Privacy Policy

Last updated: 4 March 2026

This Privacy Policy explains how Wawawines AB (“Wawawines”, “we”, “us”, “our”) collects, uses, and protects personal data in connection with our website, our B2B customer relationships (restaurants and HORECA clients), and our marketing communications including newsletters. We are committed to processing personal data in a lawful, fair, and transparent manner in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Swedish data protection legislation.


1. Data Controller

The data controller responsible for your personal data is:

Wawawines AB

Kungsportsavenyn 21, 411 36 Göteborg, Sweden

Organisation number: 559564-3908

Email: contact@wawawines.com

Website: www.wawawines.com

If you have any questions about how we handle your personal data, please contact us at the email address above.


2. Personal Data We Collect

2.1 Website Visitors

When you visit our website, we may collect the following data automatically:

  • IP address (anonymised where technically possible)

  • Browser type and version

  • Device type and operating system

  • Pages visited, time spent, and referral source

  • Cookie identifiers (see Section 7 on Cookies)

This data is collected through Google Analytics and is used solely for the purpose of understanding how our website is used and improving user experience.

2.2 B2B Customers – Restaurants and HORECA

When you enter into a business relationship with us as a restaurant or HORECA operator, we collect and process the following categories of personal data:

  • Contact person name, title, and business email address

  • Phone number

  • Company name, organisation number, and delivery address

  • Order history and invoicing details

  • Payment information (we do not store full payment card data)

  • Communication history (emails, notes from calls or visits)

2.3 Newsletter Subscribers

When you sign up for our newsletter, we collect:

  • Email address

  • First name (optional, used for personalisation)

  • Subscription preferences and engagement data (opens, clicks)


3. Purposes and Legal Bases for Processing

We only process personal data where we have a valid legal basis under Article 6 of the GDPR. The table below sets out our purposes and corresponding legal bases:


Managing orders, deliveries, and invoicing for B2B customers — Legal basis: Performance of a contract (Art. 6(1)(b))

Communicating with B2B customers about products, pricing, and account matters — Legal basis: Legitimate interest (Art. 6(1)(f))

Sending newsletters and marketing emails to subscribers — Legal basis: Consent (Art. 6(1)(a))

Analysing website traffic via Google Analytics — Legal basis: Consent via cookie banner (Art. 6(1)(a))

Complying with legal obligations (accounting, tax) — Legal basis: Legal obligation (Art. 6(1)(c))

Recovering unpaid debts and enforcing contractual rights — Legal basis: Legitimate interest (Art. 6(1)(f))


4. How We Share Your Data

We do not sell personal data to third parties. We may share data with the following categories of recipients where necessary to fulfil the purposes described above:

  • Logistics and 3PL partners – for order fulfilment and delivery

  • Accounting and invoicing software providers – for financial record-keeping

  • Email marketing platforms – for sending newsletters (e.g. Mailchimp or equivalent)

  • Google LLC – for website analytics via Google Analytics (data may be processed in the US; Google is certified under the EU–US Data Privacy Framework)

  • Legal or regulatory authorities – where required by law or court order

All third-party processors are bound by data processing agreements ensuring an equivalent level of data protection.


5. International Transfers

Some of our service providers, including Google Analytics, may process data outside the European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on an adequacy decision. You can request details of the safeguards applicable to any specific transfer by contacting us.


6. Retention Periods

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law:

  • B2B customer data (orders, invoices, contacts): 7 years from the end of the financial year in which the transaction occurred, in accordance with the Swedish Accounting Act (bokföringslagen 1999:1078)

  • Newsletter subscriber data: until you unsubscribe or withdraw consent, plus 12 months thereafter for audit purposes

  • Website analytics data: 14 months (Google Analytics default retention period)

  • Enquiry and communication data: 2 years from last contact


When data is no longer required, it is securely deleted or anonymised.

7. Cookies and Tracking

Our website uses cookies to improve functionality and analyse usage. We use the following categories of cookies:

  • Strictly necessary cookies – required for the website to function; no consent needed

  • Analytics cookies – Google Analytics, used to collect anonymised data on how visitors interact with the website; activated only upon your consent via our cookie banner

You can withdraw your consent to analytics cookies at any time by adjusting your cookie preferences via the cookie settings link in our website footer, or by using your browser’s cookie management tools. For more information about Google Analytics and how to opt out, visit: https://tools.google.com/dlpage/gaoptout


8. Your Rights

Under the GDPR, you have the following rights in relation to your personal data:

  • Right of access – you may request a copy of the personal data we hold about you

  • Right to rectification – you may ask us to correct inaccurate or incomplete data

  • Right to erasure – you may ask us to delete your data, subject to legal retention obligations

  • Right to restriction of processing – you may ask us to limit how we use your data in certain circumstances

  • Right to data portability – you may request your data in a structured, machine-readable format where processing is based on consent or contract

  • Right to object – you may object to processing based on legitimate interest

  • Right to withdraw consent – where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing


To exercise any of these rights, please contact us at [contact email]. We will respond within one (1) month of receiving your request. If you are unsatisfied with our response, you have the right to lodge a complaint with the Swedish supervisory authority:


Integritetsskyddsmyndigheten (IMY)

Box 8114, 104 20 Stockholm

imy.se · +46 8-657 61 00


9. Newsletter Unsubscribe

You may unsubscribe from our newsletter at any time by clicking the unsubscribe link included in every email, or by contacting us directly at [contact email]. Upon unsubscription, we will cease sending marketing communications promptly and remove your data in accordance with the retention schedule in Section 6.


10. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These measures include encrypted data transmission (HTTPS), access controls, and regular reviews of our data handling practices. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals in accordance with GDPR obligations.


11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The “Last updated” date at the top of this document will indicate when the most recent changes were made. For significant changes, we will notify active customers and newsletter subscribers by email.