Privacy Policy

1. Privacy at a Glance

The following information provides a simple overview of what happens to your personal data when you visit this website.

2. Responsible Party

BB Internet GmbH, Alte Steinhauserstrasse 19, 6330 Cham, Switzerland. Email: datenschutz@hempwholesales.com

3. Data Collection on This Website

Cookies and Consent Management

Our website uses cookies. We distinguish between essential cookies (login session, cart, security tokens) and optional cookies (statistics, marketing). Before setting optional cookies we ask for your consent via our Consent Management banner (legal basis: § 25 TTDSG / ECJ C-673/17 Planet49). You can withdraw your consent any time via the Cookie settings link in the footer. The consent decision is stored for 12 months.

Contact Form

If you send us inquiries via the contact form, your details will be stored for processing the inquiry and for possible follow-up questions. We will not share this data without your consent.

4. Your Rights

You have the right at any time to free information about your stored personal data, its origin and recipients, and the purpose of data processing, as well as the right to rectification or deletion of this data.

5. Analytics Tools (consent-based only)

If you accept the statistics category in the cookie banner, we load Google Analytics (Google Ireland Ltd., Google LLC) with IP anonymisation enabled (anonymize_ip). Without your consent, no analytics scripts are loaded and no analytics cookies are set. You can withdraw your consent any time.

6. Processing of Business Data

As part of our B2B business activities, we process the following business-related data of our customers:

• VAT ID (Value Added Tax Identification Number) — Legal basis: Art. 6 (1) lit. b GDPR (contract fulfillment) and tax law obligations
• Commercial register number and responsible commercial register office — for identity verification of business partners
• Trade license data — to verify the business operator status, particularly relevant for B2B trade in CBD products

This data is processed exclusively for contract initiation, contract fulfillment and compliance with legal obligations.

7. COA and Batch Data

For quality assurance and traceability, we store the following for each order:

• Certificates of Analysis (COA) — laboratory reports from external, accredited labs with information on cannabinoid profile, heavy metals, pesticides and microbiological purity
• Batch numbers — for unique identification and traceability of each product batch
• Supplier information — to ensure supply chain transparency

Storage is based on our legal obligations (Art. 6 (1) lit. c GDPR) and our legitimate interest in quality assurance (Art. 6 (1) lit. f GDPR).

8. Data Transmission

To fulfill our contractual and legal obligations, we transmit personal and business data to the following recipients:

• Shipping providers (DHL, DPD): receive delivery address and contact data for goods delivery.
• Payment provider (Komfortkasse, DE): receives name, IBAN, payment reference and amount for bank-transfer payments. DPA in place.
• EU VIES (European Commission): For VAT ID validation, the number is transmitted to the VIES system. No additional personal data is transferred.
• Brevo / Sendinblue (FR): sends transactional emails (order confirmation, welcome, newsletter confirmation). Receives email, name and order number. DPA in place.
• Hostinger International (LT/CY): hosts the backend, database and file storage. Receives all data technically required to provide the service. DPA in place.
• Google Ireland Ltd. / Google LLC (Analytics): only loaded after consent to the statistics category. IP address is anonymised. Data transfer to the US is based on EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
• Anthropic PBC (US): AI assistance preparing internal answer drafts in our WhatsApp inbox (see section 13). No direct end-customer contact. DPA with EU Standard Contractual Clauses in place.

9. Retention Periods

We store your data only as long as necessary for the respective purposes or as required by legal retention obligations:

• Accounting records and vouchers: 10 years pursuant to Art. 958f of the Swiss Code of Obligations (OR)
• Tax-relevant documents: 10 years pursuant to Art. 70 Swiss VAT Act (MWSTG)
• COA and batch data: At least 10 years to ensure traceability
• Contract data: 10 years after contract end (general limitation period pursuant to Art. 127 OR)

After the retention periods expire, your data will be deleted or anonymized.

10. Data Processing Outside the EU

In the course of our business activities, data may be transferred to the following third countries:

• Switzerland: The European Commission has issued an adequacy decision for Switzerland (Art. 45 GDPR). Your data enjoys a comparable level of protection there as in the EU.
• United Kingdom (UK): An adequacy decision exists for the UK from the European Commission. Data transfer occurs on this basis without additional safeguards.

Should data transfer to additional third countries become necessary, we ensure an adequate level of data protection through appropriate safeguards (e.g., EU standard contractual clauses).

11. Newsletter (Double-Opt-In)

You can sign up for our newsletter via the footer form. We use a double opt-in flow: after signing up, you receive a confirmation email with a link you must activate before the subscription becomes effective. Only after your active confirmation are you added to our list. Brevo sends the confirmation email on our behalf. You can unsubscribe any time via the unsubscribe link in every newsletter. Legal basis: consent (Art. 6 (1) (a) GDPR).

12. WhatsApp communication

If you contact us via our WhatsApp Business number, we process the message content to answer your enquiry. Incoming messages are stored in our internal CRM. For efficiency we may use the Anthropic API (see section 8) to prepare answer drafts for our sales team. Every answer is reviewed and approved by a human before sending — there is no fully automated communication. Retention: 24 months after last activity.