---
title: "Privacy Policy"
canonical: https://kanzlei.sites.webeo.ch/privacy
language: en
---

# Privacy Policy

### Controller

Berger & Roth Attorneys at Law\
Löwenstrasse 42, 8001 Zurich

Email: office@berger-roth.ch\
Phone: +41 44 266 56 56\
Web: berger-roth.ch

Technical operator (data processor): Webeo, webeo.ch

### General

This privacy policy explains which personal data we collect in connection with the operation of this website, for what purpose, and to whom we disclose it. It applies to all websites, applications, and services we operate that reference this policy.

This website has been built in accordance with the requirements of the revised Swiss Federal Act on Data Protection (revFADP). Where the EU General Data Protection Regulation (GDPR) applies to the processing, its requirements are likewise observed. The final responsibility for data protection lies with the controller named above. Your personal data is always processed on a lawful basis and only to the extent necessary for the respective purpose.

### Legal bases of processing

We process personal data on the following legal bases:

- **Performance of a contract** (Art. 6(1)(b) GDPR / Art. 31(2)(a) revFADP): for the performance of contracts or pre-contractual measures, e.g. when you submit a contact request.
- **Legitimate / overriding interest** (Art. 6(1)(f) GDPR / Art. 31(2)(d) revFADP): for the secure and stable operation of the website (server logs, security measures, anonymised reach measurement).
- **Consent** (Art. 6(1)(a) GDPR / Art. 31(1) revFADP): where consent is required and you have granted it.
- **Legal obligation** (Art. 6(1)(c) GDPR / Art. 31(2)(b) revFADP): where processing is required by law.

### What data we collect

**Server log data**\
When you access our website, technical access data is automatically recorded. This includes your IP address, time of access, requested URL, referrer URL, browser, and operating system. This data is used to ensure the technical operation and security of the website and is not combined with other data sources.

**Contact**\
When you contact us by email or contact form, we process the data you provide (name, email address, content of the message) to respond to your enquiry. This data is retained only as long as required for the purpose.

**Cookies and local storage**\
This website does not use tracking cookies. Technically necessary cookies may be used where essential for the operation of the website.

For reach measurement we use Plausible Community Edition — a self-hosted, cookieless analytics solution that collects only aggregated and anonymised data. There is no cross-site tracking, no profiling, and no transfer to third parties. The data is processed in the EU (Helsinki).

Due to this configuration, no cookie consent banner is required.

### Data processing

**Webeo** (webeo.ch) operates this website as a data processor on behalf of the controller named above. Technical infrastructure, maintenance, and development are carried out by Webeo. Data processing takes place exclusively within the scope of the technical services described below.

A Data Processing Agreement (DPA) is in place between the controller and Webeo pursuant to Art. 28 GDPR and Art. 9 revFADP. It governs the rights and obligations of both parties, the engaged sub-processors, and the technical and organisational safeguards.

### Sub-processors

Webeo engages the following sub-processors to deliver the service:

| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Cloudflare, Inc. | Hosting of the website (Workers, KV, D1, R2), Content Delivery Network, DDoS protection, DNS, TLS termination | USA / global | EU-U.S. Data Privacy Framework + Standard Contractual Clauses (SCCs) |
| Hetzner Online GmbH | Hosting of self-hosted web analytics (Plausible Community Edition) | Helsinki, Finland (EU) | No third-country transfer |
| Resend, Inc. | Transactional email delivery (contact-form notifications) | USA | EU-U.S. Data Privacy Framework + Standard Contractual Clauses (SCCs) |

The current detailed list — applicable data-protection guarantees, data processing agreements, technical and organisational measures — forms part of the DPA between the controller and Webeo. Material changes to the sub-processor stack are notified to the controller in writing with a 30-day right of objection.

### International data transfers

In the course of operating this website, personal data is transferred to the data processors named above located in the USA (Cloudflare, Resend). This transfer is based on the following legal grounds:

- Certification of the providers under the EU-U.S. Data Privacy Framework (adequacy decision by the European Commission)
- Standard Contractual Clauses (SCCs) of the European Commission as an additional safeguard

The data of the self-hosted analytics (Plausible CE) is processed exclusively in the EU (Hetzner, Helsinki).

### No disclosure to third parties

Apart from the data processors listed above, we do not disclose your personal data to third parties unless we are legally required to do so or you have given explicit consent.

### Data security

We take appropriate technical and organisational measures to protect your personal data. In particular:

- All data transmission is encrypted via HTTPS/TLS.
- We employ a strict Content Security Policy (CSP) that prevents the loading of content from unauthorised sources.
- Access to personal data is restricted to what is necessary for processing.

Despite all care, complete protection against all risks cannot be guaranteed. In particular, we have no influence over surveillance measures by state authorities or orders issued by foreign authorities to our data processors; such interventions are beyond our control.

### Automated decision-making

This website does not employ automated decision-making with legal effect or similarly significant impact within the meaning of Art. 22 GDPR or Art. 21 revFADP. No profiling is carried out for the assessment of personal aspects.

### Retention and deletion

We retain personal data only as long as necessary for the respective processing purpose or as required by statutory retention obligations. Server log data is typically deleted after 30 days. Data from contact enquiries is deleted once the matter has been resolved, unless statutory retention obligations apply.

### Your rights as a data subject

Regardless of the applicable legal regime, you have the following rights with respect to the processing of your personal data:

- **Access**: You may request information as to whether and which personal data we process about you.
- **Rectification**: You may request the rectification of inaccurate or incomplete personal data.
- **Erasure**: You may request the erasure of your personal data, provided no statutory retention obligations or overriding interests apply.
- **Restriction of processing**: You may request the restriction of processing where the conditions are met.
- **Data portability**: You may request that we provide your personal data to you in a structured, machine-readable format or transmit it directly to another controller.
- **Objection and withdrawal**: You may object to the processing of your personal data on legitimate grounds or withdraw any consent given at any time.

We may reject or limit these claims to the extent that statutory retention obligations, the legitimate interests of third parties, or our own overriding interests apply. For burdensome access requests we may, in exceptional cases, charge a reasonable fee.

**Right to lodge a complaint**\
You may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC). Where the GDPR applies to you, you also have the right to lodge a complaint with a competent supervisory authority in an EU/EEA member state.

To exercise your rights, contact us at: office@berger-roth.ch

### Changes

We may amend this privacy policy at any time. The current version is published on this website. We recommend reviewing this privacy policy periodically.
