Personal Data Protection Policy
Last updated: December 2025
Bonne Maman (hereinafter “we”) places great importance on the protection of your personal data. This statement explains how we collect, use, store, and protect your data when you visit our website or use our services, including our online store.
1. Who is responsible for processing your data?
Andros (Switzerland) SA – Route de Champ Colin 12-16, 1260 Nyon and Cupcake Affair GmbH – Bonne Maman Boutiques & Cafés, Spitalgasse 10, 8001 Zürich, are joint controllers of the data processing described in this privacy statement, unless otherwise specified in a particular case.
You can contact us as follows for your data protection requests and to exercise your rights in accordance with section 11:
Cupcake Affair GmbH - Bonne Maman Boutiques & Cafés
Spitalgasse 10
8001 Zürich
info@bonnemaman.ch
2. What data do we process and for what purposes?
a. Technical data
We collect and store technical information that your browser automatically transmits to us in “server log files” when you visit our website or our online store. This includes, among other things, the following data:
- Browser type and version;
- Operating system used;
- Referrer URL (the previously visited website);
- Host name of the computer accessing the site;
- Date and time of the server request;
- IP (Internet Protocol) address;
- Amount of data transmitted;
- Other similar data and information used to prevent risks in the event of attacks on our computer systems.
To ensure the functionality of our website and online store, we may also assign you or your device an individual code (e.g., in the form of a cookie; see our Cookie Policy for more details). Technical data alone generally does not allow us to draw conclusions about your identity. This data is deleted by us no later than 3 to 6 (three to six) months after collection.
We use technical data for the following purposes:
- enable the display, operation, and proper functioning of the website and the online store;
- ensure the stability and security of the system;
- improve and protect our services and products;
- for statistical purposes and in the event of an attack on the network infrastructure on which the website is hosted.
b. Personal data you provide to us
We collect and process the data that you voluntarily provide to us via an online form directly on the website or online store, through our contact email address, as part of contests, via any other applications linked to the portal, by telephone, or in another way. This information includes the following personal data:
- Via the "online Merci form": first name, last name, postal address, email address, product tasted and reviewed, the channel through which it was received, as well as your feedback on it and your purchasing habits (e.g., in which types of stores you make most of your purchases);
- Via the contact form: first name, last name, postal address, email address, telephone number;
- Contests: first name, last name, postal address, email address, telephone number;
- Online store: information required for ordering and delivery (first name, last name, postal address, email address, telephone number, date of birth), payment information (via secure providers), order history.
As a general rule, we retain your data for a maximum of three (3) years from our last contact with you, and at least until the end of the contract, except in cases of interaction via the online store. This period may be extended when necessary, particularly for evidentiary purposes, to comply with legal or contractual obligations, or for technical reasons.
We use the data you voluntarily provide to us for the following purposes:
- to offer you our services and/or products in the best possible way and provide you with information about them;
- to establish, manage, and execute contractual relationships (for example, when purchasing products via the online store);
- to handle your complaints and provide you with satisfactory responses;
- for marketing and customer relationship management purposes (newsletter, advertising campaigns, contests, prize draws, etc.);
- to offer you new services and personalized information that may be of interest to you;
- if you have shared your date of birth, to send you a message on your birthday, for example;
- to conduct market research, improve our services or products, and develop new products;
- to comply with legal or other regulatory requirements and internal rules;
- to establish, exercise, and/or defend actual or potential legal rights, investigations, or similar proceedings;
- for other legitimate purposes, if such processing results from the circumstances or was indicated at the time of collection.
3. On what basis do we process your data?
The processing of personal data mentioned in point 3 is based on the following legal grounds:
- Your consent (for example, when you subscribe to our newsletter or other marketing communications). You may withdraw your consent at any time with effect for the future by sending us a written communication (by post) or, unless otherwise indicated or agreed, by email; you will find our contact details in point 1. Upon receipt of your withdrawal, we will no longer process your data for the purposes to which you had consented, unless another legal basis applies. The withdrawal of your consent does not affect the lawfulness of processing carried out before such withdrawal.
- For the establishment, management, or performance of a contract with you, or for the intention to conclude a contract with you (for example, when purchasing a product via our online shop);
- To protect our legitimate interests (for example, the marketing of our products and services; the interest in better understanding our markets and in managing and developing our business, including its operations, in a safe and efficient manner; the protection and security of our services, systems, and assets; compliance with legal, regulatory, and contractual obligations; the establishment, exercise, or defense of legal claims);
- To comply with obligations imposed by law or by authorities (for example, in the context of investigations or legal proceedings, requests from tax or customs authorities, etc.).
4. No profiling
We do not make any decisions about you that are based on automated processing of your data and that produce legal effects concerning you.
5. To whom do we disclose your data?
We may disclose your data, in accordance with the purposes and legal bases described above, to the following categories of recipients:
- Service providers: who process personal data on our behalf and according to our instructions (e.g., IT providers, hosting and support, shipping companies, advertising service providers, online shop management, etc.);
- Clients, contractual partners, suppliers;
- Public authorities: We may disclose personal data to offices, courts, and other authorities in Switzerland and abroad if we are legally required or permitted to do so, or if this appears necessary to safeguard our interests;
- Acquirers or parties interested in acquiring business units, companies, or other parts of the ANDROS group, within the limits of the law;
- Other parties: These are other cases where the involvement of third parties arises from the purposes described in point 2, for example beneficiaries of services, media and associations in which we participate, or if you are featured in one of our publications.
All these categories of recipients may in turn engage third parties, so your data may also be accessible to them. We may restrict processing by certain third parties (e.g., IT service providers or providers related to the e-shop or in-store operations), but not by others (e.g., authorities, banks, etc.).
6. How long do we process your data?
We process your data for as long as our processing purposes, statutory retention periods, and our legitimate interests in processing for documentation and evidence purposes require, or as long as storage is technically necessary. You can find more information on the respective storage and processing periods for the different categories of data in point 3 or for cookie categories in our Cookie Policy. If there are no legal or contractual obligations to the contrary, we delete or anonymize your data after the expiration of the storage or processing period as part of our standard procedures.
7. Security
The data controllers have implemented both organizational and technical measures to ensure the security of your data. These data must be protected against unauthorized or unlawful processing, accidental loss, alteration, disclosure, or unauthorized access. For the collection and processing of your data, we may use external service providers who are strictly required to process your data in accordance with our instructions. In addition, they are legally obliged to take strict security measures when processing personal data.
However, it is important to note that the transmission of data and information over the Internet is not entirely risk-free. Despite all our efforts to protect your data, we cannot fully guarantee the security of data transmission to our website. Any transmission is therefore at your own risk. For this reason, you have the option to provide your data to us by other means, such as by telephone. Once we have received your data, we apply strict procedures and comprehensive security measures to prevent any unauthorized access.
8. Other information about the newsletter and email communication for advertising purposes
If you subscribe to our newsletter, we will use your email address to send you information about our services and products as well as other commercial communications (for example, announcements of events, contests, promotions, and surveys) that may be of interest to you.
9. Privacy statements of third-party providers
Please note that by clicking on a link to a third-party site (such as Google, social media, or other websites), you will be redirected to a site that we do not control. In such cases, our privacy statement no longer applies. Your activities and interactions on another website are subject to the individual terms of use, privacy statements, and policies of the respective third-party provider. Furthermore, we cannot guarantee the accuracy or timeliness of these external links.
10. Children’s data
Our website is primarily designed and intended for adults. We do not knowingly collect personal data from children under the age of 16 unless the express consent of their parents has been obtained beforehand.
11. What are your rights?
The applicable data protection legislation grants you, under certain circumstances, the right to object to the processing of your data or to request its restriction. To make it easier for you to control the processing of your personal data, you have the following rights in relation to our data processing:
- the right to ask us whether we process any data concerning you and, if so, which data;
- the right to ask us to correct any data if it is inaccurate;
- the right to request the deletion of data;
- the right to ask us to provide certain data in a commonly used electronic format or to transfer it to another data controller (the so-called right to data portability);
- the right to withdraw consent insofar as our processing is carried out by a third party;
- the right to receive, upon request, additional information necessary to exercise these rights.
If you wish to exercise the aforementioned rights with respect to us, please contact us in writing or by email; you will find our contact details in section 1. To prevent any misuse, however, we must verify your identity (e.g., by means of a copy of your ID card, insofar as this is not possible otherwise).
Please note that these rights are subject to conditions, exceptions, or restrictions under the applicable data protection legislation (e.g., for the protection of trade secrets).
If you disagree with or are dissatisfied with the way we handle your rights or data protection, please let us know. You also have the right to lodge a complaint with the competent data protection supervisory authority. In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC) in Bern (http://www.edoeb.admin.ch).
12. Changes to Our Privacy Policy
We reserve the right to adapt this privacy policy at any time as needed. The version published on this website is always considered the current version.