Legal

Privacy

1. Introduction and scope

This privacy policy informs you comprehensively about the nature, scope and purposes of the collection and use of your personal data by Canelas Natural Beauty Center (sole proprietorship).

This policy applies to our website www.canelasnaturalbeauty.ch and to all related online offerings, services and communication channels.

We take the protection of your personal data very seriously and process it confidentially in accordance with the revised Swiss Federal Act on Data Protection (revFADP) and - where applicable - the European Union General Data Protection Regulation (GDPR).

Use of our website is generally possible without providing personal data. Where personal data is collected on our pages, this is always done on a voluntary basis. We pass this data on only to the service providers named in this policy - or where we are legally obliged to do so.

2. Data controller

The party responsible for data processing within the meaning of data protection law is:

Canelas Natural Beauty Center (sole proprietorship)
Owner: Diana Creo Cernadas
Rennweg 30, 8001 Zürich
Switzerland

Email: [email protected]
Phone: +41 44 501 66 66
Website: www.canelasnaturalbeauty.ch

You may contact us at any time with questions about data protection.

3. Definitions

To make this privacy policy easier to understand, we use the following definitions:

Personal data: Any information relating to an identified or identifiable natural person (e.g. name, address, email address, phone number, IP address).

Processing: Any handling of personal data, regardless of the means used - including collection, recording, storage, use, alteration, disclosure, archiving, erasure or destruction.

Data subject: The natural person whose personal data is being processed.

Controller: The natural or legal person, authority or other body that, alone or jointly with others, determines the purposes and means of processing.

Processor: A body that processes personal data on behalf of the controller.

Consent: Any freely given, informed and unambiguous indication of the data subject’s wishes by a statement or clear affirmative action.

Cookies: Small text files stored on your device. A distinction is made between session cookies (deleted at the end of the browser session) and persistent cookies (stored for a defined period).

Cookies on this website: Our website itself sets no analytics or advertising cookies and therefore uses no cookie banner. Your browser only stores functional settings (such as your language choice) locally; this information is never transmitted to us. Technically necessary cookies may be set by the service providers named in section 8.

4. Legal bases

We process personal data in accordance with Swiss data protection law, in particular the revised Federal Act on Data Protection (revFADP) of 25 September 2020 and the Data Protection Ordinance.

Under Swiss law, processing of personal data is generally permitted provided that at least one of the following applies:

  • there is no legal prohibition
  • the data subject has consented
  • an overriding private or public interest exists
  • processing is necessary for the performance of a contract

Insofar as the GDPR applies (e.g. where our services are directed at persons in the EU/EEA), we process personal data on the following legal bases under Art. 6(1) GDPR:

  • Consent (point (a)): The data subject has given consent for one or more specific purposes. Consent may be withdrawn at any time with effect for the future.
  • Performance of a contract (point (b)): Processing is necessary for the performance of a contract or steps taken prior to entering into a contract.
  • Legal obligation (point (c)): Processing is necessary for compliance with a legal obligation.
  • Vital interests (point (d)): Processing is necessary to protect the vital interests of a natural person.
  • Public interest (point (e)): Processing is necessary for a task carried out in the public interest.
  • Legitimate interests (point (f)): Processing is necessary for our legitimate interests, provided that the interests of the data subject do not override them.

5. Categories of data collected

We collect and process various categories of personal data. The specific data collected depends on the services and functions you use.

Basic personal details: Surname, first name - basic identification information.

Contact data: Email address, phone number - information for contact and communication.

Technical data: IP address, browser type and version, operating system, device type - information collected automatically when using our website.

Sources: Data is collected directly from you (via our contact form) or automatically (via technical logging when you visit the site).

6. Purposes of processing

We process your personal data for the following purposes:

  • Provision and operation of our website - to make our website and its functions available to you (legal basis: legitimate interest).
  • Ensuring IT security - to protect our systems from misuse, attacks and technical disruptions (legal basis: legitimate interest).
  • Compliance with legal obligations - to meet statutory retention and documentation requirements (legal basis: legal obligation).

7. Server log files

Each time our website is accessed, our hosting provider Cloudflare automatically records technical data in server log files. This is required for technical and security reasons; we do not operate servers of our own.

Data processed: IP address, date and time of access, requested page/file, volume of data transferred, browser type and version, operating system, referrer URL, hostname of the accessing computer.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR / Art. 31(1) revFADP) - ensuring system security and troubleshooting.

Retention period: Log data is stored by the hosting provider only for as long as required for the purposes described.

8. Third-party services and processors

Contact form and email delivery (Resend): When you use our contact form, we process the data you enter (name, email address and message) in order to respond to your enquiry. Delivery of the message is handled by the email service Resend (Resend, Inc., USA). Legal basis: steps taken prior to entering into a contract and our legitimate interest in responding to your enquiry (Art. 6(1)(b) and (f) GDPR). resend.com/legal/privacy-policy

Hosting and spam protection (Cloudflare): Our website is delivered via Cloudflare (Cloudflare, Inc., USA). To protect the contact form from spam and automated access we also use Cloudflare Turnstile, which processes technical data (in particular the IP address). Legal basis: our legitimate interest in the security and availability of our website (Art. 6(1)(f) GDPR). cloudflare.com/privacypolicy

Web analytics (Cloudflare Web Analytics): We use Cloudflare Web Analytics to measure how our website is used and how it performs. The service works without cookies and without cross-site tracking; it records technical data (such as the page visited, referrer, browser type and operating system) in aggregated form. Legal basis: our legitimate interest in analysing and improving our services (Art. 6(1)(f) GDPR).

Communication via WhatsApp and social media: If you contact us via WhatsApp or visit our profiles on Instagram or Facebook, Meta Platforms (Meta Platforms Ireland Ltd. and Meta Platforms, Inc., USA) processes your data (such as your phone number, message content and usage data) under its own responsibility. The privacy policies of WhatsApp, Instagram and Facebook additionally apply.

Google Maps: The contact section of our website embeds a map provided by Google Maps. The map is loaded automatically as soon as that section is displayed. When the map loads, technical data (in particular your IP address) is transmitted to Google; this is technically necessary to display the map.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA).
Purpose: Embedding interactive maps to show our location.
Data categories: IP address, location data, device information, cookies.
Legal basis: Our legitimate interest in clearly presenting our location (Art. 6(1)(f) GDPR / Art. 31 revFADP).
Google’s privacy policy: policies.google.com/privacy

9. International data transfers

As part of our processing, personal data may also be transferred to recipients outside Switzerland and the European Economic Area (EEA). In particular, this concerns the USA.

For the USA, adequacy decisions exist for companies certified under the EU-U.S. Data Privacy Framework (since July 2023, for the EU) and the Swiss-U.S. Data Privacy Framework (since 15 September 2024, for Switzerland). Google and Cloudflare hold this certification.

For transfers to recipients not covered by an adequacy decision, we rely on the following safeguards to ensure an adequate level of protection:

  • Standard Contractual Clauses (SCC) approved by the European Commission apply to the relevant recipients (e.g. Resend) under their respective data processing agreements.
  • Adequacy assessment: Before any data transfer we check whether the recipient country offers an adequate level of protection or whether additional safeguards are required.
  • Additional safeguards: Where necessary, we implement technical and organisational measures such as encryption, pseudonymisation or contractual arrangements.

Note on transfers to the USA: US authorities may, under certain circumstances, have access to transferred data. We hereby inform you transparently of this residual risk. You have the right to request a copy of the agreed Standard Contractual Clauses or information about the safeguards implemented.

10. Retention periods

We store your personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by statutory retention obligations.

The retention period is based on:

  • the purpose of processing
  • statutory retention obligations
  • legitimate interests (e.g. defence against legal claims)
  • the nature of the data and the risk to the data subjects

Specific retention periods:

  • Server log files: only as long as required for IT security (stored by the hosting provider)
  • Booking records / invoices: 10 years (Art. 958f of the Swiss Code of Obligations)
  • Contracts and business correspondence: 10 years after end of contract (Art. 958f CO / limitation periods)

After the respective periods, data is routinely deleted unless still needed for other purposes.

11. Data security

We take appropriate technical and organisational security measures (TOMs) to protect your personal data from unauthorised access, loss, misuse or destruction. The specific measures correspond to the state of the art and are reviewed regularly.

Our security measures include in particular:

  • Encrypted data transmission (TLS/SSL)
  • Access restrictions and authorisation concepts
  • Protection of the IT infrastructure through appropriate security systems
  • Regular data backups
  • Maintenance and updates of our systems
  • Confidentiality obligations for staff
  • Careful selection and contractual binding of service providers
  • Processes for detecting and handling security incidents

Despite all precautions, no data transmission over the internet can be guaranteed to be completely secure. In the event of a data breach likely to result in a high risk to your rights and freedoms, we will inform you and notify the competent authorities without undue delay.

12. Your rights as a data subject

As a data subject you have various rights regarding your personal data. These arise from the Swiss Data Protection Act (revFADP) and, where applicable, from the GDPR.

  • Right of access: Confirmation as to whether we are processing your data and information on purposes, categories, recipients and retention period.
  • Right to rectification of inaccurate data or completion of incomplete data.
  • Right to erasure (‘right to be forgotten’) under certain conditions, in particular when the data is no longer necessary for the purposes for which it was collected.
  • Right to restriction of processing under certain conditions.
  • Right to data portability: Receiving your data in a structured, commonly used and machine-readable format.
  • Right to object (Art. 21 GDPR): You may object at any time to processing based on legitimate interests, and to direct marketing without giving any reason.
  • Right to withdraw consent with effect for the future.
  • Right to lodge a complaint with a supervisory authority if you believe that processing infringes data protection law.

Competent supervisory authority in Switzerland:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, CH-3003 Bern
Phone: +41 58 462 43 95 · edoeb.admin.ch

Where our services are directed at persons in the EU/EEA, you may also contact the data protection supervisory authority responsible for your country.

Exercising your rights: To exercise your rights you may contact us at any time by email at [email protected] or by phone at +41 44 501 66 66. We require proof of identity and will normally process your request within one month.

13. Updates and contact

We may amend this privacy policy from time to time to reflect changes in our data processing practices, new legal requirements or other developments. In the case of material changes we will - where possible and appropriate - inform you separately.

For questions about this privacy policy you may contact us at any time:
Email: [email protected]
Phone: +41 44 501 66 66

Last updated: 11 June 2026