Privacy Policy

1. Controller

Controller in the meaning of Art. 5 lit. j revFADP (and Art. 4 no. 7 GDPR) is:

ALPENIQ
Glasistrasse 9
8180 Bülach, Switzerland
Email: admin@alpeniq.ch
Phone: +41 78 354 30 93

For any data-protection matter — access, rectification, erasure, withdrawal or complaint — you can reach us at admin@alpeniq.ch. As a three-person SME we have not appointed a separate Data Protection Advisor in the meaning of Art. 10 revFADP; there is no legal obligation to do so.

2. Principles and legal bases

We process personal data lawfully, in good faith and proportionally, and only for the purposes described in this policy (Art. 6 revFADP).

The legal bases for our processing are:
– your consent (Art. 6(6) and Art. 31(1) revFADP; Art. 6(1)(a) GDPR) — e.g. for analytics and marketing cookies;
– the initiation or performance of a contract (Art. 31(2)(a) revFADP; Art. 6(1)(b) GDPR) — e.g. when you use the contact form;
– our overriding legitimate interest (Art. 31(2)(d) revFADP; Art. 6(1)(f) GDPR) — e.g. for security logs, spam protection and rate limiting;
– a legal obligation (Art. 31(2)(c) revFADP; Art. 6(1)(c) GDPR).

3. Server logs and security data

When you visit our website, technical data is automatically processed by our hosting provider Vercel Inc. (see section 6): IP address, date and time, browser type, operating system, referrer URL and the requested page. This data is used solely to deliver the website, to defend against attacks and to maintain system stability.

The /api/contact endpoint additionally uses your IP address for an in-memory rate limit (max. 5 requests per IP per hour) and for CSRF protection (double-submit cookie). The IP address is not stored in any database or email and is discarded once the request is complete. Vercel edge logs are auto-purged after at most 30 days.

Legal basis: legitimate interest in IT security (Art. 31(2)(d) revFADP / Art. 6(1)(f) GDPR).

4. Contact form and email contact

When you use our multi-step contact form (/erstgespraech or /initial-consultation) or send us an email, we process the following data: name, role, email address, phone number (optional), company name, industry, company size, information about your existing website, the services you selected, your acquisition channels, revenue range, problem, timeline, source of awareness and your free-text message.

We also receive a hidden honeypot field from the form to filter automated spam submissions. Real input in this field is silently discarded.

Purpose: handling your enquiry and preparing a free strategy call.
Legal basis: pre-contractual measures at your request (Art. 31(2)(a) revFADP / Art. 6(1)(b) GDPR).
Recipients: the ALPENIQ mailbox admin@alpeniq.ch, transmitted technically through Resend Inc. (see section 6).
Retention: up to 24 months after our last contact with you, then deletion or anonymisation. If a contract is concluded, statutory commercial and tax retention periods apply (Art. 958f Swiss Code of Obligations: 10 years).

5. Cookies and similar technologies

We use strictly necessary cookies without which the website cannot function (for example to store your cookie choice, your language preference or to protect against Cross-Site-Request-Forgery). These are set without consent, based on Art. 45c FMG and our overriding legitimate interest.

All other cookies and comparable technologies (e.g. local-storage entries, pixels) are only activated after your explicit consent through our cookie banner. You can withdraw your consent for the future at any time by reopening the banner via the "Open cookie settings" link in the footer or further down this page. Withdrawal is as easy as the original consent (Art. 6(6) revFADP).

Your choice is stored in your browser under the key "cookie-consent" (local storage) and remains valid until you change it or clear your local storage.

Overview of cookies and comparable storage items in use:

Necessary (always active):
• csrf_token (cookie, alpeniq.ch, 1 hour) — protection against CSRF on the contact form.
• cookie-consent (local storage, alpeniq.ch, unlimited) — stores your cookie preference.
• NEXT_LOCALE (cookie, alpeniq.ch, 1 year) — stores your language choice (de/en).

Analytics (only with consent):
• _ga, _ga_<ID> (cookie, .alpeniq.ch, 13 months, Google Analytics) — recognises user sessions.
• _gid (cookie, .alpeniq.ch, 24 hours, Google Analytics) — distinguishes users.
• _clck, _clsk, CLID, MUID (cookie, .clarity.ms / .alpeniq.ch, up to 12 months, Microsoft Clarity) — session ID and recognition for heatmaps and session replays.
• alpeniq_generate_lead_fired, alpeniq_404_fired_* (local storage, alpeniq.ch, 30 days) — prevents internal events from firing twice.

Marketing (only with consent):
• ALPENIQ currently does not set marketing cookies directly. If conversion tags are loaded through Google Tag Manager in the future, the corresponding cookies (e.g. _gcl_au) will only appear after your marketing consent.

6. Processors and recipients

For the operation of the website we use specialised service providers as processors within the meaning of Art. 9 revFADP. We have concluded the legally required data-processing agreements (DPA) with every processor.

• Vercel Inc. (USA) — hosting, edge network, aggregate statistics ("Vercel Analytics", cookieless). Legal basis for the US transfer: Swiss-U.S. Data Privacy Framework (certified) and EU Standard Contractual Clauses.
• Google Ireland Ltd. (Dublin, IE) and Google LLC (USA) — Google Tag Manager and Google Analytics 4. Tags and cookies only load after your analytics consent. Google Consent Mode v2 is active. IP anonymisation is the GA4 default. Legal basis for the US transfer: Swiss-U.S. Data Privacy Framework (certified) and EU Standard Contractual Clauses.
• Microsoft Ireland Operations Ltd. (Dublin, IE) and Microsoft Corporation (USA) — Microsoft Clarity (heatmaps, session replays). Loaded only after your analytics consent. Form-field input is masked server-side before transmission. Legal basis for the US transfer: Swiss-U.S. Data Privacy Framework (certified) and EU Standard Contractual Clauses.
• Resend Inc. (USA) — transactional email delivery for contact-form submissions to admin@alpeniq.ch. Only the data you entered in the contact form is transmitted; no tracking or browser data. Legal basis for the US transfer: EU Standard Contractual Clauses. Data is retained no longer than required for delivery (typically 30 days, then log auto-purge).
• Cal.com, Inc. (USA / EU hosting on cal.eu) — booking your strategy call (embedded calendar widget). The widget is only loaded when you visit /erstgespraech or /initial-consultation. Legal basis for the US transfer (if applicable): EU Standard Contractual Clauses; the primary data-processing region is the EU.

Apart from that, we only share personal data when we are legally required to or when you have consented. We do not sell personal data or share it commercially with third parties.

7. International transfers

Some of the processors listed in section 6 are established or host data in countries outside Switzerland and the EEA, in particular the USA.

Since the Swiss Federal Council recognised the Swiss-U.S. Data Privacy Framework as of 15 September 2024, the USA is considered to provide adequate protection for certified recipients (Art. 16(1) revFADP read with Annex 1 of the Data Protection Ordinance). For recipients not certified under the DPF we rely on EU Standard Contractual Clauses in their Swiss-adapted version (Art. 16(2)(d) revFADP) and on additional technical and organisational measures (encryption in transit, pseudonymisation, access controls).

You have the right to request a copy of these safeguards by writing to admin@alpeniq.ch.

8. Retention

We only retain personal data for as long as necessary for the relevant purpose (Art. 6(4) revFADP, principle of storage limitation).

In detail:
• Server logs / edge logs: max. 30 days (Vercel auto-purge).
• Contact-form enquiries in the ALPENIQ mailbox: up to 24 months after the last contact; in case of a contract, up to 10 years after the end of the contract (Art. 958f Swiss Code of Obligations).
• Resend delivery logs: max. 30 days.
• Google Analytics 4: 14 months (property-level retention setting).
• Microsoft Clarity: 13 months from last activity (Microsoft default).
• Cookie consent (local storage): until you change it or your browser clears it.
• Accounting and tax records: 10 years (Art. 958f Swiss Code of Obligations).

9. Your rights

Under revFADP and GDPR you have, in particular, the following rights:
– access to whether and which personal data we process about you (Art. 25 revFADP / Art. 15 GDPR);
– rectification of inaccurate data (Art. 32(1) revFADP / Art. 16 GDPR);
– erasure or destruction ("right to be forgotten", Art. 32(2)(c) revFADP / Art. 17 GDPR);
– restriction of processing (Art. 32(2)(a)–(b) revFADP / Art. 18 GDPR);
– data portability in a commonly used electronic format (Art. 28 revFADP / Art. 20 GDPR);
– objection to processing based on a legitimate interest (Art. 30(2)(b) revFADP / Art. 21 GDPR);
– withdrawal of consent at any time with effect for the future (Art. 31(1) revFADP / Art. 7(3) GDPR).

We do not engage in automated individual decision-making that produces legal effects or similarly significantly affects you in the sense of Art. 21 revFADP or Art. 22 GDPR.

To exercise your rights, a plain email to admin@alpeniq.ch is enough. We reply within 30 days, free of charge (Art. 25(7) revFADP).

10. Right to lodge a complaint

If you believe that we process your personal data unlawfully, you can lodge a complaint with the competent supervisory authority at any time:

In Switzerland: Federal Data Protection and Information Commissioner (FDPIC / EDÖB)
Feldeggweg 1, 3003 Bern
Website: https://www.edoeb.admin.ch

In the EEA/EU: the data-protection supervisory authority of your country of residence or work (Art. 77 GDPR).

11. Data security

We take appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of your data (Art. 8 revFADP, Art. 32 GDPR). In particular:
– end-to-end encryption of transport (HTTPS / TLS 1.2+, HSTS with preload);
– strict Content Security Policy, X-Frame-Options, Cross-Origin-Opener-Policy and other security headers;
– CSRF protection and rate limiting on every write endpoint;
– input validation with a Zod schema and HTML escaping before every email is sent;
– honeypot field for spam defence;
– access to admin@alpeniq.ch and to all third-party systems only via personal accounts with two-factor authentication.

A data protection impact assessment under Art. 22 revFADP is not required for our standard processing; we keep a voluntary record of processing activities.

12. Changes to this privacy policy

We update this privacy policy whenever our processing, the tools we use or the legal requirements change. The current version is always available at alpeniq.ch/en/privacy-policy. The date of the last update is shown at the top of this page.