Privacy Policy

1. Controller

The data controller responsible for your personal data is:

2. Data We Collect

We collect and process the following categories of personal data:

• Account data: Email address, name, and profile image (via Google OAuth or email sign-in)
• Purchase data: Purchase history, template IDs, payment confirmation (processed via Stripe — we do not store card details)
• Customisation data: Business name, tagline, colours, and other template setup inputs you provide
• Newsletter data: Email address and consent timestamp (only if you subscribed)
• Usage data: Pages visited, browser type, device type, and referring URLs (collected via anonymised analytics)
• Cookie data: Session cookies required for authentication; preference cookies if you accept optional cookies

3. Why We Process Your Data

We process your data for the following purposes:

• To create and manage your account (legal basis: contract performance)
• To process payments and deliver purchased products (legal basis: contract performance)
• To send order confirmations and service-related communications (legal basis: contract performance)
• To send newsletters and updates, where you have opted in (legal basis: consent)
• To improve our website and services through anonymised analytics (legal basis: legitimate interest)
• To comply with legal obligations under Swiss and EU law (legal basis: legal obligation)

4. Third-Party Services

We use the following third-party processors who may process your data on our behalf:

• Stripe: Payment processing. Stripe processes payment card data directly and is PCI-DSS compliant. See stripe.com/privacy.
• Google: Authentication via Google OAuth. See Google's Privacy Policy.
• Vercel / Hosting: Infrastructure and hosting services. Data may be processed in data centres within the EU/EEA.

5. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes outlined in this policy, or as required by applicable law. Account data is retained for the duration of the account. Purchase records are retained for 10 years as required by Swiss accounting law. Newsletter subscriptions are retained until you unsubscribe.

6. Your Rights

Under the Swiss DSG and EU GDPR, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate data
• Right to erasure: Request deletion of your data ("right to be forgotten")
• Right to restriction: Request that we limit processing of your data
• Right to portability: Receive your data in a structured, machine-readable format
• Right to withdraw consent: Withdraw any consent you have given at any time (e.g. newsletter unsubscribe)
• Right to lodge a complaint: With the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local supervisory authority

To exercise any of these rights, contact us at hello@stackhaus.ch. We will respond within 30 days.

7. Cookies

We use essential cookies to maintain your logged-in session. With your consent, we may also use analytics cookies to understand how our website is used. You can manage your cookie preferences via the banner shown on your first visit, or by clearing your browser cookies at any time. We do not use advertising or tracking cookies.

8. International Transfers

Your data is primarily processed in Switzerland and the EU/EEA. Where data is transferred to countries outside this area (e.g. through Stripe or Google), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the EU Commission.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on the website. The "last updated" date at the top of this page reflects the most recent revision.

10. Contact & Complaints

For any privacy-related questions or to exercise your rights, contact us at hello@stackhaus.ch. You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC).