business-in-switzerland.com

Legal

Privacy policy

How we process personal data under the Swiss Federal Act on Data Protection (nFADP) and, for visitors in the European Economic Area, the EU General Data Protection Regulation (GDPR).

Last updated: 2026-05-06 · Version: v1.0

This privacy policy explains what personal data we collect when you visit business-in-switzerland.com or contact us through the website, why we process it, who we share it with, how long we retain it, and which rights you have. Swiss visitors are covered by the revised Federal Act on Data Protection (nFADP), effective 2023-09-01. Visitors in the European Economic Area are also covered by the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. Both regimes apply to their respective audiences on parallel tracks; we describe the combined requirements below.

Who we are (controller)

The controller for the processing described on this page is the Swiss legal entity that publishes business-in-switzerland.com. See the imprint for the full publisher details including Handelsregister entry and registered office in Zug. Contact for all matters relating to this policy: info@business-in-switzerland.com.

Contact for data-rights requests

Data-rights requests (access, rectification, erasure, restriction, portability, objection) should be sent to info@business-in-switzerland.com. We acknowledge receipt within a few business days and aim to respond substantively within 30 days under nFADP, one month under GDPR art. 12(3). Where identity verification is required we will ask for a proportionate confirmation.

DPO status

We have not appointed a dedicated Data Protection Officer. Under nFADP the role is voluntary; under GDPR it is mandatory only for specific processing profiles (large-scale systematic monitoring of data subjects, large-scale processing of special categories, public-authority processing) that this website does not meet. The controller handles data-rights requests directly.

Which personal data we process

We only process data that you give us, together with the minimum technical metadata needed to deliver and secure the website. We do not buy visitor data from third parties.

Contact-form data

When you submit the form on the contact page, we receive your name, email address, message subject, message body, and the optional fields you choose to fill in (typically company name and country of interest).

Technical metadata at submission

Each submission carries standard technical metadata, specifically the source IP address, User-Agent string, submission timestamp, and the result of the Cloudflare Turnstile challenge. We also check a hidden honeypot field that real visitors leave empty. This metadata is used to validate the request and block automated abuse.

Rate-limit metadata

To prevent abuse, the backend stores a short-lived token tied to a hashed IP address in Cloudflare KV, with an expiry of no more than ten minutes per the rate-limit window. No long-term IP storage takes place on our side.

Email-routing data

Our custom-domain addresses (*@business-in-switzerland.com) are forwarded through Cloudflare Email Routing to the publisher's internal mailbox. Email Routing only sees whatever you place into the email you send.

Server logs

Standard web-request metadata is logged by our edge provider (Cloudflare) as part of its infrastructure operations. Retention is governed by Cloudflare's own policy, referenced rather than duplicated here; see Cloudflare's privacy policy for current periods.

What we do not collect

  • No web analytics. No Google Analytics, no Plausible, no Matomo, no Mixpanel, no Heap, no Hotjar, no Mouseflow, no Microsoft Clarity.
  • No behavioural advertising data, no retargeting pixels, no cross-site tracking.
  • No profiling or automated decision-making.
  • No children's data is solicited. The site is a business-to-business professional-services site and is not directed at children.
  • No biometric, health or religious data.

If we ever introduce analytics, a cookie-consent banner will appear and this policy will be updated before the new processing starts.

Purposes and legal bases

Each processing activity rests on an nFADP justification for Swiss visitors and, where relevant, a GDPR lawful ground for EEA visitors.

Responding to your enquiry

We use your contact-form submission to reply to your message, to understand your situation, and, if you decide to retain us, to prepare an engagement letter. Legal grounds: pre-contractual measures and performance of a prospective contract (GDPR art. 6(1)(b)); private-law justification under nFADP.

Security and spam prevention

We use the Cloudflare Turnstile challenge, a honeypot field, and a short-lived IP-based rate limit to keep the site safe from automated abuse. Legal grounds: legitimate interest (GDPR art. 6(1)(f)); private-law justification under nFADP.

Record-keeping, if an engagement results

If your enquiry becomes a paid engagement, we retain correspondence and engagement documents to comply with Swiss bookkeeping duties. Legal grounds: legal obligation (GDPR art. 6(1)(c)); statutory record-keeping under OR art. 958f, which sets a ten-year retention rule for accounting records.

Who we share your data with (recipients and processors)

We use a small number of named service providers to host the site, deliver email, and receive backend alerts. Each provider acts as a processor under a written agreement.

Cloudflare, Inc.

Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, United States, provides our hosting (Cloudflare Pages), our content-delivery and security edge (including the Turnstile challenge that protects the contact form), our email-routing forwarder, and the KV store that backs rate-limiting. Cloudflare offers an EU/UK representative through Cloudflare Germany GmbH. Sub-processors are listed on Cloudflare's public sub-processors page. See the Cloudflare privacy policy.

Resend, Inc.

Resend, Inc., 2261 Market Street, STE 22149, San Francisco, CA 94114, United States, delivers transactional email on our behalf (submissions from the website are relayed into our internal mailbox through Resend). Our domain is configured in Resend's European region (eu-west-1). See the Resend privacy policy.

Telegram (Bot API)

We use the Telegram Bot API to mirror inbound enquiries into an internal team chat for routing and response coordination. The message content is limited to the details the visitor submits through the contact form, plus the technical metadata described above. See the Telegram privacy policy.

Professional advisors and authorities

Where required by law, or where necessary to establish, exercise or defend legal claims, we may share relevant information with our professional advisors (for example, external counsel) or with competent authorities.

No sale, no monetisation, no ad networks

We do not sell personal data, trade it with ad networks, or share it with data brokers. The website does not run advertising.

International data transfers

Cloudflare and Resend are US-headquartered. Processing therefore involves transfers to the United States. Under nFADP, the United States is currently not on the FDPIC adequacy list, so transfers rely on the Swiss-US Data Privacy Framework for participating US entities and on Standard Contractual Clauses approved by the Swiss Federal Data Protection and Information Commissioner.

United States (Cloudflare, Resend)

We rely on the Swiss-US Data Privacy Framework where the processor participates and is active under the Framework at the time of transfer, and on FDPIC-approved Standard Contractual Clauses where the Framework does not cover the flow.

Safeguards in place

  • Swiss-US Data Privacy Framework certifications, verified on the dataprivacyframework.gov portal.
  • FDPIC-approved Standard Contractual Clauses where the Framework does not apply.
  • Processor data processing agreements covering confidentiality, sub-processor lists and security controls.

FDPIC adequacy guidance

The current Swiss adequacy list and related guidance are published by the Swiss Federal Data Protection and Information Commissioner. See the FDPIC website.

How long we keep your data

Enquiry mailbox records

Enquiry correspondence is retained for the duration of the enquiry lifecycle. For business-to-business enquiries this is typically up to 36 months. If the enquiry becomes a paid engagement, the correspondence tied to that engagement is retained for ten years after the end of the engagement, in line with OR art. 958f bookkeeping rules.

Telegram messages

Messages routed to the internal team chat are retained per Telegram's default retention. We do not force deletion on our side.

Rate-limit tokens

Rate-limit tokens held in Cloudflare KV expire after no more than ten minutes.

Server logs

Edge server logs are retained per Cloudflare's policy, which we reference rather than duplicate.

Your rights under nFADP and GDPR

The following rights apply, combining the Swiss and EU regimes. Where a right is specific to one regime, we note it. These rights can be exercised free of charge, except for manifestly unfounded or excessive requests.

  • Right of access (nFADP art. 25, GDPR art. 15). Ask us what we process about you.
  • Right to rectification (nFADP art. 32(1), GDPR art. 16). Correct inaccurate or incomplete data.
  • Right to erasure (nFADP art. 32(2), GDPR art. 17). Ask us to delete, subject to bookkeeping obligations under OR art. 958f for engagement records.
  • Right to restriction of processing (GDPR art. 18). No direct nFADP equivalent; we honour it for EEA visitors.
  • Right to data portability (GDPR art. 20). No direct nFADP equivalent; we provide an export on request as a goodwill measure.
  • Right to object (GDPR art. 21) to processing based on legitimate interest.
  • Right to lodge a complaint with the Swiss FDPIC (edoeb.admin.ch) or with your local EU supervisory authority.

To exercise any of these rights, email info@business-in-switzerland.com. We aim to respond within 30 days under nFADP, one month under GDPR, and will explain any extension before the deadline lapses.

Automated decision-making and profiling

We do not make any decision about you by automated means, and we do not profile you. All replies to enquiries are written by a human.

Cookies and browser storage

Cookies and related storage technologies are described in the separate cookie policy. At launch the site sets strictly essential cookies only.

Children's data

The website is a business-to-business professional-services publication. We do not knowingly solicit or collect data from children. If you believe a child has submitted data to us in error, please email info@business-in-switzerland.com so we can delete it.

Changes to this privacy policy

We update this policy whenever our processing, processors, or legal obligations change. Material changes are announced through the "Last updated" date at the top of this page. Prior versions are retained internally and available on request.

Questions or complaints

Email the controller at info@business-in-switzerland.com. You can also lodge a complaint directly with the Swiss FDPIC at edoeb.admin.ch or with your local EU supervisory authority.

Frequently asked privacy questions

Quick answers for the questions we get most often about how we handle data.

Is my form submission confidential?

Yes. The submission is handled by Cloudflare Pages Functions and routed to the controller's backend (Resend email + Telegram Bot API). It is not shared with advertisers, not added to marketing lists, and not sold.

Do you sell personal data?

No. Never. The site has no advertising, no retargeting, no partner data syndication, and no marketing cookies.

Who sees my form submission?

The publisher's internal team via a shared backend inbox, and the named processors (Cloudflare for infrastructure, Resend for email delivery, Telegram Bot API for alerting). Full list in the section "Who we share your data with" on this page.

How long is my data kept?

Retention is category-specific: rate-limit tokens ≤10 minutes; enquiry mailbox up to 36 months for B2B enquiries; engagement-related correspondence 10 years per OR art. 958f.

Are international transfers involved?

Yes, to the United States (Cloudflare, Resend). Safeguards are the Swiss-US Data Privacy Framework where applicable and FDPIC-approved Standard Contractual Clauses for flows not covered by the Framework.

Can I have my data deleted?

Yes, subject to bookkeeping-retention obligations for records tied to a completed engagement (OR art. 958f). Request via info@business-in-switzerland.com.

Do you have a Data Protection Officer (DPO)?

No designated DPO is appointed. Under nFADP a DPO is voluntary; under GDPR it is mandatory only in narrow cases that we do not meet. The controller handles data-rights requests directly at info@business-in-switzerland.com.