Privacy Policy

1. Data Controller

The controller for personal data collected via this website is:

Anthony Chavez · ACiD Studio
Lausanne, Switzerland
Email: contact@acidstudio.ch

2. Legal framework

This policy complies with the Swiss Federal Act on Data Protection (revised FADP), in force since September 1^st, 2023, and the EU General Data Protection Regulation (GDPR — 2016/679) for visitors residing in the European Economic Area.

3. Data collected

We collect the following categories of data:

• Voluntarily provided data via contact, quote and checkout forms: name, first name, email, phone (optional), project description, type and approximate budget.
• Technical data via Google Analytics 4 (only after explicit consent on the cookie banner): anonymised IP, browser type, pages visited, visit duration, referrer.
• Payment data via Stripe for orders: card number and expiry, cardholder name. This data never transits through our servers — it is collected and stored directly by Stripe (PCI-DSS Level 1).
• Session technical data for clients logged into the portal: authentication tokens, session identifiers.

4. Legal bases and purposes

• Contract performance (GDPR art. 6.1.b): order management, invoicing, delivery, customer support.
• Legitimate interest (GDPR art. 6.1.f): responding to your contact requests, improving our services.
• Consent (GDPR art. 6.1.a): audience analytics via Google Analytics, marketing communications (newsletter — not active to date).
• Legal obligation (GDPR art. 6.1.c): invoice retention (10 years in Switzerland, art. 962 CO).

5. Retention period

• Leads and unconverted contact requests: 3 years from last contact.
• Client data (orders, invoices): 10 years (Swiss accounting obligation, art. 958f CO).
• Technical logs (sessions, IP): 90 days.
• Google Analytics data: 14 months (GA4 default).
• Consent cookies: 12 months or until revocation.

6. Subprocessors and international transfers

To operate our service, we use the following subprocessors (within the meaning of GDPR art. 28 / FADP art. 9):

• Infomaniak (Switzerland) — web hosting, emails, database. Data stored in Switzerland.
• Stripe Payments Europe Ltd (Ireland, with transfers to Stripe Inc. in the United States) — payment processing. Stripe is certified under the EU-US Data Privacy Framework.
• Google Ireland Limited / Google LLC — Google Analytics. Pseudonymised data (truncated IP). Transfers to the United States covered by Standard Contractual Clauses and the Data Privacy Framework.

7. Cookies

Our site uses cookies essential to its operation (session, preferences) and, only after your explicit consent, Google Analytics cookies. You can accept, refuse or change your choice at any time via the consent banner (clear your local storage to display it again).

8. Security

We implement appropriate technical and organisational security measures: HTTPS encryption (TLS 1.3), AES-256-CBC encryption of sensitive client access data, prepared SQL statements (anti-injection), rate limiting on sensitive endpoints, signature verification on Stripe webhooks, bcrypt-hashed passwords.

9. Your rights

Under the FADP and GDPR, you have the following rights over your personal data:

• Right of access to your data.
• Right to rectification of inaccurate data.
• Right to erasure ("right to be forgotten").
• Right to restriction of processing.
• Right to portability of your data.
• Right to object to processing based on legitimate interest.
• Right to withdraw consent at any time, without retroactive effect.

To exercise these rights, contact us at contact@acidstudio.ch. We respond within 30 days maximum.

10. Complaints

If you believe your rights are not respected, you may lodge a complaint with:

• Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
• EU: your national data protection authority (list at edpb.europa.eu).

11. Changes

This policy may evolve. The version in force is always the one published on this page, dated above. For substantial changes, we will notify active clients by email.