Legal
Privacy
1. Introduction and scope
This privacy policy informs you comprehensively about the nature, scope and purposes of the collection and use of your personal data by Canelas Natural Beauty Center (sole proprietorship).
This policy applies to our website www.canelasnaturalbeauty.ch and to all related online offerings, services and communication channels.
We take the protection of your personal data very seriously and process it confidentially in accordance with the Swiss Federal Act on Data Protection (revFADP) and the European Union General Data Protection Regulation (GDPR).
Use of our website is generally possible without providing personal data. Where personal data is collected on our pages, this is always done on a voluntary basis. This data will not be passed on to third parties without your express consent.
2. Data controller
The party responsible for data processing within the meaning of data protection law is:
Canelas Natural Beauty Center (sole proprietorship)
Rennweg 30, 8001 Zürich
Switzerland
Email: info@canelasnaturalbeauty.ch
Phone: +41 44 501 66 66
Website: www.canelasnaturalbeauty.ch
You may contact us at any time with questions about data protection.
3. Definitions
To make this privacy policy easier to understand, we use the following definitions:
Personal data: Any information relating to an identified or identifiable natural person (e.g. name, address, email address, phone number, IP address).
Processing: Any handling of personal data, regardless of the means used — including collection, recording, storage, use, alteration, disclosure, archiving, erasure or destruction.
Data subject: The natural person whose personal data is being processed.
Controller: The natural or legal person, authority or other body that, alone or jointly with others, determines the purposes and means of processing.
Processor: A body that processes personal data on behalf of the controller.
Consent: Any freely given, informed and unambiguous indication of the data subject's wishes by a statement or clear affirmative action.
Cookies: Small text files stored on your device. A distinction is made between session cookies (deleted at the end of the browser session) and persistent cookies (stored for a defined period).
4. Legal bases
We process personal data in accordance with Swiss data protection law, in particular the revised Federal Act on Data Protection (revFADP) of 25 September 2020 and the Data Protection Ordinance.
Under Swiss law, processing of personal data is generally permitted provided that:
- there is no legal prohibition
- the data subject has consented
- an overriding private or public interest exists
- processing is necessary for the performance of a contract
Insofar as the GDPR applies (e.g. for offerings to persons in the EU/EEA), we process personal data on the following legal bases under Art. 6(1) GDPR:
- Consent (lit. a): The data subject has given consent for one or more specific purposes. Consent may be withdrawn at any time with effect for the future.
- Performance of a contract (lit. b): Processing is necessary for the performance of a contract or pre-contractual measures.
- Legal obligation (lit. c): Processing is necessary for compliance with a legal obligation.
- Vital interests (lit. d): Processing is necessary to protect the vital interests of a natural person.
- Public interest (lit. e): Processing is necessary for a task carried out in the public interest.
- Legitimate interests (lit. f): Processing is necessary for our legitimate interests, provided that the interests of the data subject do not override them.
5. Categories of data collected
We collect and process various categories of personal data. The specific data collected depends on the services and functions you use.
Master data: Name, first name, salutation, title — basic identification information.
Contact data: Email address, phone number, postal address — information for contact and communication.
Technical data: IP address, browser type and version, operating system, device type, screen resolution — information collected automatically when using our website.
Usage data: Pages visited, time spent, click paths, access times — information about your browsing behaviour.
Sources: Data is collected directly from you (via email) or automatically (via technical logging when you visit the site).
6. Purposes of processing
We process your personal data for the following purposes:
- Provision and operation of our website — to make our website and its functions available to you (legal basis: legitimate interest).
- Ensuring IT security — protecting our systems from misuse, attacks and technical disruptions (legal basis: legitimate interest).
- Compliance with legal obligations — to meet statutory retention and documentation requirements (legal basis: legal obligation).
7. Server log files
Each time our website is accessed, technical data is automatically recorded in server log files. This is required for technical and security reasons.
Data processed: IP address, date and time of access, requested page/file, transferred data volume, browser type and version, operating system, referrer URL, hostname of the accessing computer.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR / Art. 31(1) revFADP) — ensuring system security and troubleshooting.
Retention period: Log files are automatically deleted after 30 days unless longer retention is required for evidentiary purposes.
8. Third-party services — Google Maps
Our contact page embeds a map provided by Google Maps. The map is only loaded after you explicitly click the corresponding button — no data is transmitted to Google before that.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA).
Purpose: Embedding interactive maps to show our location.
Data categories: IP address, location data, device information, cookies.
Legal basis: Consent (Art. 6(1)(a) GDPR), given by your click.
Google's privacy policy: policies.google.com/privacy
9. International data transfers
As part of our processing, personal data may also be transferred to recipients outside Switzerland and the European Economic Area (EEA). This concerns in particular the following countries: USA.
For these countries there is no adequacy decision by the European Commission or the Swiss Federal Data Protection and Information Commissioner (FDPIC) confirming a level of data protection comparable to that of Switzerland or the EU.
To ensure an adequate level of protection we rely on the following safeguards:
- Standard Contractual Clauses (SCC) approved by the European Commission have been concluded with the relevant recipients.
- Adequacy assessment: Before any data transfer we check whether the recipient country offers an adequate level of protection or whether additional safeguards are required.
- Additional safeguards: Where necessary, we implement technical and organisational measures such as encryption, pseudonymisation or contractual arrangements.
Note on transfers to the USA: US authorities may, under certain circumstances, have access to transferred data. By using the relevant services (after being informed and consenting) you accept this residual risk. You have the right to request a copy of the agreed Standard Contractual Clauses or information about the safeguards implemented.
10. Retention periods
We store your personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by statutory retention obligations.
The retention period is based on:
- the purpose of processing
- statutory retention obligations
- legitimate interests (e.g. defence against legal claims)
- the nature of the data and the risk to the data subjects
Specific retention periods:
- Server log files: 30 days (IT security)
- Booking records / invoices: 10 years (Art. 958f Swiss Code of Obligations)
- Contracts and business correspondence: 10 years after end of contract (Art. 958f CO / limitation periods)
After the respective periods, data is routinely deleted unless still needed for other purposes.
11. Data security
We take appropriate technical and organisational security measures (TOMs) to protect your personal data from unauthorised access, loss, misuse or destruction. The specific measures correspond to the state of the art and are reviewed regularly.
Our security measures include in particular:
- Encrypted data transmission (TLS/SSL)
- Access restrictions and authorisation concepts
- Protection of the IT infrastructure through appropriate security systems
- Regular data backups
- Maintenance and updates of our systems
- Confidentiality obligations for staff
- Careful selection and contractual binding of service providers
- Processes for detecting and handling security incidents
Despite all precautions, no data transmission over the internet can be guaranteed as completely secure. In the event of a data breach likely to result in a high risk to your rights and freedoms, we will inform you and notify the competent authorities without undue delay.
12. Your rights as a data subject
As a data subject you have various rights regarding your personal data. These arise from the Swiss Data Protection Act (revFADP) and, where applicable, from the GDPR.
- Right of access: Confirmation as to whether we are processing your data and information on purposes, categories, recipients and retention period.
- Right to rectification of inaccurate data or completion of incomplete data.
- Right to erasure ("right to be forgotten") under certain conditions, in particular when the data is no longer necessary for the purposes for which it was collected.
- Right to restriction of processing under certain conditions.
- Right to data portability: receiving your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): You may object at any time to processing based on legitimate interests, and to processing for direct marketing without giving reasons.
- Right to withdraw consent with effect for the future.
- Right to lodge a complaint with a supervisory authority if you believe that processing infringes data protection law.
Competent supervisory authority in Switzerland:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, CH-3003 Bern
Tel.: +41 58 462 43 95 · edoeb.admin.ch
For offerings to persons in the EU/EEA you may also contact the data protection supervisory authority responsible for your country.
Exercising your rights: To exercise your rights you may contact us at any time by email at info@canelasnaturalbeauty.ch or by phone at +41 44 501 66 66. We require proof of identity and will normally process your request within one month.
13. Updates and contact
We may amend this privacy policy from time to time to reflect changes in our data processing practices, new legal requirements or other developments. In the case of material changes we will — where possible and appropriate — inform you separately.
For questions about this privacy policy you may contact us at any time:
Email: info@canelasnaturalbeauty.ch
Phone: +41 44 501 66 66
Last updated: 16.05.2026