Legal Basis for Processing Personal Information

When we process your personal data, we will only do so in accordance with applicable data protection regulations and only in the following situations:  

  • We need to use your personal data to perform our responsibilities under a contract with you (e.g., processing payments for and providing the products and services you have requested).
  • We have a legitimate interest in processing your personal data. For example, we may process your personal data to send you marketing communications, to communicate with you about changes to our products and services, and to provide, secure, and improve our products and services.
  • We find such processing is necessary to comply with our legal obligations.
  • We have your consent to do so. When consent is the legal basis for our processing, you may withdraw such consent at any time by contacting us at

Data Retention

We store the information we collect on you only for as long as is necessary for the purpose(s) for which we originally collected it, or for other legitimate business purposes, including to meet our legal, regulatory, or other compliance obligations.  The criteria used to determine the appropriate retention period for personal information include:  (1) the amount, nature and sensitivity of the personal information; (2) the length of time we have an ongoing relationship with you and provide services to you; (3) the purposes for which we process the personal information; (4) the potential risk of harm from unauthorized use and disclosure of your personal information; (5) whether there are legal obligations or requirements to which we are subject; and (6) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitation, litigation or regulatory investigations).  After the expiry of the aforementioned retention periods, we will delete or anonymize your personal information.

Transfer of Personal Information

DuVine is based in the United States, and we process and may store information in the United States and other countries.  If your personal information is transferred to the United States or other jurisdictions located outside of the European Economic Area, the United Kingdom or Switzerland, we will ensure that appropriate safeguards exist and are taken, including:

  • the recipient of the information being located within a country that benefits from an “adequacy” decision of the European Commission;
  • the recipient having signed a contract based on the standard contractual clauses approved by the European Commission, obliging them to protect your personal information;
  • or in the absence of the above appropriate safeguards, we may ask for your consent for the cross-border transfer of your personal information or take any other measures that provide sufficient level of protection for your personal information.

Please be advised that U.S. law has not yet been recognized as providing for a data protection standard that is adequate to the ones within your jurisdiction.

Data Subject Requests

You have the right to access personal data that we maintain about you and to ask that your personal data be corrected, erased, or transferred.  You may also have the right to object to, or request that we restrict, certain processing of your information.  If you would like to exercise any of these rights, you may contact us  by sending an email to  Please be advised that our ability to honor these rights may depend upon our obligations to process personal information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, or because processing is necessary to deliver the services you have requested.  If we are not able to honor your request(s), we will inform you of the specific reasons in our response to your request.

Questions or Complaints

You may contact us at if you have any questions about these Additional Disclosures.  If you have a concern about our processing of personal data that we are not able to resolve, you have the right to lodge a complaint with the competent data protection supervisory authority.  Information about how to contact your local data protection supervisory authority is available from the European Data Protection Board.