Privacy Policy
Last updated: June 11, 2026
1. Who we are
AlpHexa (“AlpHexa”, “we”, “us”) is a Switzerland-based studio that designs, builds, hosts, and maintains websites for businesses. AlpHexa is the controller for the processing described in this policy, except for visitor analytics on client websites, where we process data on the client's behalf (see section 3). Contact details are in section 13.
2. What this policy covers
This policy covers alphexa.ch and its subdomains — the account service (auth.alphexa.ch), the client panel (client.alphexa.ch), prototype previews (prototype.alphexa.ch), our API (api.alphexa.ch), and this site — as well as the visitor analytics AlpHexa operates on client websites.
We process personal data in accordance with the Swiss Federal Act on Data Protection (FADP) and, where it applies, the EU General Data Protection Regulation (GDPR).
3. Information we collect
Contact form & email
When you contact us through the form on alphexa.ch or by email, we receive the details you send us — typically your name, email address, company, and message.
Client accounts
For clients we create accounts holding your name, email address, a securely hashed password (we never see or store the plain-text password), your role, and a session cookie while you are signed in.
Client panel activity
Support requests and feedback you submit through the client panel are stored with your account so we can respond and track resolution.
Visitor analytics on client websites
AlpHexa operates privacy-focused, cookieless visitor analytics on websites we build for clients. We process this data on the client's behalf. For each page view we record:
- the page path and the referring page;
- browser family, operating system, and device type (phone or computer);
- approximate location (country and city, with coordinates rounded to roughly 11 km — precise enough for a map, not precise enough to identify anyone);
- a one-way hash of the IP address, salted with a value that rotates daily — this lets us count unique visitors within a day but cannot be reversed to the IP, and stops linking visitors across days;
- a random session identifier stored in your browser's sessionStorage.
What we don't collect
- No advertising or cross-site tracking, on our sites or on client sites.
- No analytics cookies — our analytics is cookieless.
- No raw IP addresses stored in analytics data.
- No sale or sharing of personal data for advertising. Ever.
- No use of your data to train AI models.
4. How we use information
- to respond to inquiries and provide our services;
- to operate client accounts, sign-in, and the client panel;
- to show clients visitor analytics for their own websites;
- to handle support requests and feedback;
- to secure the services — including rate limiting and abuse prevention;
- to comply with legal obligations.
Where the GDPR applies, we rely on performance of a contract (accounts, client panel, support), legitimate interests (security, responding to inquiries, analytics for our clients), and legal obligation as legal bases.
6. Service providers
We use a small number of providers to run our services:
| Provider | Purpose |
|---|---|
| Hostinger | Server hosting (EU data center) |
| Prisma Data Platform | Database hosting |
| Resend | Transactional email |
| UploadThing | File upload storage |
| ip-api.com | Approximate geolocation of visitor IPs at collection time (the IP is used for the lookup, then only its daily hash is stored) |
These providers process data on our instructions. We do not sell personal data to anyone.
7. Data retention
- Contact inquiries — kept as long as needed to handle the inquiry and any follow-up.
- Account data — kept while your account is active; deleted or anonymized after the engagement ends, except where retention is legally required.
- Support & feedback — kept for the duration of the client relationship.
- Visitor analytics — kept for the reporting period agreed with the client; already pseudonymized at collection.
- Server logs — kept for a short operational window for security and debugging, then deleted.
8. Your rights
Under the Swiss FADP and, where applicable, the GDPR, you can ask us for access to your personal data, for its correction or deletion, for restriction of processing, and for a portable copy, and you can object to processing based on legitimate interests. Where processing is based on consent, you can withdraw it at any time.
Contact us using the details in section 13 — we respond within 30 days. You can also complain to the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, in the EEA, to your local supervisory authority.
For analytics collected on a client's website, the client is the controller — please direct requests to the website you visited; we support our clients in fulfilling them.
9. International transfers
Our infrastructure is hosted in Switzerland and the EU/EEA. Switzerland and the EU recognize each other's data protection frameworks as adequate. Where a provider processes data outside Switzerland or the EEA, we rely on adequacy decisions or standard contractual clauses.
10. Children
Our services are aimed at businesses and are not directed at children under 16. We do not knowingly collect personal data from children; if you believe a child has provided us data, contact us and we will delete it.
11. Security
All traffic to our services is encrypted with TLS. Passwords are stored only as cryptographic hashes. Access to production systems and data is restricted and protected. No system is perfectly secure, but if we learn of a breach affecting your data we will notify you and the competent authority as required by law.
12. Changes to this policy
We may update this policy from time to time. The current version is always published at legal.alphexa.ch/privacy with its “Last updated” date. For material changes we will give reasonable notice — for example by email or a notice in the client panel.
13. Contact
For privacy questions and requests, use the contact form on alphexa.ch or write to louis.bouvard@gmail.com.