Fanktank Privacy Policy

Last Updated: 14.06.2025

1. Introduction

Welcome to Fanktank (fanktank.ch). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website or use our services. We are committed to protecting your privacy in accordance with the Swiss Federal Act on Data Protection (FADP), the European Union's General Data Protection Regulation (GDPR), and other applicable data protection laws.

Data Controller Information:

Controller Name: Tobias Fankhauser

Address: Hegifeldstrasse 10A, 8404 Winterthur, Switzerland

Email: contact@fanktank.ch

Swiss UID/Company Registration: Not applicable (sole proprietorship).

2. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Consent: Where you have explicitly agreed to the processing of your personal data for one or more specific purposes.
  • Contract Performance: Where processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract.
  • Legal Obligation: Where processing is necessary for compliance with a legal obligation to which we are subject.
  • Legitimate Interests: Where processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.

3. Data We Collect and How

a) Contact Form Submissions

  • Data Collected: Name, Email Address, Company Name (Optional), Message Content, Project Type selection (Optional), Timeline selection (Optional).
  • Collection Method: When you submit the contact form on our /contact page.
  • Purpose: To respond to your inquiries, understand your project needs, and initiate communication regarding potential services.
  • Legal Basis: Consent (implied by submitting the form for contact) and steps prior to entering into a contract.
  • Third-Party Processor: Resend service for email delivery.
  • Retention Period: 24 months from the last interaction related to your inquiry, unless a business relationship is established or longer retention is legally required.

b) Consultation Booking

  • Data Collected: Name, Email Address, and any other information you provide directly within the booking form.
  • Collection Method: When you schedule a meeting using the embedded Calendly widget on our /contact page.
  • Purpose: To schedule and prepare for consultation calls regarding our services.
  • Legal Basis: Consent and steps prior to entering into a contract.
  • Third-Party Processor: Calendly for scheduling management.
  • Retention Period: 12 months from the scheduled meeting date, unless a business relationship is established or longer retention is legally required.

c) Cookie & Site Preference Choices

  • Data Collected: Your choices regarding necessary, analytics, and marketing cookies, as well as your preferred theme (light/dark) and language (English/German).
  • Collection Method: When you interact with the cookie consent banner, language toggle, or theme toggle.
  • Purpose: To store your consent and site preferences to ensure a consistent experience on subsequent visits and comply with regulations.
  • Legal Basis: Consent (for optional cookies) and legitimate interest (for necessary site functionality like theme/language and storing consent).
  • Storage: Directly in your browser's localStorage or as first-party cookies.
  • Retention Period: Preference stored for approx. 6-12 months or until you clear your browser data.

d) Cookie-Based Analytics (Conditional)

  • Data Collected: This site does not currently use any cookie-based analytics. If a service like Google Analytics is added in the future, it would collect pseudonymized information about website navigation and interaction.
  • Collection Method: Via analytics cookies only if you provide explicit consent for "Analytics Cookies". Currently, no such cookies are in use.
  • Purpose: To understand website traffic, improve user experience, and optimize content.
  • Legal Basis: Consent.
  • Third-Party Processor: Not currently in use.
  • Retention Period: Not applicable as no cookie-based analytics are currently used.

e) Chatbot Interactions

  • Data Collected:
    • Your messages/questions sent to the chatbot.
    • The AI assistant's responses.
    • An anonymous session_id to group conversation messages.
    • Selected interface language (locale).
  • Collection Method: When you interact with the "Fankbot" chat widget.
  • Purpose:
    • To provide automated assistance about our services.
    • To process your questions using OpenAI's and Cohere's language models (for response generation and reranking).
    • To anonymously log conversations (session ID, messages) for monitoring and improving the chatbot's performance and usefulness.
  • Legal Basis: Legitimate interest (providing service functionality, service improvement) and Consent (implied by using the chat feature after being informed).
  • Third-Party Processors:
    • OpenAI & Cohere (for generating and refining responses).
    • Supabase (for storing anonymous chat logs and website content embeddings used by the chatbot).
  • Retention Period: Anonymous chat logs are retained for 6 months.

f) Server Logs & Security

  • Data Collected: Standard technical data including IP addresses, browser type, operating system, access times, status codes, and referring URLs.
  • Collection Method: Automatic collection by our hosting infrastructure (Vercel) and security services (Upstash Rate Limiting).
  • Purpose: Website security, diagnostics, performance monitoring, load balancing, preventing abuse, and legal compliance.
  • Legal Basis: Legitimate interest (security, performance, abuse prevention) and legal obligation.
  • Third-Party Processors: Vercel, Upstash.
  • Retention Period: Vercel logs are retained for up to 30 days. IP data for rate limiting is temporary.

g) Website Analytics (Cookie-less)

  • Data Collected: Anonymized data including page URL, referrer, network speed, browser, operating system, device type, and country.
  • Collection Method: Data is collected automatically upon page load via Vercel's analytics script. This service does not use cookies and does not track users across sites.
  • Purpose: To understand website traffic, measure performance, and improve user experience.
  • Legal Basis: Legitimate Interest (as the data is anonymized and essential for website operation and improvement).
  • Third-Party Processor: Vercel Inc.
  • Retention Period: Data is retained by Vercel for 30 days.

4. Cookies and Tracking Technologies

We use the following types of cookies and local storage on our website:

Necessary Cookies & Local Storage (Always Active)

  • Purpose: Essential for website functionality such as remembering your theme and language preferences, security, storing your cookie consent choices, and enabling core features.
  • Legal Basis: Legitimate interest and legal obligation.
  • Examples:
    • `ft_cookie_consent` (localStorage): Stores your cookie preferences. Duration: approx. 6 months.
    • `next-themes` (localStorage): Stores your preferred theme (light/dark). Duration: 1 year.
    • `NEXT_LOCALE` (cookie): Stores your preferred language. Duration: 1 year.

Analytics Cookies (Optional - Requires Consent)

  • Purpose: We use cookie-based analytics only if you provide consent. Note: Our primary, cookie-less analytics are provided by Vercel and are governed by Legitimate Interest (see Section 3g).
  • Legal Basis: Consent.
  • Examples: This website currently does not use any third-party analytics cookies.

Marketing Cookies (Optional - Requires Consent)

  • Purpose: Used to track visitors across websites or deliver relevant advertisements.
  • Legal Basis: Consent.
  • Examples: This website currently does not use any marketing cookies.

You can manage your preferences for optional cookies at any time via the Cookie Consent banner.

5. How We Use Your Data

We use your personal data for the following purposes:

  • To provide and maintain our website and services.
  • To respond to your inquiries submitted via the contact form.
  • To schedule and conduct consultation calls booked via Calendly.
  • To operate the chatbot and provide automated assistance.
  • To improve our website, services, and chatbot based on usage patterns and feedback (using anonymous or consented data).
  • To monitor website performance and usage with Vercel Analytics.
  • To ensure website security, prevent fraud, and address technical issues.
  • To comply with applicable legal and regulatory obligations.

We process your data only for the purposes for which it was collected, unless we reasonably consider that we need it for another purpose that is compatible with the original purpose, or as permitted or required by law.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include:

  • Using secure hosting environments (Vercel, Supabase) with access controls.
  • Encrypting data in transit using HTTPS/TLS.
  • Regular security monitoring and updates of our systems and dependencies.
  • Limiting access to personal data to authorized personnel on a need-to-know basis.
  • Utilizing reputable third-party providers with documented security practices.

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee its absolute security.

7. Data Sharing and Third Parties

We do not sell your personal data. We share your information only when necessary to provide our services or comply with the law, with the following categories of third-party service providers:

  • Resend
    • Data shared: Your name, email address, and message content from the contact form.
    • Purpose: To deliver your contact form submission to our email inbox.
    • Privacy policy: https://resend.com/security
  • Calendly
    • Data shared: Your name, email address, and any information you provide when scheduling a meeting.
    • Purpose: To facilitate scheduling of consultation calls.
    • Privacy policy: https://calendly.com/legal/privacy-notice
  • OpenAI & Cohere
    • Data shared: Messages you send to the chatbot and necessary context (potentially including snippets of our website content from RAG).
    • Purpose: To generate AI responses within the chatbot and create embeddings for our internal website content.
    • Privacy policy: OpenAI, Cohere
  • Supabase
    • Data shared: Anonymous chat logs (session ID, user message, bot response), website content chunks, and their vector embeddings.
    • Purpose: Storing data for the chatbot's RAG functionality and anonymous chat logs for improvement purposes.
    • Privacy policy: https://supabase.com/privacy
  • Vercel
    • Data shared: Standard server logs and anonymized analytics data.
    • Purpose: Website hosting, infrastructure management, security, and cookie-less analytics.
    • Privacy policy: https://vercel.com/legal/privacy-policy
  • Upstash
    • Data shared: Your IP address (temporarily).
    • Purpose: To provide rate-limiting to prevent abuse of our services.
    • Privacy policy: https://upstash.com/privacy

We require third parties to respect the security of your personal data and to treat it in accordance with the law. We only permit them to process your personal data for specified purposes and in accordance with our instructions or their role as independent controllers.

We reiterate: We do not sell your personal data.

8. International Data Transfers

Your personal data may be processed by our third-party service providers in countries outside of Switzerland and the European Economic Area (EEA). When we transfer your personal data internationally, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • Transfers to countries deemed to provide an adequate level of protection by relevant authorities (e.g., Swiss Federal Council adequacy decisions, EU Commission adequacy decisions).
  • Use of specific contracts approved by relevant authorities which give personal data the same protection it has in Switzerland/Europe (e.g., Standard Contractual Clauses - SCCs).
  • For transfers to the US, reliance on providers certified under frameworks like the EU-U.S. Data Privacy Framework or Swiss-U.S. Data Privacy Framework, where applicable, or use of SCCs.
  • Obtaining your explicit consent for specific transfers after informing you of the risks.

Based on their documentation, our key third-party services may process data in locations including (but not limited to):

  • Resend: EU-Region (Ireland).
  • Calendly: Primarily United States.
  • OpenAI/Cohere: Primarily United States.
  • Supabase: Frankfurt, Germany.
  • Vercel: EU-Regions.
  • Upstash: EU-Regions.

9. Data Retention

We retain your personal data only for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. Specific anticipated retention periods are noted in Section 3 where possible.

To determine the appropriate retention period, we consider:

  • The amount, nature, and sensitivity of the personal data.
  • The potential risk of harm from unauthorized use or disclosure.
  • The purposes for which we process the data and whether we can achieve those purposes through other means.
  • The applicable legal, regulatory, tax, accounting or other requirements.

We will securely delete or anonymize your personal data when it is no longer needed.

10. Your Rights

Under applicable data protection laws (FADP, GDPR), you have rights regarding your personal data. Depending on the law and circumstances, these may include:

  • Right to Access: Request access to the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ('Right to be Forgotten'): Request deletion of your personal data when it's no longer necessary, consent is withdrawn, etc.
  • Right to Restrict Processing: Request we limit how we process your data in certain situations.
  • Right to Data Portability: Request your data in a structured, machine-readable format, or have it transferred directly to another controller.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Withdraw your consent at any time for processing based on consent (withdrawal does not affect lawfulness of processing before withdrawal).
  • Right to Lodge a Complaint: File a complaint with the relevant data protection supervisory authority.

To exercise any of these rights, please contact us using the details provided in Section 13. We aim to respond within one month. We may need to request specific information from you to help us confirm your identity.

11. Children's Privacy

Our website and services are not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without verification of parental consent, we take steps to remove that information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.

You are advised to review this Privacy Policy periodically for any changes. Changes are effective when they are posted on this page.

13. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please contact the Data Controller:

Tobias Fankhauser

14. Supervisory Authority

If you are located in Switzerland and are unsatisfied with our response, you have the right to lodge a complaint with the Swiss supervisory authority:

Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
CH - 3003 Bern
https://www.edoeb.admin.ch/

If you are located in the EU, you have the right to lodge a complaint with your local data protection authority.


This Privacy Policy was last updated on July 28th, 2025. It supersedes all previous versions.