Privacy Policy

Last updated: 7 May 2026

1. Data controller

The data controller for this site is the operator listed on the Imprint page. Reach us by email at the address listed there.

2. What we collect

We collect only what we need to deliver your purchase:

  • Email address — collected by Stripe Checkout. We use it to email your receipt and download link.
  • Payment details — processed by Stripe directly. We never see or store your card details.
  • Order data — what you bought, when, and the Stripe session ID. Stored in our Supabase database.
  • Server logs — IP address, user agent, and request paths kept by our hosting provider (Vercel) for security and abuse prevention. Retained for ~30 days.

3. Cookies

We do not use advertising cookies. We do use a small number of functional cookies set by Stripe (during checkout) and Supabase (for any future authenticated areas). No cookie banner is required because we do not place non-essential cookies before consent.

4. Why we process this data

Legal basis: contract performance (Art. 6(1)(b) GDPR / equivalent under Swiss FADP) for everything related to fulfilling your order, and legitimate interest (Art. 6(1)(f)) for security logging.

5. Who we share data with

We do not sell or rent your data. We do not share it with anyone else without your explicit consent.

6. Where your data lives

Stripe and Supabase host data in EU regions where possible. Some transit through US-based infrastructure may occur, covered by the EU–US Data Privacy Framework and Standard Contractual Clauses.

7. How long we keep it

  • Order records: 10 years (tax/accounting requirements).
  • Email and download links: 14 days from purchase.
  • Server logs: ~30 days.

8. Your rights

You can ask us at any time to: access the data we hold on you, correct it, delete it (within the limits of our legal-retention obligations), restrict its processing, port it elsewhere, or object to processing. Email us via the Imprint address; we respond within 30 days.

You can also lodge a complaint with the data-protection authority of your country of residence (in Switzerland: the FDPIC).