Iris Foto Schweiz Logo

    Legal

    Privacy Policy

    As of: April 2026

    We take the protection of your personal data seriously and comply with the Swiss Federal Act on Data Protection (revFADP) and, where applicable, the EU General Data Protection Regulation (GDPR). This privacy policy informs you about the data we collect, how we use it, and the rights you have.

    1. Controller

    one idea gmbh Bertiswilstrasse 2 6023 Rothenburg Switzerland

    Phone: +41 41 449 05 57 Email: hello@oneidea.ch Commercial Register No.: CHE-244.060.126 VAT No.: CHE-244.060.126 MWST

    For all questions regarding data protection, the exercise of your rights, or complaints, you can reach us via the contact details above.

    2. What data we process

    2.1 Server logs (automatically collected)

    When you visit our website, technical information is automatically recorded: IP address (truncated/anonymised after 30 days), date and time of access, pages visited, referrer URL, browser type, operating system, device type. Purpose: secure operation of the website, abuse detection, statistical analysis. Legal basis: legitimate interest (Art. 31 para. 2 lit. c revFADP, Art. 6 para. 1 lit. f GDPR). Retention period: 30 days.

    2.2 Booking process

    When you book an appointment or order a voucher, we process first name, last name, email address, phone number, billing and delivery address, requested appointment/location/service, and payment information (see section 5). Purpose: handling the booking, invoicing, appointment confirmation, customer communication. Legal basis: contract performance (Art. 31 para. 2 lit. a revFADP, Art. 6 para. 1 lit. b GDPR). Retention period: 10 years (statutory retention obligation, Art. 958f Swiss Code of Obligations).

    2.3 Contact (email, contact form, phone)

    When you contact us, we process the information you provide (name, contact details, content of your enquiry). Purpose: handling your request. Legal basis: pre-contractual measures / legitimate interest (Art. 31 para. 2 revFADP, Art. 6 para. 1 lit. b/f GDPR). Retention period: until the correspondence is concluded, maximum 2 years.

    2.4 Newsletter

    If you subscribe to our newsletter, we process first name, last name, email address, phone number (optional), date of subscription, and IP address (abuse protection). Purpose: sending information about news, offers, events, and prize draws by Iris Foto Schweiz. Legal basis: your consent (Art. 31 para. 1 revFADP, Art. 6 para. 1 lit. a GDPR). Retention period: until you unsubscribe. Unsubscription: anytime via the unsubscribe link in every newsletter email or informally to hello@oneidea.ch.

    2.5 Prize draws

    When you take part in prize draws, we process first name, last name, email address, phone number (optional), time of participation, IP address, and browser identifier (abuse protection). Purpose: running the prize draw, determining winners, notifying winners. Legal basis: contract performance (terms of participation) and consent. Retention period: at the latest 3 months after the end of the prize draw, unless newsletter consent has been given. Details: see Terms of Participation.

    3. Cookies and tracking

    We use cookies and similar technologies (e.g. pixel tags, local storage). They fall into three categories; you can manage them via our cookie banner or at any time via the "Cookie settings" link in the footer.

    We use Google Consent Mode v2: before you decide, all non-essential trackers are set to "denied" and do not transmit personal data. Categories are activated only after your active consent.

    3.1 Strictly necessary cookies

    These cookies are required for the operation of the website (session management, authentication, storage of your cookie consent status). They are set without consent. Legal basis: legitimate interest (Art. 31 para. 2 lit. c revFADP, Art. 6 para. 1 lit. f GDPR). Retention period: session up to 12 months.

    3.2 Analytics — Google Analytics 4

    Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company Google LLC, USA). We collect anonymised IP address (anonymize_ip: true), pages visited, time spent, referrer, device type, browser. No linking to other Google services for advertising purposes occurs unless you also consent to the marketing category. Note on Google Ads conversion tracking: through the automatic GA4 link with our Google Ads account, a Google Ads conversion tag (tag ID AW-677405673) is additionally loaded. This tag respects Consent Mode v2 and fires only with consent to the marketing category. Retention period and third-country transfer (USA) are identical to GA4. Data transfer: USA possible. Basis: EU-US Data Privacy Framework (Google is certified) and EU Commission Standard Contractual Clauses. Legal basis: your consent (Art. 31 para. 1 revFADP, Art. 6 para. 1 lit. a GDPR). Retention period: 14 months. Withdrawal: anytime via "Cookie settings" in the footer or via the Google add-on at tools.google.com/dlpage/gaoptout.

    3.3 Marketing — Facebook Pixel and TikTok Pixel

    Facebook Pixel — Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (parent company Meta Platforms, Inc., USA). Page views and conversion events are recorded to measure ad performance on Facebook and Instagram and to build audiences. Data transfer to the USA is possible (EU-US Data Privacy Framework, Standard Contractual Clauses).

    TikTok Pixel — Provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin 2, Ireland (for EU users; group: ByteDance Ltd.). Page views and conversion events are recorded to measure ad performance on TikTok. Important note: data is transferred to third countries outside the EU/Switzerland, in particular to the People's Republic of China and the USA, where the level of data protection is not equivalent to that of the EU/Switzerland. We rely on Standard Contractual Clauses and additional safeguards; a residual risk remains.

    Legal basis (both): your explicit consent (Art. 31 para. 1 revFADP, Art. 6 para. 1 lit. a GDPR). Retention period: up to 13 months. Withdrawal: anytime via "Cookie settings" in the footer.

    3.4 No profiling

    We do not carry out automated individual decisions (including profiling) that have legal effects on you.

    4. Data sharing and processors

    We only share your data when necessary to perform the contract, when you have consented, or when we are legally obliged to do so.

    Processors:

    • Lovable.dev / Supabase (USA/EU) — application platform, hosting
    • SumUp Payments Limited (UK) — credit card payment processing
    • Stripe Payments Europe Ltd. (Ireland) — TWINT payment processing (in preparation)
    • Nylas, Inc. (USA) — calendar synchronisation
    • Google Ireland Limited / Google LLC (Ireland/USA) — Google Analytics 4 and Google Ads conversion tracking (via automatic GA4 link)
    • Meta Platforms Ireland Limited / Meta Platforms, Inc. (Ireland/USA) — Facebook Pixel
    • TikTok Technology Limited / ByteDance Ltd. (Ireland/USA/China) — TikTok Pixel
    • Swiss Post, print partners — shipping

    Transfers to third countries: some service providers are based in the USA, the United Kingdom, or transfers occur to additional third countries (in particular China for TikTok). We rely on the EU Commission's Standard Contractual Clauses, the EU-US Data Privacy Framework (where certified), adequacy decisions (UK), and additional technical and organisational measures (encryption, pseudonymisation).

    5. Payment processing

    Payment is processed via our payment service providers (SumUp for credit cards, Stripe for TWINT). Your payment data is processed exclusively by the payment service providers and is not stored by us. We only receive the payment status and the information required for invoicing.

    6. Data security

    We take appropriate technical and organisational measures to protect your data: encryption of data transmission (SSL/TLS), access controls, regular backups, staff training on data protection.

    7. Retention period

    We store your data only as long as you wish (e.g. newsletter subscription), as long as we need it to provide our services, or as long as statutory retention obligations apply (e.g. 10 years, Art. 958f Swiss Code of Obligations). After expiry, data is deleted or anonymised.

    8. Your rights

    Under the revFADP and GDPR, you have the right to: information, rectification, deletion, restriction of processing, data portability, objection, withdrawal of consent. You can withdraw consent for tracking cookies at any time via the "Cookie settings" link in the footer. For any other exercise: hello@oneidea.ch.

    Right to lodge a complaint: Switzerland → FDPIC (www.edoeb.admin.ch), Germany → state data protection authority, Austria → dsb.gv.at.

    9. Social media

    We link to Instagram, Facebook, LinkedIn, YouTube, TikTok. A click opens the respective platform, where their privacy terms apply. We do not use active social-media plug-ins that transmit data before clicking.

    10. Changes to this privacy policy

    We reserve the right to amend this privacy policy. The current version is always available on this page.