Privacy policy
The protection and security of your data is a matter of particular concern to us, regardless of whether you are a customer or a visitor to our website and web shop. We therefore undertake to protect your privacy and to process your data carefully and in compliance with the applicable data protection regulations. Below, we inform you which of your personal data are collected in connection with your visit to this website and for what purposes they are used.
I. Controller
This website is operated by Farfalla Essentials AG, Florastrasse 18, 8610 Uster, Switzerland, which is also the controller within the meaning of the Swiss Data Protection Act (“DPA”).
Enquiries regarding data protection and the use of your personal data may be sent to the following email address and will be processed by us in accordance with the applicable legal requirements: info@farfalla.ch.
II. Data used / purposes of processing / retention period
Below we describe the categories of data used by us as well as the purposes pursued through the use of such data. Where possible, information on the respective retention period is also provided.
Each time this website is accessed, access data are stored in log files. The stored data record includes the following information: IP address, date, time, browser request, and general information transmitted about the operating system or browser. The personal data of website users form the basis for statistical, anonymous evaluations, allowing trends to be identified and enabling us to improve our services accordingly.
Data are also collected and processed in order to prevent fraudulent activities and/or misuse on or in connection with the website, as well as to ensure the technical administration of the website and its operational functions, including the resolution of technical problems.
The legal basis for data processing is Art. 6 DPA and Art. 6 para. 1 lit. f GDPR respectively. Our legitimate interest arises from the purposes of data collection listed above. Under no circumstances do we use the collected data to draw conclusions about your identity.
If you register on our website or for our web shop, we collect the master data you provide (in particular name, salutation, address, telephone or fax number, email address, correspondence language, web shop access data) and use these data on the basis of the agreement concluded thereby. In addition, an internal customer number and one or more contact persons within our company are assigned to you. These data are used to provide the web shop and to support you as a customer or prospective customer. Such data are generally stored for nine months after termination of the use of the web shop (deletion of the customer account).
If you place an order in the web shop, we may collect additional delivery addresses and other data provided by you that are required for order processing. Such data are stored for up to six months after the end of the customer relationship. To the extent that personal master data or order data are also used in our accounting system, such data are stored until the end of the statutory retention periods in accordance with applicable legal obligations.
If you have consented to receiving a newsletter, we use your name and email address to deliver the newsletter. These data are used for the duration of the respective newsletter subscription.
If you have given your consent to the processing of your personal data, you may revoke this consent at any time. Revocation may be declared in writing or by email to info@farfalla.ch.
We store your personal data for as long as necessary for the purposes for which they were collected, but no longer than permitted by law. We delete your personal data as soon as they are no longer required, but at the latest upon expiry of the statutory retention obligations.
III. Recipients and categories of recipients
We may disclose your personal data to third parties in order to obtain necessary technical or organisational services. Such third parties are contractually obliged to process your personal data exclusively on our behalf and in accordance with our instructions, and to ensure the security of your personal data by means of appropriate technical and organisational measures. We may also disclose your personal data if we are legally obliged to do so.
In connection with the operation of this website or our web shop, the following processors act on behalf of the controller:
Website hosting provider: Amazon Web Services (AWS)
Payment service provider: Six Payment Services
HubSpot, Inc.
IV. General principles for the processing of personal data
1. We fully comply with the statutory data protection regulations.
The Swiss Data Protection Act (“nDPA”) and the supplementary applicable regulations apply to the storage, processing and use of personal data.
2. Personal data are not disclosed to third parties without your consent or a statutory legal basis.
We do not disclose your personal data to third parties for advertising or marketing purposes unless this is necessary for the provision of our services or you have given your consent. In certain cases, personal data may be transferred to processors who provide sufficient guarantees for lawful and secure data processing and who are contractually obliged to comply with the principles set out in this privacy policy and with statutory requirements.
3. We only use personal data that are necessary for the stated purposes.
Whenever we collect personal data, we inform you of the purposes for which the data are used. Personal data are collected only to the extent necessary to achieve these purposes and are deleted once no longer required.
V. Your rights regarding your data
If and to the extent that we process personal data relating to you, you are entitled in particular to the following rights:
- Right of access: You may request information at any time as to whether and which personal data relating to you are processed by us, for which purposes, their origin, any recipients to whom the data have been disclosed, and the storage period.
- Right to rectification: If you discover that personal data relating to you are incorrect, you may request their correction at any time. If data are incomplete, you may request their completion.
- Right to erasure: You may request the deletion of your personal data if you believe that their processing is no longer necessary, unlawful or lacks a sufficient legal basis.
- Right to restriction of processing: Instead of deletion, you may request restriction of processing, in particular if you contest the accuracy of the data or have objected to processing.
- Right to data portability: With regard to personal data that you have provided yourself and that are processed on the basis of a contract or consent, you may request that such data be provided to you in a commonly used electronic format or transferred directly to another controller.
You also have the right to lodge a complaint with the competent data protection supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
You may revoke any consent given to the processing of your personal data at any time. Please note that the revocation only applies to future processing; processing carried out prior to the revocation remains unaffected.
You also have the right to object: if reasons arising from your particular situation make the processing of your personal data based on a balancing of interests unlawful, you may object to such processing. You also have the right to object at any time if your personal data are used for direct marketing purposes. If you have any questions regarding your rights, please contact us at info@farfalla.ch.
VI. Privacy information for the AI skin analysis
What is the AI skin analysis?
With our AI skin analysis, we offer you the opportunity to have your current skin condition or skin type analysed. This is an AI-based system; no medical diagnosis is performed. For this purpose, you take a photo of your face using the camera of your device (smartphone or webcam).
How does the analysis work?
This photo is analysed by an artificial intelligence (AI) operated by our service provider Thea Care GmbH. The AI has been trained to recognise and assess specific skin characteristics. These include, among others, your skin type (e.g. normal skin, dry skin, oily skin, combination skin, sensitive skin, mature skin, blemished skin or men’s skin), redness, the condition of your pores and other skin-specific features.
What is the purpose?
The purpose of this analysis is to determine your skin condition and to display, immediately afterwards, various product recommendations from our range that are tailored to the specific needs of your skin based on the results of the AI skin analysis. The aim is to provide you with the best possible individual advice and to help you find the right care for yourself.
Legal basis for processing
The processing of your data within the scope of the AI skin analysis is based exclusively on your voluntarily granted consent. This includes:
- Your consent pursuant to Section 25 (1) TDDDG (German Telecommunications-Telemedia Data Protection Act) for access to the camera of your device in order to take the photo.
- Your explicit consent pursuant to Art. 6 (1) lit. a in conjunction with Art. 9 (2) lit. a GDPR for the processing of your photo and the health data derived from it (information on your skin condition) for the stated purposes of skin analysis and subsequent product recommendation.
- Your explicit consent pursuant to Art. 6 (1) lit. a in conjunction with Art. 9 (2) lit. a GDPR for sending your results by email to the email address you provide.
- Your explicit consent pursuant to Art. 6 (1) lit. a in conjunction with Art. 9 (2) lit. a GDPR for the use of pseudonymised AI skin analysis results to train the AI skin analysis tool.
- Your explicit consent pursuant to Art. 6 (1) lit. a GDPR for the use of personal data for marketing purposes (sending personalised product recommendations and offers).
Categories of data processed
Within the scope of the AI skin analysis, we process the following categories of personal data:
- Facial photo: The image (selfie) you take, which is transmitted to our service provider for analysis.
- Health data: The information about your skin condition derived by the AI from your photo. This may include, for example, information on skin type, the degree of redness, pore size or signs of dryness, blemishes or inflammation.
- Analysis result: The determined result of the skin analysis, which serves as the basis for the product recommendations.
- Technical usage data: Where applicable, technical data such as your IP address or information on your device and browser may be processed insofar as this is necessary for the technical provision of the service and for ensuring system security.
- Email address and information: If you wish to receive the results by email, the information you provide in this context will be processed for the purpose of sending the results to you. Your analysis results are sent via the service provider Resend as a sub-processor. Please note that the transmission of data by email may entail security risks, as complete confidentiality cannot be technically guaranteed when transmitting data over the internet.
Optionally, with separate consent, the pseudonymised image data are processed for the further development of the analysis algorithms, and email addresses in connection with analysis results are stored for marketing purposes.
Recipients of the data and processing on our behalf
For the technical execution of the AI skin analysis, we use the specialised service provider Thea Care GmbH, Winterfeldtstrasse 21, 10781 Berlin, Germany. Thea Care GmbH acts as our processor and processes your data exclusively on our behalf and in accordance with our instructions.
We have concluded a data processing agreement with Thea Care GmbH in accordance with Article 28 GDPR. This contract ensures that your data are also protected by our service provider in accordance with the strict requirements of European data protection laws and are used exclusively in accordance with our instructions or for the provision of the analysis service.
Further information on the processing of your data by Thea Care can be found at:
https://cdn.prod.website-files.com/655cef0ba0ff0fc056b8a8ba/67f54b6834e08e84553579dd_2025-04-08_Thea-Care_Datenschutzerkla%CC%88rung_Web-App_EN.pdf
Use of sub-processors and third-party providers
To provide its services and to carry out the AI skin analysis, Thea Care uses specialised sub-processors. The following providers are used:
- Resend (Resend Inc., USA): This service is used to send your analysis results by email. Resend is certified under the EU-U.S. Data Privacy Framework. We note, however, that the transmission of data by email may entail security risks (e.g. unauthorised access by third parties), as complete confidentiality on the internet cannot be technically guaranteed.
- Amazon Web Services (AWS): Operation and monitoring of the web app; processing of technical log data (e.g. IP address, access times); storage of pseudonymised image data for skin analysis and further development of the AI. To ensure the highest possible level of protection, the service provider exclusively uses the server location Frankfurt am Main (Germany). AWS is also certified under the EU-U.S. Data Privacy Framework.
- Supabase (Supabase Inc., USA): This service is used to store analysis results and email addresses where active marketing consent has been granted. Data are stored on servers in the EU (Frankfurt). To safeguard data transfers to the USA (administration/support), the service provider has concluded EU standard contractual clauses with Supabase in order to maintain the European level of data protection.
Retention period
Your data are stored only for as long as necessary for the immediate execution of the analysis and the display of the product recommendations.
- The photo you take is deleted after completion of the analysis or after expiry of the session.
- Data sent by email with your consent (analysis result) are deleted no later than 24 hours afterwards.
- Data that you have consented to being used for research purposes (further development of the AI) are stored until you revoke your consent.
- Data that you have consented to being used for email marketing purposes are stored until you revoke your consent.
Right to revoke your consent
You have the right to revoke your consent at any time with effect for the future. The revocation does not affect the lawfulness of the processing carried out on the basis of your consent up until the point of revocation. You may communicate your revocation to us informally, e.g. by email to the contact information provided in this privacy policy (controller and/or data protection officer). After revocation, further use of the AI skin analysis is no longer possible.
VII. Cookies
We use cookies on our website. Cookies are small files that your browser automatically creates and that are stored on your device when you visit our website. Cookies do not cause any damage to your device and do not contain viruses, trojans or other malware.
Cookies store information related to the specific device used. This does not mean, however, that we obtain direct knowledge of your identity.
Most of the cookies we use are deleted from your hard drive at the end of the browser session (so-called session cookies). If you select the option “stay logged in”, cookies are usually deleted after two weeks. Other cookies remain on your device and enable us to recognise your device during your next visit (so-called persistent cookies).
You can prevent the storage of cookies by adjusting your browser settings. Please note, however, that this may limit the full functionality of this website. You may also delete cookies already stored via your browser settings.
The deactivation of cookies may require the storage of a permanent cookie on your device. If this cookie is deleted later, reactivation will be required.
The following categories of cookies are used on our website:
Session cookies
We use a session ID to facilitate browsing on our website. This session ID allows our server to recognise you or your device as the same visitor during a session, even if your IP address changes. The session ID cookie is valid only for the duration of a session and is automatically deleted when you close your browser.
Persistent cookies / Google Analytics
This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses cookies to analyse your use of the website. The information generated by the cookie about your use of the website (including anonymised IP addresses) is transmitted to and stored on a Google server in the USA.
Google uses this information to evaluate your use of the website, compile reports on website activity, and provide other services related to website and internet usage. Google may transfer this information to third parties where required by law or where such third parties process the data on Google’s behalf.
You may prevent the installation of cookies by adjusting your browser settings. Please note that this may limit website functionality. By using this website, you consent to the processing of data by Google in the manner and for the purposes described above.
You can object to the collection and processing of your IP address by Google Analytics at any time with effect for the future. Further information is available at:
http://tools.google.com/dlpage/gaoptout
Facebook visitor action pixel
This website also uses the Facebook visitor action pixel for conversion measurement, provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). This enables tracking of user behaviour after clicking on a Facebook advertisement.
The collected data are anonymous for us as the website operator; however, Facebook stores and processes the data, enabling a connection to the respective user profile and use for Facebook’s own advertising purposes. Further information can be found in Facebook’s privacy policy at:
https://www.facebook.com/about/privacy/
Google Ads tracking pixel
Tracking pixels for Google Ads remarketing are also used. This is a remarketing and behavioural targeting service provided by Google LLC or Google Ireland Limited. Further information can be found in Google’s privacy policy:
https://support.google.com/google-ads/answer/12929169
VIII. Security measures
We have implemented technical and organisational security measures to protect your data, which are regularly reviewed and adapted to technological progress. However, we note that due to the nature of the internet, absolute protection of data cannot be guaranteed.
IX. Updates and changes to this privacy policy
Changes in legislation or internal processes may require updates to this privacy policy. We therefore recommend that you review this privacy policy regularly. The current version can always be accessed and printed on our website under “Privacy Policy”.
Status: April 2026