Privacy Policy

This privacy policy tells you how Studio Hanselmann (owner is Sven Hanselmann, Haldenhof3, 9000 St. Gallen, Switzerland) processes your personal data. It is based on the revised Swiss Data Protection Act (DSG/FADP) and, where applicable, on the General Data Protection Regulation (GDPR) of the European Union. FADP's transparency obligations require that data subjects receive sufficient information to exercise their rights. In particular, this includes information about the person responsible, the purposes of processing, categories of recipients, transmitted data categories and any international transmissions.

1. Responsible person

Studio Hanselmann
Sven Hanselmann
‍Haldenhof 3
9000 St. Gallen
switzerland

sven@studio-hanselmann.ch

Representation within the EU (if required).  
For processing that falls under the GDPR, an appropriate representative body in the EU is appointed, as required by law.

2. Personal data collected

We only process the data that is necessary for the respective purposes and comply with the principles of earmarking, proportionality and data minimization. Depending on how you interact with us, the following data may be collected:

• Basic data for contract execution. This includes name, address, telephone number, email address, wedding date and event details.
• communication data. Content of inquiries and correspondence.
• specifications. This includes IP address, device identifiers, browser information, usage behavior, log data and location data. These are collected through the use of cookies and analysis tools. The use of cookies for personalized advertising can be a high-risk profiling represent and therefore requires express consent. This is especially true when third parties have access to the data.
• Newsletters and marketing data. This includes email address, opt in and opt out status, interactions with marketing emails, such as opening rates, and preferences.
• Form data and security data. This includes information from contact or booking forms as well as spam filter information (IP address, time stamp, content), which is used to identify misuse.

3. Purposes of data processing and legal bases

3.1 Contract performance and communication

We use your basic data, event details and communication data to prepare, execute and process service contracts, for example planning and carrying out photo and video recordings, as well as for communication. The processing is carried out for contractual reasons or on the basis of a legitimate interest as it is necessary to provide our services.

3.2 Accounting and legal obligations

To fulfill legal obligations, such as storage under the Code of Obligations, we process billing and contract data for ten years. Information on tax and retention periods can be found in Swiss legislation.

3.3 Website operation and optimization

We use various tools to provide and optimize our website (see Section 5) and evaluate usage data. In doing so, we rely on our legitimate interestto make our website technically stable and user-friendly. With tracking and marketing technologies, we also get your consent one. According to the current FDPIC cookie guidelines, consent must be obtained in particular when cookies are used for personalized advertising or when location data is used for profiling purposes.

3.4 Marketing and newsletters

With your voluntary consent, we will occasionally send you information about new services or promotions by email. You can withdraw this consent at any time. You can unsubscribe in every marketing message.

3.5 Security and Misuse Prevention

We use security solutions such as spam filters, firewalls and Google reCAPTCHA one to prevent misuse. The processing is carried out to protect our Overriding interest in the security of our systems and to fulfill legal obligations.

3.6 Legal bases under DSG FADP

The revised FADP does not require a legal basis for all processing. Private controllers only need an express legal basis if the processing violates the principles or sensitive data is disclosed without consent. In individual cases, we rely on Contract performance and pre-contractual measures, legal obligations, preponderant legitimate interest as well as consent for marketing, analysis and tracking cookies or the processing of sensitive data.

4. Transfer and international transfer

4.1 Service Providers

We work with carefully selected service providers. They only process your data within the framework of our instructions and in accordance with order processing contracts. Our service providers include:

• Hosting and infrastructure providers. This includes Hoststar and Webflow. They provide server infrastructure, email hosting, and content management.
• Analysis and marketing service provider. These include Google Analytics, Microsoft Clarity, Google Ads, Google Tag Manager, Google Search Console, CookieScript, and Klaviyo.
• Security and spam filtering services. This includes useBasin, Zapier, and Google reCAPTCHA.
• CDN and font provider. This includes Fontshare.
• Platforms for multimedia content. That includes YouTube.

In addition, we only share data if this is necessary to process the contract, if you have given your consent or if we are legally obliged to do so. In cases where data must be transmitted to authorities or courts, this is done on the basis of legal obligations.

4.2 Transfer to third countries

The FADP only allows the cross-border transfer of personal data under certain conditions. In principle, data may be transferred abroad if the destination country has adequate data protection guaranteed. For states without an adequate level of data protection, such as the USA, appropriate guarantees, for example Standard data protection clauses, must be agreed, or there must be an exception according to Article 17 FADP are available. With every international transfer, we will inform you about the destination country and the guarantees used.

In particular when using US service providers, we use standard data protection clauses or rely on the Swiss US Data Privacy Framework, provided that a provider is certified. These include Google LLC (Analytics, Ads, Tag Manager, reCAPTCHA), Microsoft Corporation (Clarity), Zapier Inc., Klaviyo Inc., UseBasin, and Fontshare. If you do not want your data to be transferred to the USA, you can prevent certain services by rejecting the corresponding cookies.

5. Use of third-party tools in detail

Below, we will inform you about the individual tools that are used on our website. Any use is only made with your consent or on the basis of an overriding interest in improving the website. You can adjust your preferences at any time via our cookie banner (CookieScript).

5.1 Hosting and infrastructure

• Hoststar. Our primary Swiss hosting provider stores website and email data on servers in Switzerland. As a result, there is no international transfer. Hoststar processes connection and communication data, such as IP addresses and log files, to ensure operation.
• Webflow hosting. We use Webflow, a US provider, to design and provide certain pages. Data such as IP address, technical information and any form entries can be transmitted to the USA. Webflow is certified according to the Swiss US Data Privacy Framework or we use standard data protection clauses. The processing is carried out in order to be able to professionally provide our website.

5.2 Analysis and marketing services

• Google Analytics 4. For statistical evaluation of the use of our website, we use Google Analytics 4 from Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Google uses cookies and similar technologies to collect information about your use of our website, in particular IP address, browser type, device information, length of stay, pages visited and interactions. We have activated IP anonymization so that your IP address within Switzerland or the EU is abbreviated. Processing is carried out exclusively on the basis of your consent in accordance with our cookie banner. Google Analytics will not be activated without your consent. The data can be transferred to the USA. Google LLC is certified in accordance with the Swiss US Data Privacy Framework or there are appropriate guarantees such as standard data protection clauses in accordance with Article 16 ff. FADP. For more information, see https://policies.google.com/privacy.
• Google Tag Manager. Google Tag Manager is a service provided by Google Ireland Ltd., Dublin, Ireland, and is used to manage website tags, in particular tracking and marketing scripts. The Tag Manager itself does not store any personal data and does not set cookies, but can load other services that process personal data. The use is based on our legitimate interest in efficiently managing our website services. Information about the individual services loaded via Tag Manager can be found in the respective sections of this privacy policy.
• Google Ads, conversion tracking. We use Google Ads Conversion Tracking from Google Ireland Ltd., Dublin, Ireland to measure the effectiveness of our online advertising. It records whether a user has reached our website via a Google ad and has carried out certain actions, such as contacting us. Cookies and a pseudonymized ID are used for this purpose. Processing is carried out exclusively on the basis of your consent in accordance with our cookie banner. No conversion tracking will be carried out without your consent. The data can be transferred to the USA. Google LLC is certified in accordance with the Swiss US Data Privacy Framework or there are appropriate guarantees such as standard data protection clauses in accordance with Article 16 ff. FADP. For more information, see https://policies.google.com/privacy.
• Google Search Console. With the Google Search Console, we monitor the technical status and visibility of our website in Google Search. Only aggregated search performance data is provided. Google Search Console does not process any personal data from our website visitors.
• Microsoft Clarity We use Microsoft Clarity from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA, to analyze the usability of our website. Clarity creates heat maps and session replays, recording mouse movements, scrolling behavior, clicks, IP address, devices, and browser information. Processing is carried out exclusively on the basis of your consent in accordance with our cookie banner. Microsoft Clarity won't be activated without your consent. The data can be transferred to the USA. Microsoft is certified in accordance with the Swiss US Data Privacy Framework or there are appropriate guarantees such as standard data protection clauses in accordance with Article 16 ff. FADP. For more information, see https://privacy.microsoft.com.
• Meta pixels (Facebook pixels). We use the Meta Pixel from Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland on our website. The meta pixel enables us to understand the behavior of users after they have reached our website via an ad on Facebook or Instagram. This allows us to evaluate and optimize the effectiveness of our advertising measures. Meta uses cookies and similar technologies to collect information about your use of our website, in particular IP address, device information, browser type, pages visited, interactions and, if applicable, conversion data. Meta can link the data to existing user profiles, provided that you are logged in to a Meta service. Processing is carried out exclusively on the basis of your consent in accordance with our cookie banner. The Meta Pixel will not be activated without your consent. The data can be transferred to the USA. Meta Platforms Inc. is certified according to the Swiss US Data Privacy Framework or there are appropriate guarantees such as standard data protection clauses in accordance with Article 16 ff. FADP. For more information, see https://www.facebook.com/privacy/policy.

5.3 Marketing and newsletters

• Klaviyo. We use Klaviyo to send newsletters and marketing campaigns. Klaviyo processes email addresses, names and interaction data such as openings and clicks. The data can be transferred to the USA. To ensure an appropriate level of data protection, with Klaviyo, we have standard contractual clauses agreed, which are included in Klaviyo's data processing addendum and are part of the terms of use. We use the double opt in process and document the time of your consent and the exact wording of the notice that you saw when signing up. If no explicit opt in is verifiable for older profiles, we will not contact you without consulting our legal team. For our forms, we use the DSGVO compliant forms offered by Klaviyo with multiple checkboxes, which allow separate consent for different marketing channels. In the small print, we explain clearly and comprehensibly why we need your data, which third-party providers we use and that you can withdraw your consent at any time.

5.4 Spam filtering and automation

• UseBasin. We use UseBase to submit forms and to detect spam. UseBasin stores form content, IP address and technical information to prevent spam and misuse. The data can be transferred to servers in the USA. The processing is based on our legitimate interest in the security and functionality of the website.
• Zapier. Zapier automates workflows, such as the transfer of form requests to our email or CRM systems, and connects UseBase with other applications. Zapier only processes data in accordance with our instructions and can transfer data to the USA. We have concluded standard data protection clauses.

5.5 Fonts and Design

• Fontshare and fonts. For modern web fonts, we primarily use Fontshare. Fonts can be loaded via a content delivery network, where your IP address is transmitted to the CDN. However, we try to store fonts locally on our server so that no third parties are involved. We refrain from using Google Fonts, as retrieving these fonts from Google servers would require your IP address to Google and IP addresses are personal data in accordance with the GDPR. As an alternative, we use fonts provided by Fontshare or Klaviyo, which do not require transmission of the IP address to Google.

5.6 Cookie banners and consent management

• CookieScript. We use CookieScript to obtain and document your consent to the use of cookies and tracking services. CookieScript stores your choices in a cookie, Consent ID, and can process anonymized usage data. This data is stored on CookieScript servers. Transmission abroad is possible. The basis for processing is our legitimate interest in meeting the legal obligation to obtain consent.

5.7 Video hosting

• youtube. On our website, we include videos via YouTube. When a video is accessed, data such as IP address, device information, interactions and, if applicable, location data are transmitted to Google. We use the extended data protection mode, which only sets cookies upon playback. With your consent, you activate YouTube, which transfers data to the USA.

5.8 Security tools

• Google reCAPTCHA. We use reCAPTCHA to verify that input comes from a natural person. The service analyses your usage behavior, such as mouse movements, scrolling and IP address, and transmits this data to Google. The legal basis is our legitimate interest in protecting the website from automated misuse.

6. Storage periods

We only store personal data for as long as is necessary to fulfill the purposes. The data is then deleted or anonymized. We store business documents and tax-relevant data in accordance with legal obligations, usually for ten years. Usage data for analysis purposes is stored anonymously or pseudonymized and regularly deleted when it is no longer needed.

7. Rights of data subjects

You have the following rights under the revised FADP and, if applicable, under the GDPR:

1. Right to information. You can request information from us at any time as to whether and which personal data we process. The right to information includes information on the purpose of processing, the categories of data, recipients and any international transfers.
2. Right to rectification. Incorrect or incomplete data will be corrected upon your request.
3. Deletion, right to be forgotten. You can request the deletion of your data, provided that there are no legal storage obligations to the contrary.
4. Right to object. You can object to the processing of your data for reasons arising from your particular situation. We will then only process your data if there are compelling reasons.
5. Right to restrict processing. If the accuracy of the data is disputed or the data processing is unlawful, you can request that processing be restricted.
6. Right to data portability. You can request that we send you or another person responsible for the data you have received from us in a standard electronic format.
7. Right to withdraw consent. You can withdraw your consent at any time with effect for the future.
8. Right to object to marketing. You can object to the processing of your data for marketing purposes at any time. For this purpose, we offer a corresponding unsubscribe option in every communication.
9. The right to non-submission when making automated decisions. If we should only make decisions automatically, you have the right to have the decision reviewed by a natural person.
10. Right to lodge a complaint. You can complain to the responsible data protection supervisory authority, in particular to Federal Data Protection and Information Commissioner (FDPÖB).

Requests can be sent in writing to the address given above or by email. For unique identification, we may require additional information.

8. Data security

We take appropriate technical and organizational measuresto protect your data from unauthorized access, loss, and misuse. These measures include in particular:

• encryption. We use SSL/TLS encryption for data transfers via our website.
• access restriction. Only authorized persons who need it for the respective purpose have access to personal data.
• Data economy and logging. We only store necessary data and keep records of data processing, for example log files. The FADP requires controllers and contract processors to ensure an appropriate level of security through appropriate technical and organizational measures.
• Pseudonymization and anonymization. Where possible, personal data is processed pseudonymized or anonymized.

9. Cookie and tracking information

Cookies and similar technologies may be used when you visit our website. Cookies, which are necessary for the operation of the website, are stored based on our legitimate interest. For all other cookies, such as analysis, marketing and personalization, we obtain your consent via the cookie banner. According to the cookie guideline from October 2025 updated by the FDPIC, consent must be obtained in particular if cookies for personalized advertising are used or when location data be processed because this is usually considered high-risk profiling. Our CookieScript solution documents your choices and you can change them at any time.

10. Data transfer during automated decision-making processes and profiling

Automated decision-making with legal effect or significant impairment only takes place with your consent. Profiling for marketing purposes only takes place with consent and is limited to what is necessary. According to FADP, data subjects have the right to express their point of view when making automated decisions and to request an examination by a natural person.

11. Changes to this privacy policy

We reserve the right to change this privacy policy at any time, in particular in the event of new legal requirements or the introduction of new services. The latest version is published on our website. If there are significant changes, we will inform you in an appropriate manner.

12. Contact and supervisory authority

If you have any questions about data protection or to exercise your rights, you can contact us using the contact details provided. For complaints, the Federal Data Protection and Information Commissioner (FDPÖB) responsible. FDPIC. Feldeggweg 1, 3003 Bern, Switzerland (www.edoeb.admin.ch).