Privacy Policy

This Privacy Policy (the “Policy”) explains how CS&AC collects, uses, stores, shares, and protects personal data in connection with the three websites listed above (together, the “Sites”) and the products, services, and communications associated with them.

All three Sites are operated by the same data controller. This Policy is the authoritative version and applies in full across the Sites. References on lisalab.net and elisalab.net direct to this canonical document.

This Policy is written to satisfy the transparency obligations of the Swiss Federal Act on Data Protection (nDSG), the EU General Data Protection Regulation (GDPR) where applicable, and the Swiss Federal Act against Unfair Competition (UWG) where it governs commercial communications.

This Policy applies whenever you: (i) browse any of the Sites; (ii) purchase a product via Stripe checkout on lisalab.net or elisalab.net; (iii) receive an invoice from CS&AC in connection with a consulting engagement initiated through seconsulting.ch; (iv) contact us via email or the contact links published on any of the Sites; (v) receive a commercial outreach email sent by CS&AC under the programme described in Section 7.

Where a Site page or communication links to this Policy, the version in force at the moment of your interaction governs that interaction. Material amendments are addressed in Section 18.

The personal data we process depends on how you interact with us. We collect only what is necessary for the stated purpose. The following sections itemise each category in detail:

• Section 4 — data you provide when completing a purchase on lisalab.net or elisalab.net.
• Section 5 — data we receive when issuing an invoice for a consulting engagement on seconsulting.ch.
• Section 6 — data you provide when contacting us directly by email.
• Section 7 — data we collect from public sources about business prospects for the purpose of outbound commercial communications.
• Section 8 — technical data generated automatically when you browse the Sites.

We do not collect special-category personal data (such as health, biometric, political, or religious data) in the ordinary course of our business and do not solicit it.

When you complete a purchase through the Stripe-powered checkout on lisalab.net or elisalab.net, the following categories of personal data are collected and made available to CS&AC through the Stripe merchant dashboard:

• The name and email address you provide at checkout.
• The billing address, where one is collected for the selected payment method or for tax-compliance reasons.
• The country associated with the payment instrument.
• The last four digits and brand of the card used (where a card is used), or the equivalent short identifier for non-card methods (for example, the payer email of a PayPal or Link account).
• The transaction amount, currency, timestamp, and Stripe-assigned transaction identifier.
• Fraud-risk signals generated by Stripe Radar.
• The product purchased (identified by its SKU and metadata).
• Any dispute or chargeback metadata, if such events occur.

The full card number (PAN), CVV/CVC, wallet token, banking PIN, and any other re-usable payment credential are not made available to CS&AC at any point. These remain exclusively within Stripe and the card networks, wallet providers, or banks that Stripe interacts with to authorise the payment. Section 9 expands on this.

The email address you provide at checkout is also used by our fulfilment system to deliver the download link for the purchased product, via our email delivery processor (Section 12).

Consulting engagements initiated through seconsulting.ch are contracted by direct email exchange and invoiced through Stripe Invoicing. When we issue an invoice, the following categories of personal data are processed:

• The name, email address, and (where applicable) the billing address and business name you provide for invoicing purposes.
• The description, quantity, rate, currency, and timestamp of the services billed.
• The payment-method metadata listed in Section 4, once the invoice is settled, on the same terms.

Invoicing data is retained as part of our accounting records under Swiss Code of Obligations Article 958f. Section 14 addresses retention.

seconsulting.ch does not operate a self-service checkout. Invoices are sent to you individually by email after the scope and fees of the engagement have been agreed in writing.

If you contact us by email at any of the addresses published on the Sites (including contact@seconsulting.ch), we process the data contained in your message: typically your name, email address, and any content you choose to share with us.

Incoming and outgoing correspondence is handled through an owner-managed mailbox hosted by Google Workspace (Section 12) in its Europe region. Messages are retained for the duration of any active exchange and for a reasonable additional period thereafter to support follow-up and record-keeping.

Persons who contact CS&AC via the Sites are not added to any outbound marketing list. Your contact data is used exclusively to respond to your enquiry and, where the exchange leads to a transaction or engagement, to perform the resulting contract.

CS&AC operates a limited, targeted outbound business-to-business outreach programme for the purpose of promoting CS&AC's consulting services and the products offered on lisalab.net and elisalab.net. The programme is described in full below because it involves processing personal data from sources other than the data subject.

What we collect. The business email address, business name, website URL, public description, and — where publicly available — the name and role of the relevant point of contact. We collect only what is required to evaluate relevance and to personalise the approach. We do not collect private or personal email addresses under this programme.

Source. Business contact information is identified exclusively from publicly available sources: company websites, public business directories, professional social networks, public press releases, and public regulatory filings. No data is acquired from third-party data brokers or purchased contact lists.

Legal basis. Legitimate interest (GDPR Article 6(1)(f); nDSG Article 31) in promoting a lawful business-to-business service to businesses whose public activity indicates a plausible professional interest. Every outbound message includes a clearly labelled one-click unsubscribe link. Our legitimate interest is balanced against your right to object, with opt-outs honoured on receipt.

Retention of active prospect data. Email addresses of prospects we have identified but not yet contacted, and of those we have contacted without response, are retained for the duration of the active outreach cycle and deleted no later than twelve (12) months from the last contact attempt.

Retention of opt-outs (suppression list). Where a recipient uses the unsubscribe link or otherwise requests no further contact, the email address is moved to a permanent suppression list. This list is retained indefinitely for the sole and exclusive purpose of ensuring that the address is never contacted again by CS&AC. No other processing of any kind — analytics, profiling, segmentation, resale — is performed against addresses on the suppression list. The suppression list is the very mechanism by which your opt-out is honoured; removing your address from it would expose you to the risk of being re-contacted in a future prospecting cycle.

How to opt out. Every outreach email contains a dedicated unsubscribe link that takes you to our unsubscribe page, where you can submit a removal request in a single step.

When you browse the Sites, limited technical data is processed on our behalf by our hosting and content-delivery provider (Cloudflare; see Section 12) for security and operational purposes. This typically includes your IP address, request timestamp, the URL requested, the HTTP status code returned, the user agent (browser and operating system identifier), the approximate geographic region (country or region level) derived from the IP address, and TLS handshake metadata.

We do not run additional analytics, tracking pixels, or profiling scripts on the Sites. We do not log individual browsing behaviour for marketing purposes. The technical data described above is processed by Cloudflare for the purposes of delivering the Sites, protecting against denial-of-service and other attacks, and maintaining operational security; it is retained according to Cloudflare's standard log-retention schedule.

We continuously expand the payment methods offered at checkout to reflect our international customer base. Depending on your region and the purchasing flow, available methods may include credit and debit cards, Google Pay, Apple Pay, Amazon Pay, Link, TWINT, PayPal, SEPA direct debit, and other methods Stripe introduces over time.

Regardless of which method you select, the payment is processed end-to-end by Stripe Payments Europe Limited on Stripe-hosted pages. CS&AC never comes into contact with your full card number, CVV, banking PIN, wallet token, or any other re-usable payment credential — these remain exclusively within Stripe and the card networks or wallet providers Stripe interacts with to authorise your payment.

What CS&AC does receive, through the Stripe merchant dashboard, is the limited payment metadata required to operate the business lawfully: the name and email address you provided at checkout, the billing address where one was collected, the last four digits of the card (or the equivalent short identifier for non-card methods such as the payer email of a PayPal or Link account), the card brand and issuing country, the transaction amount, currency, and timestamp, Stripe's fraud-risk signals, and any dispute or chargeback metadata. This information is used strictly for order fulfilment, accounting and tax compliance, dispute resolution, and the statutory record-keeping obligations imposed by Swiss law (see Section 14).

Where a payment method is backed by a third party (for example, PayPal, Google Pay, Apple Pay, or Amazon Pay), any data processing that third party performs occurs strictly within the transactional scope of authorising, settling, or reconciling your specific payment. CS&AC does not share, transmit, or expose personal data to these third parties beyond what the Stripe processing flow technically requires to complete the payment you selected.

The Sites do not set advertising cookies, analytics cookies, or any first-party tracking cookies. We do not use Google Analytics, Facebook Pixel, LinkedIn Insight, or any comparable third-party analytics platform.

Strictly necessary cookies may be set transiently during the Stripe checkout flow on lisalab.net and elisalab.net; these are required by Stripe to secure the payment session, to resist session-hijacking and fraud, and to satisfy card-network requirements. They are scoped to the Stripe-hosted payment page and are governed by Stripe's own privacy practices.

Cloudflare, our hosting provider, may set security-related cookies (such as those used to challenge automated traffic) when elevated risk signals are detected. These serve a purely defensive purpose and are not used for behavioural tracking.

We rely on the following legal bases, as applicable to your specific interaction with us:

• Performance of a contract (GDPR Art. 6(1)(b); nDSG Art. 31 para. 2 lit. a) — to process purchases, deliver digital products, issue invoices, and perform consulting engagements.
• Compliance with a legal obligation (GDPR Art. 6(1)(c); nDSG Art. 31) — notably Swiss Code of Obligations Article 958f (ten-year accounting-record retention) and applicable tax law.
• Legitimate interest (GDPR Art. 6(1)(f); nDSG Art. 31 para. 1) — for operational security of the Sites (Section 8), fraud prevention at checkout, dispute defence, and the targeted business-to-business outreach programme described in Section 7. In each case we have conducted a purpose, necessity, and balancing assessment.
• Consent (GDPR Art. 6(1)(a); nDSG Art. 31 para. 1) — where you explicitly elect to receive a particular communication or take a specific action. Consent may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

CS&AC relies on a small number of clearly scoped third-party processors to deliver its products, operate its business, and communicate with its customers. We have executed data-processing agreements with these processors where applicable and have selected them for their contractually enforceable data-protection standards aligned with Swiss and EU law.

• Stripe Payments Europe Limited (Dublin, Ireland; EU) — payment processing, invoicing, and fraud detection at checkout and for consulting invoices. Stripe is the end-to-end payment processor for all commercial transactions across the three Sites. All payment methods offered at checkout (see Section 9) are processed through Stripe's infrastructure.
• Resend, Inc. / Resend Ireland Limited (EU region) — electronic delivery of purchase-flow emails such as download links and receipts. Resend is not used for general enquiries or consulting correspondence.
• Google Workspace (Google Ireland Limited, EU region) — owner-managed mailbox for general enquiries, consulting correspondence, and on-demand requests. Messages sent to or from addresses such as contact@seconsulting.ch transit and are stored on Google Workspace infrastructure.
• Cloudflare, Inc. and its EU subsidiaries — website hosting, DNS, content delivery, DDoS protection, and object storage for product files. Cloudflare processes request-level technical data (Section 8) and stores product files in the EU.

Each processor operates under its own terms and privacy practices. CS&AC remains responsible for the selection and instruction of these processors in respect of your personal data.

Our processors are located in Switzerland, the European Economic Area, or jurisdictions with decisions of adequacy recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC) and, where applicable, the European Commission.

Where a processor (or a sub-processor of one of our processors) operates infrastructure in the United States or another third country, transfers are governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission (EU 2021/914), supplemented by the Swiss addendum issued by the FDPIC where Swiss law applies, and accompanied by any supplementary technical and organisational measures required by the transferring party's transfer impact assessment.

We retain personal data only for as long as necessary for the purpose for which it was collected, or for any longer period required by law. The principal retention periods applicable to our processing are:

• Accounting and invoicing records — ten (10) years from the close of the relevant accounting year, as required by Swiss Code of Obligations Article 958f.
• Purchase and download-link data — up to the statutory accounting-retention period for the transaction-level fields; download links themselves expire within days of issuance (see Terms of Service Section 5).
• Consulting engagement correspondence and deliverables — for the duration of the engagement and up to ten (10) years thereafter in line with the accounting obligation above; engagement-specific terms may impose shorter periods for certain artefacts.
• General enquiry correspondence — for the duration of the exchange and a reasonable additional period thereafter; typically deleted within twelve (12) months of last interaction absent an ongoing engagement.
• Active outbound-prospect data — up to twelve (12) months from last contact attempt (Section 7).
• Opt-out suppression list — retained indefinitely, for the sole purpose of honouring your opt-out (Section 7).
• Site technical logs — according to the standard retention schedule of our hosting and content-delivery provider (Cloudflare); not retained by CS&AC in any separate form.

CS&AC applies technical and organisational measures appropriate to the nature, scope, context, and purposes of processing and to the level of risk to your rights and freedoms. These include:

• TLS encryption in transit for all Site traffic and for all email delivery channels we operate;
• selection of processors that encrypt personal data at rest;
• least-privilege access controls to the merchant dashboards and mailboxes used to operate the business;
• strong authentication on all administrative interfaces;
• prompt application of security updates to the Sites and the administrative environment;
• internal procedures for evaluating any new processor or tool that would handle personal data.

No security measure can eliminate risk entirely. In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (the FDPIC for Switzerland and, where applicable, the relevant EU supervisory authority) and the affected data subjects without undue delay, in accordance with applicable law.

The Sites and the products and services offered through them are not directed at children and are not intended for use by persons under the age of sixteen (16). We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at contact@seconsulting.ch and we will take appropriate steps to delete such data.

We may amend this Policy from time to time to reflect changes in our processing activities, our processor arrangements, or the legal framework. Amended versions take effect upon publication on seconsulting.ch. The effective date of the current version is stated in Section 19.

Where an amendment materially affects the way we process personal data — for example, the introduction of a new category of processor, a new legal basis, or a change in retention period — we will signal the change clearly on the Site and, where appropriate and feasible, notify affected data subjects directly.