Privacy Policy
Last updated:
This policy describes how REPLAY Studio collects, uses and protects your personal data when you visit this site or use our services. It complies with the revised Swiss Federal Act on Data Protection (nFADP) in force since 1 September 2023, and the EU General Data Protection Regulation (GDPR) for visitors residing in the EU.
1. Data controller
REPLAY Studio – Andrei Mishchenko (sole proprietorship)
Sugiez, 1786 (canton of Fribourg, Switzerland)
UID: CHE-133.229.886
Contact: replaystudio.ch@gmail.com
No Data Protection Officer (DPO) has been appointed, as the nFADP does not require one for businesses of our size and low-risk processing activities.
2. Data collected and purposes
2.1 Contact form
When you fill in the contact form (/contact):
- Data collected: name, email, phone, service requested, free text. For a wedding inquiry: wedding date, desired duration.
- Purpose: respond to your request, prepare a quote, schedule a meeting.
- Legal basis: pre-contractual measures (art. 31 para. 2 nFADP; art. 6 para. 1 lit. b GDPR).
2.2 Web design quote form
When you request a quote (/conception-web):
- Data collected: name, email, phone, package, options, free comment.
- Purpose: prepare a tailored quote and follow up.
- Legal basis: pre-contractual measures.
2.3 Technical data
During your visit, we process:
- IP address (used by our rate-limiting system to protect our forms against bots and spam). The IP is kept for a maximum of 10 minutes (sliding window) and then automatically deleted.
- User-Agent, referer: for technical statistics and security.
- Legal basis: legitimate interest in protecting our services against abuse (art. 31 para. 1 nFADP; art. 6 para. 1 lit. f GDPR).
2.4 Analytics (subject to your consent)
If you accept analytics cookies via our banner, we use Google Analytics 4 and Google Tag Manager to measure site traffic (page views, visit duration, sources, device type).
- Legal basis: consent (art. 31 para. 1 nFADP; art. 6 para. 1 lit. a GDPR).
- You can withdraw this consent at any time via the "Manage cookies" button in the site footer.
2.5 WhatsApp communications
If you contact us via WhatsApp (+41 78 226 09 56), your messages are processed by Meta Platforms Ireland Limited under its own terms. Please refer to WhatsApp's Privacy Policy.
3. Recipients and processors
Your data may be shared with the following processors, selected for their level of protection:
| Processor | Country | Role | Safeguards |
|---|---|---|---|
| Vercel Inc. | USA | Site hosting | DPF certified (EU-US Data Privacy Framework) |
| Google LLC (Workspace) | USA | Receiving contact emails (Gmail SMTP) | DPF certified |
| Google LLC (GA4 / GTM) | USA | Analytics (with consent only) | DPF certified |
| Google LLC (Google Ads) | USA | Advertising conversion tracking (with marketing consent only) | DPF certified |
| Meta Platforms Inc. (Meta Pixel / Facebook) | USA | Meta/Facebook advertising conversion tracking (with marketing consent only) | DPF certified |
| Upstash Inc. | USA | Rate-limiting (Redis) | Standard contractual clauses |
No data is sold, rented or traded for commercial purposes with third parties.
4. Transfers outside Switzerland / EU
Some processors are based in the United States. These transfers are governed by the EU-US Data Privacy Framework (DPF) adopted in July 2023, which provides an adequate level of protection recognized by the European Commission and the Swiss Federal Council. Non-DPF certified processors are bound by Standard Contractual Clauses (SCC).
5. Retention periods
| Data | Duration |
|---|---|
| Contact and quote messages | 12 months after the last exchange |
| Contractual data and invoices | 10 years (Swiss accounting obligation, art. 958f CO) |
| Client photos and videos (all services: wedding, real estate, corporate, web) | 1 year after delivery, then permanent deletion |
| IP address (rate-limit) | 10 minutes (sliding window) |
Analytics cookies (_ga, _ga_*) | 24 months |
Marketing cookies (Google Ads _gcl_*/_gac_*, Meta Pixel _fbp/_fbc) | 90 days |
| Consent cookie | 13 months (automatic renewal beyond that) |
6. Your rights
Under the nFADP and GDPR, you have the following rights:
- Access: confirmation that data concerning you is processed, and a copy.
- Rectification: correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): deletion of your data, subject to legal retention obligations.
- Objection: object to processing on legitimate grounds.
- Restriction: restrict processing in certain cases.
- Portability (GDPR only): receive your data in a structured, machine-readable format.
- Withdrawal of consent: at any time, without affecting the lawfulness of processing carried out beforehand.
To exercise these rights, contact us at [replaystudio.ch@gmail.com](mailto:replaystudio.ch@gmail.com). We will respond within 30 days.
If you believe your rights are not respected, you may lodge a complaint with:
- In Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch
- In the EU: the supervisory authority of your country of residence
7. Security
We implement appropriate technical and organizational measures: HTTPS (TLS) encryption across the site, strict form validation (Zod), abuse protection (rate-limiting), escaping of user content in our internal communications, strong passwords for our admin accounts.
8. Changes to this policy
This policy may be updated to reflect legal, technical or organizational changes. The "Last updated" date appears at the top. We encourage regular review.