Privacy Policy
Last updated: April 8, 2026
This page describes how we process personal data for the contact form and live chat. Add controller details and contact information before publishing.
1. Purpose of processing
The following overview describes which personal data we process in connection with the contact form and live chat, and for what purposes.
Contact form
- Handling project inquiries and follow-up questions
- Creating internal tickets for tracking
- Communicating with requesters via email
Live chat
- Real-time communication between visitors and support or admin
- Traceability of support threads within the session
- Quality assurance and operational handling of open requests
2. Categories of personal data
Contact form
- Name
- Email address
- Free-text message
- Optional: service selection
- Technical metadata for abuse prevention (e.g. nonce, timing honeypot)
Live chat
The following categories may arise in live chat or the form:
- Chat content (messages)
- Session ID (pseudonymous technical identifier)
- Message timestamps
- Typing status (short-lived)
3. Legal basis (typical)
- Art. 6(1)(b) GDPR: pre-contractual communication upon request
- Art. 6(1)(f) GDPR: legitimate interest in secure and stable operation (abuse protection, logging, rate limits)
Note: Final legal bases should be aligned with your controller and, if applicable, your DPO.
4. Retention and erasure of personal data
We process and store personal data only for as long as necessary to fulfil the respective purpose or where statutory retention obligations apply.
General deletion periods
- Contact requests / support tickets: 12 months after the request is closed, then deletion or anonymisation
- Live chat messages: 3 months, then deletion or anonymisation
- Technical status data (e.g. typing status): processed only temporarily and not stored permanently
- Login and security logs: 6–12 months, depending on security-related requirements
Order-related data (e.g. video production)
Data processed under contracts (e.g. video editing), such as source material and final files, is fully deleted no later than 30 days after successful delivery.
After deletion, access or recovery by us is no longer possible.
Longer storage occurs only if expressly agreed with the client.
Statutory retention obligations
Certain data is subject to statutory retention obligations. These include in particular:
- Invoices
- Payment records
- Tax-relevant documents
This data is retained for the legally prescribed period of up to 10 years on the basis of Art. 6(1)(c) GDPR in conjunction with applicable tax and commercial law (e.g. tax legislation or the Swiss Code of Obligations).
During this period, the data is stored solely to comply with legal obligations and is not processed for other purposes.
Erasure after the purpose ceases
As soon as the purpose of processing no longer applies and no statutory retention obligations remain, the relevant data is erased without delay.
5. Access, rectification, erasure (data subject rights)
Access
You may request information on the origin, recipients and purpose of stored personal data, where applicable.
Rectification
Where applicable by law, you may request rectification or erasure — contact us at [email protected].
Withdrawal
You may withdraw consent where processing is based on consent. Note that technical data still arises whenever the form or chat is used.
Deletion of user accounts
Users have the right to request deletion of their account and the personal data associated with it.
If deletion is carried out, all of the user's personal data is removed unless statutory retention obligations prevent this.
Data that must be retained due to legal obligations (in particular under tax and commercial law) is blocked for other purposes and deleted after the statutory periods expire.
Suggested workflow:
- Verify the requester’s identity (at least email verification)
- Locate relevant records (tickets, chat transcripts, metadata)
- Provide information in a structured form
- Where permitted: rectify, erase, or anonymise data
- Document outcome and timing internally
Suggested timelines: first response promptly; full handling typically within 30 days.
Questions about privacy?
We are happy to answer questions about your data and the technical and organisational measures on this site — easiest via the contact page or live chat.
6. Technical and organisational measures (TOMs)
Already implemented in this project:
- Authentication and role-based access in admin
- CSRF protection for admin write actions
- Parameterized SQL queries (SQL injection mitigation)
- Rate limits on public API endpoints
- Input validation and length limits
Recommended additions:
- Security headers (especially Content-Security-Policy)
- Centralised audit and error logs without sensitive payloads
- Regular backup and restore tests
- Least-privilege database users
- Regular dependency and security updates
Hosting & APIs
Public endpoints are rate-limited; admin actions are authenticated and CSRF-protected.
Fonts (local)
Headline and body fonts are loaded via next/font locally — no Google Fonts at runtime.
7. Transfers and third countries
- No transfers to third parties without a legal basis or agreement
- If hosting or subprocessors are outside CH/EU: assess appropriate safeguards (e.g. SCCs)
8. Controller and contact
Add the legally required details: controller, contact channel, and optionally a DPO. General contact: [email protected]