Privacy notice

Version: 11 July 2026

This notice explains transparently which personal data we process, for which purposes, with whom we share it and which rights you have. It applies to the public website, shop, customer account, communications, regional-demand requests, newsletter, job applications, bakery and logistics enquiries, and the operational delivery service.

1. Controller

beeVisio AG, Weieracherstrasse 4, CH-8184 Bachenbülach, Switzerland. Privacy enquiries: info@zmorgi.com.

2. Data we process

  • Account and contact data: name, email address, telephone number, authentication information and preferred language.
  • Order and subscription data: products, quantities, delivery dates, delivery and billing address, instructions, order history, discounts and status.
  • Payment data: payment reference, status, amount and limited payment-method metadata; complete card data is handled by Payrexx.
  • Delivery data: recipient, address, telephone number, delivery instructions, assigned route and delivery status.
  • Communication data: messages, support requests, newsletter consent and email-delivery events.
  • Regional-demand data: name, email address, postcode, optional telephone number, town and message, request time, source and processing status.
  • Technical data: IP address, browser and device information, timestamps, requested URLs, security and error logs.
  • Applicant data: name, contact details, place of residence, role applied for, availability, motivation, CV and subsequent recruitment correspondence.
  • Business, bakery and logistics data: business and contact details, production or collection location, operating days and times, capacity, product focus, closure dates, delivery destinations, frequency, temperature requirements, estimated volume, website, enquiry content and subsequent correspondence.

3. Purposes

We process data to provide the website and customer account, check delivery availability, record and evaluate demand for new delivery areas, conclude and fulfil orders and subscriptions, process payments, plan and document deliveries, provide support, assess and respond to job, bakery-partner and zmorgi Logix enquiries, prepare possible employment or commercial relationships, prevent fraud and misuse, meet accounting and legal obligations, improve operational reliability and send communications you have requested.

4. Legal basis and principles

We process personal data in accordance with the Swiss Federal Act on Data Protection. Depending on the situation, processing is necessary for a contract, based on consent, required by law or justified by our legitimate interest in a secure and efficient service. Where the EU or UK GDPR applies, the corresponding legal bases are contract performance, legal obligation, consent and legitimate interests.

5. Recipients and processors

We use the following categories and named providers. Their access is limited to the relevant purpose and governed by contractual and technical safeguards.

Cloudflare, Inc.

Website delivery, caching, DDoS and bot protection; technical connection data such as IP address, request metadata and security signals.

Supabase, Inc.

Authentication, database, server functions and file storage for customer accounts, orders and operational data. The production project is hosted in the Swiss eu-central-2 region; limited global support or subprocessor access may still occur.

Payrexx AG

Payment processing. Payrexx receives the information required for payment; zmorgi does not store complete card numbers.

Shipday, Inc.

Delivery planning and driver operations. Recipient name, address, telephone number, delivery instructions and order reference may be transmitted.

Resend, Inc.

Delivery of transactional, confirmation and consent-based emails, including job applications and partner enquiries. Resend processes sender and recipient addresses, message content, attached CVs and technical delivery data for transmission.

Google Workspace (Google Cloud EMEA Limited and group companies)

Business email mailboxes, including jobs@zmorgi.com and info@zmorgi.com. Messages, contact details and attachments delivered by Resend are stored and processed in the authorised recipient mailboxes.

Federal Office of Topography swisstopo

Swiss address and location lookup. When you use address autocomplete, the search text and technical connection data are sent from your browser to the geo.admin.ch API.

Google LLC and Apple Inc.

Optional social sign-in, only when the feature is enabled and you choose the relevant provider. The provider receives the authentication request and returns the account data you authorise.

Anthropic, PBC and fal.ai

Internal AI-assisted text and media creation in the operations hub. Staff must not enter payment data or unnecessary customer data into prompts.

Regional bakeries and delivery personnel

Order fulfilment. They receive only the order and delivery information needed to prepare and deliver the goods.

6. International transfers

Some providers or their subcontractors are located in the EU/EEA, the United States or other countries. Where the destination does not provide an adequate level of protection under Swiss law, we rely on recognised safeguards such as the revised EU standard contractual clauses adapted for Switzerland, data-processing agreements and supplementary security measures where appropriate.

7. Cookies and local storage

The current website uses only storage and cookies needed for the functions you request and for security. We do not currently run advertising cookies, social-media trackers or third-party audience analytics on the public website. Necessary technologies are always active; the notice records only that you have seen the current information. You can reopen it at any time through «Cookie settings» in the footer.

zmorgi-consent-v1

Local storage
Provider
beeVisio AG
Purpose
Records that you have seen the current cookie information, including the policy version and necessary-only status.
Duration
Six months

zmorgi-plz, zmorgi-cart, zmorgi-cart-plz, zmorgi-delivery-date, zmorgi-order-mode, zmorgi-recurring-delivery-days, zmorgi-delivery-check

Local storage
Provider
beeVisio AG
Purpose
Keeps your delivery area, order type, selected date, basket and the latest delivery-availability result consistent across pages.
Duration
Until changed, consumed or removed in your browser

sb-shop-auth and related sign-in verifier

Local storage
Provider
Supabase, Inc. / beeVisio AG
Purpose
Maintains the customer session or completes a sign-in you explicitly started.
Duration
Until sign-out, session expiry or removal in your browser

Short-lived checkout, subscription and form hand-offs

Session storage
Provider
beeVisio AG
Purpose
Carries a selected job, subscription draft or guest account hand-off safely through the relevant page or payment redirect.
Duration
Browser session; the guest-account hand-off is accepted for no more than 24 hours

__cf_bm, cf_clearance (only if set)

Cookie
Provider
Cloudflare, Inc.
Purpose
Bot, abuse and challenge protection. These cookies are set only when the relevant Cloudflare security feature requires them.
Duration
Short-lived security period, commonly around 30 minutes or as determined by the active challenge

If we add optional analytics, marketing or external-media technologies later, they will remain off by default and will be loaded only after the required information and your active choice. A change of purpose or provider will trigger a new request.

8. Email, forms and newsletter

Transactional messages are necessary to operate your account, order or subscription. A newsletter subscription is a separate choice: after submitting the newsletter form, we send a confirmation link that is valid for 24 hours. That link opens a confirmation page; the newsletter remains inactive until you explicitly confirm on that page. Every newsletter provides an unsubscribe option; you may also contact info@zmorgi.com.

A request for a new delivery area is not a newsletter subscription. We use the submitted postcode and contact details to measure regional demand, plan possible routes and contact you specifically about availability in that area.

When you submit the job application form, your details and CV are delivered through Resend directly to jobs@zmorgi.com as an email attachment. Bakery-partner and zmorgi Logix enquiries are delivered through Resend to info@zmorgi.com and may also be entered in the access-controlled operations hub for follow-up. The receiving mailboxes are operated with Google Workspace, where the message and any attachment are stored for authorised recipients. We also attempt to send a confirmation to the email address you provide. We do not place CVs in a public file repository or make them available through a public file URL.

9. Retention

We retain data only for as long as the relevant purpose, contractual relationship, legitimate evidence need or statutory duty requires.

  • If an application is unsuccessful, we delete the application data when it is no longer required and normally no later than three months after notifying you of our decision. In an individual case, we may retain it for a few additional weeks if this is necessary for the delayed service or defence of a legal claim. We retain it for a talent pool only with your separate consent. If you are hired, the necessary documents become part of your personnel file.
  • We retain partner enquiries while we assess and discuss the proposed collaboration and, if a partnership follows, for the duration of that business relationship. If no partnership is established, we delete the data once it is no longer needed, subject to applicable retention duties and legitimate evidence requirements for business correspondence.
  • Regional-demand requests are retained while the postcode is being assessed or planned and are deleted or anonymised when they are no longer needed for that purpose, unless a legal or evidentiary need requires longer retention. You may ask us to delete your request at any time.
  • A newsletter confirmation link expires after 24 hours. Expired, never-confirmed sign-ups are not included in newsletter mailings and are automatically removed after the configured cleanup period. Confirmed newsletter data is retained until withdrawal or deletion, subject to a minimal suppression record.
  • Minimal form delivery and anti-abuse records, including pseudonymised salted hash values derived from email and IP address, delivery status and provider identifiers, are automatically deleted after 90 days. Form content, original filenames and CV files are not stored in this technical log.
  • Accounting and transaction records may be retained for ten years. Delivery and other technical logs are kept for shorter operational and security periods unless an incident requires longer preservation.

10. Security

We apply proportionate technical and organisational measures, including encrypted transport, role-based access, restricted service credentials, database row-level security, logging, backups and provider controls. No internet service can guarantee absolute security.

11. Your rights

Subject to applicable law, you may request information, correction, deletion, restriction, objection and the release or transfer of data. You may withdraw consent with future effect. We may need to verify your identity and may retain data where a legal duty or overriding interest requires it. Contact info@zmorgi.com. You may also contact the Swiss Federal Data Protection and Information Commissioner.

12. Automated decisions

Delivery availability and order deadlines are calculated automatically from the postcode, date and configured bakery rules. Minimum order values and delivery fees are calculated from the order type, selected date or confirmed subscription frequency and the pricing terms in force at checkout. These calculations implement the service contract; we do not use solely automated decisions that produce comparable significant personal effects.

13. Updates

We update this notice when services, providers or legal requirements change. The version published here is authoritative; material changes will be highlighted where appropriate.