SWISS LIGHT GmbH

Privacy Policy

Data Protection Information

1. Data Controller

The controller responsible for data processing on this website is:

SWISS LIGHT GmbH

Flüelerstrasse 77

6460 Altdorf, Switzerland

Phone: +41 41 871 39 39

Email: mail@swiss-light.ch

Responsible person: Adrian Wild

2. Scope and Legal Basis

This Privacy Policy applies to the website swiss-light.ch and all related services offered by SWISS LIGHT GmbH. It is based on:

  • The Swiss Federal Act on Data Protection (nFADP / DSG, in force since 1 September 2023)
  • The Swiss Ordinance on Data Protection (DPO / DSV)
  • The EU General Data Protection Regulation (GDPR), insofar as it applies to our processing of personal data of individuals in the EU/EEA

Depending on the purpose of the processing, we rely in particular on the following legal bases:

  • Consent (Art. 6(1)(a) GDPR / Art. 31(1) nFADP) — e.g. analytics cookies, newsletter
  • Contract performance (Art. 6(1)(b) GDPR / Art. 31(2)(a) nFADP) — e.g. processing orders, payment, shipping
  • Legitimate interests (Art. 6(1)(f) GDPR / Art. 31(1) nFADP) — e.g. website security, fraud prevention, essential cookies
  • Legal obligation (Art. 6(1)(c) GDPR / Art. 31(2)(b) nFADP) — e.g. tax record retention

3. Data We Collect

3.1 Data you provide directly

  • Contact form: Name, email address, phone number (optional), message content
  • Account registration: Email address, password (hashed by Supabase Auth)
  • Orders: Name, shipping address, billing address, email, phone, order details
  • Product reviews: Display name, review text, rating
  • Transactional communications: Information required to send account verification, password reset, order confirmation, invoice, and shipping emails

3.2 Data collected automatically

  • Server log data necessary for secure delivery of the website, such as IP address, date and time, requested URL, and user agent
  • Browser type, operating system, and screen resolution
  • Pages visited, time of visit, and referring URL only if you consent to analytics
  • Web Vitals performance metrics via Vercel Speed Insights (Web Vitals measurement) only if you consent to analytics

4. Cookies and Local Storage

We use cookies and browser local storage to provide our services and, with your consent, to analyse website usage. You can accept or decline optional analytics cookies via the cookie consent banner shown on your first visit.

Optional analytics tools are not loaded until you click "Accept all". If you click "Reject all", Google Analytics, Vercel Analytics, and Vercel Speed Insights remain disabled.

You can change your choice at any time via the "Cookie Settings" link in the footer. Withdrawal of consent does not affect processing that took place before your withdrawal.

4.1 Essential (strictly necessary)

These are required for the website to function. Legal basis: legitimate interest.

Name | Type | Purpose | Duration
cookie-consent | localStorage | Stores your cookie consent preference (accepted/declined) | Permanent
theme | localStorage | Stores your light/dark mode preference | Permanent
i18next | Cookie | Stores your selected language (de/en/fr/it) | Session
sb-*-auth-token | Cookie | Authentication session for logged-in users (Supabase) | Session
sl_guest_cart | localStorage | Shopping cart contents for guest users | Permanent
sl_guest_wishlist | localStorage | Wishlist items for guest users | Permanent
sl_recent_searches | localStorage | Recent search queries in the shop | Permanent
REACT_QUERY_OFFLINE_CACHE | localStorage | Caches shop data for faster page loads | 24 hours

4.2 Analytics (optional — requires your consent)

These are only activated if you click "Accept all" in the cookie banner.

Name | Provider | Purpose | Duration
_ga, _ga_* | Google Analytics (Google LLC, USA) | Distinguishes unique visitors and tracks page views | 2 years
va_*, speed-insights | Vercel Analytics and Vercel Speed Insights (Vercel Inc., USA) | Page view analytics and Web Vitals performance data | Session

You can revoke your cookie consent at any time by clicking the "Cookie Settings" link in the website footer, or by clearing your browser storage.

5. Third-party Service Providers (Processors)

Where necessary for the provision of our website and services, we use the following service providers. Depending on the specific processing activity, these providers may act as processors or, in individual cases, as independent controllers under their own data protection terms:

Provider | Purpose | Data Shared | Location
Supabase Inc. | Authentication, database hosting, application data storage | Account data, profile data, orders, reviews, and related application records | EU (Frankfurt)
Stripe Inc. | Payment processing and payment-related fraud prevention | Name, billing and order data, payment details processed by Stripe, transaction metadata | USA / Ireland
Amazon Web Services (AWS) | Transactional email delivery via Amazon SES and processing of delivery, bounce, and complaint events | Email address, name, message metadata, and technical delivery status information | EU (Ireland)
Vercel Inc. | Website hosting, optional analytics, optional speed insights | Hosting connection data; with consent also page views and Web Vitals metrics | USA / Global Edge
Google LLC | Website analytics (with consent) | IP address, browsing behaviour | USA
Swiss Post | Address validation and autocomplete during checkout, shipping options calculation, label generation, and parcel tracking | Recipient name, delivery address, parcel and shipment data | Switzerland

In addition, our website contains links to external platforms such as Facebook and Instagram and may offer user-triggered share functions. These services are generally contacted only when you actively click the relevant link or sharing function.

6. International Data Transfers

Some of our service providers may process personal data outside Switzerland, the EU, or the EEA, in particular in the United States. Where this is the case, we seek to rely on appropriate safeguards recognised under applicable law. These may include, depending on the provider and processing activity:

  • Stripe: EU Standard Contractual Clauses (SCCs) and Stripe's Binding Corporate Rules
  • Vercel: EU Standard Contractual Clauses (SCCs); optional analytics and Speed Insights only with your explicit consent
  • Google: EU Standard Contractual Clauses (SCCs); analytics only with your explicit consent
  • AWS: Data processed in the EU (eu-west-1 region, Ireland)
  • Supabase: Data processed in the EU (eu-central-1 region, Frankfurt)

If you consent to optional analytics, associated analytics data may also be transferred to providers in the United States. In that case, the transfer takes place on the basis of your consent and the safeguards described above, to the extent applicable.

7. Data Retention

  • Account data: Retained for as long as your account exists, deleted upon account deletion
  • Order data: Retained for 10 years to comply with Swiss commercial record-keeping obligations (Art. 958f CO)
  • Contact form messages: Retained for up to 2 years for follow-up, then deleted
  • Product reviews: Retained until you delete them or request deletion
  • Transactional email logs and delivery events: Retained only for as long as needed to ensure deliverability, security, and handling of bounces or complaints
  • Analytics data: Retained in accordance with the configuration of the respective provider; for Google Analytics this is currently configured for 14 months
  • Server logs: Automatically deleted after 30 days

8. Your Rights

Under the Swiss nFADP and the GDPR, you have the following rights:

  • Right of access (Art. 25 nFADP / Art. 15 GDPR) — You may request a copy of all personal data we hold about you.
  • Right to rectification (Art. 32(1) nFADP / Art. 16 GDPR) — You may request correction of inaccurate data.
  • Right to erasure (Art. 32(2)(c) nFADP / Art. 17 GDPR) — You may request deletion of your data, subject to legal retention obligations.
  • Right to data portability (Art. 28 nFADP / Art. 20 GDPR) — You may request your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR) — You may object to processing based on legitimate interests.
  • Right to withdraw consent — You may withdraw any given consent at any time (e.g. cookie consent, newsletter). Withdrawal does not affect the lawfulness of prior processing.
  • Right to restriction (Art. 18 GDPR) — You may request restriction of processing under certain conditions.

To exercise any of these rights, contact us at mail@swiss-light.ch. We will respond within 30 days.

9. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority:

Federal Data Protection and Information Commissioner (FDPIC)

Feldeggweg 1

3003 Bern, Switzerland

Website: www.edoeb.admin.ch

For individuals in the EU/EEA, you may also contact the data protection authority in your country of residence.

10. Payment Processing

We use Stripe to process payments. When you make a purchase, payment card data and comparable payment credentials are generally processed directly by Stripe. Stripe is PCI DSS Level 1 certified.

We generally receive from Stripe transaction-related information such as payment status, transaction identifiers, and limited payment metadata. We do not intentionally store full card numbers, CVV codes, or comparable secret payment credentials.

Stripe's privacy policy: stripe.com/privacy

11. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by the date at the top of the page. We encourage you to review this page periodically. Where required by law, we will provide additional notice or request renewed consent for material changes.

Last updated: April 28, 2026
