Privacy Policy

1. Privacy at a glance

General information

The following information provides a simple overview of what happens to your personal data when you visit this online shop or make a purchase. Personal data is any data that can be used to personally identify you. For detailed information on the subject of data protection, please refer to the privacy policy listed below this text.

Who is responsible?

The entity responsible for data processing in this online shop is Weingut Viermorgenhof. Full contact details can be found in section 3 under “Information on the responsible entity”.

What data is collected?

When visiting and using this shop, the following data is essentially processed:

• Data that you actively provide (e.g., when placing an order, subscribing to the newsletter, or using the AI sommelier chat),

• Data that arises in the context of contract processing (e.g., order history),

• Technical data that is automatically collected when visiting the website (e.g., IP address, browser type).

Why is your data processed?

Data processing is carried out primarily for contract fulfillment (ordering, shipping, payment), for providing the online shop, for fulfilling legal obligations (e.g., accounting, taxes, protection of minors), and based on your consent (e.g., for the newsletter).

What are your rights?

You have the right at any time to request information free of charge regarding your stored data, its origin, its recipients, and the purpose of its collection. You also have the right to request the correction, deletion, or restriction of the processing of your data, the right to data portability, and the right to lodge a complaint with a supervisory authority. Details can be found in section 3.

Who processes your data technically?

This online shop is operated via the platform of Vinolin UG (haftungsbeschränkt). Vinolin processes a portion of your data as a processor on behalf of the aforementioned controller. For certain functions (in particular the central login service and the AI sommelier, for which Vinolin is independently responsible), Vinolin acts as the controller; details on this can be found in sections 5, 6, and 7.

2. Hosting and technical provision

The online shop is operated on the “Vinolin Suite” SaaS platform by Vinolin UG (haftungsbeschränkt), Bildungscampus 11, 74076 Heilbronn. Vinolin processes the personal data generated in this shop as a processor on behalf of the shop operator. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Vinolin.

Vinolin uses the following sub-processors for the technical provision of the platform:

• Vercel Inc. (USA, with global CDN) — Web hosting and delivery of static content

• Neon Inc. (USA, data processing in Frankfurt am Main) — Database hosting

• Inngest, Inc. (USA) — Background job processing

• Amazon Web Services EMEA SARL (Luxembourg, data processing in Frankfurt am Main) — Sending of transactional emails (e.g., order confirmations)

• Google Ireland Ltd. (Ireland, data processing in Frankfurt am Main) — AI functions for the sommelier (see section 7)

For sub-processors based outside the EU, EU Standard Contractual Clauses (SCCs) are used in accordance with Art. 46 (2) (c) GDPR; in some cases, there is additional self-certification under the EU-US Data Privacy Framework.

Processing is carried out for the fulfillment of contracts with our customers (Art. 6 (1) (b) GDPR) as well as on the basis of our legitimate interest in the secure, fast, and efficient provision of the online shop by professional providers (Art. 6 (1) (f) GDPR).

3. General information and mandatory information

Data protection

We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

Please note that data transmission on the Internet (e.g., when communicating by email) may have security vulnerabilities. A complete protection of data against unauthorized access by third parties is not possible.

Information on the responsible entity

The responsible entity for data processing in this online shop is:

Weingut Viermorgenhof
In den Viermorgen 8
54538 Kinheim-Kindel
Phone: 0179 70 19 436
Email: wine@stairsandroses.de

VAT ID: DE331725435

Data Protection Officer

We have not appointed a data protection officer, as we are not required to do so. If you have any questions regarding data protection, please contact us using the contact details provided under “Information on the responsible entity”.

Retention period

Unless a more specific retention period is specified in this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke consent for data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial law retention periods pursuant to § 257 HGB / § 147 AO; as a rule, ten years); in the latter case, deletion will occur after these reasons cease to exist.

General information on the legal bases for data processing

If you have consented to data processing, we process your personal data on the basis of Art. 6 (1) (a) GDPR. If your data is required for the fulfillment of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6 (1) (b) GDPR. Furthermore, we process your data if it is necessary to fulfill a legal obligation, on the basis of Art. 6 (1) (c) GDPR. Data processing can also occur on the basis of our legitimate interest pursuant to Art. 6 (1) (f) GDPR. The specific legal bases relevant in individual cases are informed in the following paragraphs of this privacy policy.

Recipients of personal data

As part of our business activities, we work with various external bodies. In some cases, it is necessary to transmit personal data to these external bodies. We only share personal data with external bodies if it is necessary for the fulfillment of a contract, if we are legally obligated to do so, if we have a legitimate interest in the disclosure pursuant to Art. 6 (1) (f) GDPR, or if another legal basis allows the data transfer. When using processors, we only pass on personal data on the basis of a valid data processing agreement.

Revocation of your consent to data processing

Many data processing operations are only possible with your express consent. You can revoke any consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Right to object (Art. 21 GDPR)

Where data processing is based on Art. 6 (1) (e) or (f) GDPR, you have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data; this also applies to profiling based on these provisions. If you file an objection, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purposes of such advertising. If you object, your personal data will subsequently no longer be used for direct marketing purposes.

Right to lodge a complaint with the competent supervisory authority

In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the member state of their habitual residence, place of work, or the place of the alleged infringement. The right to lodge a complaint exists without prejudice to other administrative or judicial remedies. The State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate, Hintere Bleiche 34, 55116 Mainz.

Right to data portability

You have the right to have data that we process automatically based on your consent or in fulfillment of a contract handed over to you or to a third party in a standard, machine-readable format. Insofar as you request the direct transfer of data to another controller, this will only take place to the extent that it is technically feasible.

Information, correction, and deletion

Within the scope of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin, and the recipients and purpose of the data processing and, if applicable, a right to correction or deletion of this data.

Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. You can contact us at any time for this purpose.

SSL or TLS encryption

For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

Objection to promotional emails

The use of contact data published within the scope of the imprint obligation for the purpose of sending advertising and information materials that have not been expressly requested is hereby objected to. The operators of the pages expressly reserve the right to take legal action in the event of unsolicited sending of advertising information, such as spam emails.

4. Data collection when visiting this shop

4.1 Cookies

We use only technically necessary cookies in this online shop. These cookies are required for the shop to function — in particular for:

• managing your login session (if you have logged in via the Vinolin login),

• managing your shopping cart,

• the secure processing of the ordering and payment process,

• a technical identification of your session during the AI sommelier chat (Conversation-ID).

These cookies are set on the basis of § 25 (2) No. 2 TDDDG without consent, as they are absolutely necessary for the provision of the services you have expressly requested. The legal basis for the associated data processing is Art. 6 (1) (b) GDPR (contract fulfillment) or Art. 6 (1) (f) GDPR (legitimate interest in secure and functional operation).

We do not use cookies for tracking, analysis, or marketing. We therefore do not use a cookie banner.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases or exclude them in general. If technically necessary cookies are deactivated, the functionality of this shop is restricted.

4.2 Server log files

When you call up this online shop, information is automatically recorded in so-called server log files, which your browser automatically transmits, via the infrastructure of our platform provider Vinolin (see section 2). These are: browser type and browser version, operating system used, referrer URL, hostname of the accessing computer, time of the server request, IP address.

A merger of this data with other data sources is not performed. This data is collected on the basis of Art. 6 (1) (f) GDPR. We have a legitimate interest in the technically error-free provision of this shop and in the security of our systems. The logs are generally deleted automatically after 30 days.

5. End-customer account and login (account.vinolin.com)

5.1 Central login service

For logging in to this shop, we use the central login service of Vinolin UG (haftungsbeschränkt) under the domain account.vinolin.com. This service allows you to make purchases in all Vinolin shops with a single account without having to create a separate account in every shop.

The Vinolin UG (haftungsbeschränkt), Bildungscampus 11, 74076 Heilbronn, is responsible for the processing of your account data within the scope of this login service. The applicable privacy policy can be found at https://vinolin.com/datenschutz.

5.2 What data is processed?

When registering and logging in via the Vinolin account, the following data is processed in particular:

• First name, last name (optionally gender and profile picture)

• Email address and email verification status

• Phone number (optional)

• Date of birth (within the scope of age declaration)

• Password hash, session token, OAuth tokens

• IP address and user agent at the time of login

5.3 When is your data passed on to us?

Only once you make a purchase in our shop or subscribe to our newsletter, the data necessary for these purposes is transmitted by Vinolin to us as the shop operator. From this point on, we are the controller for the processing of the data associated with the order or the newsletter (see sections 6 and 8).

6. Order processing in the shop

6.1 What data is processed during an order?

Within the scope of an order, we process the data required for contract fulfillment. This is partly collected directly from you, partly provided via the Vinolin account or via the payment service provider:

Master and contact data (via Vinolin account):

• First and last name, email address, if applicable, phone number

• Date of birth (for age verification according to the protection of minors)

Address and payment data (via the payment service provider Stripe, see section 6.3):

• Delivery and billing address

• Payment data (e.g., credit card token; complete card data is not stored by us)

Order data:

• Order number, order items, quantities, prices

• Order status, shipping status

• Invoice documents

6.2 Legal basis and retention period

The processing of order data is carried out on the basis of Art. 6 (1) (b) GDPR (contract fulfillment). Order data that is relevant for accounting (in particular invoices) is stored for ten (10) years in accordance with § 257 HGB / § 147 AO. The legal basis for this is Art. 6 (1) (c) GDPR (legal obligation).

6.3 Payment processing via Stripe

Payment processing in this shop is handled by the payment service provider Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland. Via Stripe, you can pay with credit card, Apple Pay, Google Pay, or Wero, among other methods.

Stripe is independently responsible within the meaning of Art. 4 No. 7 GDPR in the context of payment processing. You enter your payment data (in particular card and bank account data, delivery and billing address) directly at Stripe. Stripe processes this data under its own responsibility for payment processing as well as for the fulfillment of legal obligations (in particular in the area of anti-money laundering).

We only transmit your email address to Stripe to enable Stripe to identify your order. We receive status information about the payment as well as the delivery address required for shipping back from Stripe.

Further information can be found in Stripe's privacy policy at https://stripe.com/de/privacy.

6.4 Payment processing via PayPal

If you opt for payment with PayPal, payment processing is handled by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, Luxembourg.

PayPal is independently responsible in the context of payment processing. You enter your payment data directly at PayPal. PayPal processes this data under its own responsibility. Further information can be found in PayPal's privacy policy at https://www.paypal.com/de/legalhub/privacy-full.

6.5 Shipping of goods

We handle the shipping ourselves via a shipping service provider commissioned by us (DPD, UPS, and DHL). For this purpose, we transmit your delivery and, if applicable, contact data (email address, phone number) to the shipping service provider. The legal basis is Art. 6 (1) (b) GDPR. As part of age verification, the shipping service provider hands over the goods to you personally only after successful identity and age verification.

6.6 Sending of order confirmations and status emails

Within the scope of order processing, you will receive automated emails (order confirmation, shipping confirmation, status information). The technical transmission is carried out via the infrastructure of our platform provider Vinolin and is handled via the sub-processor Amazon Web Services EMEA SARL (see section 2).

7. AI Sommelier

In this shop, an AI-supported sommelier is available to recommend suitable wines from our range based on your taste preferences.

7.1 Anonymous use

You can also use the AI sommelier without registering. Before the first use, you must agree to the processing of your inputs. In the case of anonymous use, the conversation history is stored; an IP address is not recorded, so that a recognition of your person across multiple sessions is not possible.

7.2 Use with a logged-in account

If you are logged in via your Vinolin account, your name will also be transmitted to enable more personalized advice. In the future, a shop-spanning taste profile managed via the Vinolin account may also be included, provided you have consented to the creation and use of such a profile.

7.3 Controller

The entity responsible for the provision of the AI sommelier within the scope of this shop is Weingut Viermorgenhof as the shop operator. Vinolin processes the data generated in the sommelier dialog as a processor on behalf of the shop operator (see section 2). The processing of the shop-spanning taste profile is carried out by Vinolin under its own responsibility; details and the option for consent or revocation can be found in the privacy policy of Vinolin.

7.4 AI processing via Google Vertex AI

To generate the AI responses, your inputs as well as, if applicable, your name are transmitted to Google Ireland Ltd. (Google Vertex AI). Processing takes place in a data center in Frankfurt am Main (Germany). According to Google, the transmitted data is processed exclusively for the generation of the respective response, is not stored permanently, and is not used for training purposes.

7.5 Legal basis and retention period

Processing is carried out on the basis of your consent pursuant to Art. 6 (1) (a) GDPR, which you give before starting the chat. You can revoke your consent at any time with effect for the future.

8. Newsletter

8.1 Registration with Double-Opt-In

On the website of this shop, you can subscribe to our newsletter. Registration takes place via the double-opt-in process: After entering your email address, you will receive a confirmation email with a confirmation link. Only after clicking on the link will you be added to our distribution list.

8.2 What data is processed?

Within the scope of the newsletter registration, we process:

• Your email address

• Confirmation status (Pending / Verified / Unsubscribed)

• Confirmation and unsubscribe tokens

• Timestamp of registration and confirmation

8.3 Shipping and technical provision

We handle the technical transmission of the newsletter via the infrastructure of our platform provider Vinolin. For this purpose, Amazon Web Services EMEA SARL (see section 2) is used as a sub-processor. We remain the controller in this respect; Vinolin and AWS are involved exclusively as processors.

8.4 Legal basis and revocation

Processing is carried out on the basis of your consent pursuant to Art. 6 (1) (a) GDPR. You can revoke your consent at any time by clicking the unsubscribe link in each newsletter or by sending us a corresponding notification at wine@stairsandroses.de. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

After revocation, your data will be removed from the active newsletter distribution list. We may store proof of your consent and revocation in order to fulfill our burden of proof (Art. 6 (1) (f) GDPR — legitimate interest in provability).

9. Topicality of this privacy policy

We reserve the right to adapt this privacy policy in the event of significant changes. The current version is available on our website.

Status: 04.05.2026