where applicable, the GDPR, you have the following rights:

  • Right of access to your data (Art. 25 revFADP)

  • Right to rectification in case of inaccuracy (Art. 32 revFADP)

  • Right to erasure (“right to be forgotten”)

  • Right to restriction of processing

  • Right to object

  • Right to data portability

  • Right to withdraw your consent at any time, without retroactive effect

To exercise these rights: pro@uglyfruits.ch or OplaBio SA, Avenue du Mail 18, 2000 Neuchâtel.

Section 10

Changes

This policy may be updated. The revision date appears at the top. Substantial changes are notified by email and on the website at least 14 days before they take effect.

Section 11

Contact and recourse

Contact: pro@uglyfruits.ch

Supervisory authority: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern — www.edoeb.admin.ch

OplaBio SA — UglyFruits | Moosgasse 34 - 3210 Kerzers | CHE-140.486.678 | pro@uglyfruits.ch