Privacy policy
Preamble
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”).
The terms used are not gender-specific.
Last updated: 19 December 2025
Controller
P. Gübeli & G. Rea
8561 Ottoberg | Switzerland
Email address: contact@sailinggrace.ch
Legal notice: https://www.sailinggrace.ch/imprint
Overview of Processing Activities
The following overview summarizes the types of data processed, the purposes of processing, and refers to the affected data subjects.
Types of Processed Data
- Master data
- Location data
- Contact data
- Content data
- Usage data
- Meta, communication, and procedural data
- Log data
Categories of Data Subjects
- Communication partners
- Users
Purposes of Processing
- Communication
- Security measures
- Direct marketing
- Reach measurement
- Organizational and administrative procedures
- Feedback
- Profiles with user-related information
- Provision of our online offering and user-friendliness
- Information technology infrastructure
- Public relations
Applicable Legal Bases
Applicable legal bases under Swiss data protection law:
If you are located in Switzerland, we process your data on the basis of the Swiss Federal Act on Data Protection (“Swiss FADP”). Unlike the GDPR, the Swiss FADP generally does not require the explicit naming of a legal basis, provided that the processing of personal data is carried out in good faith, lawfully, and proportionately (Art. 6 para. 1 and 2 Swiss FADP).
Furthermore, personal data is collected only for a specific purpose that is recognizable to the data subject and processed only in a manner compatible with that purpose (Art. 6 para. 3 Swiss FADP).
Security Measures
We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, nature, scope, circumstances, and purposes of processing, as well as the likelihood and severity of risks to the rights and freedoms of natural persons.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access, access rights, data input, disclosure, availability, and separation. We have also established procedures to ensure the exercise of data subject rights, deletion of data, and responses to data breaches.
Data protection is taken into account from the outset, during the development or selection of hardware, software, and procedures, in accordance with the principles of data protection by design and by default.
TLS/SSL Encryption (HTTPS)
To protect user data transmitted via our online services, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encrypt information transmitted between the website or app and the user’s browser (or between servers), preventing unauthorized access. Websites secured with SSL/TLS are indicated by “HTTPS” in the URL.
Transfer of Personal Data
In the course of processing personal data, it may be transferred or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients may include IT service providers or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate agreements to protect your data.
International Data Transfers
Disclosure of Personal Data Abroad
Under the Swiss FADP, personal data is disclosed abroad only if adequate protection of the data subjects is ensured (Art. 16 Swiss FADP). If no adequate level of protection has been determined by the Swiss Federal Council, alternative safeguards are implemented.
Data Transfers to the United States
For data transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), which was recognized as an adequate legal framework by Switzerland on 7 June 2024. In addition, we have concluded Standard Contractual Clauses (SCCs) approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC). This dual safeguard ensures comprehensive data protection. Should the DPF be amended or invalidated, the SCCs will apply as a fallback mechanism. Information on DPF-certified companies can be found on the website of the U.S. Department of Commerce: https://www.dataprivacyframework.gov/
For transfers to other third countries, appropriate safeguards apply, including international treaties, approved SCCs, or binding corporate rules recognized by the FDPIC or other competent authorities.
General Information on Data Storage and Deletion
We delete personal data in accordance with statutory requirements once consent is withdrawn or other legal bases no longer apply. Exceptions exist where statutory retention obligations or legitimate interests require longer storage.
In particular, data subject to commercial or tax law retention obligations or required for legal enforcement or protection of rights must be archived accordingly.
Where multiple retention periods apply, the longest period shall prevail. Data retained solely due to legal obligations is processed exclusively for those purposes.
Retention Periods under Swiss Law
- 10 years: Accounting records, financial statements, inventories, business reports, booking documents, invoices, and organizational records (Art. 958f Swiss Code of Obligations).
- 10 years: Data required for potential claims or legal enforcement, unless a shorter statutory limitation period applies (Art. 127, 130 CO). Certain claims expire after 5 years (Art. 128 CO).
Commencement of Limitation Periods
If a retention period is at least one year and no specific start date is defined, it begins at the end of the calendar year in which the triggering event occurred.
Rights of Data Subjects (Swiss FADP)
Data subjects have the following rights:
- Right of access – confirmation whether personal data is processed and access to relevant information
- Right to data release or transfer – provision of personal data in a commonly used electronic format
- Right to rectification – correction of inaccurate personal data
- Right to object, deletion, or destruction – objection to processing and request for deletion or destruction
Provision of the Online Offering and Web Hosting
- We process user data to provide our online services, including the IP address necessary for delivering content and functions.
- Processed data: Usage data, meta/communication/procedural data, log data
- Data subjects: Users
- Purposes: Provision of services, IT infrastructure, security
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
- Server log files are stored for a maximum of 30 days, unless longer retention is required for evidence purposes.
Use of Cookies
Cookies are used to store or read information on user devices. We use cookies in accordance with legal requirements and obtain user consent where necessary.
Types of Cookies
- Session cookies: Deleted when the browser is closed
- Persistent cookies: Remain stored and may last up to two years
- Users may revoke consent or object at any time via browser settings.
- Legal bases: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR)
Blogs and Publishing Media
- We operate blogs or comparable online publication platforms.
- Processed data: Master data, contact data, content data, usage data, meta data
- Purposes: Feedback, security, administration
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
- IP addresses may be stored to prevent unlawful content or spam.
Contact and Inquiry Management
When contacting us (e.g. by email, contact form, phone, or social media), personal data is processed to handle the inquiry.
Legal bases: Contract performance/pre-contractual measures (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR)
Newsletter and Electronic Notifications
Newsletters are sent only with consent or legal authorization. Unsubscribed email addresses may be stored for up to three years to document prior consent. A blocklist may be maintained to ensure compliance with opt-outs. Legal basis: Consent (Art. 6(1)(a) GDPR)
Web Analytics, Monitoring, and Optimization
We use web analytics to analyze user behavior and optimize our online offering. Data is processed pseudonymously, including IP masking.
Google Analytics
- Provider: Google Ireland Limited
- Legal basis: Consent
- Safeguards: IP masking, DPF, SCCs
- Data is processed on EU-based servers before being forwarded.
Social Media Presences
We maintain profiles on social networks to communicate with users. Data may be processed outside the EU.
Platforms used include:
- Instagram (Meta)
- Facebook Pages (Meta – joint controllership)
- LinkedIn (joint controllership for Page Insights)
Users are advised to assert their rights directly with the platform providers.
Plug-ins and Embedded Content
Third-party content (e.g. videos, maps) may process IP addresses. Pixel tags and cookies may be used for statistical or marketing purposes.
Google Maps
- Provider: Google Cloud EMEA Limited
- Legal basis: Consent
- Safeguards: DPF
Amendments and Updates
We regularly review and update this privacy policy. Where changes require user action or consent, we will notify users accordingly.
Definitions
This section explains key terms used in this privacy policy, including:
- Master data
- Content data
- Contact data
- Meta, communication, and procedural data
- Usage data
- Personal data
- Profiles with user-related information
- Log data
- Reach measurement
- Location data
- Controller
- Processing
Created using the free Datenschutz-Generator.de by Dr. Thomas Schwenke
