1. Introduction and scope of application
This Privacy Policy defines the terms and conditions for the collection, use, retention, and disclosure of your personal data by COPIL SA, whose registered office is located at Route du Nant-d'Avril 96, 1217 Meyrin. It applies to all processing carried out in the context of your browsing on the website developed with Webflow, accessible at www.copil.ch, as well as to the forms and online services offered.
This Policy supplements the information provided in the Legal Notice and complies with the Federal Act on Data Protection (FADP), which entered into force on September 1, 2023.
2. Definitions and basic principles
2.1 Key definitions
Personal data
Means "any information relating to an identified or identifiable natural person" (name, address, email address, etc.) and aims to protect the personality and fundamental rights of individuals.
Data processing
Any “operation or set of operations” applied to the data, regardless of the method used (collection, recording, storage, modification, consultation, etc.).
Data controller
The natural or legal person, public authority, service, or any other body which, alone or jointly with others, determines the purposes and means of data processing.
Processor
The natural or legal person who processes data on behalf of the controller and according to their instructions.
2.2 Fundamental principles (Art. 5 FADP and best practices)
Lawfulness
All processing must be based on a legal basis (consent, execution of a contract, legal obligation, legitimate interests, etc.) in order to be lawfully carried out.
Fairness and transparency
The controller clearly informs the data subjects of the purposes, recipients, and retention period of their data. The terms must be written in plain and accessible language.
Purpose limitation
Data may only be collected for specific, explicit, and legitimate purposes, and must not be further processed in a way that is incompatible with those purposes.
Data minimization
Only the data strictly necessary in relation to the pursued purposes may be collected or retained (“adequate, relevant and limited to what is necessary”).
Accuracy and updating
Data must be accurate and kept up to date. The controller shall establish procedures to rectify or erase inaccurate data without delay.
Limited retention
Data must not be kept in a form allowing the identification of individuals beyond the period necessary for the declared purposes, unless otherwise required by law.
Accountability
The controller must be able to demonstrate the compliance of their processing (record of activities, impact assessments, etc.) and adopt appropriate technical and organizational measures.
3. Types and purposes of data collected
When browsing the website www.copil.ch, COPIL SA may collect several categories of personal data in order to provide, secure, and improve its services while respecting the Federal Act on Data Protection (FADP).
3.1 Types of data collected
Identity and contact data
First name, last name, email address, phone number collected through contact or quote request forms.
Usage and connection data
Technical information (IP address, browser type, pages visited, visit duration) automatically collected to analyze site performance and detect possible fraud.
Marketing data and preferences
Consent for marketing cookies, browsing history, and interests for targeted campaigns and sending newsletters.
Sensitive data (if applicable)
Racial origin, political opinions, health data, only if you explicitly provide them and after express consent.
3.2 Purposes of processing
Provision of services and performance of contracts
Management of quote requests, project follow-up, invoicing, and customer relations.
Communication and support
Responses to your requests, sending administrative or marketing information according to your preferences.
Improvement and security of the site
Navigation analysis to optimize usability, detection of security incidents, and fraud prevention.
Compliance with legal and regulatory obligations
Archiving of data to comply with Swiss tax, accounting, and legal requirements.
4. Data sharing and transfers
COPIL SA is committed to ensuring the confidentiality of your data: only authorized persons within the company, as well as duly designated service providers, have access to the personal information collected.
Internal services (project team, customer support, accounting department) process your data strictly within the scope of their respective missions and in accordance with the purposes described above.
Third-party providers (technical subcontractors, hosting provider, analytics tools) are carefully selected and subject to a data processing agreement (DPA) ensuring compliance with the FADP, including the obligation to implement appropriate transfer mechanisms (standard contractual clauses, binding corporate rules) when processing takes place outside Switzerland.
Before any engagement, Webflow conducts thorough due diligence (security, legal, confidentiality) and signs a DPA including a valid transfer mechanism for each subcontractor involved.
4.1 Transfers outside Switzerland
In accordance with Art. 6 para. 1 let. c FADP and the Data Protection Ordinance (DPO), personal data may be transmitted abroad only if the destination country provides an adequate level of protection, as determined by the Federal Council and published in the annex to the DPO.
Remote access from abroad to data hosted in Switzerland is also considered an outbound transfer and is subject to the same safeguards.
For countries not on the adequacy list, COPIL SA implements additional safeguards:
- Signing Standard Contractual Clauses (SCCs) recognized by the Federal Data Protection and Information Commissioner;
- Adoption of Binding Corporate Rules (BCRs) internally, where applicable;
- Obtaining the express consent of the data subject, after clear information on the potential risks of the transfer.
4.2 Information of data subjects
Before any significant transfer (to a third party or a third country), COPIL SA expressly informs users:
- of the identity of the external recipient(s);
- of the nature of the transmitted data;
- of the purpose of the transfer;
- of the safeguards implemented to ensure a level of protection compliant with the FADP.
5. Cookies and trackers
In accordance with the Federal Act on Data Protection (FADP) and best practices, only cookies strictly necessary for the provision of the service may be deposited without prior consent.
All other cookies (analytics, marketing, social networks, etc.) are considered non-essential and require the explicit consent of the user before being placed or read.
5.1 Types of cookies
Technical cookies (essential):
These cookies are used exclusively to “carry out the transmission of a communication over an electronic communications network” or are “strictly necessary” for the provision of a service expressly requested by the user. They do not require consent.
Marketing cookies:
These cookies are used to deliver advertisements more relevant to you and your interests. They may also be used to limit the number of times you see an advertisement and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the website operator’s authorization.
Personalization cookies:
These allow the website to remember your choices (such as your username, language, or region) and provide enhanced and more personal features. For example, a website may provide you with local weather bulletins or traffic information by storing data about your current location.
Analytics cookies:
These help the website operator understand how the site works, how visitors interact with it, and whether there are any technical issues. This type of storage generally does not collect information that identifies a visitor.
5.2 Collection and management of consent
Cookie banner
On the first visit, a banner is displayed to inform the user of the use of cookies, detail their purposes, and offer a clear choice (“Accept” / “Reject”).
Clear positive action
Acceptance must result from a clear positive act (clicking “I accept,” checking boxes, etc.).
5.3 Withdrawal and modification of consent
The user may withdraw consent at any time, as easily as it was given, via:
- a permanent “Cookie settings” link in the website footer;
- the preference management interface accessible from the cookie banner.
In case of withdrawal, COPIL SA undertakes to delete all non-essential cookies previously placed, except in case of major technical impossibility.
5.4 Configuration via the browser
Users can also configure their browser to:
- block all cookies;
- allow only trusted cookies;
- or delete existing cookies.
The methods vary depending on the browser (Chrome, Firefox, Safari, Edge…) and are detailed on the official websites of the publishers.
6. Data security
The controller and the processor implement appropriate technical and organizational measures (TOMs) to ensure data security, in accordance with Art. 3 DPO and Art. 7 FADP.
These measures include in particular:
- Access management: access rights control to systems containing personal data to ensure confidentiality and integrity.
- Encryption: encryption of data at rest and in transit using recognized protocols (TLS, AES 256-bit).
- Regular backups: implementation of automated backups and restoration tests to ensure availability in case of incident.
- Logging and monitoring: tracking access, modifications, and incidents to quickly detect any anomaly or security breach.
- Incident management plan: documented procedures for responding to data breaches, including notification to the competent authorities and data subjects within the legal deadlines (Art. 15 DPO).
- Awareness and training: regular security training programs for employees to ensure a sustainable security culture.
- Vulnerability testing and audits: periodic security audits and penetration testing to identify and fix potential flaws.
Thus, COPIL SA ensures that the confidentiality, integrity, and availability of data are maintained, in compliance with the FADP requirements.
7. Retention periods
The retention period for personal data must be defined “where possible, by a retention period or according to criteria allowing it to be determined” (Art. 12 para. 2 FADP).
7.1 Examples of retention periods and criteria
Billing and accounting data
In accordance with Art. 958f CO, supporting documents relating to payments (invoices, purchase orders, bank statements) must be kept for 10 years from the date of the transaction.
Data from contact forms and quote requests
The data (name, email, phone number, content of the request) may be kept for 1 year from the last contact, unless a contract is concluded, in which case the corresponding legal periods apply.
Connection logs and security logs
To detect and prevent security incidents, technical traces (IP addresses, timestamps, suspicious activity) are kept for at least 6 months.
Cookies and consent
The record of cookie consents (banner, preferences) is kept for 2 years, in accordance with recommended best practices for analyzing the recurrence of consents.
Staff records (if applicable)
HR data (employment contracts, certificates, pay slips) are kept for 5 to 10 years depending on the nature (e.g. salaries: 10 years, attestations: 10 years, evaluations: 5 years) and the prescriptions of Art. 127–128 CO.
Archiving for legal purposes
Any document that may be required by the tax authorities, the regulator, or the courts (agreements, contracts, correspondence) is archived for 10 years, as provided for by the Federal Act on Accounting and Auditing.
7.2 Determination criteria
When the law does not provide for a specific duration, COPIL SA determines the retention based on:
- The purpose of processing (e.g. customer relationship management, contract performance).
- Legal obligations (tax, accounting, labor law).
- Proportionality and the principle of minimization (data deleted as soon as the purpose is no longer achieved).
7.3 Deletion and anonymization
At the end of the retention period or when the determination criteria are no longer met, COPIL SA:
- Deletes personal data unless further retention is required by law.
- Anonymizes data whose complete deletion is not justified but whose identification is no longer necessary.
8. Rights of data subjects
Data subjects have several rights to control the use of their personal data and guarantee transparency of processing carried out by COPIL SA.
8.1 Right of access
In accordance with Art. 25 FADP, any person may request the controller to indicate whether personal data concerning them are processed, and obtain a copy of this data in a comprehensible format and, in principle, free of charge within 30 days.
8.2 Right to rectification
The data subject may obtain the rectification, without delay, of inaccurate data concerning them and the completion of incomplete data, including by providing a supplementary statement.
8.3 Right to erasure (“right to be forgotten”)
When the data are no longer necessary for the purposes for which they were collected, the data subject may request their erasure, unless retention is required by a legal obligation (e.g. tax obligations).
8.4 Right to restriction of processing
Upon request, the data subject may obtain restriction of processing where:
- they contest the accuracy of the data (during verification);
- the processing is unlawful and they object to erasure;
- COPIL SA no longer needs the data but they are required for the establishment, exercise, or defense of legal claims;
- they have objected to the processing (pending verification whether the company’s legitimate grounds override).
8.5 Right to data portability
When processing is based on consent or contract performance, the data subject may obtain their data in a structured, commonly used, and machine-readable format, or request their direct transmission to another controller, where technically feasible.
8.6 Right to object
The person may object at any time, on grounds relating to their particular situation, to the processing of data concerning them based on a public interest or legitimate interest of COPIL SA, except where compelling legitimate grounds prevail or for the establishment, exercise, or defense of legal claims.
8.7 Withdrawal of consent
Consent given for the processing of personal data may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
8.8 Complaint to the FDPIC
In case of an alleged violation of their rights or for any question relating to the processing of their data, the data subject may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC), independent and competent in Switzerland.
9. Contact and update of the policy
9.1 Contact
For any questions regarding this Privacy Policy or the exercise of your rights, you may contact:
Data Protection Officer (DPO): Dang Quoc Dung
Email: dang@copil.ch
Postal address: Route du Nant-d'Avril 96, 1217 Meyrin
The DPO is responsible for ensuring that the processing of personal data is compliant and for responding to your requests as quickly as possible.
9.2 Policy update
Review frequency
The Privacy Policy is reviewed at least once a year and whenever new processing or features involving personal data are deployed on the site.
Date of last update
The date of the last update is indicated at the top of this page.
Notification of changes
Any changes (format corrections, clarifications, and other modifications) are posted online directly, without individual notification.
Permanent consultation
You are invited to regularly consult this page and check the date of the last update in order to be aware of any modifications.